Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

Expand Up @@ -212,7 +212,7 @@ public function common\_headers($privacy = true) }  
/\*\* \* Send headers related to file downloads \* Send headers related to file downloads. \* \* @param string $filename File name \* @param array $params Optional parameters: Expand All @@ -225,34 +225,54 @@ public function common\_headers($privacy = true) \*/ public function download\_headers($filename, $params = \[\]) { // For security reasons we validate type, filename and charset params. // Some HTTP servers might drop a header that is malformed or very long, this then // can lead to web browsers unintentionally executing javascript code in the body.  
if (empty($params\['disposition'\])) { $params\['disposition'\] = 'attachment'; }  
if ($params\['disposition'\] == 'inline' && stripos($params\['type'\], 'text') === 0) { $params\['type'\] .= '; charset=' . ($params\['type\_charset'\] ?: $this\->charset); $ctype = 'application/octet-stream'; $disposition = $params\['disposition'\];  
if (!empty($params\['type'\]) && is\_string($params\['type'\]) && strlen($params\['type'\]) < 256 && preg\_match('/^\[a-z0-9!#$&.+^\_-\]+\\/\[a-z0-9!#$&.+^\_-\]+$/i', $params\['type'\]) ) { $ctype = $params\['type'\]; }  
header("Content-Type: " . (!empty($params\['type'\]) ? $params\['type'\] : "application/octet-stream")); if ($disposition == 'inline' && stripos($ctype, 'text') === 0) { $charset = $this\->charset; if (!empty($params\['type\_charset'\]) && rcube\_charset::is\_valid($params\['type\_charset'\])) { $charset = $params\['type\_charset'\]; }  
if ($params\['disposition'\] == 'attachment' && $this\->browser\->ie) { header("Content-Type: application/force-download"); $ctype .= "; charset={$charset}"; }  
$disposition = "Content-Disposition: " . $params\['disposition'\]; if (is\_string($filename) && strlen($filename) > 0 && strlen($filename) <= 1024) { // For non-ascii characters we'll use RFC2231 syntax if (!preg\_match('/\[^a-zA-Z0-9\_.:,?;@+ -\]/', $filename)) { $disposition .= "; filename=\\"{$filename}\\""; } else { $filename = rawurlencode($filename); $charset = $this\->charset; if (!empty($params\['charset'\]) && rcube\_charset::is\_valid($params\['charset'\])) { $charset = $params\['charset'\]; }  
// For non-ascii characters we'll use RFC2231 syntax if (!preg\_match('/\[^a-zA-Z0-9\_.:,?;@+ -\]/', $filename)) { $disposition .= sprintf("; filename=\\"%s\\"", $filename); } else { $disposition .= sprintf("; filename\*=%s''%s", !empty($params\['charset'\]) ? $params\['charset'\] : $this\->charset, rawurlencode($filename) ); $disposition .= "; filename\*={$charset}''{$filename}"; } }  
header($disposition); header("Content-Disposition: {$disposition}"); header("Content-Type: {$ctype}");  
if ($params\['disposition'\] == 'attachment' && $this\->browser\->ie) { header("Content-Type: application/force-download"); }  
if (isset($params\['length'\])) { header("Content-Length: " . $params\['length'\]); Expand Down

CVE-2023-47272: Fix cross-site scripting (XSS) vulnerability in setting Content-Type/… · roundcube/roundcubemail@5ec4968

PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-47271: Sanitize cover image filename in native import · Issue #9464 · pkp/pkp-lib

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239138

On October 3, I joined the Positive Technologies team. There I will work on developing Vulnerability Management practices. I have already worked at PT for 6 years, from June 2009 to October 2015. And now, exactly 8 years later, I’m here again. I feel very pleasant emotions about this and have many plans. 🤩 I am sure that in the PT team I will be able to implement many cool things for the development of Vulnerability Management in Russia and abroad. 🙂

**Vulristics**

As for my open source Vulristics vulnerability prioritization project, I’ve made a few important updates.

