Red Hat Security Advisory 2024-0376-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0376.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch security update  
Advisory ID:        RHSA-2024:0376-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0376  
Issue date:         2024-01-24  
Revision:           03  
CVE Names:          CVE-2023-2163  
====================================================================

Summary: 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

* kernel: netfilter: potential slab-out-of-bound access due to integer underflow (CVE-2023-42753)

* kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-2163

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2237760  
https://bugzilla.redhat.com/show_bug.cgi?id=2239843  
https://bugzilla.redhat.com/show_bug.cgi?id=2240249

Red Hat Security Advisory 2024-0376-03

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.

**Minerva timing attack on P-256 in python-ecdsa**

High severity GitHub Reviewed Published Jan 22, 2024 in tlsfuzzer/python-ecdsa • Updated Jan 22, 2024

GHSA-wj6h-64fc-37mp: Minerva timing attack on P-256 in python-ecdsa

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.

Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change sensitive settings on your device. If someone tries to access passwords stored in Apple’s keychain, for instance, they won’t be able to unless they also use a fingerprint or the phone’s face recognition to prove they’re the legitimate owner.

You don't need to look far to find stories of stolen phones. In London, a phone is stolen every six minutes. Subreddits are littered with people having their phones snatched by thieves. In some of the most extreme cases, crooks can also take the passcodes—forcibly, or by peering over someone’s shoulder—and then steal a phone and unlock it. Social media accounts, passwords, and financial data can all be put at risk.

Stolen Device Protection is included with iOS 17.3, the latest iteration of Apple’s mobile operating system, which was released today. The feature should be high on your list to enable. It better protects your data—without you having to do anything—and has the potential to disrupt thieves. The move from Apple, according to cybersecurity experts, is a positive one and adds to the protections that already accompany passcodes.

The stolen iPhone protection is “likely to act as another barrier and put more pressure on thieves when targeting victims,” says Jake Moore, a global cybersecurity adviser at security firm Eset and a former police computer crime investigator. “Selling phones will always be big business among organized crime groups, but criminals will just need to work harder on their craft now.”

When you turn on Stolen Device Protection, Apple puts extra limits on some settings when your iPhone isn’t at a familiar location, such as your home or work. If someone unlocks your phone and tries to change these settings, they’ll have to use Face ID or Touch ID. So if a thief has your phone and passcode, they won’t be able to change the settings unless they have your biometric information too, which is not straightforward to clone and fool the systems that power them.

These extra checks will appear when someone tries to access passwords or passkeys you’ve saved in iCloud’s keychain, use payment methods saved in Safari, turn off Lost Mode, erase your phone, use your phone in the setup of a new Apple device, apply for a new Apple Card, view your Apple Card’s virtual number, or transfer money with Apple Cash.

There’s also a second layer of checks for even more sensitive information. If your phone is not at a familiar location, Apple will also put in place a one-hour “security delay” after using your biometrics. When this one-hour delay is up, your biometrics are needed again to change the settings. (Your iPhone will still be accessible during this hour.)

This hour delay applies to attempts to change your Apple ID password, sign out of Apple ID, or update Apple ID account security settings, such as removing a trusted device. The delay is also in place if someone tries to remove Face ID or Touch ID accounts, change your iPhone passcode, reset your settings, disable the Find My tool, and turn off Stolen Device Protection itself. If a thief has your phone, there’s a chance they’ll want to change these settings quickly to either take over your phone or online accounts, and the delay may reduce their ability to do so. Moore says the extra hour’s delay adds a “greatly appreciated layer of security.”

Turning on the iPhone’s Stolen Device Protection is simple—it’s just one small toggle in your phone’s settings. You need to make sure your iPhone is updated to iOS 17.3. Open the **Settings** app, scroll to **Face ID & Passcode**, then to **Stolen Device Protection**, and turn the switch on.

With the new feature, Apple is increasingly relying on biometrics, through Touch ID and Face ID, as a way of proving the person with your phone is actually you. “Apple now has a decade of experience with biometrics on hundreds of millions of devices, and its confidence in them seems to be growing,” says Mark Stockley, a cybersecurity expert at security firm Malwarebytes. Traditionally, he says, a password or passcode has been the option that’s turned to when biometrics fail to work. With this new feature, the roles are being reversed, indicating a greater trust in the technologies. “This could be a step towards a passcode-less future,” Stockley says.

