Red Hat Security Advisory 2023-7641-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7641.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 security update  
Advisory ID:        RHSA-2023:7641-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7641  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7641-03

Red Hat Security Advisory 2023-7639-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7639.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 security update  
Advisory ID:        RHSA-2023:7639-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7639  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7639-03

Red Hat Security Advisory 2023-7638-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7638.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 8 security update  
Advisory ID:        RHSA-2023:7638-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7638  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7638-03

Red Hat Security Advisory 2023-7637-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7637.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 7 security update  
Advisory ID:        RHSA-2023:7637-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7637  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7637-03

An argument injection vulnerability has been identified in the 
administrative web interface of the Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3.4.0, and OpenScape "BCF" before versions V10R10.12.00 and V10R11.05.02. This allows an 
unauthenticated attacker to gain root access to the appliance via SSH (scope change) and also bypass authentication for the administrative interface and gain
 access as an arbitrary (administrative) user.

%PDF-1.4 %���� 3 0 obj <> /Annots \[ 9 0 R 10 0 R \] /Contents 4 0 R>> endobj 4 0 obj <> stream �1%���?�þʭ�Ʉ񿽍i�:�J<��)E�~DXV@�/ۻ���};��@�����r�!|�F��+�4S#J�j����\*h�Ɵ2ɝ!��+;W�A���5��V����s=��eH�Bp�>����-}��d���C/SER��,�(��3�e���\*��+������,�� '��I��(�46ܨc(���{/v�z�\\99c���Ԋ��!?�3zp7���k}Y\]hd}�FEף�W96�%�r������ձ�U�P9��B �J�9V-E�gP�"����{�\_HҤ\*��W�V 2u��E��P!~�Z4'D<��2�׺7�;?����5D'�8s2x���>���=�X�W4�Ohў%\\'��j���� ����N��QR�%S��|�LX܃�m( ��7k���V�9�#�K�Ǭ�}� R5��}�\`TW����������"+?��K5�U�3v\*l��\*��p1�0 $#��J�J�j�\_\*��Gdw�g������LfI�����9t��Ѽ�tt\[���Y�\\�?��A��TDdƖk�\\M�E�Y�F�)(�9�\*�����|�n2Q��\`,o�K~7,������܍��ο�'���b3"j�:=���������^�^ƑѺ�(���5O�}�βAL��N����e���ה�G�%,\*{���N��N�}-����P\*��$)���j4D��&�IC(�����H�����h���#���e�^1iZe;%��� 9QE@ .\[���x���=}�c����iH�E\*�4\*HF8.��:��S�e��PE\*���$����\_J�5ޅB�s{��bM��:m0��R4�v}C:e�n\_~\*<�M?<2j�39Ӄ}�\_"S{FJqVE��T�T�9:�t^�/�Fv�%�(Q��f\`�X�KX�����͘\\\_zph$��\_6��eд�LJ3WGr��a����ne'\[Tǔ>��ᔬ�>�y��5 x�UDS���zӉ:�2���ER�C��ᯗ�����M��;F�j�������e��4�L����|�%�$א�4)�����.L�h�L.�\*b�C�Xɋ�i+��d�I=���&j��'$~�2p�1��Jx��ZG�sr���"\\~׾B!