Plus: A leaked US “no fly” list, the SCOTUS leaker slips investigators, and PayPal gets stuffed.

“Ordinary people’s private financial records are being siphoned indiscriminately into a massive database, with access given to virtually any cop who wants it,” Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, told the _WSJ_. “This program should never have been launched, and it must be shut down now.”

A security researcher discovered a version of the United States’ controversial “no fly list” on an unsecured server run by CommuteAir, a regional airline based out of Ohio. The list, which contains more than 1.5 million entries, is far larger than previously reported and includes the names of individuals who are barred from flying to the United States.

CommuteAir confirmed the authenticity of the document to the Daily Dot, which was first to report about the leaked list.

According to the Daily Dot, the list contains the names of several notable figures, including the convicted Russian arms dealer Viktor Bout. The Biden administration sent Bout back to Russia in a prisoner exchange for WNBA star Brittney Griner, who returned to the US in December. In the data, which was shared with WIRED on Thursday evening, there were nearly 30 entries for individuals who were born after 2010. 

According to CNN, the US Transportation Security Administration is investigating the incident. 

After an eight-month investigation, the US Supreme Court has failed to discover who leaked the draft decision overturning _Roe v. Wade_, according to a report released by the court on Thursday. The unprecedented leak to _Politico_ last spring came more than a month before the final opinion was released and sparked nationwide protests.

Over the course of the leak investigation, the court interviewed 97 court employees and brought in forensic experts to examine call logs, printer logs, and fingerprints. According to the report, 80 people besides the nine justices had access to the draft opinion. 

“No one confessed to publicly disclosing the document, and none of the available forensic and other evidence provided a basis for identifying any individual as the source of the document,” the report states. “It is not possible to determine the identity of any individual who may have disclosed the document or how the draft opinion ended up with _Politico_.”

The report did not say whether the justices were interviewed.

According to a PayPal notice of security incident, attackers gained unauthorized access to the accounts of thousands of users between December 6 and December 8, 2022, using a credential-stuffing attack. Credential stuffing is when hackers, typically using a bot, attempt to access accounts using lists of leaked password and username pairs.

Over two days, hackers had access to account holders’ full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers. According to PayPal, 34,942 of its users have been impacted by the incident.

The affected users will get a free two-year identity monitoring service from Equifax.

The Biggest US Surveillance Program You Didn’t Know About

** UNSUPPORTED WHEN ASSIGNED ** dtprintinfo in Common Desktop Environment 1.6 has a bug in the parser of lpstat (an invoked external command) during listing of the names of available printers. This allows low-privileged local users to inject arbitrary printer names via the $HOME/.printers file. This injection allows those users to manipulate the control flow and disclose memory contents on Solaris 10 systems. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2023-24040: vulns/HNS-2022-01-dtprintinfo.txt at main · hnsecurity/vulns

CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector.

**PQClean**

_See the build status for each component here_

**PQClean**, in short, is an effort to collect **clean** implementations of the post-quantum schemes that are in the NIST post-quantum project. The goal of PQClean is to provide _standalone implementations_ that

*   can easily be integrated into libraries such as liboqs.
*   can efficiently upstream into higher-level protocol integration efforts such as Open Quantum Safe;
*   can easily be integrated into benchmarking frameworks such as SUPERCOP;
*   can easily be integrated into frameworks targeting embedded platforms such as pqm4;
*   are suitable starting points for architecture-specific optimized implementations;
*   are suitable starting points for evaluation of implementation security; and
*   are suitable targets for formal verification.

What PQClean is **not** aiming for is

*   a build system producing an integrated library of all schemes;
*   including benchmarking of implementations; and
*   including integration into higher-level applications or protocols.

As a first main target, we are collecting C implementations that fulfill the requirements listed below. We also accept optimised implementations, but still requiring high-quality, tested code.

Please also review our guidelines for contributors if you are interested in adding a scheme to PQClean.

