Sitefinity version 15.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)# Date: 2023-12-05# Exploit Author: Aldi Saputra Wahyudi# Vendor Homepage: https://www.progress.com/sitefinity-cms# Version: < 15.0.0# Tested on: Windows/Linux# CVE : CVE-2023-27636# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor# Steps To Reproduce:Attacker as lower privilegeVictim as Higher privilege1. Login as an Attacker2. Go to the function using the SF Editor, go to the news page as example3. Create or Edit news item4. On the content form, insert the XSS payload as HTML5. After the payload is inserted, click on the content form (just click) and publish or save6. If the victim visits the page with XSS payload, XSS will be triggeredPayload: <noalert><iframe src="javascript:alert(document.domain);">

Sitefinity 15.0 Cross Site Scripting

Red Hat Security Advisory 2024-3530-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3530.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel-rt security and bug fix updateAdvisory ID:        RHSA-2024:3530-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3530Issue date:         2024-05-31Revision:           03CVE Names:          CVE-2023-52578====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)Bug Fix(es):* kernel-rt: update RT source tree to the latest RHEL-8.4.z Batch 25 (JIRA:RHEL-36724)* [RHEL-8.4] kernel-rt-debug: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:968 (JIRA:RHEL-8758)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52578References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262126https://bugzilla.redhat.com/show_bug.cgi?id=2267758

Red Hat Security Advisory 2024-3530-03

Red Hat Security Advisory 2024-3529-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3529.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2024:3529-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3529Issue date:         2024-05-31Revision:           03CVE Names:          CVE-2023-52578====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52578References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262126https://bugzilla.redhat.com/show_bug.cgi?id=2267758

Red Hat Security Advisory 2024-3529-03

Donald Trump has vowed to go after political enemies, undocumented immigrants, and others if he wins. Experts warn he could easily turn the surveillance state against his targets.

Every president of the United States has within their grasp the power of a vast surveillance state that has grown significantly over the past few decades and has beaten back any real effort to rein it in. Through America’s numerous enigmatic intelligence agencies, presidents possess the ability to dive deeply into the communications, movements, and relationships of everyday Americans. Presidents of both parties have abused the surveillance state, but under a second Trump administration, this power could be abused in ways it has never been before.

Donald Trump, a now convicted felon and the presumptive 2024 Republican presidential nominee, has said he plans to prosecute his political opponents should he return to the White House. He’s said he would allow states to monitor pregnant women and prosecute those who seek abortions. Trump wants to deport millions of undocumented immigrants. He plans to invoke the Insurrection Act to quell civil unrest, which means sending the military into the streets. The much publicized Project 2025 outlines how he would quickly replace thousands of career civil servants in the federal government with loyalists.

If a president was interested in prosecuting their political opponents, crushing protests, targeting undocumented immigrants, and had the right people in place to help them carry out those plans, surveillance could become a valuable tool for accomplishing those goals. Like former US president Richard Nixon in the late 1960s and early 1970s, Trump could use the surveillance powers available to him to monitor his political opponents, disrupt protest movements, and more.

Nixon and former FBI director J. Edgar Hoover famously surveilled the president’s political opponents and activists, including Martin Luther King Jr., through a program called COINTELPRO. One of the main goals of the program was to “expose, disrupt, misdirect, discredit, or otherwise neutralize” civil rights groups.

If he so desired, Trump could create his own version of this program, but he’d be working with much more advanced technology—and it’d be in a time when there are countless data points available on every American. Hoover could have only dreamed of a world where everyone was walking around with tracking devices.

“So much of what we depend on, in terms of the rule of law, depends on norms. When those norms are ignored, that’s when things start to fall apart,” says Jeffrey L. Vagle, an assistant professor of law at Georgia State University. “Some of the norms, like prosecutorial discretion, might be eroded or disappear entirely. That could mean a number of things in terms of surveillance.”

Vagle says that if a second Trump administration wanted to defend its abuse of surveillance powers, it could stretch the use of national security as a justification for doing so. He says presidents have done this in the past in other ways.

“Administrations from both parties have invoked the term ‘national security’ and have used national security loopholes to justify surveillance and profiling,” says Patrick Toomey, deputy director of the American Civil Liberties Union’s National Security Project. “They have too often used national security as a pretext for law enforcement to target Muslims, communities of color, and immigrants.”