While Stolen Device Protection is a step forward, it doesn’t protect everything on your phone if a thief gets hold of it and your passcode. It’s worth making sure your data is backed up, and some apps, such as WhatsApp, will allow you to add another (ideally different) passcode or PIN, on top of your phone’s passcode, before allowing someone into the apps.

Broadly speaking, if your iPhone is stolen—beyond contacting the cops—you’ll also want to visit Apple’s iCloud to take back control of your device. “Start by changing your Apple ID password and ticking the option to sign you out of devices and websites you’re currently logged in to,” Stockley says. Then, within iCloud’s Find Devices settings, you can mark your phone as lost and remotely wipe it. Hopefully, Stolen Device Protection’s features will never need to come to your rescue, but for every person who turns it on, it makes thieves’ lives just that little bit harder.

Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection

By Owais Sultan
One of the most needed functions in the CS console has always been a command that allows you…
This is a post from HackRead.com Read the original post: Bind For Cleaning Blood And Bullet Marks In Counter-Strike 2

One of the most needed functions in the CS console has always been a command that allows you to instantly remove all traces of blood and bullet marks on the walls. This bind is useful not only for aesthetic reasons — traces of blood have been proven to slightly reduce FPS in Counter-Strike 2.

If you want an effective game that will allow you to achieve success on par with the best pro players, this article from eZstah is for you. You can also further explore grim, KSCERATO from FURIA Esports, or twistzz CS2 settings on the Profilerr platform.

****Binds In CS2: What Is It?****

Many people know that CS2 has a fairly impressive set of commands. The classic version of their use involves activating the console and entering a certain set of characters manually.

It’s long and inconvenient. Another option is that some commands can be attached or changed in the game settings. But not everything is there. Plus, it’s not always convenient.

However, binds solve this problem! It is enough to configure everything once, and then everything will work by pressing a certain button!

The fact is that binds in KS2 are a special system that allows you to bind one or another command existing in the game to a specific button.

It turns out the following:

*   The gamer sets up the bind once – it should be linked via the console to a specific command to a specific button.
*   During the game or during pauses between battles, a person presses a button to execute a command.
*   The result is a quick response to commands. Control is carried out with maximum comfort and speed for the user.

****How to Set Up Binds in CS2****

Setting up binds as usual is not difficult. To configure a specific bind in KS2, you must follow the following instructions:

Activate the console in the game. Initially, this function is bound to the “~” key.

Enter bind: “button” “command”. The first quotes indicate the key to which a specific command will be bound, and the second quotes indicate the command itself.

****The Most Popular Binds in KS2****

CS2 has just a huge number of different commands. Naturally, there are more or less popular binds. Below is a list of those that are in greatest demand:

bind “button” “+cl\_show\_team\_equipment”

This bind provides highlighting of allies, showing their health and the type of weapon they are using. A useful command for players who take into account all the little things in their strategy.

bind “button” “toggle cl\_righthand”

This bind changes the game character’s right-handedness to left-handedness and back.

bind “button” “use weapon\_c4; drop”

With this bind, the player quickly throws the bomb out of his inventory, saving time in searching for it.

bind “button” “toggle voice\_enable”

This bind mutes the sound in the general chat.

bind “button” “buy m4a1; buy AK47”

This bind allows you to quickly buy an AK47, the type of which changes depending on who the person is playing as. Similarly, you can link the purchase of any game item. To do this, instead of the name AK47, the desired option is used – the list is easy to find on the Internet.

****How to Remove Blood in CS 2****

To activate the command you will need to launch the console. Usually, it opens with the ~ key. A window will open in which you can use various functions.

It is worth noting that the command that activates the disappearance of blood and traces of weapons only works for the person who launched it. For other players on the server, the picture will not change; they need to register the command themselves.

****Console Command to Remove Blood And Bullet Marks in CS 2****

Unlike CS:GO, in Counter-Strike 2 this feature does not work on all servers, since you need to enable cheat mode to use it. After pressing ~ and opening the console, you need to write:

sv\_cheats 1

Then press Enter. After activating the cheats, directly enter the command to clear the blood and bullets, and then press Enter again.

cl\_removedecals

After this, all traces of blood and the use of weapons should disappear from the map.

Bind to erase blood in CS 2

If you don’t want to write a command every time you want to clean the blood, use a bind. To use the Shift key on your keyboard instead of the console, enter this text into the console:

bind “SHIFT” “cl\_removedecals”

Instead of Shift, you can use any other button on the keyboard – F or G.