**NVD Data Source**

I corrected the NVD data source, because NVD has become much less tolerant in the use of its API. After 5 consecutive requests, the API returns an error:

    
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

Request forbidden by administrative rules.

According to the documentation:

> “The public rate limit (without an API key) is 5 requests in a rolling 30 second window; the rate limit with an API key is 50 requests in a rolling 30 second window”.

For Vulristics, I made support for authentication using the NVD API key and sleeps of 0.6 seconds when using the key and 6 seconds without using the key.

To obtain an NVD API key, you need to specify your organization, organization type, and email in the form. After a few seconds, you will receive a one-time link via email, which will give you the key.

I also started using the NVD API v2.0 in Vulristics, which allowed me to get CISA KEV data on vulnerabilities being exploited in the wild. I also take links to exploits from NVD (however, be careful, these links are not always good enough).

**Custom Data Source**

I added a custom data source to Vulristics. This is a small but quite useful improvement. Sometimes you know for sure that there is an exploit for a vulnerability or a sign of exploitation in the wild. But the sources that Vulristics supports do not contain this data. 🤷‍♂️ How to take into account such facts in a Vulristics report?

Vulristics now has a custom data source. It does not make any requests to external sources. It simply reads JSON files from the data/custom\_cve directory. You can add your JSON file for some CVE to this directory. And you can set the parameters in this file that you want to define for this CVE. You don’t have to set all the parameters. You can only set the ones you want. For example, only links to exploits.

Of course, you don’t have to do this manually. You can generate such files using a script based on the data you have. 😉

File example:

    {
      "description": "Remote Code Execution in Chromium",
      "cvss_base_score": 9.2,
      "wild_exploited": true,
      "wild_exploited_sources": [
        {"type": "ransomware_info_source", "text": "RansomwareINFO", "url": "https://www.some-site-about-ransomware-attacks.com/12345"}
      ],
      "public_exploit": true,
      "public_exploit_sources": [
        {"type": "exploit_info_source", "text": "ExploitINFO", "url": "https://www.some-site-about-exploits.com/12345"}
      ],
      "epss": 0.97434,
      "epss_percentile": 0.99924
    }

**Linux Patch Wednesday**

I launched my new project – Linux Patch Wednesday! 🚀🥳 For Microsoft products we have a single day of increased attention – Microsoft Patch Tuesday, and for Linux there is no such day. Everything is too fragmented there and patches are released literally every day. But what’s stopping us from independently generating a list of CVEs fixed during the month and highlighting critical issues? Let’s try!

If Microsoft Patch Tuesday occurs every second Tuesday of the month, then Linux Patch Wednesday will occur **every third Wednesday** of the month!

I analyzed the public OVAL content of 5 Linux distribution vendors and uploaded the resulting monthly Linux Patch Wednesday bullruetins to Github. From March 2007 to November 2023. I invite you to check it out and, if you like it, give it a star. 🙂⭐️

I analyzed first October Linux Patch Wednesday bulletin using Vulristics! 🥳

I’m pleased with the result. The top looks adequate and corresponds to what I highlighted in my Russian-language telegram channel avleonovrus and blog avleonov.ru.

1.  **Memory Corruption** – Chromium (CVE-2023-5217). This is a vulnerability in the libvpx library, which was the most critical in the October Microsoft Patch Tuesday. There is a PoC on Github and signs of exploitation in the wild.
2.  **Elevation of Privilege** **/ Remote Code Execution** – GNU C Library (CVE-2023-4911). This is Qualys Looney Tunables. There has been a PoC for this vulnerability for a long time, but there are no signs of exploitation in the wild yet.
3.  **Denial of Service** – Golang Go (CVE-2023-29409). There is a PoC. Vulristics detected the software as TLS, since there is no hint of Go in the description of the CVE vulnerability. 🤷‍♂️
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Will also be in MSPT.  
    …
5.  **Memory Corruption** – Curl (CVE-2023-38545). Not a very critical vulnerability, but PoCs have appeared for it on Github.

