IBM QRadar SIEM 7.3, 7.4, and 7.5 in some senarios may reveal authorized service tokens to other QRadar users. IBM X-Force ID: 210021

CVE-2021-38919: Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

**Conversation**

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

 jba mentioned this pull request

Apr 27, 2022

CVE-2022-29810: Redact SSH key from URL query parameter by macedogm · Pull Request #348 · hashicorp/go-getter

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Redact SSH key from URL query parameter #348**

Conversation 5 Commits 2 Checks 0 Files changed

Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in Fixed in 2.249.1.

**Security Bulletin**

**Bulletin ID:** PLTRSEC-2022-01

**CVE:** CVE-2022-27888

**Affected Products / Versions:** Foundry Issues versions 2.244.0 to 2.249.0. Resolved in 2.249.1.

**Publication** **Date:** March 29, 2022

**Summary**

The _**Foundry Issues**_ service was found to be logging in a manner that captured session tokens. This vulnerability is resolved in Foundry Issues 2.249.1, which has been automatically deployed to all Apollo-managed Foundry instances. Out of an abundance of caution, all session tokens with a time-to-live (TTL) longer than 24 hours have been revoked from our hosted platforms.

**Background**

Palantir Foundry is a platform that enables auditable, arbitrary-scale transformations on data while preserving fine-grained access controls. Foundry Issues is an in-platform interface to Palantir Customer Support, and enables customers to report, track, and resolve problems within Foundry.

**Details**

On March 15th, 2022, it was discovered that the Foundry Issues service was logging the session token of users that directly interacted with the service. These sessions tokens, if accessed by an unauthorized party, could allow Foundry access under the user context for the lifetime of the token (e.g. a default of 10 hours).

An investigation was opened and subsequently determined that this vulnerability was introduced in Foundry Issues version 2.244.0. As a result, any account that interacted with the Foundry Issues service between February 21st, 2022 and March 16, 2022 had their session token incorrectly and unexpectedly recorded in Palantir service event logs. These event logs are stored on the backend of the Palantir Foundry infrastructure and, in hosted Palantir environments, also flow to centralized event logging infrastructure that is used by Palantir engineers to provide operational support.

Access to the logs where these tokens may have been captured is strictly limited to authorized Palantir personnel based on role. These systems are highly segmented from corporate infrastructure, are encrypted, and meet strict security controls, including multi-factor authentication. Upon discovery of the issue, all access to the logging infrastructure was temporarily suspended and all logged session tokens were purged. Furthermore, the risk of token exposure is time-bound by the session token time-to-live (TTL) on the Palantir Foundry platform. The TTL for Foundry sessions is 10 hours by default, after which the session token expires and is no longer useful.

Our Investigation concluded with no indications of abuse or malicious activity observed across the entirety of our hosted platform.

While we are confident there was no adverse impact to customer environments or data, this misconfiguration does not meet our high bar for security, and we remain committed to providing best in class information security. We have scheduled a root cause analysis for the relevant engineering teams, and a plan of action will be implemented to prevent similar regressions in the future.

**Remediation**

For Foundry infrastructure without Apollo, customers will need to update Foundry Issues to 2.249.1 or greater. Additionally, backend event logs may need to be purged on the underlying Foundry infrastructure.

On Palantir-managed Foundry enrollments, the Foundry Issues service has been automatically upgraded to the fully-patched version. Out of an abundance of caution, all session tokens were revoked. In most cases, these tokens had already expired due to the time-to-live values.

**Palantir Foundry - Customer hosted (without Apollo)**

**Versions:** Foundry Issues \[2.244.0 - 2.249.0\]

**Impact:** Foundry installations with vulnerable versions of Issues may leak session tokens into local logs.

**Remediation:**

*   Upgrade to Foundry Issues version 2.249.1 or greater.
*   Event logs may need to be purged on the underlying Foundry infrastructure to remove valid session tokens from logs.
*   Customers are encouraged to review Foundry audit (security) logs to look for unusual authentication activity during the time period specified.
    *   Review SSH or privileged access to your Foundry infrastructure. Foundry event logs are stored on the backend filesystem of the underlying hosts. A malicious actor would need to have read access to the logs in question to extract session tokens. This can be further investigated with your endpoint security tooling.
    *   Review Multipass authentication logs. As session tokens are already authenticated, you can identify abuse by identifying unusual IP addresses or access patterns for a user. Since session tokens have a short time-to-live, concurrent access may be an indicator of malicious activity.
*   Please coordinate with your forward deployed engineering team or Palantir POC for further information on remediation and response.