%ڼ�����J�^%�AZ��%^��P�wL�N���D��Ҩri�f�4o��Nk4��;�k�����x\_E��\_ȗu/ ��MM��\_-�@N7��=���mR�kM\[O��o2{ɷ�v����گvci�����u��(��ӌ+6�D>\`4b�dҿ�^� U$\`Jl\`W�kIX�Y��g8\[2�f�X�T�0C��e�D��"�:��4��F�<�;���(4��Ӷ�S�FX�P���\]�e��KN��r�k�1"0�8�5IF6��������#Oa|�0�襤#�U�f���;@� D�,"H͆U{?a1�LgWXcGa���|���S�&�&��� �w߲6��8�H��4���\*'�H���|�Bm��\\b��Oo�p�W$��8�,�� \*���m/�~ohr�\*yu����{�H�=��\`���n�:\\�)W��x�̡Uƌ�u��8{���Zu�f��4�n,N/� endstream endobj 5 0 obj <> /Annots \[ 11 0 R \] /Contents 6 0 R>> endobj 6 0 obj <> stream ���\\v,XM���E 2�=�q�uT�Ӡ�g���rp������=v�V?s�-�1�)�F��e�����9�\\y{�%��w�}�����Ul��ڀ�aF8���\]ˬb�\_���a���^��\_=�ê��(�G6ۇ;<�=p�|��Ȉ����i���!j\*3�A\`W�0��� ����G0D!��.!-7\`��4�~��r� G-��>�5�,�;��M0��c�(�P�!�ϲ�gNG�ā�s�"��ʡ�P���>τs�߆+�6S�m�8k̖�W��L6��BV�\_n'y�:���2������\`����\*�u4˝ LRd��W��E��yf���um�%s��P�N���E�:ʺ� 4�Q)��\\j���\_d ����:�����b\_,v���s�Y�\_-�ތ����/&�\[��7���X=o RH콮�6q.��G�����\_��Iy�^���;Wb7!k�k�J�\`��{�ė:P\*�z�(��9��Xv�9�c�\`SI)\_��ҍ+�-\\���a�'?�12l1Ӿ�DF����$�t�k��ј�QN��t~�� �FZ��ܵ�G^��!��&\_ i��"W�B���C\\�M�a ��x@y�����MDo����;�d�ɳs8�@Z\]��fg���% FY���/է\\Њ� x\]��p\*�����dn��7���V �e��nqt��� ͦ+���8js�EA�璅FIA���nc�!F p��$ϭ�CPy�)6(���'0v��'�vܕ�Ңj�ʘ�>�Q����=K���aǃ��)�Ѣxm���ĕ��\*h��%Z�� h�O���\\y��7����� �A�kW��}H���S<�y\_oRJ����l����l%�/���P��(-A��Ȣ�V$H�#�\]iȂK+X���t��z7S��)\\�A߾6�I\]= �?���O����iʶ/��Q�)}�5����o� ��OP��.���J7����Pc���qx۠�\]�<6Jq�=ya�Y�\[���X�6�P�JP�߳�IK6��:t���\`�T��R�\`: 4X\[Njٿ�v�5����� �ɒLBR=\[�J����P���q��i������f�SJ\*1�'���ŀ�\[� = w�B:bE�=���$�"��|��%��\[��=8�%V#k֬Z��J�S������Ģ�� ��w�xC�}Zu�F~��P����z\[�(ae"��QIW��v�ea)wVn� �P�e�H�>/%��n^�޵�R٥H/�K� �j�Z��\]px��(�}����C1F�帨��!@qn6��ɦ����� ��\_J9P\\8�9D�(��?����������bIK't4z�(-�k�+�4z�¤���D%Ӣ<�Y����a����M��KC���}�Ҩ9T�;�j�O�b~\*� �c�Asm�~�h����\[��,�C�lֿ-G�"SY}��!JV�\\3��0gv�X�I$�N���LCݡLz�(goU�M����F�0���KR�z\[���d��O���V@� y̱7Ȋ\`F%���W>�Y�S2��@���a&$#�� w%�d�i�<��b\]Y��zY�,��i�X �W�l����) �-^��-Y���O�h\`��V����Y�=JXSk%���9��B�yB�&�S$�;�ݗ��� 樭E9��;K��9���-���24�,��C�5j��1N�g�Ge��S���t\]RZ6��(� .bn���{yc\[� \*4꟣���

CVE-2023-6269


Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.



**Impact**

High

**Details**

   

Third-Party Component

CVE

CVSS Base Score

CVSS Vector String

OpenSSH

CVE-2023-38408

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

   

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44288

Dell PowerScale OneFS, 8.2.2.x through 9.6.0.x, contains an improper control of a resource through its lifetime vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, leading to denial of service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-44295

Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.

6.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 

   

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44288

Dell PowerScale OneFS, 8.2.2.x through 9.6.0.x, contains an improper control of a resource through its lifetime vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, leading to denial of service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-44295

Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.