The rest of the vulnerabilities are without exploits or signs of exploitation in the wild.

Full Vulristics report: linux\_patch\_wednesday\_october2023

**Microsoft Patch Tuesday October 2023**

I also released the Vulristics report on October’s Microsoft Patch Tuesday.

What is in the TOP:

1.  **Memory Corruption** – Microsoft Edge (CVE-2023-5217). This is a vulnerability in the libvpx library, which is used to play video in VP8 format. As in the recent libwebp case, this vulnerability affects many software products, but primarily web browsers. There is no public exploit yet, but there are signs of exploitation in the wild.
2.  **Elevation of Privilege** – Skype for Business (CVE-2023-41763). In fact, this is an information disclosure vulnerability. An unauthenticated attacker may send a special request to a vulnerable Skype for Business server and this will lead to the disclosure of confidential information. Such information may be used to gain access to internal networks. 🤷‍♂️ There are signs of exploitation in the wild and there are no public exploits yet. Several RCEs have also been released for Skype for Business.
3.  **Information Disclosure** – Microsoft WordPad (CVE-2023-36563). Exploiting this vulnerability could allow the disclosure of NTLM hashes. An attacker must send the user a malicious file and convince him to open it. Or, if an attacker has access to the host, he himself can run a special program on the host with the same result. This looks dangerous. There are signs of exploitation in the wild and there are no public exploits yet.
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Microsoft has released fixes for IIS (HTTP.sys), .NET (Kestrel) and Windows against the new effective DDoS attack “HTTP/2 Rapid Reset”. The problem is universal. Amazon, Cloudflare and Google recently reported that they were attacked via “HTTP/2 Rapid Reset”. So there are signs of exploitation in the wild.

There were no more vulnerabilities in Patch Tuesday that showed signs of exploitation in the wild or had a publicly exploit. You can also pay attention to:

🔻 20 Microsoft Message Queuing vulnerabilities, including some **RCEs**.  
🔻 **Remote Code Execution** – Microsoft Exchange (CVE-2023-36778). “Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session”. It doesn’t seem particularly critical, however “Exploitation More Likely.”  
🔻 **Elevation of Privilege** – Windows IIS Server (CVE-2023-36434). This is achieved through simplified password brute-force attack. 🤷‍♂️  
🔻 A pack of **Elevation of Privilege** vulnerabilities in Windows Win32k and Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Full Vulristics report: ms\_patch\_tuesday\_october2023\_report

**Other Vulnerabilities**

And finally, let’s note other important vulnerabilities, which I also wrote about in October in Russian

1\. **Authentication Bypass / Privilege Escalation** – Cisco IOS XE (CVE-2023-20198)

2\. **Authentication** **Bypass** – Confluence (CVE-2023-22515)

3\. VMware vulnerabilities: **Remote code execution** – vCenter Server (CVE-2023-34048) and **Authentication Bypass** – Aria Operations for Logs (CVE-2023-34051).

4\. “Citrix Bleed“: **Information Disclosure** – NetScaler ADC/Citrix ADC and NetScaler Gateway (CVE-2023-4966)

5\. JetBrains: **Remote code execution** – TeamCity (CVE-2023-42793).

6\. Full disclosure for unfixed Squid vulnerabilities.

**VM Vendors news**

From VM vendor news, I would like to highlight the following.

Miercom released a report “Vulnerability Management Competitive Assessment“. They did the research at the request of Tenable, so there couldn’t be much intrigue about who among Tenable, Qualys and Rapid7 would win. 😏 Unlike similar marketing comparisons, Miercom decided not to ask customers of the vendors or compare on high-level features. They compared based on basic functionality, namely the completeness of the detection databases. It’s nice to know that I myself was involved in comparing CVE knowledge bases and identifying blind spots before it became mainstream. 😅

The guys from the Vulners team presented a new version of the automatic metric for assessing the criticality of vulnerabilities – AI Score v2. As the name implies, data processing there is carried out using machine learning, and specifically using the CatBoost library. Relationships between objects (there are more than 3 million objects in Vulners), CVSS Base Score values of ancestor objects, object type, text description of the object, etc. are analyzed. Give it a try, this feature is available for free to all Vulners users.

