Gentoo Linux Security Advisory 202310-17 - Multiple vulnerabilities have been discovered in UnZip, the worst of which could lead to code execution. Versions greater than or equal to 6.0_p27 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: UnZip: Multiple Vulnerabilities  
     Date: October 30, 2023  
     Bugs: #831190  
       ID: 202310-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in UnZip, the worst of  
which could lead to code execution.

Background  
==========

Info-ZIP’s UnZip is a tool to list and extract files inside PKZIP  
compressed files.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-arch/unzip  < 6.0_p27     >= 6.0_p27

Description  
===========

Multiple vulnerabilities have been discovered in UnZip. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All UnZip users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p27"

References  
==========

[ 1 ] CVE-2022-0529  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0529  
[ 2 ] CVE-2022-0530  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0530

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-17

Red Hat Security Advisory 2023-6156-01 - The components for Red Hat OpenShift support for Windows Containers 8.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6156.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift support for Windows Containers 8.1.0 security updateAdvisory ID:        RHSA-2023:6156-01Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6156Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-2431====================================================================Summary: The components for Red Hat OpenShift support for Windows Containers 8.1.0 are now available.  This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* kubernetes: Bypass of seccomp profile enforcement (CVE-2023-2431)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-2431References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6156-01

A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and

Cloud Security / Cryptocurrency

A new ongoing campaign dubbed **EleKtra-Leak** has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.

"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.

The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023.

A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys.

The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials in what's likely seen as an effort to prevent further analysis.

There is evidence to suggest that the attacker may also have been linked to another cryptojacking campaign disclosed by Intezer in January 2021 aimed at poorly secured Docker services using the same bespoke mining software.

Part of the campaign's success lies in the exploitation of blindspots in GitHub's secret scanning feature and AWS' AWSCompromisedKeyQuarantine policy to flag and prevent the misuse of compromised or exposed IAM credentials to run or start EC2 instances.

While the quarantine policy is applied within two minutes of the AWS credentials being publicly accessible on GitHub, it's being suspected that the keys are being exposed through an as-yet-undetermined method.

Unit 42 said that the "threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy."

In the attack chains discovered by the cybersecurity company, the stolen AWS credentials are used to perform an account reconnaissance operation, followed by creating AWS security groups and launching multiple EC2 instances across various regions from behind a virtual private network (VPN).

The cryptomining operations are conducted on c5a.24xlarge AWS instances owing to their higher processing power, allowing its operators to mine more cryptocurrency in a shorter period of time.

The mining software used to carry out cryptojacking is fetched from a Google Drive URL, highlighting a pattern of malicious actors leveraging the trust associated with widely used applications to fly under the radar.

"The type of Amazon Machine Images (AMI) the threat actor used was also distinctive," the researchers said. "The identified images were private and they were not listed in the AWS Marketplace."

To mitigate such attacks, organizations that accidentally expose AWS IAM credentials are recommended to immediately revoke any API connections using the keys, remove them from the GitHub repository, and audit GitHub repository cloning events for any suspicious operations.

"The threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository," the researchers said. "Despite successful AWS quarantine policies, the campaign maintains continuous fluctuation in the number and frequency of compromised victim accounts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

With the rapid advancement and adoption of artificial intelligence (AI) in cybersecurity, the benefits of speed and accuracy are becoming clearer every day.

In their 1955 proposal for a summer research project on artificial intelligence (AI), researchers at Dartmouth Conference predicted "…every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it." In the decades that followed, AI research continued at what seemed a glacial pace, always promising a breakthrough in the near future — until language tools like ChatGPT finally exploded on the scene.

As we find our footing with AI today, it's clear that we're facing risks as well as benefits. A recent survey of 1,500 IT professionals showed that nearly half (49%) of decision-makers are concerned the new tools will help cybercriminals, but a full 82% said they plan to integrate AI into their security programs over the next two years.

**AI Is the Hero to Embrace, Not the Villain to Defeat**

Rapid advancements in AI since the 1950s set the stage for growth — with no signs of slowing. The global market for AI-based security tools is expected to reach $133 billion by 2030 with more integration and use in daily DevSecOps workflows. As the industry incorporates AI and machine learning (ML) into more processes, we're seeing more and more opportunities to engage AI as a force for good, including the following.

