Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.

A threat actor has already infected thousands of Internet exposed Cisco IOS XE devices with an implant for arbitrary code execution via an as-yet-unpatched maximum severity vulnerability in the operating system.

Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE. 

The company said it had observed an attacker using the vulnerability to gain administrator level privileges on IOS XE devices, and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.

Now, those attacks appear to have a global footprint.

**Unpatched Bug Leads to 10K Infected Cisco Systems**

Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.

Jacob Baines, CTO at VulnCheck says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them — and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.

"From what we can tell, it doesn't not appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."

Baines says it's somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits. 

But that's not what has happened with the activity targeted at CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero day — and perhaps a second patch bypass — but they also deployed a custom implant. That isn't opportunistic." 

Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.

**Cisco Pwning Likely From a Single Threat Actor**

The fact that the compromised Cisco IOS XE systems all have the same implant suggests that one threat actor is behind the attacks. "Because the initial auth-bypass vulnerability was — and still is unpatched —finding vulnerable targets is as simple as a Shodan query," Baines adds. Because Cisco has not made details of the vulnerability public yet, it is to ascertain how easy or not CVE-2023-20198 is to exploit, he notes.

Researchers at Detectify too on Oct. 17 reported observing what appears to be Internet-wide exploit activity targeting the Cisco zero-day vulnerability. But they believe the threat actor behind it is opportunistically hitting every affected system they can find. "The attackers seem to be casting a wide net by attempting to exploit systems without a specific target in mind first," one researcher from the firm says. The approach appears to be to "exploit everything first and then determine what is interesting." Detectify's researchers shared Baines' assessment about affected systems being trivially easy to find via search engines like Shodan.

Detectify's team only verified a relatively limited number of systems as being infected while building a test for detecting the implant for customers, the researcher says. But it is conceivable that thousands of systems have the implant, the researcher adds.

**Access Lists Are Effective Mitigation**

Cisco has not yet released a patch for the zero-day threat. But the company has recommended that organizations with affected systems immediately disable the HTTPS Server feature on Internet-facing IOS XE devices. On Oct. 17, Cisco updated its advisory to note that controlling access to the HTTPS Server feature using access lists, works as well.

"We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation," Cisco said. When implementing access controls for these services, organization need to be cognizant of what they are doing because of the potential for interruption of production services, the company cautioned.

Cisco did not respond to a Dark Reading question about the reports about thousands of systems having the implant via the new zero-day bug. But in an emailed statement the company said it is "working non-stop" to provide a software fix. In the meantime, customers should immediately implement the steps outlined in the security advisory, the statement reiterated. 

"Cisco has nothing more to share at this time but will provide an update on the status of our investigation through the security advisory. Please refer to the security advisory and Talos blog for additional details."

Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

The ClearFake campaign uses fake browser updates to lure victims and spread RedLine, Amadey, and Lumma stealers.

A threat actor has been abusing proprietary blockchain technology to hide malicious code in a campaign that uses fake browser updates to spread various malware, including the infostealers RedLine, Amadey, and Lumma.

While abuse of blockchain is typically seen in attacks aimed at stealing cryptocurrency — as the security technology is best known for protecting these transactions — EtherHiding demonstrates how attackers can leverage it for other types of malicious activity.

Researchers from Guardio have been tracking a campaign dubbed ClearFake over the last two months in which users are misled into downloading malicious fake browser updates from at least 30 highjacked WordPress sites.

The campaign uses a technique called "EtherHiding," which "presents a novel twist on serving malicious code" by using Binance Smart Chain (BSC) contracts from Binance — one of the world's largest cryptocurrency sites — to host parts of a malicious code chain "in what is the next level of Bullet-Proof Hosting," according to a recent post by Guardio.

"BSC is owned by Binance and focuses on contracts: coded agreements that execute actions automatically when certain conditions are met," Guardio explained in the post. "These contracts offer innovative ways to build applications and processes. Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown."

Attackers are leveraging this in their attack by hosting and serving malicious code in a manner that can't be blocked, making it difficult to stop the activity. "This campaign is up and harder than ever to detect and take down," according to the post.

Attackers turned to this tack when their initial method of hosing code on abused Cloudflare Worker hosts was taken down, the researchers noted. "They've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," according to the post.

**How the EtherHiding Cyberattack Works**

The attack begins when threat actors use compromised WordPress sites to embed a concealed JavaScript code that is injected into the pages, which retrieves a second-stage payload from an attacker-controlled server. From there, attackers deface websites with "a very believable overlay demanding a browser update before the site can be accessed," according to Guardio.