**PhysTech Lecture**

At the end of the month, I gave a lecture on Vulnerability Management at the Moscow PhysTech university. This is the second time, the first was 5 years ago. This time remotely.

On occasion, I updated my educational presentation. I separated 4 approximately equal parts:

🔹 Security Analysis – vulnerabilities and vulnerability detection  
🔹 Asset Management – getting rid of chaos in infrastructure  
🔹 Vulnerability Management – building a process with a focus on prioritizing vulnerabilities  
🔹 Patch Management – everything related to patching vulnerabilities and relationships with IT

I primarily reworked the Asset Management and Vulnerability Management parts. It seems that I managed to combine the effective safety approach (by Positive Technologies), the guidelines of regulators and my own considerations quite well. This presentation would be good for guest lectures, and it is clear how it could usefully be expanded to 4 separate lectures (or even more). I’m satisfied. 🙂

By the way, PhysTech is under sanctions of the EU, USA, UK, Japan, Switzerland and New Zealand. A decent place. 🙂👍

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

LOYTEC LINX-212 firmware 6.2.4 and LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices use cleartext HTTP for login.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Fri, 3 Nov 2023 05:44:39 +0000  

\[+\] CVE                                 : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382 
\[+\] Title                                : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB 
I/O Controllers, L-VIS Touch Panels 
\[+\] Vendor                           : LOYTEC electronics GmbH
\[+\] Affected Product(s)     : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3
\[+\] Affected Components : LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels 
\[+\] Discovery Date             : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

 CVE-2023-46380 : Insecure Permissions
 Password change request on the web interface on LOYTEC devices is sent
 in clear text over HTTP, and this allows information theft and account 
 takeover via network sniffing.

 CVE-2023-46381 : Improper Access Control
 Authentication is missing on the web user interface for the preinstalled 
 version of LWEB-802. If there is a project on a device, an unauthenticated 
 user could create a new project on a web and access/control a graphical 
 interface. An unauthenticated user also could edit or delete a current 
 web project, change settings and delete system logs etc...
 http://<IP>:<port>/lweb802\_pre/

 CVE-2023-46382 : Insecure Permissions
 The web user interface on Loytec devices requires login credentials for 
 critical information (Data, Commission, Config, etc...); however, username 
 and password information is sent in clear text over HTTP. If anyone sniff 
 network traffic, they could easily steal credentials.


\[Timeline\]

 01-Sep-2021 : Vulnerabilities discovered
 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
 07-Oct-2022 : ICS CERT reported to vendor (no response)
 03-Nov-2023 : Public disclosure
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46380, CVE-2023-46381, CVE-2023-46382\] Multiple vulnerabilities in Loytec products** _Chizuru Toyama (Nov 03)_

CVE-2023-46382: [CVE-2023-46380, CVE-2023-46381, CVE-2023-46382] Multiple vulnerabilities in Loytec products

kerawen before v2.5.1 was discovered to contain a SQL injection vulnerability via the ocs_id_cart parameter at KerawenDeliveryModuleFrontController::initContent().

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “KerAwen” (kerawen) up to version 2.3.81.1 from KerAwen for PrestaShop, an anonymous user can perform a SQL injection.