**Faster and More Accurate Configuration for Security Tools**

To be effective, most security technologies today require a lot of manual fine-tuning, often through sophisticated parameter tweaks. Depending on the tool, these can affect what incidents are reported, what vulnerabilities a tool finds, or how issue priorities are determined. All these manual tweaks are time-consuming and can leave you exposed to threats until the right configurations are in place.

That's where machine learning comes to the rescue. In this case, ML can continually optimize parameters, for instance by prioritizing items in a scanning queue to ensure operations run as efficiently as possible. Once they automate these configuration tasks, future cybersecurity teams will spend far less time on tedious manual work.

**Improved Risk Scoring and Threat Intelligence**

Modern scanning tools typically provide a risk assessment once a scan is complete. This shows the various levels of security protection and potential risk across your applications, websites, and networks for a better view of your threat exposure. Different tools will factor in different data, such as the technical severity of vulnerabilities, their potential exploitability, their impact on business if exploited, and their importance for your overall security posture.

While useful, these assessments don't always provide deeper context or guidance, which are necessary for security to keep up with fast-paced software development. In the coming years, security tools will extensively use machine learning for evaluating risk and managing threats. As machine-generated results continue to improve in scope and quality, they will support more accurate, data-based decision making by showing which issues are actionable and in what order they should be addressed to minimize risk.

**Putting a Sharper Edge on Security Testing**

As ChatGPT and similar tools powered by large language models (LLMs) are refined and continue to gain popularity, we can expect easier access to ever more accurate insights. By encouraging engineers and developers to safely use AI and ML in their work, these machine-driven solutions should also provide better and more useful insights over time — even more so when accurate security guidance is included in the mix.

When it comes to security testing, training AI/ML tools to become sharper will further help with fine-tuning static application security testing (SAST) and dynamic application security testing (DAST) tools. Ultimately that means increasing control and precision for scan results, providing reliable intelligence into current and future risks, and improving the efficacy of vulnerability hunting.

**Fewer False Positives for Less Manual Verification**

False positives are a persistent challenge for security and one that frequently translates into hours of manual work checking scan results. As teams spend valuable time verifying reports that should already be as accurate as possible, they can lose confidence in security tools and processes. Fortunately, a recent study by IBM showed that AI can reduce false positives by 65%, freeing resources for activities that add business value.

As the technology progresses, business and operational leaders will have the reliable data they need to confidently make decisions based on accurate AI/ML results. These outputs will harness the power of learning systems to deliver clear and actionable vulnerability reports, allowing DevSecOps teams to focus on what matters most: building and delivering innovative applications.

**Winning the Race to AI Supremacy in Security**

From threat identification to tool configuration, we're already seeing tangible impacts of AI in cybersecurity. Where researchers at the Dartmouth Conference nearly 70 years ago were only speculating, cybersecurity professionals today should look for far more tangible opportunities to incorporate AI and ML into their operations and strategies. If we can realize the potential of existing and emerging tools to continuously improve cybersecurity, AI can truly be one of the good guys.

**About the Author**

    

Frank Catucci is a global application security technical leader with over 20 years of experience designing scalable application security-specific architecture, partnering with cross-functional engineering and product teams. Frank is a past OWASP chapter president and contributor to the OWASP bug bounty initiative and most recently was the Head of Application & Product Security at Data Robot. Prior to that role, Frank was the Sr. Director of Application Security & DevSecOps and Security Researcher at Gartner, and was also the Director of Application Security for Qualys. Outside of work and hacking things, Frank and his wife maintain a family farm. He is an avid outdoors fan and loves all types of fishing, boating, watersports, hiking, camping, and especially dirt bikes and motorcycles.

Getting Smart With Cybersecurity: AI Can Help the Good Guys, Too

By Deeba Ahmed
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. 
This is a post from HackRead.com Read the original post: iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.

Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.

Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs. 

This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution. 

In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.

What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.