"Using this method, the attacker can remotely and instantly modify the infection process and display any message they want," according to the post. "It can change tactics, update blocked domains, and switch out detected payloads without re-accessing the WordPress sites."

**Blocking Blockchain Abuse**

While blockchain and other Web 3.0 technologies bring innovation, they are also rife for abuse by threat actors that are continuously adapting to leverage their benefits for nefarious activity.

"Beyond this specific exploit, blockchain can be misused in myriad ways, from malware propagation stages to data exfiltration of stolen credentials and files, all eluding traditional law enforcement shutdown methods," according to Guardio.

One simple way to block the ClearFake attack would be for Binance to disable any query to addresses already tagged as "malicious," or disable the eth\_call debug method for unvalidated contracts, according to the post. The researchers did not disclose if they contacted Binance about this potential fix.

Securing WordPress sites — which are prone to vulnerabilities and thus ripe for exploitation — also would block the gateway for threats like this to have broad victim impact, according to Guardio.

To this end, the researchers recommend protecting sites by keeping WordPress infrastructure and plugins updated, safeguarding credentials, using robust, periodically-changed passwords, and generally keeping a close eye on what's happening on sites to detect malicious activity.

'Etherhiding' Blockchain Technique Masks Malicious Code in WordPress Sites

Updating your browser when prompted is a good practice, just make sure the notification comes from the vendor themselves.

Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates.

They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.

According to a Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

**Malicious Code, Hidden in Honest Websites**

Though they may vary in the particulars, each of the four threat clusters tracked by Proofpoint follow largely the same script.

First, the actors take advantage of a legitimate but vulnerable website, injecting their own malicious JavaScript code.

"It's generally very opportunistic. We have seen it across basically every industry: media, local sports associations — like kids' soccer groups — software companies, in some cases," Blackford says.

It might be an unpatched vulnerability, or a WordPress misconfiguration that provides the opening, "but it doesn't always have to be the website itself. It can be any assets that are imported into the website — any type of styling template, media player, or pretty much any third-party code," he says.

When an end user loads the website, the attackers' script runs alongside the rest of the site's various assets. Its job is to refer traffic to an attacker-controlled domain.

**The Fake Browser Update Lure**

From here, Blackford explains, "the Web inject is going to take some information about your system — you're coming from this geographic location, you're using this browser version. It can determine whether you're in some type of virtual environment or not. And if you pass all of the criteria, then it's going to reach out to that backend server and pull in the fake Update page."

The update lures are designed to look like they're coming from the browser's developers, with a clean look and relevant iconography. The following screenshots, courtesy of the security researcher Jerome Segura, capture fake updates from TA569 and another cluster, "FakeSG," also known as "RogueRaticate" (see below).

If a user falls for the trap and clicks "Update," they download malware to their computer.

If the attacker is TA569, for example, a user will download its signature "SocGholish" initial access malware. In the past, SocGholish has been used as a primer for ransomware, including WastedLocker, LockBit, Drydex, Hive, and more.

**How to Avoid Fake Browser Updates**

Employees and otherwise educated civilians are taught to avoid links and attachments in unrecognized emails or text messages. They might know to avoid a seedy-looking link, but what about a notification coming from their browser?

To suss out a real update from a fake one, Blackford urges users to pay attention to how their trusted websites and browsers typically behave, and whether anything happens that doesn't align with the usual pattern.

"Nine times out of 10, I'll go to my kid's soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens. And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," he says, while admitting that "it's not easy to spot. But that's also why bad guys continue to make money hand over fist."

In the end, users shouldn't be spooked from maintaining their cybersecurity hygiene. "Updating your browser is a good security practice," Blackford maintains, "and I strongly suggest that people do it."

Watch Out: Attackers Are Hiding Malware in 'Browser Updates'

By Deeba Ahmed
KEY FINDINGS Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular…
This is a post from HackRead.com Read the original post: Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users

****_KEY FINDINGS_****

**Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular communication and e-commerce platforms.**

**The targeted platforms include Telegram, Alibaba Cloud, and AWS.**

**Attackers are injecting malicious code into open-source projects and compromising systems.**

**They leveraged Starjacking and Typosquatting techniques to lure developers to the malicious packages.**

**The campaign was active throughout September 2023.**

Cybersecurity firm Checkmarx discovered a new supply chain attack, which they believe was launched by a low-key threat actor it tracks as kohlersbtuh15. This campaign was active in September 2023. 

The recent surge in these malicious attacks prompted the Open Source Security Foundation (OpenSSF) to introduce its latest initiative, the Malicious Packages Repository, just last week.