6.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

    

CVE(s) Addressed

Product

Affected Version(s)

Remediated Version(s)

Link

CVE-2023-38408

PowerScale OneFS

Version 9.4.0.0 through 9.4.0.15

Version 9.4.0.16 or later, RUP for version 9.5 is expected in January 2024.

PowerScale OneFS Downloads Area

CVE-2023-38408

PowerScale OneFS

Version 9.5.0.0 through 9.5.0.6

RUP for version 9.5 is expected in January 2024

PowerScale OneFS Downloads Area

CVE-2023-44295

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article : 000219929 : "SyncIQ and SmartSync do not preserve file quarantine attributes"

CVE-2023-44288

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article: 000219931 "NDMP does not automatically close the connection from the security scanner."

    

CVE(s) Addressed

Product

Affected Version(s)

Remediated Version(s)

Link

CVE-2023-38408

PowerScale OneFS

Version 9.4.0.0 through 9.4.0.15

Version 9.4.0.16 or later, RUP for version 9.5 is expected in January 2024.

PowerScale OneFS Downloads Area

CVE-2023-38408

PowerScale OneFS

Version 9.5.0.0 through 9.5.0.6

RUP for version 9.5 is expected in January 2024

PowerScale OneFS Downloads Area

CVE-2023-44295

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article : 000219929 : "SyncIQ and SmartSync do not preserve file quarantine attributes"

CVE-2023-44288

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article: 000219931 "NDMP does not automatically close the connection from the security scanner."

Any version prior to PowerScale OneFS version 9.4.0.16 not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.4.0.16.

CVE-2023-38408: Customer on 9.6.0.x should upgrade to upcoming 9.7 release (Expected to release in December 2023). RUP for version 9.5 is expected in January 2024.

**Workarounds and Mitigations**

 

CVE

Workaround/mitigation

CVE-2023-38408

Please refer to the OpenSSH security advisory for a workaround.

Note: The user with ISI\_PRIV\_LOGIN\_SSH or ISI\_PRIV\_LOGIN\_CONSOLE is potentially impacted. 

CVE-2023-44295

Please refer the KB Link for mitigation.

CVE-2023-44288

Please refer the KB Link for mitigation.

**Revision History**

Revision

Date

Description

1.0

2023-12-05

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-44295: DSA-2023-417: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices.
The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach.
"It's highly likely that by targeting MIPS, the P2PInfect developers

Cybersecurity researchers have discovered a new variant of an emerging botnet called **P2PInfect** that's capable of targeting routers and IoT devices.

The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach.

"It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir said in a report shared with The Hacker News.

P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access.

UPCOMING WEBINAR

Learn Insider Threat Detection with Application Response Strategies

Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.

Join Now

A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware.

The new artifacts, besides attempting to conduct SSH brute-force attacks on devices embedded with 32-bit MIPS processors, packs in updated evasion and anti-analysis techniques to fly under the radar.

The brute-force attempts against SSH servers identified during the scanning phase are carried out using common username and password pairs present within the ELF binary itself.

It's suspected that both SSH and Redis servers are propagation vectors for the MIPS variant owing to the fact that it's possible to run a Redis server on MIPS using an OpenWrt package known as redis-server.

One of the notable evasion methods used is a check to determine if it's being analyzed and, if so, terminate itself, as well as an attempt to disable Linux core dumps, which are files automatically generated by the kernel after a process crashes unexpectedly.

The MIPS variant also includes an embedded 64-bit Windows DLL module for Redis that allows for the execution of shell commands on a compromised system.

"Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques," Cado said.

"This, combined with the malware's utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Red Hat Security Advisory 2023-7540-01 - An update for curl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7540.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: curl security and bug fix updateAdvisory ID:        RHSA-2023:7540-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7540Issue date:         2023-11-28Revision:           01CVE Names:          CVE-2023-38546====================================================================Summary: An update for curl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.Security Fix(es):* curl: cookie injection with none file (CVE-2023-38546)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* libssh (curl sftp) not trying password auth (BZ#2240032)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38546References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2240032https://bugzilla.redhat.com/show_bug.cgi?id=2241938

Red Hat Security Advisory 2023-7540-01

Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function.

