Incorrect access control in the install directory (C:\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.

**Incorrect default permission of RailsInstaller dir****Basic Info**

Description：The default install dir of RailsInstaller is C:\RailsInstaller, howerver, the permission of C:\RailsInstaller is inherited from C:, so all Users in Authenticated Users group have write permission of C:\RailsInstaller and files in it.

Vuln Type: CWE-276

Vuln influence: arbitrary code execution

Download:https://railsinstaller.org/

Vuln Version: 3.4.0 and below

**Vuln Analyse**

The default install dir of RailsInstaller is C:\RailsInstaller

howerver, the permission of C:\RailsInstaller is inherited from C:\.

All Users in Authenticated Users group have write permission of C:\RailsInstaller and files in it.

So an attacker with low privilege can hijack binary like ruby.exe to execute arbitrary code when administrator or other users use ruby installed by RailsInstaller

CVE-2022-36563: Vuln/Railsinstaller-Vuln.md at main · ycdxsb/Vuln

Incorrect access control in the install directory (C:\Ruby31-x64) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.

main

Switch branches/tags

Vuln/**RubyInstaller2-Vuln**/

Go to file

Vuln/**RubyInstaller2-Vuln**/

**Latest commit**

ycdxsb update

1058e3b

Jul 23, 2022

update

1058e3b

**Git stats**

*   **History**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

. .

pic

update

Jul 23, 2022

RubyInstaller2-Vuln.md

update

Jul 23, 2022

CVE-2022-36562: Vuln/RubyInstaller2-Vuln at main · ycdxsb/Vuln

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following the footsteps of NPM and PyPI.
To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022.

"Users in this category who do not

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following the footsteps of NPM and PyPI.

To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022.

"Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA," RubyGems noted.

What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory.

The development is seen as an attempt by package ecosystems to bolster the software supply chain and prevent account takeover attacks, which could enable malicious actors to leverage the access to push rogue packages to downstream customers.

The new requirement also comes in the backdrop of adversaries increasingly setting their sights on open source code repositories, with attacks on NPM and PyPI snowballing by 289% combined since 2018, according to a new analysis from ReversingLabs.

In what has by now become a recurring theme, researchers from Checkmarx, Kaspersky, and Snyk uncovered a slew of malicious packages in PyPI that could be abused to conduct DDoS attacks and harvest browser passwords as well as Discord and Roblox credential and payment information.

This is just one of a seemingly endless stream of malware specifically tailored to infect developer's systems with information stealers, potentially enabling the threat actors to identify suitable pivoting points in the compromised environments and deepen their intrusions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers

Gentoo Linux Security Advisory 202208-29 - Multiple vulnerabilities have been discovered in Nokogiri, the worst of which could result in denial of service. Versions less than 1.13.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-29  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Nokogiri: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #846623, #837902, #762685  
       ID: 202208-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Nokogiri, the worst of  
which could result in denial of service.

Background  
=========  
Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-ruby/nokogiri          < 1.13.6                    >= 1.13.6

Description  
==========  
Multiple vulnerabilities have been discovered in Nokogiri. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Nokogiri users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-ruby/nokogiri-1.13.6"

References  
=========  
[ 1 ] CVE-2020-26247  
      https://nvd.nist.gov/vuln/detail/CVE-2020-26247  
[ 2 ] CVE-2022-24836  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24836  
[ 3 ] CVE-2022-29181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29181

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-29

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-29

Gentoo Linux Security Advisory 202208-28 - Multiple vulnerabilities have been discovered in Puma, the worst of which could result in denial of service. Versions less than 5.6.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Puma: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #794034, #817893, #833155, #836431  
       ID: 202208-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Puma, the worst of  
which could result in denial of service.

Background  
=========  
Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server  
for Ruby/Rack.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-servers/puma           < 5.6.4                      >= 5.6.4

Description  
==========  
Multiple vulnerabilities have been discovered in Puma. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Puma users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/puma-5.6.4"

References  
=========  
[ 1 ] CVE-2021-29509  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29509  
[ 2 ] CVE-2021-41136  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41136  
[ 3 ] CVE-2022-23634  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23634  
[ 4 ] CVE-2022-24790  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24790

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-28

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-28

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

**August 9, 2022**

The Arvados team is pleased to announce Arvados 2.4.2.