**Requirements on C implementations that are automatically checked**

_The checking of items on this list is still being developed. Checked items should be working._

*   Code is valid C99
*   Passes functional tests
*   API functions do not write outside provided buffers
*   api.h cannot include external files
*   Compiles with -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes with gcc and clang
*   #if/#ifdefs only for header encapsulation
*   Consistent test vectors across runs
*   Consistent test vectors on big-endian and little-endian machines
*   Consistent test vectors on 32-bit and 64-bit machines
*   const arguments are labeled as const
*   No errors/warnings reported by valgrind
*   No errors/warnings reported by address sanitizer
*   Only dependencies: fips202.c, sha2.c, aes.c, randombytes.c
*   API functions return 0 on success
*   No dynamic memory allocations (including variable-length arrays)
*   No branching on secret data (dynamically checked using valgrind)
*   No access to secret memory locations (dynamically checked using valgrind)
*   Separate subdirectories (without symlinks) for each parameter set of each scheme
*   Builds under Linux, MacOS, and Windows
    *   Linux
    *   MacOS
    *   Windows
*   Makefile-based build for each separate scheme
*   Makefile-based build for Windows (nmake)
*   All exported symbols are namespaced with PQCLEAN_SCHEMENAME_
*   Each implementation comes with a LICENSE file (see below)
*   Each scheme comes with a META.yml file giving details about version of the algorithm, designers
    *   Each individual implementation is specified in META.yml.

**Requirements on C implementations that are manually checked**

*   Minimalist Makefiles
*   No stringification macros
*   Output-parameter pointers in functions are on the left
*   All exported symbols are namespaced in place
*   Integer types are of fixed size where relevant, using stdint.h types (optional, recommended)
*   Integers used for indexing memory are of size size_t (optional, recommended)
*   Variable declarations at the beginning (except in for (size_t i=...) (optional, recommended)

**Schemes currently in PQClean**

For the following schemes we have implementations of one or more of their parameter sets. For all of these schemes we have clean C code, but for some we also have optimised code.

**Key Encapsulation Mechanisms**

**Finalists:**

*   Kyber

**Alternate candidates:**

*   HQC
*   Classic McEliece

**Signature schemes**

**To-be standards:**

*   Dilithium
*   Falcon
*   SPHINCS+

**Alternate candidates:**

*   No participants yet.

Implementations previously available in PQClean and dropped in Round 3 of the NIST standardization effort are available in the round2 tag.

Implementations previously available in PQClean and dropped in Round 4 of the NIST standardization effort are available in the round3 tag.

**API used by PQClean**

PQClean is essentially using the same API as required for the NIST reference implementations, which is also used by SUPERCOP and by libpqcrypto. The only differences to that API are the following:

*   All functions are namespaced;
*   All lengths are passed as type size_t instead of unsigned long long; and
*   Signatures offer two additional functions that follow the "traditional" approach used in most software stacks of computing and verifying signatures instead of producing and recovering signed messages. Specifically, those functions have the following name and signature:

int PQCLEAN\_SCHEME\_IMPL\_crypto\_sign\_signature(
    uint8\_t \*sig, size\_t \*siglen,
    const uint8\_t \*m, size\_t mlen,
    const uint8\_t \*sk);
int PQCLEAN\_SCHEME\_IMPL\_crypto\_sign\_verify(
    const uint8\_t \*sig, size\_t siglen,
    const uint8\_t \*m, size\_t mlen,
    const uint8\_t \*pk);

**Building PQClean**

As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries.

List of required dependencies: gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0).

**Using source code from PQClean in your own project**

Each implementation directory in PQClean (e.g., crypto\_kem/kyber768\\clean) can be extracted for use in your own project. You will need to:

1.  Copy the source code from the implementation's directory into your project.
2.  Add the files to your project's build system.
3.  Provide instantiations of any of the common cryptographic algorithms used by the implementation. This likely includes common/randombytes.h (a cryptographic random number generator), and possibly common/sha2.h (the SHA-2 hash function family), common/aes.h (AES implementations), common/fips202.h (the SHA-3 hash function family) and common/sp800-185.h (the cSHAKE family).

Regarding #2, adding the files to your project's build system, each implementation in PQClean is accompanied by example two makefiles that show how one could build the files for that implementation:

*   The file Makefile which can be used with GNU Make, BSD Make, and possibly others.
*   The file Makefile.Microsoft_nmake which can be used with Visual Studio's nmake.