**广受欢迎的开源堡垒机**

   

9 年时间，倾情投入，用心做好一款开源堡垒机。

JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。

JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：

*   **SSH**: Linux / Unix / 网络设备 等；
*   **Windows**: Web 方式连接 / 原生 RDP 连接；
*   **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
*   **NoSQL**: Redis / MongoDB 等；
*   **GPT**: ChatGPT 等;
*   **云服务**: Kubernetes / VMware vSphere 等;
*   **Web 站点**: 各类系统的 Web 管理后台；
*   **应用**: 通过 Remote App 连接各类应用。

**产品特色**

*   **开源**: 零门槛，线上快速获取和安装；
*   **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
*   **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
*   **多云支持**: 一套系统，同时管理不同云上面的资产；
*   **多租户**: 一套系统，多个子公司或部门同时使用；
*   **云端存储**: 审计录像云端存储，永不丢失；

**UI 展示**

**在线体验**

*   环境地址：https://demo.jumpserver.org/

⚠️ 注意

该环境仅作体验目的使用，我们会定时清理、重置数据！

请勿修改体验环境用户的密码！

请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！

**快速开始**

*   快速入门
*   产品文档
*   在线学习
*   知识库

**案例研究**

*   腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案
*   腾讯海外游戏：基于JumpServer构建游戏安全运营能力
*   万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动
*   雪花啤酒：JumpServer堡垒机使用体会
*   顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维
*   沐瞳游戏：通过JumpServer管控多项目分布式资产
*   携程：JumpServer 堡垒机部署与运营实战
*   大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧
*   小红书：JumpServer 堡垒机大规模资产跨版本迁移之路
*   中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力
*   中通快递：JumpServer主机安全运维实践
*   东方明珠：JumpServer高效管控异构化、分布式云端资产
*   江苏农信：JumpServer堡垒机助力行业云安全运维

**社区交流**

如果您在使用过程中有任何疑问或对建议，欢迎提交 GitHub Issue。

您也可以到我们的 社区论坛 当中进行交流沟通。

**参与贡献**

欢迎提交 PR 参与贡献。 参考 CONTRIBUTING.md

**组件项目**

项目

状态

描述

Lina

JumpServer Web UI 项目

Luna

JumpServer Web Terminal 项目

KoKo

JumpServer 字符协议 Connector 项目

Lion

JumpServer 图形协议 Connector 项目，依赖 Apache Guacamole

Razor

JumpServer RDP 代理 Connector 项目

Tinker

JumpServer 远程应用 Connector 项目

Magnus

JumpServer 数据库代理 Connector 项目

Chen

JumpServer Web DB 项目，替代原来的 OmniDB

Kael

JumpServer 连接 GPT 资产的组件项目

Wisp

JumpServer 各系统终端组件和 Core API 通信的组件项目

Clients

JumpServer 客户端 项目

Installer

JumpServer 安装包 项目

**安全说明**

JumpServer是一款安全产品，请参考 基本安全建议 进行安装部署。如果您发现安全相关问题，请直接联系我们：

*   邮箱：support@fit2cloud.com
*   电话：400-052-0755

**License & Copyright**

Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-3.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CVE-2023-48193: GitHub - jumpserver/jumpserver: JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。