Toomey says Trump has sent “mixed signals” when it comes to how he feels about surveillance, but he’s made it clear he plans to target his political opponents in various ways if he’s elected again.

“A second Trump administration could be disastrous for many of our most fundamental freedoms,” Toomey says.

The administration may not even need to come up with a justification for surveilling Americans without a warrant, because it could simply purchase scores of people's personal data. The federal government has been known to purchase data from private brokers in the past, and doing so doesn’t require a warrant.

“We are just awash in data, and data brokers can just collect and sell these data,” Vagle says. “Law enforcement or quasi-law enforcement can collect that information.”

Surveillance can be done in secret so that the people being surveilled don’t realize they’re being surveilled, or it can be done openly as a way to stifle free expression, Vagle says. The government might tell you they’re keeping an eye on people, and then you might be less likely to speak out.

“If you think you’re being watched, you act differently,” Vagle says. “You could see a Trump version of COINTELPRO—only maybe not so covert. They might be more open about it with the idea that it might chill speech.”

As for the abortion issue, some of what may occur will depend on the future legal status of abortion, which could involve a US Supreme Court decision or congressional action. A major change in its legal status would likely affect how the federal government approaches the issue. If it remains a state issue, the federal government wouldn’t typically get involved in how a state is implementing a law it’s passed, but that’s not to say it couldn’t. If a state wanted help tracking people who are crossing state lines for abortions, for example, the federal government could conceivably assist with that.

“The federal government is not in the business of enforcing state laws, but there are a lot of what-ifs. How crazy might a Trump administration be willing to be?” Vagle says.

Whether it’s monitoring political opponents, activists, immigrants, or pregnant people, there are many ways in which a second Trump administration could utilize surveillance powers to exert more control over the populace. If the FBI and the Department of Justice are staffed with people who won’t push back when Trump orders them to do things that might be legally or morally questionable, they may carry out his wishes, and Americans may discover how much their privacy rights have eroded over the years.

“One of the things about Project 2025 is that it’s clear that the Trump camp, and more broadly the Republican Party that’s behind Trump, want to make it a more organized presidency than his first presidency was,” Vagle says. “It would be very unsurprising if the Department of Justice and the FBI dismissed anyone if they even had a whiff of disloyalty.”

How Donald Trump Could Weaponize US Surveillance in a Second Term

In seemingly the first case of its kind, the US Justice Department has charged a Chinese national with using a drone to photograph a Virginia shipyard where the US Navy was assembling nuclear submarines.

The United States Department of Justice is quietly prosecuting a novel Espionage Act case involving a drone, a Chinese national, and classified nuclear submarines.

The case is such a rarity that it appears to be the first known prosecution under a World War II–era law that bans photographing vital military installations using aircraft, showing how new technologies are leading to fresh national security and First Amendment issues.

“This is definitely not something that the law has addressed to any significant degree,” Emily Berman, a law professor at the University of Houston who specializes in national security, tells WIRED. “There’s definitely no reported cases.”

On January 5, 2024, Fengyun Shi flew to Virginia while on leave from his graduate studies at the University of Minnesota and rented a Tesla at the airport. His research focused on using AI to detect signs of crop disease in photos. Shi’s subject that week wasn’t plants, however, but allegedly the local shipyards—the only ones manufacturing the latest generation of Navy carrier ships in the country, and nuclear submarines as well.

According to an affidavit filed by FBI special agent Sara Shalowitz in February, a shipyard security officer alerted the Naval Criminal Investigative Service to Shi’s actions. The affidavit alleges that on January 6, Shi was flying a drone in “inclement weather” before it got stuck in a neighbor’s tree. When Shi, who is a Chinese citizen, approached the neighbor for help, he was questioned about his nationality and purpose for being in the area. The unnamed resident took photos of Shi, his license plate, and his ID, and called the police. The affidavit alleges that Shi was “very nervous” when questioned by police and “did not have any real reasons” for flying a drone in bad weather. The police gave Shi the number for the fire department and said he would need to stay on the scene. Instead, he returned the rental car an hour later and left Hampton Roads, Virginia, abandoning the drone.

When the FBI seized the drone and pulled the photos off its memory card, they discovered images that special agent Shalowitz said she recognized as being taken at Newport News Shipyard and BAE Systems, which is a 45-minute drive away. The affidavit states that on the day Shi took the photos, the Newport News Shipyard was “actively manufacturing” aircraft carriers and Virginia class nuclear submarines.