**Projects integrating PQClean-distributed source code**

The following projects consume implementations from PQClean and provide their own wrappers around the implementations. Their integration strategies may serve as examples for your own projects.

*   **pqcrypto crate**: Rust integration that automatically generates wrappers from PQClean source code.
*   **mupq**: Runs the implementations from PQClean as reference implementations to compare with microcontroller-optimized code.
*   **Open Quantum Safe**: The Open Quantum Safe project integrates implementations from PQClean into their liboqs C library, which then exposes them via C++, C# / .NET, and Python wrappers, as well as to forks of OpenSSL and OpenSSH.

**License**

Each subdirectory containing implementations contains a LICENSE file stating under what license that specific implementation is released. The files in common contain licensing information at the top of the file (and are currently either public domain or MIT). All other code in this repository is released under the conditions of CC0.

**Running tests locally**

See https://github.com/PQClean/PQClean/wiki/Test-framework for details about the PQClean test framework.

While we run extensive automatic testing on Github Actions ((emulated) Linux builds, MacOS and Windows builds) and Travis CI (Aarch64 builds), and most tests can also be run locally. To do this, make sure the following is installed:

*   Python 3.6+
*   pytest for python 3.

We also recommend installing pytest-xdist to allow running tests in parallel.

You will also need to make sure the submodules are initialized by running:

    git submodule update --init
    

Run the Python-based tests by going into the test directory and running pytest -v or (recommended) pytest -n=auto for parallel testing.

You may also run python3 <testmodule> where <testmodule> is any of the files starting with test_ in the test/ folder.

CVE-2023-24025: GitHub - PQClean/PQClean at d03da3053491e767ef842deaef43fc5bdb6bc911

By Deeba Ahmed
The database injection against WordPress websites features two different malware embedded together to achieve two entirely different goals.
This is a post from HackRead.com Read the original post: Database Malware Strikes Hundreds of Vulnerable WordPress Sites

The first injection redirected users to a spammy sports website, whereas the second one boosted the authority of a spammy casino website in search engines.

Cybersecurity researchers at Sucuri have shared their research on how **WordPress vulnerabilities** can jeopardize the system’s security and that usually already discovered flaws are used to compromise WordPress sites with multiple infections.

Researchers noted that outdated websites are highly likely to be exploited by multiple attackers, or the same hacker can target them using multiple channels. The latter scenario was recently identified by Sucuri’s researchers, who detected a database injection featuring two different malware embedded together to achieve two entirely different goals. Both the malware could be found scattered over a WordPress database.

The first injection redirected users to a spammy sports website, whereas the second one boosted the authority of a spammy casino website in search engines. As per Sucuri, nearly 270 websites were impacted by the first injection, and the second impacted 82 websites.

One of the compromised WordPress websites (Image credit: Sucuri)

The first injection’s domain performs the redirecting process. The browser is instructed to wait for 60 seconds, after which a redirect is made to the domain “hxxp://redirect4xyz.” The user is redirected again, and they arrive on this spam domain: hxxp://pontiarmadacom when the first redirecting process is complete. This spammed site has iframes that disseminate malware to clueless users.

The second injection’s domain, “hxxp://nomortogelkuxyz,” is a gambling casino site that uses a common methodology to boost its authority in search engines. This attacker used a black hat SEO tactic and placed an invisible link throughout the compromised sites to improve its domain authority and appear genuine.

It is worth noting that, according to Sucuri’s **blog post**, both injections use the ‘.xyz’ domain extension, which attackers commonly use in such campaigns. These domains are available at cheaper rates for the first year, which explains why it is used extensively.

However, the presence of two different infections on the same website shows how attackers can disseminate various malware on the same site and how different bad actors can exploit a single flaw to infect the site.

Threat actors can easily monetize the same outdated sites with different malware to get full access. The problem lies in **vulnerable WordPress plugins/themes**, which allow multiple threat actors to exploit and distribute malware.

To mitigate the threat, keep your WordPress site plugin themes and software up-to-date by enabling auto-updates so that vulnerabilities are patched on time. Moreover, a web application firewall can block attacks caused due to vulnerabilities and add another layer of protection for a vulnerable site.