This release includes a critical security update to address vulnerability GHSL-2022-063, described below. We strongly recommend that _all_ installations of Arvados, especially those accessible via the public Internet, upgrade to 2.4.2 as soon as possible. See Upgrading Arvados for upgrade instructions.

In addition, this release includes several performance improvements, usability improvements, and bug fixes.

**Security updates****GHSL-2022-063**

GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

This vulnerability is fixed in 2.4.2 (#19316)

It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.

This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack.

**CVE-2022-31163 and CVE-2022-32224**

As a precaution, Arvados 2.4.2 has includes security updates for Ruby on Rails and the TZInfo Ruby gem. However, there are no known exploits in Arvados based on these CVEs.

**New Features**

#18984

The “Type” column filters in the Workbench 2 Projects view are now expanded by default, and intermediate workflow steps are now hidden by default.

#18203

In Workbench 2, after adding a metadata element to a Project or Collection, the “key” is not cleared and focus remains on the “value” field, making it easier to enter multiple values for the same key.

#19177

There is now a configuration option for admins to disable the user interface for the “sharing link” feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.

#18975

Workflow logs on Workbench 2 now show “Main logs” by default, which is a combination of the crunch-run, stdout and stderr logs. Following scrolling has also been improved.

#16070

Workbench 2 now features a new panel showing the command line used to invoke a workflow or workflow step.

#19231

Workbench 2 now has options for smaller page sizes (10 and 20 items) to speed up loading project contents.

#19282 #19220

Added new method to the Java SDK to upload files via Keep Web API. The Java SDK uses config parameter to fetch api token in KeepClient.

**Bug Fixes**

#19192

Fixed an internal, silent failure in keep-web that would prevent use of the manifest cache after keep-web was running for a while, resulting in poor performance accessing files in Keep via HTTP, WebDAV and S3 APIs until the service was restarted. keep-web now correctly uses the cache and maintains consistent performance.

#19153

In the Workbench 2 collection file browser, following the URL resulting from “Copy to clipboard” will now open the file content in the browser, instead of forcing a file download.

#19297

Workbench 2 advanced search by metadata property now works as intended, instead of returning an error.

#19305

When using the “breadcrumbs bar” to edit Project properties, the existing metadata properties are now loaded correctly.

#19296

Fixed Python SDK bug in Collection.remove where the recursive flag was not propagated, preventing removal of more than one level of directories. Recursively removing deep directory trees in Collections now works as intended.

#18965

When navigating to destination on Workbench 2 but not logged in, the user is redirected to a login page, and after logging in, now correctly navigated back to the page they intended to visit.

#19142

Workbench 2 “All processes” and “Subprocesses” panels now load faster by limiting which fields of the container record are requested.

#19321

When launching a workflow on Workbench 1, workflow inputs with “enum” type are now displayed and set correctly.

#19280

When submitting very large workflows with arvados-cwl-runner, particularly those defined entirely in a single file, the time spent in initialization (before the first workflow step is submitted) has been greatly reduced.

CVE-2022-36006: Arvados 2.4.2 Release Notes

Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses `Arel` instead to construct the resulting sql statement, with sanitized sql.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-35956

**update\_by\_case before 0.1.3 can be vulnerable to sql injection**

**Package**

bundler update\_by\_case (RubyGems)

**Affected versions**

< 0.1.3

**Description**

Before version 0.1.3 update_by_case gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses Arel instead to construct the resulting sql statement, with sanitized sql.

**References**

*   GHSA-33wh-w4m7-c6r8

**Weaknesses**

**GHSA ID**

GHSA-33wh-w4m7-c6r8

**Source code**

GHSA-33wh-w4m7-c6r8: update_by_case before 0.1.3 can be vulnerable to sql injection

wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.

Note:  
\*\* Future releases of wolfSSL will turn off TLS 1.1 by default  
\*\* Release 5.4.0 made SP math the default math implementation. To make an equivalent build as –disable-fastmath from previous versions of wolfSSL, now requires using the configure option –enable-heapmath instead.

Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:

**Vulnerabilities**

*   \[High\] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the return-routability check is wrongly skipped in a specific edge case. The check on the return-routability is there for stopping attacks that either consume excessive resources on the server, or try to use the server as an amplifier sending an excessive amount of messages to a victim IP. If using DTLS 1.0/1.2 on the server side users should update to avoid the potential DoS attack. CVE-2022-34293
*   \[Medium\] Ciphertext side channel attack on ECC and DH operations. Users on systems where rogue agents can monitor memory use should update the version of wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern University of Science and Technology (SUSTech) for the report.
*   \[Medium\] Public disclosure of a side channel vulnerability that has been fixed since wolfSSL version 5.1.0. When running on AMD there is the potential to leak private key information with ECDSA operations due to a ciphertext side channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less than 5.1.0 should update their wolfSSL version used. Thanks to professor Yinqian Zhang from Southern University of Science and Technology (SUSTech), his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S students Sen Deng and Yining Tang from SUStech along with other collaborators; Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University of Lubeck, Professor Shuai Wang from Hong Kong University of Science and Technology, Professor Radu Teodorescu from The Ohio State University, Huibo Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from Ant Financial Services Group.  
    CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013 CVE-2021-46744 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

**New Feature Additions****DTLS 1.3**

*   Support for using the new DTLSv1.3 protocol was added
*   Enhancements to bundled examples for an event driven server with DTLS 1.3 was added

**Ports**

*   Update for the version of VxWorks supported, adding in support for version 6.x
*   Support for new DPP and EAP-TEAP/EAP-FAST in wpa\_supplicant
*   Update for TSIP version support, adding support for version 1.15 for RX65N and RX72N
*   Improved TSIP build to handle having the options WOLFSSL\_AEAD\_ONLY defined or NO\_AES\_CBC defined
*   Added support for offloading TLS1.3 operations to Renesas RX boards with TSIP

**Misc.**

*   Constant time improvements due to development of new constant time tests
*   Initial translation of API headers to Japanese and expansion of Japanese help message support in example applications
*   Add support for some FPKI (Federal PKI) certificate cases, UUID, FASC-N, PIV extension for use with smart cards
*   Add support for parsing additional CSR attributes such as unstructured name and content type
*   Add support for Linux getrandom() when defining the macro WOLFSSL\_GETRANDOM
*   Add TLS 1.2 ciphersuite ECDHE\_PSK\_WITH\_AES\_128\_GCM\_SHA256 from RFC 8442
*   Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
*   Enhanced glitching protection by hardening the TLS encrypt operations

**Math and Performance****SP Math Additions**

*   Support for ARMv3, ARMv6 and ARMv7a
    *   Changes and improvements to get SP building for armv7-a
    *   Updated assembly for moving large immediate values on ARMv6
    *   Support for architectures with no ldrd/strd and clz
*   Reworked generation using common asm ruby code for 32bit ARM
*   Enable wolfSSL SP math all by default (sp\_int.c)
*   Update SP math all to not use sp\_int\_word when SQR\_MUL\_ASM is available

**SP Math Fixes**

*   Fixes for constant time with div function
*   Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
*   Fix for div\_word when not using div function
*   Fixes for user settings with SP ASM and ED/Curve25519 small
*   Additional Wycheproof tests ran and fixes
*   Fix for SP math ECC non-blocking to always check hashLen
*   Fix for SP math handling edge case with submod

**Improvements and Optimizations****Compatibility Layer**

*   Provide access to "Finished" messages outside of compatibility layer builds
*   Remove unneeded FIPS guard on wolfSSL\_EVP\_PKEY\_derive
*   Fix control command issues with AES-GCM, control command EVP\_CTRL\_GCM\_IV\_GEN
*   Add support for importing private only EC key to a WOLFSSL\_EVP\_PKEY struct
*   Add support for more extensions to wolfSSL\_X509\_print\_ex
*   Update for internal to DER (i2d) AIPs to move the buffer pointer when passed in and the operation is successful
*   Return subject and issuer X509\_NAME object even when not set