“Naval aircraft carriers have classified and sensitive systems throughout the carriers,” the affidavit states. “The nuclear submarines present on that date also have highly classified and sensitive Navy Nuclear Propulsion Information (‘NNPI’) and those submarines even in the design and construction phase are sensitive and classified.”

The DOJ is charging Shi with six Espionage Act misdemeanors under two statutes: one banning photographing a vital military installation and one banning the use of an aircraft to do so. Each misdemeanor can result in up to a year in prison upon conviction. While he awaits trial, Shi is restricted to living in Virginia under probation. He was forced to surrender his passport. According to court filings, he appears to require a translator.

Shi’s case, filed in federal court in Virginia’s Eastern District, was first spotted by Court Watch in February. Its rarity became apparent in March, after prosecutors filed a motion for a time extension. The judge agreed, writing that it was justified because the case is “so unusual due to the nature of the prosecution and the novel questions of both law and fact.”

Indeed, Shi is being charged “under two statutes which have been rarely prosecuted” to the degree that “the Court has been able to only find one reported case,” the judge wrote. That case, _Genovese v. Town of Southampton,_ centered on just one of the two statutes Shi is being charged under—photographing a military installation, without an aircraft.

The DOJ declined to comment when WIRED posed questions about Shi’s case, including whether the Chinese government is being engaged on the issue.

According to a filing from US prosecutors, both parties wish to end the case in a plea agreement. Shi’s attorney did not respond to multiple requests for comment.

WIRED found multiple social media accounts connected to Shi. He appears to have a small online footprint and few interactions with others online, portraying a life of quiet normalcy. He appears to be a soccer fan who enjoys campus and is a devoted _League of Legends_ player. He even attended the competitive online game’s 2022 World Championship tournament in San Francisco. In fact, according to online records, he often plays _League of Legends_ multiple times a day while awaiting trial in Virginia. His university research is similarly innocuous: He’s developing an app for detecting crop diseases in photos called Gopher Eye, which is being funded by the National Science Foundation, and has applied for a patent. He describes himself as a “startup manager” on LinkedIn.

One of Shi’s colleagues at the University of Minnesota, who spoke to WIRED under the condition of anonymity, says that he was a “typical” kid who was “very passionate” about his research. In the fall of 2023, however, financial and familial strife compounded by mounting pressure from lagging grades led to a break. The colleague said that Shi soon all but disappeared, taking leave from his studies and “basically hiding from all of his normal relationships.” He’s been difficult to contact since then, they say, adding that they did not know that Shi is currently in the US—much less embroiled in a rare national security case.

“From my point of view, he’s had very bad luck,” they say. “I don’t think that he did anything wrong intentionally.”

The question of why the DOJ is prosecuting Shi in the first place looms large over his case. After all, satellites originating in China photograph the US daily, including military sites and aircraft carriers. The degree to which Shi’s nationality played a role in the DOJ’s decision to prosecute the case isn’t clear. The case is proceeding amid rising animosity between China and the US, but Shi isn’t being charged under any laws related to collecting intelligence for a foreign government. He is not being accused of acting as a spy. His only alleged crime is taking photos with a drone.

“The Justice Department has guidelines that say \[nationality\] is not supposed to play a role in a criminal investigation, but there are exceptions to that rule for national security and border-related investigations,” Berman says. “It certainly seems likely that the fact Shi is a Chinese national raises red flags for investigators that wouldn't necessarily go up in the same way if he was an American citizen, rightly or wrongly.”

Cases prosecuted under statutes banning photographing military bases can have implications for First Amendment rights, Berman says. Photographing in a public place is a constitutionally protected activity.

“It would be a good thing to litigate some of these cases and clarify what the rules actually are about what you can and can't do,” she says. “Any time there is uncertainty, that may make people hesitant to do things that they are constitutionally entitled to do.”

The few occasions where statutes banning photographing military installations have come up illustrate this concern. In _Genovese v. Town of Southampton,_ Nancy Genovese sued law enforcement officials who arrested her for photographing an airport—part of which was a military base—while having guns in her car. A jury agreed that law enforcement was maliciously prosecuting Genovese, and she landed a settlement amounting to more than $1 million in 2016. In another incident, in 2014, reporters for The Blade in Ohio filed a federal lawsuit after they were unlawfully detained for taking photos outside a military base. In that case, too, the law favored the plaintiffs, and the reporters were awarded $18,000.