Additionally, the admin user count should be low, and securer passwords should be created for all accounts. Lastly, it is essential to **enable two-factor authentication (2FA)** to secure the WordPress admin accounts from unauthorized access.

1.  Step-by-Step Security Guide for WordPress
2.  WordPress Plugin NextGEN Gallery Vulnerable
3.  Hackers deface thousands of WordPress websites
4.  Hacked WordPress & Joomla sites dropping malware
5.  5 WordPress Security Solutions with Free SSL Certificates
6.  3 vulnerable WordPress plugins affecting 21,000 websites

Database Malware Strikes Hundreds of Vulnerable WordPress Sites

The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-3

CVSSv3 Base / Temporal Score

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

Quick Event Manager WordPress Plugin

Login with Phone Number WordPress Plugin

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-23492: Cross-Site Scripting vulnerabilities in Multiple WordPress Plugins

The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-2

CVSSv3 Base / Temporal Score

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Paid Memberships Pro WordPress Plugin

Easy Digital Downloads WordPress Plugin

Survey Maker WordPress Plugin

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-23490: SQL Injection in Multiple WordPress Plugins

A privilege escalation vulnerability was identified in Nessus versions 8.10.1 through 8.15.8 and 10.0.0 through 10.4.1. An authenticated attacker could potentially execute a specially crafted file to obtain root or NT AUTHORITY / SYSTEM privileges on the Nessus host.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2023-02

Credit

Ammarit Thongthua

Sarun Pornjarungsak

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-0101: [R1] Nessus Version 8.15.8 Fixes One Vulnerability

Multiple vulnerabilities have been discovered across Common Desktop Environment version 1.6, Motif version 2.1, and X.Org libXpm versions prior to 3.5.15 on Oracle Solaris 10 that can be chained together to achieve root.

Solaris 10 dtprintinfo / libXm / libXpm Security Issues

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in cs.exe.

SEC Consult Vulnerability Lab Security Advisory < 20230117-0 >  
=======================================================================  
               title: Pre-authenticated Remote Code Execution in cs.exe  
             product: OpenText™ Content Server component of OpenText™ Extended ECM  
  vulnerable version: 20.4 - 22.3  
       fixed version: 22.4  
          CVE number: CVE-2022-45923  
              impact: Critical  
            homepage: https://www.opentext.com/  
               found: 2022-09-16  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the  
information lifecycle by integrating with leading enterprise applications, such  
as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content  
and processes together, Extended ECM provides access to information when and  
where it’s needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The `Common Gateway Interface (CGI)` program `cs.exe` of the `Content Server`  
has a vulnerability, which allows an attacker to increase/decrease an arbitrary  
memory address by 1 and to trigger a call to a method of a `vftable` with a  
`vftable pointer` value chosen by the attacker.

The `cs.exe` does de-serialize (crack) the user provided data in the `_fInArgs`  
parameter, if the parameter `_ApiName` is set. During this de-serialization to  
a `class KOSValue` object, the function `obj_ref_cracker` can be called. This  
function tries to create a new `class KOSValue` object with an unknown class ID  
of `3`.

As the class ID is unknown the function returns an object of type  
`KOSValueBaseClass` instead of `KOSObjRefClass`, but the value of the  
`class_ptr` attribute of the new `class KOSValue` object is controlled by the  
attacker. This new object can then be used to increase/decrease arbitrary  
memory addresses and call methods of its `vftable` via the functions  
`KOSValueBaseClass::AddReference` and `KOSValueBaseClass::ReleaseReference`.

Proof of concept:  
-----------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The following request crashes the `CGI` binary `cs.exe` with an `access  
violation exception - 0xC0000005` trying to read memory from address  
`0xAAAA+8`:

-------------------------------------------------------------------------------  
[ PoC removed, will be published at a later date ]  
-------------------------------------------------------------------------------

There are `.dll` files (`libaprutil-1` & `libapriconv-1.dll`) which are not  
compiled with the security flag `Address Space Layout Randomization - ASLR`  
enabled, which can be used to achieve remote code execution.