**Summary**

*   **CVE ID**: CVE-2023-40922
*   **Published at**: 2023-11-02
*   **Platform**: PrestaShop
*   **Product**: kerawen
*   **Impacted release**: < 2.5.1 (2.5.1 fixed the vulnerability)
*   **Product author**: Kerawen
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method KerawenDeliveryModuleFrontController::initContent() has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**WARNING** : The exploit will bypass most WAF due to its design. Patch it quickly.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Steal/Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch**

    --- a/modules/kerawen/controllers/front/delivery.php
    +++ b/modules/kerawen/controllers/front/delivery.php
                                    case 'updateDeliveryDate':
                                            if ($id_cart && Tools::isSubmit('delivery_date'))
                                            {
                                                    $date = date(Tools::getValue('delivery_date'));
                                                    Db::getInstance()->execute(
                                                            'INSERT INTO `'._DB_PREFIX_.'cart_kerawen` (id_cart, delivery_date)
    -                                                        VALUES ('. (int) $id_cart .', FROM_UNIXTIME('.$date.'))
    +                                                        VALUES ('. (int) $id_cart .', FROM_UNIXTIME("'.pSQL($date).'"))
                                                            ON DUPLICATE KEY UPDATE delivery_date = VALUES(delivery_date)');
                                            }
                                            break;
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **Kerawen**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2022-12-13

Issue discovered after security audit by TouchWeb.fr and documented by 202-ecommerce.com

2022-12-13

Contact author

2022-12-20

Recontact author

2022-12-20

The author confirm the vulnerability

2023-01-04

Author provide a patch

2023-08-15

Request a CVE ID

2023-08-25

Received CVE ID

2023-11-02

Publish this security advisory

**Links**

*   Product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40922: [CVE-2023-40922] Improper neutralization of SQL parameter in KerAwen module for PrestaShop

By Deeba Ahmed
Beware of Provocative Facebook Ads, Warn Researchers!
This is a post from HackRead.com Read the original post: Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware

Scammers are using AI-generated provocative ads to lure users into downloading and installing the notorious NodeStealer malware.

Cybersecurity researchers at Bitdefender Labs have shared details of a new wave of malware scams targeting Meta’s ad network on Facebook to steal user data via deploying NodeStealer malware.

It is an information-stealing tool designed to steal sensitive user/device data, including browser cookies and passwords. It allows its operators to hijack Facebook, Gmail, Outlook, and other accounts.

Meta has been under malware attacks, particularly on its Facebook Business accounts network, where malicious actors attempt to steal users’ login credentials and payment information.”

According to Bitdefender’s blog post published on 31 October 2023, Meta’s Ads Manager tool is actively exploited in these scams. Researchers noticed that the campaign targets male users (aged 18-65 but mostly 45+ males) on Facebook, primarily from Africa, Europe, and the Caribbean.

Per Bitdefender’s research, cybercriminals are now targeting regular Facebook users apart from business accounts. The threat actors use ad credit balances of hacked business accounts to run misleading, malware-infected ads to deliver malware to unsuspecting users.

The campaign involves displaying ads featuring provocative photos of young women. For this purpose, attackers have created Facebook pages where they run fake ads featuring a few revealing photos of young women, many of which are AI-generated or photoshopped/edited. According to researchers, several fake profiles have been performing the same activity. These include:

*   · Album Update
*   · Private Album Update
*   · Album Girl News Update
*   · Hot Album Update Today
*   · Album New Update Today
*   · Album Private Update Today

These albums link to Gitlab or Bitbucket repositories that store the archive containing the Windows executable and install a new variant of the NodeStealer infostealer. Attackers also lure users through short descriptions so that they download the media archive. For instance, they post captions like “Watch now before it’s deleted” and “New stuff is online today.”

When an unsuspecting user clicks on the ads or photos, they get redirected to a malicious website and are prompted to download a file titled “Photo Album.” This is an archive file containing the malicious executable.

Further, once NodeStealer gets installed on the victim’s device, it starts stealing data such as Facebook account credentials, browser cookies, and other personal data, which attackers then use to hijack the account. Within just ten days, there have been 100,000 potential malware downloads, and a single ad attracted around 15,000 downloads within 24 hours.