****Bind to Remove Blood And Bullet Marks When Moving in Counter-Strike 2****

You can make life even easier: enter the following text into the console and the blood will disappear every time you press the WASD movement keys:

*   bind “W” “cl\_removedecals”
*   bind “A” “cl\_removedecals”
*   bind “S” “cl\_removedecals”
*   bind “D” “cl\_removedecals”

****Bind to Erase Traces of Bullets And Blood in CS2 With The Left Mouse Button****

You can make the command work after each shot – instead of the name of the key, use MOUSE 1 (left mouse button). This bind can be used in conjunction with the bind above.

bind “MOUSE1” “cl\_removedecals”

****Command to Completely Remove Blood And Shots in CS 2****

Finally, here’s new command for the console in Counter-Strike 2. It allows you to completely get rid of all traces of blood and bullets – they simply will not appear until you enter the opposite command – you need to replace 0 with 1.

r\_csgo\_render\_decals 0

****Final Thoughts****

The average number of players in CS2 is over 750,000. The competition is high and only the most trained and fastest will win. To quickly react to events in CS2, you can use binds. This will make the process more enjoyable and will bring you closer to participating in USD reward matches.

****_RELATED ARTICLES_****

1.  **4 Best War Games You Should Play**
2.  **GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp**
3.  **The Best FPS Games on Android In 2023: Popular by Demand**
4.  **Setting Strong Passwords: First Line of Defense for PS5 Security**
5.  **Gamers Warned of Potential CS2 Exploit That Can Reveal IP Addresses**

Bind For Cleaning Blood And Bullet Marks In Counter-Strike 2

By Deeba Ahmed
The latest Chae$ 4.1 sends a direct message to the cybersecurity researchers at Morphisec within the source code.
This is a post from HackRead.com Read the original post: The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads

The original Chae$ malware was identified in September 2023, and its latest version, dubbed Chae$ 4.1, employs advanced code polymorphism to bypass antivirus detection.

Morphisec Threat Labs has documented its findings on Chae$ 4.1, an update to the Chae malware Infostealer series, as part of its investigation of emerging cyber threats. The report explores the new Chae$ variant, highlighting its mechanics, implications, and safeguarding measures.

Back in September 2023, Morphisec shared its analysis on a new variant of Chae$ malware, dubbed Chae$4 with Hackread.com. The malware targeted login credentials, financial data, and other sensitive information of e-commerce customers particularly in Brazil. 

Chae$4 was quickly evolving, and in its latest research blog, Morphisec provided details on the updates in Chae$ 4.1, which includes an improved Chronod module and surprisingly, a direct message to the Morphisec team within the source code. Version 4.1 is a significant improvement over previous brute force and basic obfuscation methods.

The authors of the Chae$ 4.1 malware send a message to Morphisec researchers.

The infection chain begins with an email in the Portuguese language, claiming to be an urgent request from a lawyer concerning a legal case. The victim is then redirected to a deceptive website, (totalavprotectionshop/abrirProcesso.php?email=), where they are prompted to download a ZIP file. This website also functions as a deceptive website for TotalAV, directly delivering the MSI installer without the intermediary step of a ZIP file.

Another website, (webcamcheckonline), allegedly scans the machine for risks and updates the driver after scanning. After the victim clicks the BLOCK button, JavaScript gets executed in the background, mimicking a legitimate system scan, which presents a hardcoded list of files, creating the illusion of a comprehensive computer analysis of the device.

Once the scanning is complete, the attacker sends a message stating “Security Risk Detected” and prompts the victim to download an updated driver to eliminate the risk. The unsuspecting victim clicks on the button, which triggers a script named download.js to run the malicious installer.

With the installer activated, Chae$ 4.1 also gets triggered, and from this point, the attack chain follows a similar path as Morphisec discovered in previous analyses except for some advancements in the Chae$ framework, such as modifications in the Chronod module. After successful activation, exfiltrated data is delivered to the threat actor’s C2 and the Chae$ team panel login page.

The Chronod module intercepts user activity to steal information like login credentials and banking information. It spans over 2,000 lines of code and has been adjusted to steal credentials from specific services like WhatsApp, AWS, and WordPress. In version 4.1, the Chae$ team rewrote the module to be more generic and modular, dividing the logic into several classes instead of one class responsible for all functionality.

Chae$ 4.1 also employs advanced code polymorphism to bypass antivirus detection, and detect sandbox environments, raising concerns about its potential impact on users. 