**Palantir Foundry - Palantir Cloud or Apollo-Connected Environments**

**Versions:** Foundry Issues \[2.244.0 - 2.249.0\]

**Impact:** Remediated.

**Remediation:**

*   Palantir Apollo has deployed updated versions of platform services to remediate this issue. No customer action is required.

**Timeline**

2022-02-21: Product Development merges a code change that inadvertently logs Foundry Multipass session tokens.

2022-03-15: A Palantir employee discovers the issue, and files a critical incident notification with the Palantir CIRT.

2022-03-15: Palantir CIRT acknowledges the incident and initiates response procedures.

2022-03-15: As a result of the coordinated investigation, affected products and versions are identified. Foundry Issues versions 2.244.0 (released February 21, 2022) to 2.249.0 (released March 15, 2022) are impacted with this bug.

2022-03-15: Product Development issues a patch and releases Foundry Issues version 2.249.1. Products fixes are backported to Foundry Issues 2.249.0, 2.248.0, 2.247.0. Palantir's software delivery mechanisms are updated such that vulnerable Foundry Issues versions can no longer be deployed.

2022-03-16: Customer disclosure of the issue.

2022-03-16: Palantir CIRT performs a manual review and investigation of all Palantir employees who had accessed Foundry Issues event logs in the period of concern.

2022-03-16: Palantir CIRT revokes or expires all active tokens.

2022-03-16: CVE reserved for issue.

2022-03-19: Palantir CIRT completes a manual review of the all access to logging systems containing captured session tokens. No indicators of abuse or malicious activity are observed across our hosted platform.

2022-03-29: Public disclosure as per our commitment to transparency.

**Acknowledgement**

This issue was identified internally at Palantir.

CVE-2022-27888: security-bulletins/PLTRSEC-2022-01.md at main · palantir/security-bulletins

By Waqas
The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve…
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Reported in Google’s VirusTotal

**The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.**

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

**How Could the Vulnerability be Exploited?**

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

> “Instead of ExifTool detecting the metadata of the file, it executes our payload.”
> 
> CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

**More Vulnerability News on Hackread.com**

1.  Hackers mining Monero on Microsoft SQL databases for last 2 years
2.  Hackers are using a 19-year-old WinRAR bug to install nasty malware
3.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5.  Google Drive accounted for 50% of malicious Office document downloads

**Google Released Patch after Eight Months**

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

![](https://secure.gravatar.com/avatar/cf728b76a63b387b11edeafcb1b9b654?s=100&d=wavatar&r=g)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Critical RCE Vulnerability Reported in Google’s VirusTotal

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.

CVE-2021-45841: How to summon RCEs

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

This release addresses the following issues:

1.  This release fixes 2 security issues reported by researcher Hyeong Gwan, Yi

CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. https://www.cvedetails.com/cve/CVE-2022-28367. NOTE: This release only included a PARTIAL fix. It's completely fixed in the 1.6.7 release.

AntiSamy prior to 1.6.6 used the old CyberNeko HTML library v1.9.22, which is subject to https://www.cvedetails.com/cve/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko called HtmlUnit-Neko which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to version 2.60.0 of HtmlUnit-Neko.

2.  Enhancement #147: Add require-closing-tags to default AntiSamy policy file
    
3.  Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages
    

We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.

NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.

NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:

public static boolean getSchemaValidation()  
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) AntiSamy 1.6.5 changed some APIs. Specifically:

These constructors are now @deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)  
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)  
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:

public LinkedList getImportedStylesheetsURIList()

c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:

The constant: Policy.USE\_XHTML = "useXHTML";  
The method: InternalPolicy.isXhtml()  
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java

We plan to remove everything deprecated in the 1.7.0 release.

Tag

#ssh