The flaw exists in the way the Safari browser handles JavaScript timers. This allows attackers to create malicious JavaScript code and use it to steal sensitive data from the device. The stolen data may include passwords, PII (personal identification information), and credit card numbers. Using this data, attackers can commit crimes like identity theft and fraud.

Researchers noted that iLeakage attacks are currently effective on Apple devices running Safari. However, other platforms or browsers may also be vulnerable. Therefore, it is essential to exercise caution to prevent iLeakage attacks. Always keep your software up-to-date and use a security solution that can detect/block speculative execution attacks.

The findings were disclosed to Apple on 12 September 2022. The company acknowledged this issue, and Apple’s Product Security team and Safari browser development team collaborated with the researchers to develop countermeasures. As a result, Apple refactored Safari’s multi-process architecture. These changes are currently under active development and are available in Safari Technology Preview versions 173 and above.

Apple has released a new inter-process communication API to spawn new processes for pages launched with window.open(). Researchers have confirmed that the patch mitigates iLeakage attacks by preventing the consolidation of domains across security boundaries but it has limitations.

“We have empirically verified that this patch mitigates our attack by preventing the consolidation of domains across security boundaries. This means that while it is still possible to escape the speculative JavaScript sandbox, an attacker will only be able to read their own address space and therefore their own data,” researchers concluded.

The full report can be accessed here (PDF), and there is a dedicated site available to demonstrate the iLeakage attack.

Regarding this research, Lionel Litty, Chief Security Architect at Menlo Security, a Mountain View, Calif.-based provider of browser security stated that this attack shows browsers are the new OS. 

“This attack illustrates how for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”

John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene noted that this attack method is not as significant as is the realization that threats are continually evolving. 

“The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security. Prefetching of information to speed up CPU execution has been around for a while, and equally has been exploited for a while.  This is just a further “tit for tat”, and will be remediated in future CPU development.”

Gallagher, however, claims that in this attack, organizations aren’t at high risk because this attack requires a high degree of sophistication and there aren’t any reports that it has been exploited in the wild. 

“Organizations are not at high risk, given that this attack method requires a high degree of sophistication by the threat actor and has not been seen exploited yet in the wild (or at least not reported).  Organizations concerned (or high-value individual targets) should consider enabling lockdown mode, or using the MacOS (unstable) patch available,” Gallagher stated.

1.  According to Chrome, Safari and FireFox ThePirateBay is a Phishing Site
2.  Hackers Pwned Apple Safari in 20 seconds; Google Pixel in 60 seconds
3.  Bug in Safari browser leaks personal identifiers and browsing activity
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser


When the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.



627 **add bind mount file lock**

已合并

zhongtao:20.03-lts-sp1 src-openEuler:openEuler-20.03-LTS-SP1

 zhongtao 创建于 2023-09-19 15:07

克隆/下载

HTTPS SSH

复制

下载 Email Patch 下载 Diff 文件

add bind mount file lock

相关issue：#I82QEQ:在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

怎样手动合并此 Pull Request

git checkout openEuler-20.03-LTS-SP1

git pull https://gitee.com/taotao-sauce/src-iSulad.git 20.03-lts-sp1

git push origin openEuler-20.03-LTS-SP1

评论 30 提交 1 文件 2 代码问题 0

展开设置 折叠设置

审查

审查人员

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

测试

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

优先级

不指定

严重

主要

次要

不重要

标签

openeuler-cla/yes

ci\_successful

sig/iSulad

关联 Issue

I82QEQ

在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

Pull Request 合并后将关闭上述关联 Issue

里程碑

未关联

参与者 （3）

CVE-2021-33638: add bind mount file lock · Pull Request !627 · src-openEuler/iSulad - Gitee.com

Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature.

From Proxmox VE

Jump to navigation Jump to search

Proxmox VE uses APT as its package management tool like any other Debian-based system.

**Repositories in Proxmox VE**

Repositories are a collection of software packages, they can be used to install new software, but are also important to get new updates.

You need valid Debian and Proxmox repositories to get the latest security updates, bug fixes and new features.

APT Repositories are defined in the file /etc/apt/sources.list and in .list files placed in /etc/apt/sources.list.d/.