**Ports**

*   Renesas RA6M4 example update and fixes
*   Support multi-threaded use cases with Renesas SCE protected mode and TSIP
*   Add a global variable for heap-hint for use with TSIP
*   Changes to support v5.3.0 cube pack for STM32
*   Use the correct mutex type for embOS
*   ESP-IDF build cleanup and enhancements, adding in note regarding ESP-IDF Version
*   Support for SEGGER embOS and emNET
*   Fix to handle WOLFSSL\_DTLS macro in Micrium build

**Build Options**

*   Support for verify only and no-PSS builds updated
*   Add the enable options wolfssh (mapped to the existing –enable-ssh)
*   Remove WOLFSSL\_ALT\_NAMES restriction on notBefore/notAfter use in Cert struct
*   Move several more definitions outside the BUILDING\_WOLFSSL gate with linux kernel module build
*   Modify --enable-openssh to not enable non-FIPS algos for FIPS builds
*   Remove the Python wrappers from wolfSSL source (use pip install instead of using wolfSSL with Python and our separate Python repository)
*   Add --enable-openldap option to configure.ac for building the OpenLDAP port
*   Resolve DTLS build to handle not having –enable-hrrcookie when not needed
*   Add an --enable-strongswan option to configure.ac for building the Strongswan port
*   Improve defaults for 64-bit BSDs in configure
*   Crypto only build can now be used openssl extra
*   Update ASN template build to properly handle WOLFSSL\_CERT\_EXT and HAVE\_OID\_ENCODING
*   Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary
*   Add the build option --enable-dh=const which replaces setting the macro WOLFSSL\_DH\_CONST and now conditionally link to -lm as needed
*   Add the macro WOLFSSL\_HOSTNAME\_VERIFY\_ALT\_NAME\_ONLY which is used to verify hostname/ip address using alternate name (SAN) only and does not use the common name
*   WOLFSSL\_DTLS\_NO\_HVR\_ON\_RESUME macro added (off by default to favor more security). If defined, a DTLS server will not do a cookie exchange on successful client resumption: the resumption will be faster (one RTT less) and will consume less bandwidth (one ClientHello and one HelloVerifyRequest less). On the other hand, if a valid SessionID is collected, forged clientHello messages will consume resources on the server.
*   Misc.
*   Refactoring of some internal TLS functions to reduce the memory usage
*   Make old less secure TimingPadVerify implementation available
*   Add support for aligned data with clang LLVM
*   Remove subject/issuer email from the list of alt. Email names in the DecodedCerts struct
*   Zeroizing of pre-master secret buffer in TLS 1.3
*   Update to allow TLS 1.3 application server to send session ticket
*   Improve the sniffer asynchronous test case to support multiple concurrent streams
*   Clean up wolfSSL\_clear() and add more logging
*   Update to not error out on bad CRL next date if using NO\_VERIFY when parsing
*   Add an example C# PSK client
*   Add ESP-IDF WOLFSSL\_ESP8266 setting for ESP8266 devices
*   Support longer sigalg list for post quantum use cases and inter-op with OQS's OpenSSL fork
*   Improve AES-GCM word implementation of GMULT to be constant time
*   Additional sanity check with Ed25519/Ed448, now defaults to assume public key is not trusted
*   Support PSK ciphersuites in benchmark apps
*   FIPS in core hash using SHA2-256 and SHA2-384
*   Add ability to store issuer name components when parsing a certificate
*   Make the critical extension flags in DecodedCert always available
*   Updates to the default values for basic constraint with X509’s
*   Support using RSA OAEP with no malloc and add additional sanity checks
*   Leverage async code paths to support WANT\_WRITE while sending packet fragments
*   New azsphere example for continuous integration testing
*   Update RSA key generation function to handle pairwise consistency tests with static memory pools used
*   Resolve build time warning by passing in and checking output length with internal SetCurve function
*   Support DTLS bidirectional shutdown in the examples
*   Improve DTLS version negotiation and downgrade capability