Shi’s case is scheduled to start on June 20.

The Unusual Espionage Act Case Against a Drone Photographer

### Impact
Template authors could inject php code by choosing a malicous file name for an extends-tag. Users that cannot fully trust template authors should update asap.

### Patches
Please upgrade to the most recent version of Smarty v4 or v5. There is no patch for v3.



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35226

**Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag**

High severity GitHub Reviewed Published May 28, 2024 in smarty-php/smarty • Updated May 29, 2024

**Package**

composer smarty/smarty (Composer)

**Affected versions**

\>= 5.0.0, < 5.1.1

\>= 3.0.0, < 4.5.3

**Patched versions**

5.1.1

4.5.3

**Description**

Published to the GitHub Advisory Database

May 29, 2024

Last updated

May 29, 2024

GHSA-4rmg-292m-wg3w: Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag

Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) expose serial shells on multiple PLCs. A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. The hardware is no longer produced nor offered to the market.

SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >  
=======================================================================  
               title: Exposed Serial Shell on multiple PLCs  
             product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)  
  vulnerable version: All hardware revisions  
       fixed version: Hardware is EOL, no fix  
          CVE number: -  
              impact: Low  
            homepage: https://www.siemens.com  
               found: ~2023-06-01  
                  by: Steffen Robertz (Office Vienna)  
                      Gerhard Hechenberger (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:  
------------------------  
The hardware is no longer produced nor offered to the market. Hence  
HW adaptions resulting in modified products are not possible anymore.  
The described HW behavior on this generation of devices cannot be  
corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Exposed Serial Shell on multiple Siemens PLCs  
A serial interface can be accessed with physical access to the PCB. After  
connecting to the interface, access to a shell with various debug functions  
as well as a login prompt is possible.

Proof of concept:  
-----------------  
1) Exposed Serial Shell on multiple Siemens PLCs

* CP-2016 (Figure 1)  
The serial interface on the CP-2016 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

* CP-2019 (Figure 2)  
The serial interface on the CP-2019 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

  * CP-2014 (Figure 3)  
The serial interface on the CP-2014 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|GND  
  |o|  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  +-+

  * CP-2017 (Figure 4)  
The serial interface on the CP-2017 can be accessed on the compute module  
by connecting to pins 9 and 10 on the populated SMD connector:

   1              TX RX  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

* CP-5014 (Figure 5)  
The serial interface on the CP-5014 can be accessed on the compute module  
by connecting to pins 1 and 2 on the populated SMD connector:

  RX TX              10  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

All serial connections allow access to the SH1703 shell in version 1.00.  
The shell requires no authentication and allows the usage of multiple  
commands.

The following output can be seen on all devices:

---------------------------------------------------  
    XXXXX  XXX XXX      X     XXXXX    XXX     XXX  
   X     X  X   X     XXX     X   X   X   X   X   X  
   X        X   X       X        X    X   X       X  
    XXXXX   XXXXX       X        X    X   X     XX  
         X  X   X       X       X     X   X       X  
   X     X  X   X       X      X      X   X   X   X  
    XXXXX  XXX XXX    XXXXX    X       XXX     XXX  
---------------------------------------------------

1703 Shell [V1.00]  
(c) by 1703 Development Team

type 'help' or '?' or press 'F1' for help

SH1703>

Initialize system ..  
. Init Done.

system startup after Power-Up ...  
Install device 'USB Server'.

  RTC time not valid

  RTC time not valid

  RTC time not valid  
Reg: 100 Komp: 2 BSE: 20  
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01  
Startup ZBGs ... done.