-------------------------------------------------------------------------------  
.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json  
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"  
"icuin69.dll","Present"  
"icuio69.dll","Present"  
"icutu69.dll","Present"  
"icuuc69.dll","Present"  
"jsoncpp.dll","Present"  
"libapr-1.dll","Present"  
"libapriconv-1.dll","NotPresent"  
"libaprutil-1.dll","NotPresent"  
"libcrypto-1_1-x64.dll","Present"  
"libexpat.dll","Present"  
"libssl-1_1-x64.dll","Present"  
"llcrypt.dll","Present"  
"llisapi.dll","Present"  
"llkernel.dll","Present"  
"llresources.dll","Present"  
"log4cxx.dll","Present"  
"PocoFoundation.dll","Present"  
-------------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:  
* 20.4 - 22.3

Vendor contact timeline:  
------------------------  
2022-10-07: Vendor contacted via security@opentext.com  
2022-10-07: Vendor acknowledged the email and is reviewing the reports  
2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to  
             be released in November  
2022-11-24: Vendor delays the patch "few days/weeks into December"  
2022-11-25: Requesting CVE numbers (Mitre)  
2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023  
2023-01-17: Public release of security advisory

Solution:  
---------  
Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at  
the vendor's page:  
https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2023

OpenText Extended ECM 22.3 cs.exe Remote Code Execution

wolfSSL versions prior to 5.5.2 suffer from a heap buffer over-read with WOLFSSL_CALLBACKS and can be triggered with a single Client Hello message.