**General Fixes**

*   Fixes for STM32 Hash/PKA, add some missing mutex frees, and add an additional benchmark
*   Fix missing return checks in KSDK ED25519 code
*   Fix compilation warnings from IAR
*   Fixes for STM32U5/H7 hash/crypto support
*   Fix for using track memory feature with FreeRTOS
*   Fixup XSTR processing for MICRIUM
*   Update Zephyr fs.h path
*   DTLS fixes with WANT\_WRITE simulations
*   Fixes for BER use with PKCS7 to have additional sanity checks and guards on edge cases
*   Fix to handle exceptional edge case with TFM mp\_exptmod\_ex
*   Fix for stack and heap measurements of a 32-bit build
*   Fix to allow enabling AES key wrap (direct) with KCAPI
*   Fix --enable-openssh FIPS detection syntax in configure.ac
*   Fix to move wolfSSL\_ERR\_clear\_error outside gate for OPENSSL\_EXTRA
*   Remove MCAPI project's dependency on zlib version
*   Only use \_\_builtin\_offset on supported GCC versions (4+)
*   Fix for c89 builds with using WOLF\_C89
*   Fix 64bit postfix for constants building with powerpc
*   Fixed async Sniffer with TLS v1.3, async removal of WC_HW_WAIT_E and sanitize leak
*   Fix for QAT ECC to gate use of HW based on marker
*   Fix the supported version extension to always check minDowngrade
*   Fix for TLS v1.1 length sanity check for large messages
*   Fixes for loading a long DER/ASN.1 certificate chain
*   Fix to expose the RSA public DER export functions with certgen
*   Fixes for building with small version of SHA3
*   Fix configure with WOLFSSL\_WPAS\_SMALL
*   Fix to free PKCS7 recipient list in error cases
*   Sanity check to confirm ssl->hsHashes is not NULL before attempting to dereference it
*   Clear the leftover byte count in Aes struct when setting IV

For additional vulnerability information visit the vulnerability page at:  
https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.  
More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html

CVE-2022-34293: Release wolfSSL Release 5.4.0 (July 11, 2022) · wolfSSL/wolfssl

Pwn stars

Hacker Summer Camp is only days away, so in order to whet your appetite, The Daily Swig has compiled a list of some of the best talks of years past.

Over the years there’s been thrills, spills, and (of course) ‘sploits, as the top researchers in the security world have descended on Las Vegas for Black Hat USA and DEF CON – a security double bill that’s hard to beat.

This year’s Black Hat – which is again taking place as a hybrid event – and DEF CON offerings are sure to add to the already impressive roster of ground-breaking talks from years gone by.

Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the single most important event in the infosec calendar.

Without further ado (and in no particular order) here are our top picks from past Black Hat and DEF CON events…

**Panic in the Cisco**

Michael Lunn’s 2005 talk on the security shortcomings of Cisco’s networking technology was important not only because of the potential impact of his discovery, but because it served as an example of an attempt to suppress security research.

Lunn resigned from his employment with Internet Security Systems in order to deliver a talk on a critical vulnerability in router technology from Cisco.

The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding any details. Cisco issued a security fix to its firmware prior to the talk, but not many organizations had applied it by the time it rolled around.

Cisco initially gave the go-ahead for the talk but had second thoughts with the event imminent. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted his decision to resign in order to present his findings.

**Cache from chaos**

Dan Kaminsky’s reveal of a cache poisoning flaw affecting the software of multiple DNS vendors back in 2008 remains a landmark event in networking security.

The security researcher worked with DNS vendors for months to fix the critical vulnerability before laying the problem bare during Black Hat 2008.

It remains a testament to the late security researcher, who sadly passed away in April 2021, prompting an outpouring of tributes to a true infosec great characterized by “kindness, boundless energy, and positivity”.

**Hitting the Jackpot**

Barnaby Jack’s live hack demo on an ATM set the benchmark for spectacular hacks and cutting-edge security research. Jackpotting – as the attack later became known – involved a targeted assault on the software running on ATMs.

The end result involved injecting malware into the operating system of cash dispensing machines, causing them to dish out bank notes fraudulently. Either exploitable vulnerabilities in an ATM’s remote management system or unauthorised physical access to a machine (perhaps facilitated by a corrupt insider) might be used to carry out an attack.