system ready  
SH1703>help  
Available commands:  
  hist                             Display command history  
!<n>                             Execute <n> command from stack  
  ?        [<cmd>]                 Display this message  
  help     [<cmd>]                 Display this message  
  echo     <text>                  Displays text  
  call     <file>                  Run script file  
  cls                              Clear screen  
  loop     <cmd>                   Loop-execution of cmd  
  ldfile   <file>                  Load ascii file  
  db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword  
  wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword  
  mb       <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword  
  login                            Login  
  logoff                           Logoff  
  pci      ...                     PCI Commands  
  bemrk                            Run Benchmark  
  drv                              List installed drives  
  dir                              List files in directory  
  del      [<drv:>]<file>          Delete file  
  ren      <src> <dest>            Rename or move file  
  cd       <dir>|<..>              Change current directory or drive  
  md       <dir>                   Make directory  
  rd       <dir>                   Remove directory  
  type     [<drv:>]<file>          Displays the contents of a file  
  copy     <src> <dest>            Copy a file  
  findstr  <file> <str>            Find a string in a textfile  
  mkdisk   <drvname> <size>        Make a Ramdisk  
  uidisk   <drvname>               Close and uninstall a disk  
  format   <drvname>               Format drive  
  mem_wr   <addr> <size> <des>     Write mem to file  
  idr                              Read from diagnostic ring  
  icr                              Clear diagnostic ring  
  idd                              Debug-Trace ON  
  bp                               Read all breakpoint settings  
  bpf      [<file>]                Set File for Debugprint (no arg = stdout)  
  is       ...                     Debugger settings  
  ig       [f|s]                   Display BPs / Clear all BPs  
  idb                              Read DB-Breaks  
  idt                              Read DB-Trace Settings  
  icz                              Clear breakpoint counters  
  dev      ...                     ZIO-Device commands  
  bsp      ...                     bsp commands  
  ftrc     ...                     FTRC Commands  
  banner                           Display the banner  
  pl                               Display process list  
  pi       [<appl_nr>]             Display process info  
  ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start  
  tl                               Display task list (all processes)  
  tm       [-r]                    Display task monitor (-r = runtime)  
  tc       <taskname>              Display task context  
  td       <taskID>                Display task descriptor  
  tq                               Display task queues  
  sysztsk                          Display ZOS-tasks of system process  
  appztsk  [<appl_nr>]             Display ZOS-tasks of appl-process(es)  
  stack                            Display stack usage of all tasks  
  stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume  
  tsktrc   -s|r|c                  ZOS-Task-Trace Start|Read|Clear  
  set      [<name>=<val>]          Display, set or remove environment variables  
  time                             Display the current time  
  timeset                          Set the current time  
  mem                              Display memory usage  
  status                           Display system status informations  
  ver                              Display version informations  
  r                                Reset system element (R,R Cxx,R Pxx,R Zxx  
  klog     [dis|ena|all]           Display, disable or enable kernel logging  
  psp_info                         Display prozessor configuration infos  
  int_info                         Interrupt-Info-List  
  int_gen                          Generate Interrupt (for Admin only)  
  tlbs                             Display TLBs  
  ga       [<appl_nr>]             Start Subshell of application  
  tsd                              Debug Timeserver  
  mci                              MCI Commands  
  usb      <cmd>                   USB commands  
  mmc      <cmd>                   MMC Commands  
  zhs                              ZHS commands  
  zpv                              Parameter infos  
  zdt                              data transporter  
  fsn                              ZIO/FSN statistics  
  net      <enet|emac|mal> <dev>   Network statistics  
  prd      <pg> <reg> <len>        Read PHY register (len: 8|16|32)  
  pwr      <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)  
  rmib                             Reset all statistic counters  
  scfg                             Display broadcom switch registers  
  ipaddr   <dev>                   Display ip addresses on interface  
  route                            Display routing table  
  socket                           Display socket statistic  
  tcp                              Display tcp statistic  
  udp                              Display udp statistic  
  arp                              Display arp cache  
  ping     host-ipaddr             send ICMP ECHO_REQUEST to a host  
  arl                              Switch Address Resolution table  
  ebuf                             Statistic for Buffer handling FSN  
  tls_ciph                         print cipher suites for all connections  
  tls_obj  idx                     print connection objects  
  tls_log                          log level for tls lib  
  tls_deb  idx                     print connection debug cnts  
  tlscache                         print cert/key cache  
  opensslm                         print mem pool statistic for openssl  
  tlsdeb_s                         START mem pool debug function  
  tlsdeb_e                         END mem pool debug function  
  tlsdeb_r                         print mem pool debug for openssl  
  tlsdeb_c                         CLEAR mem pool debug function  
  sap                              special application function  
Available Function-Keys:  
  F1     Help  
  F2     Display system status informations  
  F3     Display Last command  
  F5     Display the current time  
  F7     History  
  F8     Display memory usage  
  F9     Display ZOS-Task Infos  
  F10    Display Tasklist  
  F11    Execute Last command  
SH1703>