**Repository Management**

Since Proxmox VE 7, you can check the repository state in the web interface. The node summary panel shows a high level status overview, while the separate _Repository_ panel shows in-depth status and list of all configured repositories.

Basic repository management, for example, activating or deactivating a repository, is also supported.

**Sources.list**

In a sources.list file, each line defines a package repository. The preferred source must come first. Empty lines are ignored. A # character anywhere on a line marks the remainder of that line as a comment. The available packages from a repository are acquired by running apt-get update. Updates can be installed directly using apt-get, or via the GUI (Node → Updates).

File

/etc/apt/sources.list

deb http://deb.debian.org/debian bookworm main contrib
deb http://deb.debian.org/debian bookworm-updates main contrib

# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib

Proxmox VE provides three different package repositories.

**Proxmox VE Enterprise Repository**

This is the default, stable, and recommended repository, available for all Proxmox VE subscription users. It contains the most stable packages and is suitable for production use. The pve-enterprise repository is enabled by default:

File

/etc/apt/sources.list.d/pve-enterprise.list

deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise

The root@pam user is notified via email about available updates. Click the _Changelog_ button in the GUI to see more details about the selected update.

You need a valid subscription key to access the pve-enterprise repository. Different support levels are available. Further details can be found at https://www.proxmox.com/en/proxmox-ve/pricing.

You can disable this repository by commenting out the above line using a # (at the start of the line). This prevents error messages if your host does not have a subscription key. Please configure the pve-no-subscription repository in that case.

**Proxmox VE No-Subscription Repository**

This is the recommended repository for testing and non-production use. Its packages are not as heavily tested and validated. You don’t need a subscription key to access the pve-no-subscription repository.

We recommend to configure this repository in /etc/apt/sources.list.

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian bookworm main contrib
deb http://ftp.debian.org/debian bookworm-updates main contrib

# Proxmox VE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription

# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib

**Proxmox VE Test Repository**

This repository contains the latest packages and is primarily used by developers to test new features. To configure it, add the following line to /etc/apt/sources.list:

sources.list entry for

pvetest

deb http://download.proxmox.com/debian/pve bookworm pvetest

The pvetest repository should (as the name implies) only be used for testing new features or bug fixes.

**Ceph Quincy Enterprise Repository**

This repository holds the enterprise Proxmox VE Ceph Quincy packages. They are suitable for production. Use this repository if you run the Ceph client or a full Ceph cluster on Proxmox VE.

File

/etc/apt/sources.list.d/ceph.list

deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise

**Ceph Quincy No-Subscription Repository**

This Ceph repository contains the Ceph Quincy packages before they are moved to the enterprise repository and after they where on the test repository.

It’s recommended to use the enterprise repository for production machines.

File

/etc/apt/sources.list.d/ceph.list

deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription

**Ceph Quincy Test Repository**

This Ceph repository contains the Ceph Quincy packages before they are moved to the main repository. It is used to test new Ceph releases on Proxmox VE.

File

/etc/apt/sources.list.d/ceph.list

deb http://download.proxmox.com/debian/ceph-quincy bookworm test

**Older Ceph Repositories**

Proxmox VE 8 doesn’t support Ceph Pacific, Ceph Octopus, or even older releases for hyper-converged setups. For those releases, you need to first upgrade Ceph to a newer release before upgrading to Proxmox VE 8.

**SecureApt**

The _Release_ files in the repositories are signed with GnuPG. APT is using these signatures to verify that all packages are from a trusted source.

If you install Proxmox VE from an official ISO image, the key for verification is already installed.

If you install Proxmox VE on top of Debian, download and install the key with the following commands:

 # wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

Verify the checksum afterwards with the sha512sum CLI tool:

\# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87 /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

or the md5sum CLI tool:

\# md5sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
41558dc019ef90bd0f6067644a51cf5b /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

**Proxmox VE 7.x Repositories**

Proxmox VE 7.x is based on Debian 11.x (“bullseye”). Please note that this release is out of date (see the FAQ support table). Existing installations should be updated. Nevertheless access to these repositories is still provided.