    # wolfSSL before 5.5.2: Heap-buffer over-read with WOLFSSL_CALLBACKS====================================================================## INFO=======The CVE project has assigned the id CVE-2022-42905 to this issue.Severity: 9.1 CRITICALAffected version: before 5.5.2End of embargo: Ended October 28, 2022Blog Post: https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/## SUMMARY==========If wolfSSL callback functions are enabled (i.e., the flag `WOLFSSL_CALLBACKS` isenabled), then a malicious client or network attacker can send a Client Hellomessage to a server that when parsed by the server will trigger a bufferover-read on the heap of at least 5 bytes. Similarly, a malicious server or anetwork attacker can send a Hello Retry Request message to a client that whenparsed by the client will trigger a buffer over-read on the heap of at least 15bytes.The `AddPacketInfo` is given a buffer that should be the input buffer and thatactually is shifted by 5 bytes on the left, i.e., instead of reading`input[0]..input[length]`, the function will read `input[-5]..input[length]` andstore it in a buffer that is exposed through the wolfSSL API. Note that `input`is stored on the heap and `input[-5]` to `input[-1]` might store sensitive datathat should not be given to `AddPacketInfo`, for example when callback functionsare used as logging facility (through the API functions `wolfSSL_accept_ex` and`wolfSSL_connect_ex`).This buffer over-read can be triggered at a server with a single Client Hellomessage. We have confirmed this with a proof-of-concept test case given below onwolfSSL 5.5.0, on the version from the master branch, and on version 5.4.0. Asimilar buffer over-read can be triggered at a client with the same wolfSSLversions.## DETAILS==========(Note: All code snippets and line numbers are with respect to the git hash`#43715d1bb5b8c5b8b18cba4be3171fd1dd7eb046` on remote`git@github.com:wolfssl/wolfssl.git`.)When executing the first proof of concept test case given below, we reach a callto `DoTls13HandShakeMsgType` from `tls13.c:DoTls13HandShakeMsg:10443` when theserver parses the Client Hello message, with the following values:```csize = 16520;totalSz = 16524;*inOutIdx = 4;type = 1;input; // buffer containing the input to be processed, before input,there seems to be another input stored````*inOutIdx=4` because of the call to `GetHandshakeHeader` at line`tls13.c:10411`.We enter the function `tls13.c:DoTls13HandShakeMsgType` and because`WOLFSSL_CALLBACKS` flag is defined, we enter this snippet:```c#if defined(WOLFSSL_CALLBACKS)/* add name later, add on record and handshake header part back on */if (ssl->toInfoOn) {int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add,size + add, READ_PROTO, ssl->heap);AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);}#endif````tls13.c:DoTls13HandShakeMsgType:10094`We have that `RECORD_HEADER_SZ = 5` and `HANDSHAKE_HEADER_SZ = 4` so `add = 9`while `*inOutIdx` is still set to `4`. Therefore, the pointer indicating thebeginning of the alleged input that is given to the `AddPacketInfo` function(argument `data`) is `data = input + *inOutIdx - add = input - 5`. This bufferstarts 5 bytes before the actual input buffer. The argument `sz = size + add` isthe total length of the input, which is too long here `16529` instead of `16524`bytes.It seems the snippet above makes a wrong assumption about the past increases of`*inOutIdx`, which has not been increased by `RECORD_HEADER_SZ` as no recordheader has been parsed yet.Next, in `internal.c:AddPacketInfo:25153`, see the snippet:```c/* add data, put in buffer if bigger than static buffer */info->packets[info->numberPackets].valueSz = sz;if (sz < MAX_VALUE_SZ)XMEMCPY(info->packets[info->numberPackets].value, data, sz);else {info->packets[info->numberPackets].bufferValue = (byte*)XMALLOC(sz,heap, DYNAMIC_TYPE_INFO);if (!info->packets[info->numberPackets].bufferValue)/* let next alloc catch, just don't fill, not fatal here */info->packets[info->numberPackets].valueSz = 0;elseXMEMCPY(info->packets[info->numberPackets].bufferValue, data, sz);}````internal.c:AddPacketInfo:25169`and recall that `sz = 16529`, `data = input - 5`. The last line will write`input[-5]..input[16524]` into `info->packets[0]`. Recall that`info->packets[0]` equals `ssl->timeoutInfo->packets[0]`.It turns out `ssl->timeoutInfo` and in particular the content of`ssl->timeoutInfo->packets[0]` is exposed to the wolfSSL user through thefunctions `wolfSSL_connect_ex` and `wolfSSL_accept_ex` whose declarations are asfollows (where `typedef int (*TimeoutCallBack)(TimeoutInfo*);` from `ssl.h`);see also the[wolfSSL documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter06.html).Therefore, in addition to the over-read per se, this might be exploited toexfiltrate sensitive data, depending on the use case.## POTENTIAL EXPLOITATION=========================We found no systematic exploit using this bug but it could be exploited in somespecific use cases. We note that this problem only occurs when`WOLFSSL_CALLBACKS` is enabled, but we found no documentation forbidding the useof this flag in production.For instance, a wolfSSL server could be configured to use the API function`wolfSSL_connect_ex` with an argument `srvTimeoutCB`. This argument could be afunction that logs on disk the content of `timeoutInfo->packets` when theincoming message has a packet name (packetName) "ClientHello". The rationalebeing that logging Client Hello messages should not expose sensitive and secretinformation on disk (assuming logs are not well-protected). Because of this bug,the log will contain extra data from the heap that do not correspond to thereceived Client Hello message and that could be sensitive data.Here is a threat model for which this could be a problem:- attacker has partial access to the architecture, for example log files (logfiles could be stored at rest and because considered less sensitive, they areless secured),- wolfSSL server is set up to use callback functions to log some allegedlynon-sensitive information, for example it logs the received packets (let ussay client hello for now) that were rejected by the server for futureinspection. But it does not log full handshake.Then the attacker can trigger at will the bug to write in the log some bytes ofthe heap, it could theoretically fine-tune the timing to exfiltrate data ofinterest.## POTENTIAL REMEDIATION========================First, the use of `WOLFSSL_CALLBACKS` could be vehemently discouraged inproduction. Second, the flawed logic of `tls13.c:DoTls13HandShakeMsgType`exposed above should be fixed. The addition of `RECORD_HEADER_SZ` to `add`should be conditionded by whether a record layer header was processed or not.In `internal.c:AddPacketInfo` and for a similar input message without a recordheader, the lines below call `ssl->protoMsgCb` on a (right) shifted inputbuffer:```cssl->protoMsgCb(written, version, type,(const void *)(data + RECORD_HEADER_SZ),(size_t)(sz - RECORD_HEADER_SZ),ssl, ssl->protoMsgCtx);```This does not trigger a buffer overflow but yields inconsistent log messages.

Tag

#ssl