m-privacy TightGate-Pro suffers from code execution, insecure permissions, deletion mitigation, and outdated server vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20231122-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: m-privacy TightGate-Pro  
  vulnerable version: Rolling Release, servers with the following package  
                      versions are vulnerable:  
                      tightgatevnc < 4.1.2~1  
                      rsbac-policy-tgpro < 2.0.159  
                      mprivacy-tools < 2.0.406g  
       fixed version: Servers with the following package versions and higher:  
                      mprivacy-tools_2.0.406g  
                      tightgatevnc_4.1.2~1  
                      rsbac-policy-tgpro_2.0.159  
          CVE number: CVE-2023-47250, CVE-2023-47251  
              impact: high  
            homepage: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/  
               found: 2023-08-18  
                  by: Daniel Hirschberger (Office Bochum)  
                      Steven Kurka (Office Essen)  
                      Marco Schillinger (Office Nürnberg)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser  
System, literally translated 'remote-controlled web browser'. TightGate-Pro  
physically separates the web browser execution environment from the workstation.  
The system thus shields the internal network from the Internet and reliably  
and preventively prevents attacks via the web browser. TightGate-Pro is the  
strongest dedicated ReCoBS, because only physical outsourcing on a hardened  
system permanently withstands attacks. Local virtualisations, sandboxing  
systems or micro-virtualisations do not offer effective protection.  
TightGate-Pro is used in public authorities, financial institutions, industrial  
companies and critical infrastructures – in short, everywhere where “safe  
surfing on the Internet” is indispensable at the workplace and internal  
infrastructures must be reliably protected. TightGate-Pro is BSI-certified  
according to EAL3+."

Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Code Execution  
Execution of single commands and scripts is possible with the privileges of  
the current user. Code execution is possible with any file type on the  
server and no specific permissions need to be set for the utilized file.

Vendor response (translated):  
"It is intended behavior to execute arbitrary bash scripts. It is not possible  
to execute arbitrary programs and libraries. There is no privilege escalation  
possible with this vulnerability."

We can confirm that it was not possible to escalate privileges during our test.

2) Access to all Desktops (CVE-2023-47250)  
Multiple users are connecting to the same TightGate-Pro server, resulting in  
one instance of the X11 window system. Due to insecure permissions of the  
X11 sockets it is possible for any user to open arbitrary windows on the  
desktop of other users for phishing attacks or installing a keylogger  
directly.

Vendor response (translated):  
"We acknowledge this issue as a important vulnerability. A fix with full  
RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently  
available in the "Prestable" packages:  
- mprivacy-tools_2.0.406g  
- tightgatevnc_4.1.2~1  
- rsbac-policy-tgpro_2.0.159  
These can be applied by the admin user "update". The updates will be provided  
automatically as Hotfix around 2023-10-24."

3) File Transfer by Abusing the Print function (CVE-2023-47251)  
TightGate-Pro allows printing PDF documents on the host system. Documents are  
transferred to the host, printed and deleted afterwards. An attacker is able  
to control the path of the transferred file and to prevent the automatic  
deletion of the file.

Vendor response (translated):  
"This is not a severe finding but we already fixed it. The fixes are available  
in the packages:  
- mprivacy-tools_2.0.406g  
- tightgatevnc_4.1.2~1

Now the .spool directly is always scanned for malicious data and the VNC- client  
does not transfer files which contain path symbols (e.g. ../)."

4) Outdated Update Server  
Based on disclosed version numbers the update server is running outdated software  
with known vulnerabilities. The criticality of this issue depends on the  
exploitability of these issues.

Vendor response (translated):  
"The old version of thttpd is already known. This is not seen as security-relevant.  
The access to the updateserver requires a previous registration of a customer-  
provided SSH key, which is only available to administrators on the TightGate-Pro  
instance. thttpd is isolated on the updateserver and can only *read* files.

Even if an attacker can write malicious updatepackages, these are still secured  
by a cryptographic signature and would not be installed on TightGate-Pro instances.  
We will eventually replace thttpd with lighthttpd which is still supported."

Proof of concept:  
-----------------  
1) Code Execution  
Code execution is possible using the context menu of any file in the VNC session  
of TightGate-Pro. Selecting "Öffnen mit" (Open with) in the context menu of any  
file and  selecting the "Benutzerdefinierte Befehlszeile" (custom commandline)  
section of the menu allows to provide a custom shell command to be executed:

[advisory_ce_open_with.png]  
[advisory_ce_custom_command.png]

At this point there are two possible options:  
In case the selected file is a bash script typing `/bin/bash` as custom command  
will execute the script. For this PoC the following script has been used:

```  
#!bin/bash  
echo poc >> /home/user/testuser/Desktop/test/PoC2.txt  
```

In case any other file is selected a complete command can be used as well.  
A possible example is listed below:  
`/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"`

According to vendor, arbitrary code execution is not possible as programs and  
libraries won't be executed.

