Red Hat Security Advisory 2024-1997-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1997.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:1997-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1997Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-28834====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.Security Fix(es):* gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28834References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2269228

Red Hat Security Advisory 2024-1997-03

Red Hat Security Advisory 2024-1994-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1994.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: container-tools:rhel8 security updateAdvisory ID:        RHSA-2024:1994-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1994Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2022-32149====================================================================Summary: An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* podman: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-32149References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2134010

Red Hat Security Advisory 2024-1994-03

Red Hat Security Advisory 2024-1992-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1992.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1992-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1992Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1992-03

Red Hat Security Advisory 2024-1989-03 - An update for less is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1989.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: less security updateAdvisory ID:        RHSA-2024:1989-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1989Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2022-48624====================================================================Summary: An update for less is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The \"less\" utility is a text file browser that resembles \"more\", but allows users to move backwards in the file as well as forwards. Since \"less\" does not read the entire input file at startup, it also starts more quickly than ordinary text editors.Security Fix(es):* less: missing quoting of shell metacharacters in LESSCLOSE handling (CVE-2022-48624)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48624References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2265081

Red Hat Security Advisory 2024-1989-03

Red Hat Security Advisory 2024-1982-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1982.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: thunderbird security updateAdvisory ID:        RHSA-2024:1982-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1982Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-3302====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 115.10.0.Security Fix(es):* Mozilla: Denial of Service using HTTP/2 CONTINUATION frames (CVE-2024-3302)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3302References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2273383

Red Hat Security Advisory 2024-1982-03

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

By Waqas
Update Windows Now or Get Hacked: Microsoft Warns of Actively Exploited Vulnerability!
This is a post from HackRead.com Read the original post: Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Hackers exploiting a critical Windows flaw (CVE-2022-38028) in the Print Spooler service. Patch immediately to block APT28 (Forest Blizzard and Fancy Bear) attacks & protect your system!

Microsoft issued a security warning about a critical vulnerability (CVE-2022-38028) in the Windows Print Spooler service that attackers are actively exploiting. This vulnerability allows attackers to escalate privileges on a compromised system, potentially granting them complete control.

The vulnerability resides in how the Print Spooler processes JavaScript code. By manipulating a specific file, attackers can execute malicious code with administrator privileges.

Microsoft attributes these attacks to the APT28 hacking group (also known as Fancy Bear or Forest Blizzard) which is using a custom malware tool called GooseEgg. While the exact timeframe for GooseEgg’s activity is unknown, Microsoft has observed it being operational since at least June 2020.

> Microsoft has identified longstanding activity by the Russian-based threat actor we track as Forest Blizzard using a custom tool we call GooseEgg to exploit CVE-2022-38028 in the Windows Print Spooler service to elevate permissions and steal credentials: https://t.co/YKHvxqJa61
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) April 22, 2024

Targets of these attacks include organizations in North America, Western Europe, and Ukraine across various sectors such as government, non-governmental organizations (NGOs), education, and transportation.

To mitigate this risk, Microsoft strongly recommends that all users install the security patch they released in October 2022. This patch addresses the vulnerability and prevents attackers from exploiting it.

While Microsoft offers temporary mitigation steps for those who cannot patch immediately, patching remains the most effective way to address this vulnerability and protect your system.

Nevertheless, it’s crucial to consistently update your Windows systems with the latest security patches, as this is the most effective defence against vulnerabilities. Additionally, exercise caution when interacting with attachments or links, particularly in emails from unfamiliar sources, as phishing attempts are a prevalent method used by attackers to compromise systems.

It is also important to know that the Cybersecurity and Infrastructure Security Agency (CISA) has also flagged CVE-2022-38028 as a high-risk vulnerability, given its ongoing exploitation.

1.  Microsoft Executives’ Emails Breached by Russia Hackers
2.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Russian Operatives Expose German Military Webex Conversations
4.  Russian Midnight Blizzard Hackers Breached Microsoft Source Code
5.  Russian Hackers Hit Mail Servers in Europe for Political, Military Intel

Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

By Waqas
Popular keyboard apps leak user data! Citizen Lab reports 8 out of 9 Android IMEs expose keystrokes. Change yours & protect passwords!
This is a post from HackRead.com Read the original post: Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

Citizen Lab investigated the security of cloud-based pinyin keyboard apps and found that eight out of nine vendors transmitted user keystrokes in an insecure manner. This means keystrokes could be intercepted by eavesdroppers on the network.

A new report by Citizen Lab has uncovered critical security vulnerabilities in popular keyboard apps, potentially exposing the keystrokes of nearly a billion users to eavesdroppers.

The report, titled “The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers,” investigates cloud-based pinyin input method editors (IMEs) used on a vast majority of Android devices in China.

Researchers analyzed keyboard apps from nine major vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Alarmingly, they found vulnerabilities in eight of these apps that could allow attackers to steal users’ keystrokes as they type.

The report details various weaknesses in how these apps transmit data. Some apps, like Samsung Keyboard, send keystrokes completely unencrypted, making them easy for anyone snooping on the network to intercept. Others rely on flawed encryption methods that can be cracked.

The ease of eavesdropping varies depending on the app. In some cases, a malicious actor on the same Wi-Fi network could steal your data. Even more concerning, some vulnerabilities are exploitable by entirely passive eavesdroppers, who can intercept data without needing any interaction from the user.

The report highlights Huawei as the only vendor whose keyboard app did not exhibit these vulnerabilities. This offers some peace of mind for Huawei users but leaves a significant number of users potentially exposed.

Citizen Lab estimates that the combined market share of Baidu, Sogou (mentioned in a previous report by Citizen Lab), and iFlytek represents over 95% of the third-party IME market in China, translating to roughly one billion users at risk.

This security lapse has serious consequences. Keystrokes can contain sensitive information like passwords, credit card details, and private messages. If intercepted, this data could be used for identity theft, financial fraud, and other malicious activities.

Nevertheless, the report shows the importance of using secure keyboard apps. Users should prioritize apps with a strong reputation for security and that encrypt user data properly. Additionally, it’s recommended to avoid using sensitive information on public Wi-Fi networks.

Researchers urge app developers to address these vulnerabilities immediately by implementing strong encryption methods and secure data transmission protocols.

1.  AI Model Listens to Typing, Compromising Sensitive Data
2.  Keyboard app collecting users data after 31M records leaked online
3.  Intel removes remote Android keyboard app rather than fixing its flaws
4.  Chinese Keyboard Developer Spies on User Through Built-in Keylogger
5.  Android Emoji keyboard app makes millions with unauthorized purchases

Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors.
The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2014-8089

**Zend Framework SQL injection vulnerability**

Critical severity GitHub Reviewed Published Apr 23, 2024 to the GitHub Advisory Database • Updated Apr 23, 2024

**Package**

composer zendframework/zend-db (Composer)

**Affected versions**

\>= 2.0.0, < 2.0.99

\>= 2.1.0, < 2.1.99

\>= 2.2.0, < 2.2.8

\>= 2.3.0, < 2.3.3

**Patched versions**

2.0.99

2.1.99

2.2.8

2.3.3

composer zendframework/zendframework (Composer)

\>= 2.0.0, < 2.0.99

\>= 2.1.0, < 2.1.99

\>= 2.2.0, < 2.2.8

\>= 2.3.0, < 2.3.3

2.0.99

2.1.99

2.2.8

2.3.3

composer zendframework/zendframework1 (Composer)

**Description**

Published to the GitHub Advisory Database

Apr 23, 2024

Last updated

Apr 23, 2024

Tag

#vulnerability