 

Repository

sources.list entry

Proxmox VE 7.x Enterprise

deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise

Proxmox VE 7.x No-Subscription

deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

Proxmox VE 7.x Test

deb http://download.proxmox.com/debian/pve bullseye pvetest

Release key hash sums:

sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa

md5sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
bcc35c7173e0845c0d6ad6470b70f50e

**Outdated: stable Repository pve**

This repository is a leftover to ease the update to 3.1. It will not get any updates after the release of 3.1. Therefore the repository needs to be removed after the upgrade to 3.1.

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian wheezy main contrib

# PVE packages provided by proxmox.com - NO UPDATES after the initial release of 3.1
# deb http://download.proxmox.com/debian wheezy pve

# security updates
deb http://security.debian.org/ wheezy/updates main contrib

**Outdated: Proxmox VE 2.x Repositories**

Proxmox VE 2.x is based on Debian 6.0 (“squeeze”) and outdated. Please upgrade to the latest version as soon as possible. In order to use the stable pve 2.x repository, check your sources.list:

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian squeeze main contrib

# PVE packages provided by proxmox.com
deb http://download.proxmox.com/debian squeeze pve

# security updates
deb http://security.debian.org/ squeeze/updates main contrib

**Outdated: Proxmox VE VE 1.x Repositories**

Proxmox VE 1.x is based on Debian 5.0 (“lenny”) and very outdated. Please upgrade to latest version as soon as possible.

CVE-2023-46854: Package Repositories - Proxmox VE

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

**CVE-2023-35794-WebSSH-Hijacking**

Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

CVE ID: CVE-2023-35794  
Vendor: Cassia Networks  
Product: Access Controller  
Version: Cassia-AC-2.1.1.2303271039

Vulnerability: Incorrect Access Control  
Affected: web ssh, gateways  
Decription: WebSSH session can be hijacked  
Status: Confirmed by vendor, Fixed  
Version Patched: Cassia-AC-2.1.1.2308181707

**Details**

Cassia uses WebSSH2 by billchurch to initiate SSH sessions from AC to Gateways. WebSSH2 Is a web SSH Client which uses ssh2, socket.io, xterm.js, and express. A bare bones example of an HTML5 web-based terminal emulator and SSH client. It uses SSH2 as a client on a host to proxy a Websocket/Socket.io connection to a SSH2 server.

When a session of WebSSH is established with Gateway Device any external user can hijack it without any authentication and authorization.

Session establishment is done via GET request to proper /ap/remote/<mac>?ssh_port=<ac-rev-ssh-port> Gateway then receiving request through MQTT (or CAPWAP) channel and establishes SSH tunnel with local port forwarding to Access Controller. Then Access-Controller binds to the forwarded port with SSH Web Session. The user who invoked the web ssh session is redirected to /ssh/host but the session cookie is not validated. The new WebSSH2 cookie is provided with 401 error.  In fact a user is being asked for providing Basic auth.  Obtained Basic authentication credentials are sent in next requests and potentially consumed by webssh2.bundle.js as credentials used to authenticate to the choosen device.   This allows unathorized to Access Controller portal User to hijack already existing SSH session with only knowing SSH username and password (note that this commonly may be default cassia:cassia-<last-mac-6-digits>).

**Exploitation**

An attacker may use CVE-2023-35793 to trick any athenticated user to initiate a session to any device connected to the AC (note that the user does not need to login into the gateway, the session itself will be initiated with only exploiting CVE-2023-35793 CSRF). Then using this vulnerability and knowing the MAC address an attacker may easily obtain access to the device through WebSSH.

Lets assume an attacker triggered someone and the session is established to the gateway where the default credentials are used.