2) Access to all Desktops (CVE-2023-47250)  
A normal user without special permissions has read and write access to all X11  
sockets stored in the temp folder of the user TightGate-Pro, visible in the  
following screenshot:

[advisory_desktop_access_x11_perms.png]

This allows any user for example to open dialogue boxes on the desktop of the  
currently connected users as shown in the following screenshots. The command  
used is listed below.

`/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do  
DISPLAY=unix:"$i".0 zenity --password --username & done;'`

[advisory_desktop_access_gui_triggered.png]

As it can be seen in the following screenshot any input to the dialogue boxes  
can be read by the attacker.

[advisory_desktop_access_result.png]

3) File Transfer by Abusing the Print function (CVE-2023-47251)  
File transfers can be triggered for PDF files which are stored in the  
`/home/user/.spool/<username>` directory. By setting a relative path as file  
name, the file can be stored in any user directory on the host system.  
In case the file name contains Unicode characters, deletion of the file is  
not executed after transfer and closing of the print prompt. To store a file  
on the user's desktop, the name `..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf`  
can be used. The transfer can then be triggered by sending the  
signal `SIGUSR2` to the `Xtightgatevnc` process:

```  
cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf'  
pkill -u $USER --signal SIGUSR2 Xtightgatevnc  
```

In addition, this file transfer does not check if any malicious files are  
transferred to the host system. The following screenshot shows the warning of  
a malware scanner after an eicar testfile was transferred. It is therefore  
possible to circumvent the malware scanner of TightGate-Pro which only runs  
if the intended way of transfer, namely the TightGate-Schleuse, is used.

[advisory_file_transfer_mal_file.png]

4) Outdated Update Server  
Access to the update server is possible with the ssh key stored at  
`/etc/cu/id_ed25519` and ssh port forwarding. The ssh key is customized  
for each customer. Root access is needed to retrieve the key.  
The command used for the forwarding is listed below:

```  
ssh -N -L 8000:localhost:85 tgpro13@update.m-privacy.de -i id_ed25519 -v  
```

Afterwards access is possible at `http:127.0.0.1:8000`.  
The server headers return the version of the webserver:  
`thttpd/2.25b 29dec2003`

[advisory_outdated_server.png]

This version has in sum four known vulnerabilities (high and medium) listed:  
* CVE-2006-1078  
* CVE-2006-1079  
* CVE-2007-0664  
* CVE-2009-4491

Vulnerable / tested versions:  
-----------------------------  
A TightGate-Pro server with the following package versions was used  
for testing:

* tightgatevnc < 4.1.2~1  
* rsbac-policy-tgpro < 2.0.159  
* mprivacy-tools < 2.0.406g

Vendor contact timeline:  
------------------------  
2023-10-11: Contacting vendor through info@m-privacy.de via GPG  
2023-10-13: CEO of m-privacy phones us and thanks us for the advisory,  
             a developer will send us a written statement next week.  
2023-10-16: Received a written statement of their lead developer;  
             the vulnerabilities #2 (Access to all Desktops) and  
             #3 (File Transfer by Abusing the Print function) are  
             confirmed and a fix is available  
             #1 is seen as a feature not a bug, #4 is claimed to be  
             prevented by hardening measures on the server, also  
             thttpd will be replaced by lighthttpd in the future.  
2023-10-24: We ask for some clarifications regarding software  
             versions and advisory publication date.  
2023-10-29: Vendor provides software version information and asks us  
             to publish the advisory after 2023-11-06.  
2023-11-22: Public release of security advisory.

Solution:  
---------  
Install the "Prestable" packages or wait until they are available as hotfix:  
* mprivacy-tools_2.0.406g  
* tightgatevnc_4.1.2~1  
* rsbac-policy-tgpro_2.0.159

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023

Tag

#ssh