Chae$ 4.1 malware’s infection chain

To stay safe, regularly update your operating system and software, use a layered security solution with advanced malware detection, be cautious when clicking on suspicious links or opening attachments, and regularly back up critical data. Staying informed and adopting robust security practices can help protect against cyberattacks.

****_RELATED ARTICLES_****

1.  **Fake Symantec Blog Caught Spreading Proton macOS Malware**
2.  **Hackers send explicit messages to riders on hacked e-scooters**
3.  **Scammers Distribute Malware to Drivers in Speeding Ticket Scam**
4.  **iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers**
5.  **Fake PoC Script Used to Trick Researchers into Downloading VenomRAT**

The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads

One of America’s largest internet providers may collect data about your political beliefs, race, and sexual orientation to serve personalized ads.

Your internet service provider could have a good idea of who you’re planning to vote for in the 2024 election as well as the gender of the last person you slept with—and it’s saving that information for later. Major internet providers, like Comcast’s Xfinity, stockpile more revealing data than users might initially realize.

For example, Xfinity customers are automatically opted in to allow the company to store sensitive personal information. This could include your “race, ethnicity, political affiliations, or philosophical beliefs,” according to Xfinity’s website. Your sexual orientation, immigration status, biometric info, and precise location are also considered to be sensitive data. While Comcast does not sell this info, the company does use sensitive data in a variety of ways, like to serve up personalized ads and recommendations.

There are many reasons to be anxious about this kind of data collection. Xfinity itself was recently hacked; the personal data of over 30 million customers was stolen in October of last year, yet the breach was revealed by the company to users two months after the fact. (Definitely change your Xfinity password right now, and turn on two factor-authentication if you haven’t already.)

The good news is that you can take steps to opt out of Comcast’s data storage—although there are limitations on how far the privacy options go. Also, if you live in a state with supplemental privacy legislation, then you might have the right to request and receive more details about your collected data.

How to Change Your Sensitive Personal Information Settings

You don’t have to log in to the Xfinity website with your username and password to make this settings change, but be forewarned: You will be asked to fork over your email, phone number, and location.

Start by visiting Xfinity’s Privacy Center and scrolling down to **Review your privacy preferences**. Then, click on **Manage your information** and skim through all the available options to get a better grasp on your choices. Find the **Sensitive personal information preferences** section, and choose **Review settings**.

This next step was sometimes quite slow to load during my testing, so a little patience might be necessary. When it eventually pops up, fill out the form and click **Continue**. You may be asked to confirm the provided address. Finally, after all that clicking, locate the toggle labeled **Storage and usage of sensitive personal information** that appears on the last page and switch it off.

It’s worth pointing out a crucial caveat from Comcast about how the setting works. The catch is that this toggle impacts the use of your personal data only in Comcast’s advertising, marketing, and recommendations systems. “Even when off, we may still use your sensitive personal information for certain purposes, including to provide your Services, security purposes, and fraud monitoring,” reads a disclaimer right below the toggle. While some data collection may be necessary to operate basic services, the lack of accessible, granular control over what’s stored is disappointing.

Depending on where you live in the US, you can learn more about what Comcast stores and scrub it. In the following five states, you have the right to receive more details about the data Xfinity collects about you: California, Colorado, Connecticut, Utah, and Virginia. By residing here, you have the right to receive details about the gathered data and have personal info deleted. Your right to correct inaccurate info is codified in all of these states as well, except for Utah.

Anyone can technically fill out the form and make the request regardless of location, but you might not receive a real answer if you live somewhere without the legal protections. Even in the states where you are legally covered, be prepared to wait. Comcast may take up to a month to process requests from Xfinity customers, and will notify you if the process ends up stretching out even longer.

How to Opt Out of Comcast’s Xfinity Storing Your Sensitive Data

By Waqas
Bitdefender's latest research reveals that crypto scams on YouTube are at an all-time high, with no sign of slowing down in the near future.
This is a post from HackRead.com Read the original post: YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

Hijacked accounts, hollow promises: Stream-jacked channels lure viewers with fake Bitcoin giveaways by utilizing deepfakes of popular celebrities, including Elon Musk, Ripple’s CEO Brad Garlinghouse, and Michael J. Saylor, former managing director of MicroStrategy, among many others.

Cybersecurity researchers at Bitdefender have published their latest research, highlighting a growing trend of YouTube stream-jacking campaigns using deepfake videos for cryptocurrency theft. The latest report continues the company’s research on YouTube-related malicious scams published in October 2023.