Prior to Jack’s research, embedded systems such as ATMs were widely (but incorrectly) thought to be beyond the scope of potential hack attacks. The research paved the road to follow-up studies into the security of medical devices such as pacemakers and insulin pumps.

**Up in the air**

Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue during Black Hat 2012. Costin’s talk focused on security aspects of ADS-B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.

The presentation looked at ADS-B (in)security from a practical perspective, presenting the “feasibility and techniques of how potential attackers could play with generated/injected air traffic, and as such potentially opening new attack surface” into air traffic control systems.

**Don’t look up**

Shifting the focus from airborne planes to satellites in orbit, a well-received 2014 talk by Ruben Santamarta reviewed the security of satellite communication terminals.

IOActive found that all the devices they accessed were potentially open to abuse. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products,” IOActive warned at the time. “In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”

**Policy forum**

Black Hat and DEF CON have never been the forum for technical discussions and hacking demos alone. Policy issues are often in play too, as evidenced by talks from the likes of Dan Geer and Jennifer Granick.

Geer, CISO for In-Q-Tel, a not-for-profit venture capitalist firm that looks for tech that supports the US intelligence community, spoke about cyberspace as a domain for conflict between nations and on power politics in 2014.

Granick, director of civil liberties at the Stanford Center for Internet and Society, looked forward to the next phases of the development of the internet in 2015.

More recently Parisa Tabriz, director of engineering at Google, used her 2018 Black Hat keynote to give a practical perspective on secure development. And last year Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), outlined how hackers, the government, and the private sector can work together to confront cyber threats.

**Kettle reinvents HTTP request smuggling**

PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.

Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70K in bug bounties.

The hack relied in exploiting flaws in how web systems pass web-based requests between front end and back end system, as explained in a Daily Swig article published at the time of the talk.

**A new era in SSRF**

Noted web security researcher Orange Tsai used a 2017 Black Hat talk to outline an exploit technique variant that might be harnessed to bypass server-side request forgery (SSRF) protections.

The technique relied on fuzzing to unearth previously undiscovered vulnerabilities in the libraries of programming languages including Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL.

The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Flaws in web applications such as WordPress, vBulletin, MyBB, and GitHub have also been uncovered using the same approach, the security researcher told Black Hat USA attended in 2017.

**Hasta la Vista**

Polish security researcher Joanna Rutkowska became well known in the security community following her demonstration of an attack against Windows Vista’s kernel protection mechanism at Black Hat USA 2006.

During the same presentation, she also demonstrated a technique called ‘Blue Pill’ that involved hacking the operation of a virtual machine to plant stealthy malware.

**Gone in 40ms**

Hacking took to the roads in 2015 after security researchers Charlie Millar and Chris Valasek demonstrated how to launch a remote cyber-attack against an unaltered factory vehicle.

The security researchers hacked into a Jeep Cherokee through a mobile connection to its entertainment system via a technique that allowed them to send messages on the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering, and acceleration of the car.

That’s our round-up of the best-ever talks at Hacker Summer Camp – but what are your picks?

Have we failed to mention any unmissable talks? What are your favourite hacks? Let us know on Twitter at @DailySwig.

You can also watch more talks from previous Hacker Summer Camps on YouTube, ranked by numbers of views, via the DEF CON and Black Hat archives.  

YOU MAY ALSO LIKE ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

The best Black Hat and DEF CON talks of all time

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**oss-sec mailing list archives**

_From_: Tute Costa <tute () thoughtbot com>  
_Date_: Fri, 1 Apr 2016 13:42:37 -0400  

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
autorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

\`Administrate::ApplicationController\` actions didn't have CSRF
protection. Remote attackers can hijack user's sessions and use any
functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate version at least to 0.1.5.

Workarounds
-----------

You can reopen Administrate's \`ApplicationController\` to add CSRF
protection to your application:

\`\`\`ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect\_from\_forgery with: :exception
  end
end
\`\`\`

Credits
-------
Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.

**Current thread:**

*   **Cross-site request forgery (CSRF) vulnerability in administrate gem** _Tute Costa (Apr 01)_

Tag

#ruby