----------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest version available  
at the time of the test:  
* CP-2016: CPCX26 V0.06A01  
* CP-2019: PCCX26 V0.06A01  
* CP-2014: CPCX25 V0.05A04  
* CP-2017: PCCX25 V0.11A10  
* CP-5056: CPCX55 V0.10A04

Vendor contact timeline:  
------------------------  
2024-03-05: Contacting vendor through productcert@siemens.com  
2024-03-06: Siemens tracks this issue as case #04393  
2024-04-03: Requested status update.  
2024-04-03: Product is EOL, no fix planned.  
2024-04-29: Informed Siemens about planned publication of advisory.  
2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.  
2024-05-07: Siemens requested small changes in the Solution and Business  
             Recommendation.  
2024-05-24: Public release of security advisory.

Solution:  
---------  
The hardware is no longer produced nor offered to the market. Hence HW  
adaptions resulting in modified products are not possible anymore. The  
described HW behavior on this generation of devices cannot be corrected  
by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

Workaround:  
-----------  
Make sure to strictly limit physical access to the PLC during and also  
after its life cycle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024

Siemens CP-XXXX Series Exposed Serial Shell

Debian Linux Security Advisory 5698-1 - Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5698-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146Multiple security issues were found in Rack, an interface for developingweb applications in Ruby, which could result in denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 2.2.6.4-1+deb12u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0YACgkQEMKTtsN8TjaEDQ/+In6arFD5sCgR6IZW2RiwAgBlLY9SAPlcuSI4qYkoN3JDMsm3dWV38UEOIwhvEiNpOXRiHCi4V15Eo92I1ayKJIZYM9n5B1pjGQrci5tl1cnFIfhfkIEjRET7OFRgL6TYgzsc5PKmlBNmff/yQOPXdw2q8dfgJkBb9Nc7GUxrhnsAdy/5mrW9NgSPerd65rYZ3NcGpSCiKcUcweatBalf2GycXFXSNzUlYw4nGuEOM5P4uyB8TI0lhaxy+hQA24fVGfKIldSHvQu4gs2jN2CaCNp4KyV5SkAtK7lBTxWMihmXwhzvpGeKF/ABokicqj4AC/T1BhjqS7S5/CjScmJwwkOcpaNhcqoI9wmFkx/bVYbQGmFuYPibziBHfBeucZhCFW2zhxSGYX/oWx/V4J3kBwMMUll4pI3AM0SEs/loeU3k+eLR7mq1ElcLt+IOmQpwNIIuvy/r8wvSySBLXu07b1lS29LMtqk3qXdb3HO6e2QznIdW6CatcewEc6uWOAzUBSFwvA1kgXWFqT9gj17RQ6VdMAdOw+5dkWIbJrWeJfiDdlT6R0KWpAfExQFzLbywtKJAtOnS7v+jyBkPlTg5Rz6z7o6PCf5fYA42FnI6p5AAryPvEupbiE6N72K1+8x+mDeiPFLlmrlP3tUsdhVwSfD5AEO+Qiyi04rYY7w55RM==9BYJ-----END PGP SIGNATURE-----

Debian Security Advisory 5698-1

By Uzair Amir
Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope…
This is a post from HackRead.com Read the original post: How FHE Technology Is Making End-to-End Encryption a Reality

Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.

Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.

It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.

However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.

**How End-to-End Encryption Works**

End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.

This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.

While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.

Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.

**How Encrypted Is Fully Encrypted?**

When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.

Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.

Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”

He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.

One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.

Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?

****FHE Meets E2EE****

One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.

It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.

This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.

Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.

Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.

FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches. 

If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.

1.  WhatsApp Engineers Fear Encryption Flaw Exposes User Data
2.  8 tips to protect company data sent via home internet connections
3.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

How FHE Technology Is Making End-to-End Encryption a Reality

Red Hat Security Advisory 2024-3323-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3323.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pcp security updateAdvisory ID:        RHSA-2024:3323-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3323Issue date:         2024-05-23Revision:           03CVE Names:          CVE-2024-3019====================================================================Summary: An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.Security Fix(es):* pcp: exposure of the redis server backend allows remote command execution via pmproxy (CVE-2024-3019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271898

Tag

#sap