Despite companies like McAfee launching tools such as MockingBird, designed to detect 90% of deepfake content, scammers persist in employing malicious techniques to execute crypto scams. In some instances, they have managed to successfully bypass facial recognition systems, highlighting the ongoing challenges in combating these deceptive practices.

****Stream-Jacking****

For your information, YouTube stream-jacking is a cybercrime where criminals steal accounts from popular channels using livestream pop-ups, QR codes, and malicious links. Crypto-doubling scams lure viewers into depositing their cryptocurrency into platforms, promising quick returns. Victims are lured into depositing their funds, only to find their funds disappear without a trace.

As of the first week of January 2024, there were 2.70 billion active users on YouTube. These staggering stats make the video hosting platform a lucrative target for cybercriminals and scammers.

According to Bitdefender’s research, cybercriminals are enhancing their stream-jacking attacks by creating content that mimics legitimate cryptocurrency news or announcements. 

Stream-jacking 2.0 scams target popular channels for account takeover or lure followers to mimic channels with rewards. During their research, the researchers discovered that the top three highjacked accounts to carry these scams have over 31 million subscribers, with Tesla, MicroStrategy, and SpaceX being the top brands used. Bitdefender estimates that cyber criminals have netted over $600K so far.

****Fake YouTube Channels, Real Verification!****

Bitdefender’s blog post suggests that scammers use multiple announcements and high-profile news headlines to make their scams appear credible. For instance, attackers used the “SpaceX Starship integrated flight test 2” official event to launch fake livestreams under “SpaceX Launch Starship Flight Test! Elon Musk gives update on Starship!” on compromised channels.

Deepfake content helps scammers spread fraudulent schemes on compromised channels, using cryptocurrency-related videos of famous personalities, popular conference talks, and recordings. They encourage viewers to scan a QR code and send a certain amount of crypto to be doubled. Some deep fakes are of decent quality, but the live chat section is disabled unless a selected member or subscriber has been a long-term subscriber.

There is also a rising trend of using Deepfakes in YouTube ads rather than livestreams, providing more opportunities for cybercriminals to spread scams. Account takeovers are usually enabled by compromising YouTube access tokens with stealers.

Malicious actors revamp the channel to impersonate the entity they want to impersonate, likely through automated processes. The revamping process involves changes to the channel name, handle, visibility, avatar, banner, description, links, featured channels, and anything that can help identify the original channel.

Bitdefender researchers have identified signs of artificial boosting of viewers in most livestreams. In December 2023, malicious actors began broadcasting scams targeting the Bitcoin ETF, focusing on MicroStrategy and Michael Saylor.

One such example is scammers broadcasting using looped deepfakes relying on MicroStrategy’s former CEO to participate in giveaways by scanning QR codes and following instructions. Compromised channels use variations of the official MicroStrategy logo, official banners, and playlists to boost credibility.

Deepfake YouTube ad featuring Ripple’s CEO Brad Garlinghouse – Deepfake powered livestream featuring Michael J. Saylor, former managing director of MicroStrategy giving away Bitcoin – Fake and verified SpaceX YouTube account with millions of subscribers.

The most common names after the takeover are MicroStrategy US, MicroStrategy, Microstrategy, Microstrategy US, Microstrategy Live, and Micro Strategy. Subsequently, deceptive websites began to surface, hosted on domains mimicking the company’s name or its former CEO, often incorporating symbols associated with cryptocurrencies and multipliers.

These fraudulent sites featured animated presentations showcasing multiple transactions, designed to create the illusion of live activity. It’s important to note that these animations were randomly generated and did not reflect actual transactions, serving as a misleading tactic to convey a false sense of legitimacy.

****Protect Yourself from YouTube Crytp Scams!****

Crypto scams on YouTube are a serious issue. In 2020, Apple co-founder Steve Wozniak sued YouTube over Bitcoin scams using his name. Wozniak accused YouTube and Google of enabling Bitcoin giveaway scams by failing to take action against them.

To avoid becoming a victim of stream-Jacking 2.0, be cautious of unexpected changes in content, double-check links, avoid investing based on online endorsements, and thoroughly research investment opportunities.

Additionally, Enable two-factor authentication (2FA) on YouTube accounts to prevent unauthorized access. Remember that if something seems too good to be true, it could be a scam. Don’t let a deepfake fool you into losing your crypto.