As per the Checkmarx report authored by Yehuda Gelb, the attacker used the Python programming software repository (Pypi) and launched attacks using Starjacking and Typosquatting techniques.

Further probing revealed that the actor is exploiting vulnerabilities in platforms, such as Telegram, Amazon Web Services (AWS), and Alibaba Cloud Elastic Compute Service (ECS) to target developers and users. They are exploiting Aliyun’s services, and these three platforms are a part of it.

The attacker injects malicious code into the open-source projects these platforms are using to compromise users’ devices and steal sensitive data, financial and personal information, and login credentials. The malicious code is injected into specific software functions, which makes it pretty challenging to detect foul play and address the issue.

The code embedded into these packages doesn’t execute automatically but is strategically hidden inside different functions and triggers when one of these functions is called. Reportedly, kohlersbtuh15 launched a series of malicious packages to the PyPi package manager, targeting the open-source community.

Using typosquatting, the attackers craft a package mirroring the legitimate one, but the fake package has a hidden malicious dependency, which triggers the malicious script running in the background. The victim would not suspect anything as everything happens behind the scenes.

Starjacking refers to linking a package hosted on a package manager to an unrelated package repository on GitHub. Through this technique, unsuspecting developers are tricked into considering it an authentic package. To enhance the scope of this attack, threat actors have combined these two techniques in the same software package.

For instance, the Telethon 2 package is a typosquatted version of the popular Telethon package that also performs starjacking via the official Telethon package’s GitHub repository. This indicates the threat actor has copied the source code exactly as it is from the official package and embedded malicious lines in the telethon/client/messages.py file. The malicious code is executed with the command Send Message only.

The screenshot displays a list of malicious packages and the countries with the highest downloads of these packages, as reported by Checkmarx.

“By targeting popular packages used in platforms such as Telegram, AWS, and Alibaba Cloud, the attacker demonstrated a high level of precision. This was not a random act, but a deliberate effort to compromise specific users who rely on these widely-used platforms, potentially impacting millions of people,” Gelb wrote.

The damage caused by this attack is far greater than compromised devices as all types of data linked with these platforms, like communication details from Telegram or AWS cloud data and business-related data from Alibaba Cloud, could be accessed and exploited. This attack highlights that supply chain attacks continue to be a threat as attackers are eyeing vulnerabilities in third-party services/software to access targeted systems and steal data.

****_RELATED ARTICLES_****

1.  Understanding Software Supply Chain and How to Secure It
2.  Luna Grabber Malware Hits Roblox Devs Through npm Packages
3.  6 official Python repositories plagued with cryptomining malware
4.  CISA warns of trojanized versions of JavaScript library’s NPM package
5.  VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools
6.  Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users

TSplus Remote Work 16.0.0.0 places a cleartext password on the "var pass" line of the HTML source code for the secure single sign-on web portal. NOTE: CVE-2023-31069 is only about the TSplus Remote Access product, not the TSplus Remote Work product.

    # Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://tsplus.net/# Version: Up to 16.0.0.0# Tested on: Windows# CVE : CVE-2023-31069With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.It is possible to create a custom web portal login page which allows a user to login without providing their credentials.However, the credentials are stored in an insecure manner since they are saved in cleartext, within the html login page.This means that everyone with an access to the web login page, can easely retrieve the credentials to access to the application by simply looking at the html code page.This is a code snippet extracted by the source code of the login page (var user and var pass):   // --------------- Access Configuration ---------------   var user = "Admin";                         // Login to use when connecting to the remote server (leave "" to use the login typed in this page)   var pass = "SuperSecretPassword";           // Password to use when connecting to the remote server (leave "" to use the password typed in this page)   var domain = "";                            // Domain to use when connecting to the remote server (leave "" to use the domain typed in this page)   var server = "127.0.0.1";                   // Server to connect to (leave "" to use localhost and/or the server chosen in this page)   var port = "";                              // Port to connect to (leave "" to use localhost and/or the port of the server chosen in this page)   var lang = "as_browser";                    // Language to use   var serverhtml5 = "127.0.0.1";              // Server to connect to, when using HTML5 client   var porthtml5 = "3389";                     // Port to connect to, when using HTML5 client   var cmdline = "";                           // Optional text that will be put in the server's clipboard once connected   // --------------- End of Access Configuration ---------------

CVE-2023-27132: TSPlus 16.0.0.0 Insecure Credential Storage ≈ Packet Storm

TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remote Access product, not the TSplus Remote Work product.

    # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://tsplus.net/# Version: Up to 16.0.0.0# Tested on: Windows# CVE : CVE-2023-31068With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.The solution comes with an embedded web server to allow remote users to easely connect remotely.However, insecure file and folder permissions are set, and this could allow a malicious user to manipulate file content (e.g.: changing the code of html pages or js scripts) or change legitimate files (e.g. Setup-RemoteWork-Client.exe) in order to compromise a system or to gain elevated privileges.This is the list of insecure files and folders with their respective permissions:Permission: Everyone:(OI)(CI)(F)C:\Program Files (x86)\TSplus-RemoteWork\Clients\wwwC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-binC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloadC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloadsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\printsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\softwareC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\varC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteappC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\sharedC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\javaC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwresC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\localesC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\ownC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\desC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\keyC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenuC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\partsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\imgC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\thirdC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cpC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srvC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\imagesC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramusC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototypeC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log-------------------------------------------------------------------------------------------Permission: Everyone:(F)C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txtC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.configC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.configC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exeC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jarC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jarC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.binC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

CVE-2023-27133: TSPlus 16.0.0.0 Insecure Permissions ≈ Packet Storm

Apple Security Advisory 10-10-2023-1 - iOS 16.7.1 and iPadOS 16.7.1 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-10-2023-1 iOS 16.7.1 and iPadOS 16.7.1iOS 16.7.1 and iPadOS 16.7.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213972.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.6.Description: The issue was addressed with improved checks.CVE-2023-42824WebRTCAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A buffer overflow may result in arbitrary code executionDescription: The issue was addressed by updating to libvpx 1.13.1.WebKit Bugzilla: 262365CVE-2023-5217This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.1 and iPadOS 16.7.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUlzKUACgkQX+5d1TXaIvqGIRAAxGp22tn+wyg1wLbAZczutp0owJ1VTWjHpbMulutHJAI6iTTzsR9Bxu40t/rJ4CQXfh8f/5i31h8w1RZeeOxQLuL/S8fTzYMBjWg7M2Tja1vfOPBqxMaJp0WR2pccl2rpdthebFNBVCs+IAeQNZ5Dlsn1Z/9m8qHSthK2Ol+jl3ICOYrXqQt78H3hi1faz/qlLMggtalddzZAa8KvVGbHPdHBvz4fbPDlxGItD0KU+QNz5ovp3XiBoJTiqGNCoNfGU/QRt5Dockhj7UuRz8iTUA+uKiWlRlGR+WrG14hpepLWm5GuR5UGeP6lLer5Ksb30vKTeeSm+1yeEXTJo2pMWcRmX9PpyTSVuAto68fi0hdhXk3PxlPejfeKi5NVUEvVGsKozmgZjAr2XYToxgPSC8SkaAC7OklVY7oZqJFUY8xuL/qjZeNbvgN/QP83FqoVsPTQc95RWiNEHUELAcpww+L4rWqfXboSq53OmQrADeNDurCcdd1AMi1G8/+n5DOiVUllQilMUZGzPrVgA+YvMYgRYtD3q6oTe+N7PnUimKAZTU6dG8Axb5VnxT8HKb0vAPYc6LXM6+N7mANOXsuOGa0NLm+aeiqq2D2USfb28QHcBEXeKCYH6d6VtsbQZ2KnsXqTakcpPisX2YqUbB6BtvWSfcSeSdbE6E1/eNvx8V4==Bccn-----END PGP SIGNATURE-----

Apple Security Advisory 10-10-2023-1

Red Hat Security Advisory 2023-5780-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only erratum is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5780.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Integration Camel Extensions for Quarkus 2.13.3 security update  
Advisory ID:        RHSA-2023:5780-01  
Product:            Red Hat Integration  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5780  
Issue date:         2023-10-17  
Revision:           01  
CVE Names:          CVE-2023-40167  
====================================================================

Summary: 

Red Hat Integration Camel Extensions for Quarkus 2.13.3 release and security update is now available (updates to RHBQ 2.13.8.SP3).

Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

A security update for Camel Extensions for Quarkus 2.13.3 is now available (updates to RHBQ 2.13.8.SP3). The purpose of this text-only erratum is to inform you about the security issues fixed.

Security Fix(es):

* netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-40167

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q4

Red Hat Security Advisory 2023-5780-01

Red Hat Security Advisory 2023-5770-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5770.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nghttp2 security updateAdvisory ID:        RHSA-2023:5770-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5770Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nghttp2 contains the Hypertext Transfer Protocol version 2 (HTTP/2) client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5770-01

Red Hat Security Advisory 2023-5769-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5769.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nghttp2 security updateAdvisory ID:        RHSA-2023:5769-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5769Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nghttp2 contains the Hypertext Transfer Protocol version 2 (HTTP/2) client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#web