1.  Attacker just opens the web browser and enters default credentials for known device. 
2.  Attacker knowing which device were triggered provides default credentials (commonly these are not being changed) 
3.  Attacker is authenticated to device LXC container as a user which has root rights by default 

**Remediation**

*   Patch to the highest possible version availaible on Cassia Networks

CVE-2023-35794: GitHub - Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking: Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

For a strategic solution you seek:

*   Cost reduction & risk reduction
*   Efficiency optimisation
*   Embedded regulatory change management
*   Straight through process control
*   Senior management certification obligations
*   Regulatory reporting certainty, globally
*   Machine-readable regulatory reporting readiness

**SaaS**

Reduce your TCO. Let VERMEG handle the IT complexity​

**AGILE MI**

Gain valuable insights from your regulatory data​​

**AGILE Assure**

Bring the DataOps revolution to your regulatory data management ​​

​​

**Digital Transformation**

Extend, customise and innovate with AGILE Design Studio and Veggo ​​

**AGILE Reporter value for our clients**

Calculation & allocation: Comprehensive calculations from Basel III risks to national statistical allocations

Ratios: Credit & Market Risk, Leverage, Liquidity Coverage, Large Exposures, IRFS standard computations, integration of models and own analysis reporting

International reporting: Coverage including EBA & ECB (COREP, AnaCredit etc), and multiple international regulators in EU, UK, US, and MAS, HKMA, APRA and others

Added value: Capital utilisation, CFO & management information, dashboard status, threshold alerts, key performance metrics

Change management: VERMEG regulatory change management includes horizon management, impact analyses, data deltas and reporting update service

Workflow and maximised automation: Validations, variance, trend and other sanity checks achieve optimised straight-through processing

Process control: Enjoy ‘exceptions only’ intervention & instantly traceable attestation & approval audit trail

Sized & delivered to suit you: Choose from enterprise-wide full automation, or local last mile, on premise, in the cloud or Regulatory-Reporting-As-A-Service

Download our brochure about AGILE Reporter (PDF).

Granular Data Reporting – a new paradigm of innovation in regulatory reporting or just new challenges?

**Download the Whitepaper**

**Client stories**

**Client 1  
Tier 1 Domestic Bank**

**Challenge**

*   To find a Regulatory Reporting solution capable of integrating with external calculation and processing capabilities
*   To reduce operational risk
*   To increase reporting consistency and transparency
*   To facilitate accelerated regulatory change management

**Client 2  
Neobank growing from start-up**

**Challenge**

*   To find a partner for its Finance team to assist with regulatory reporting requirements in the immediate term and the future as the organisation evolves and scales to a fully fledged bank.
*   The need for a solution/system that minimises the resource requirements of bank’s teams in the areas of Solution Delivery
*   To find a vendor to provide not just a solution but also subject matter expertise to complement the in house team, and to ensure all new regulatory reporting requirements can be met.

**Solution**

*   Provision of AGILE Reporter’s out of the box integration to Oracle’s OFSAA (Oracle Financial Services Analytical Applications) platform.
*   Improved Straight Through Processing (STP) achieved from direct coupling of outputs from OFSAA Results data to AGILE Reporter.
*   VERMEG Subject Matter Expertise around the interpretation of client requirements and business for reporting purposes and the delivery of the operational process to fulfil these.
*   Ability to incorporate data from sources outside of OFSAA into regulatory reporting workflow to ensure completeness of automated reporting coverage.

**Solution**

*   Full scope automated AGILE Reporter deployment
*   VERMEG regulatory expertise to provide guidance on current and future regulatory requirements
*   Analysis Module to facilitate Bank scrutiny of Regulatory Data
*   Hosted on VERMEG cloud platform (Amazon Web Services)

**Results**

*   Streamlined overall Regulatory Reporting workflow while minimising manual intervention in the process
*   Increased accuracy of reporting results through use of the consolidated platform
*   Transparency of process by providing lineage of reporting data from source to regulatory return

**Results**

*   Automated, end-to-end solution providing population of regulatory returns from source data without manual intervention or work arounds
*   Flexible data mapping that meets the needs of a growing business and an evolving IT Architecture
*   Consistent data lineage from source through to final returns
*   Comprehensive validation checks ensure integrity of regulator submissions
*   Cloud solution minimises burden on Bank’s technical resources with regard to both delivery and ongoing maintenance

****Awards & Certifications****

**VEREMG is delighted to share that we were recently awarded ‘Best Vendor Solution for APRA APS 220′ AND ‘Best MAS 610 Solution’ by the RegTech Insight APAC Awards 2022 for our AGILE Reporter solution.**

Read More

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Tag

#mac