****_RELATED ARTICLES_****

1.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
2.  **New YouTube phishing scam using authentic email address**
3.  **YouTube Channels Hacked, Spread Lumma Stealer Malware**
4.  **British Military’s YouTube Account Hacked to Scam Crypto Users**
5.  **Google details cookie stealer malware campaign targeting YouTubers**

YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.
The flaws are listed below -

CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management

Vulnerability / Cyber Threat

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.

The flaws are listed below -

*   **CVE-2023-6548** (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
*   **CVE-2023-6549** (CVSS score: 8.2) - Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)

The following customer-managed versions of NetScaler ADC and NetScaler Gateway are impacted by the shortcomings -

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
*   NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
*   NetScaler ADC 13.1-FIPS before 13.1-37.176
*   NetScaler ADC 12.1-FIPS before 12.1-55.302, and
*   NetScaler ADC 12.1-NDcPP before 12.1-55.302

"Exploits of these CVEs on unmitigated appliances have been observed," Citrix said, without sharing any additional specifics. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws.

It's also advised to not expose the management interface to the internet to reduce the risk of exploitation.

In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.

**VMware Fixes Critical Aria Automation Flaw**

The disclosure comes as VMware alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.

The issue has been assigned the CVE identifier **CVE-2023-34063** (CVSS score: 9.9), with the Broadcom-owned virtualization services provider describing it as a "missing access control" flaw.

Commonwealth Scientific and Industrial Research Organization's (CSIRO) Scientific Computing Platforms team has been credited with discovering and reporting the security vulnerability.

The versions impacted by the vulnerability are provided below -

*   VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
*   VMware Cloud Foundation (4.x and 5.x)

"The only supported upgrade path after applying the patch is to version 8.16," VMware said. "If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching."

**Atlassian Discloses Critical Code Execution Bug**

The development also follows Atlassian's release of patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting Confluence Data Center and Confluence Server.

The vulnerability, **CVE-2023-22527**, has been assigned a CVSS score of 10.0, indicating maximum severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It's worth noting that 7.19.x LTS versions are not affected by the vulnerability.

"A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version," the Australian company said.

  
The issue has been addressed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users who are on out-of-date instances are recommended to update their installations to the latest version available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!

This week on the Lock and Code podcast, we tell the true story of a virtual kidnapping scam from December of last year.

_This week on the Lock and Code podcast…_

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.

17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”

The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.

But as police in Riverdale and across the state of Utah would soon learn, the alleged kidnapping had a few wrinkles.

For starters, there was no sign that Zhuang had been forcefully removed from his home in Riverdale, where he’d been living with his host family. In fact, Zhuang’s disappearance was so quiet that his host family was entirely unaware that he’d been missing until police came and questioned them. Additionally, investigators learned that Zhuang had experienced a recent run-in with police officers nearly 75 miles away in the city of Provo. Just eight days before his disappearance in Riverdale, Zhuang caught the attention of Provo residents because of what they deemed strange behavior for a teenager: Buying camping gear in the middle of a freezing winter season. Police officers who intervened at the residents’ requests asked Zhuang if he was okay, he assured them he was, and a ride was arranged for the teenager back home.

But what Zhuang didn’t tell Provo police at the time was that, already, he was being targeted in an extortion scam. But when Zhuang started to push back against his scammers, it was his parents who became the next target.

Zhuang—and his family—had become victims of what is known as “virtual kidnapping.”

For years, virtual kidnapping scams happened most frequently in Mexico and the Southwestern United States, in cities like Los Angeles and Houston. But in 2015, the scams began reaching farther into the US.

The scams themselves are simple yet cruel attempts at extortion. Virtual kidnappers will call phone numbers belonging to affluent neighborhoods in the US and make bogus threats about a holding a family member hostage.

As explained by the FBI in 2017, virtual kidnappers do not often know the person they are calling, their name, their occupation, or even the name of the family member they have pretended to abduct:

“When an unsuspecting person answered the phone, they would hear a female screaming, ‘Help me!’ The screamer’s voice was likely a recording. Instinctively, the victim might blurt out his or her child’s name: ‘Mary, are you okay?’ And then a man’s voice would say something like, ‘We have Mary. She’s in a truck. We are holding her hostage. You need to pay a ransom and you need to do it now or we are going to cut off her fingers.’”

Today, on the Lock and Code podcast with host David Ruiz, we are presenting a short, true story from December about virtual kidnapping. Today’s episode cites reporting and public statements from the Associated Press, the FBI, ABC4.com, Fox 6 Milwaukee, and the Riverdale Police Department.

Tune in today to listen to the full story.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#sap