Hackread reported a previous campaign where hackers hijacked Facebook business accounts using NodeStealer 2.0 and stole cryptocurrency. This campaign was detected in August by Palo Alto Networks’ Unit 42 researchers. 

It’s unclear which cybercrime gang is behind the recent campaign. Previous attacks, like those against Meta from Vietnam, raise concern. Caution is advised when clicking ads or accessing websites.

“The first line of defence against Nodestealer malware, delivered via phishing links, attachments or ads) is to always use a security solution on your device and keep it up to date. Anti-malware and anti-virus software keep you and your devices safe from new and existing threats by detecting malware and safely removing or stopping it from causing any damage,” researchers concluded.

1.  Facebook ads dropped malware posing as Clubhouse app for PC
2.  Fake ChatGPT and AI pages on Facebook are spreading infostealers
3.  Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
4.  Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
5.  Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware

By Deeba Ahmed
BrickLink confirms probing into unusual activity.
This is a post from HackRead.com Read the original post: LEGO Marketplace BrickLink Hacked? Website Down Amid Unusual Activity

****_Key Points_****

*   **The official website of BrickLink displays a message stating that it experienced unusual activity.**
*   **Ransom messages were reportedly sent out to many BrickLink users’ accounts.**
*   **Apparently, hackers are demanding payments in cryptocurrency in exchange for not deleting store inventories and other items.**
*   **BrickLink is yet to release an official statement about the incident, and there is no confirmation that the company has become a target of cyberattack.**

The website of BrickLink, the world’s leading LEGO marketplace and fan community, is currently down, allegedly due to a hacking incident. The company is investigating the issue and has taken down the website as a precautionary measure.

Usually, BrickLink’s website goes under maintenance regularly, but this lasts for a few minutes only. This time, the maintenance mode has lasted for over five hours, according to Jay’sBrickBlog. Users who visited the site saw the following message:

“Bricklink is currently investigating some unusual activity, so it’s too early to speculate further. We will share more information once it’s available.”

The company posted another update on November 4 at 3:58 a.m. EST, “We continue to investigate the unusual activity. We want to make sure we take the time to investigate fully. We will be back up and running as soon as possible”.

Bricklink website down (Screenshot: Hackread.com)

Several BrickLink users have reported receiving or viewing ransom messages allegedly from the hacker(s). A user wrote this message on Reddit, “I saw ransom messages on the forum and now can’t access the site. Any info?”

Another user wrote that BrickLink has gone into “preventive shutdown” and that “BrickLink had 30 minutes to pay EUR 50,000 to a bitcoin account or they would start deleting inventories from big stores. The shutdown appears to be an effort to get the hackers out of the system.”

According to the messages shared by BrickLink users, Sellers and Stores accounts have been hacked, and attackers are demanding payments in cryptocurrencies in exchange for not deleting items and store inventories. Instagram user exabrickslegogo\_ claims that attackers are allegedly asking €50,000 for site restoration.

Ransom message received by users

BrickLink was founded by Dan Jezek in 2020. It boasts over a million members, 10,000+ seller stores in 70 countries, and hosts the BrickLink Designer Program that lets fans create personalized sets that become physical builds if they attract 10,000 votes. It became a wholly owned Lego subsidiary in 2019 but is managed as a standalone platform where fans can buy specific pieces, get instructions on models, and locate hard-to-find sets.

Since the company is yet to release an official statement, there’s no clarity on what could have happened and what data may have been compromised. BrickLink is investigating the incident but hasn’t provided any timeline for when the site will be online again. Meanwhile, BrickLink users must exercise caution and avoid clicking on links/attachments in emails or messages from unknown senders.

1.  Disney+ accounts being sold on dark web marketplaces
2.  Fashion marketplace giant 21 Buttons exposes millions of users’ data
3.  Brazilian marketplace integrator Hariexpress exposed billion of records

LEGO Marketplace BrickLink Hacked? Website Down Amid Unusual Activity

Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers.
It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.
"The

Data Breach / Cyber Attack

Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers.

It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.

"The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers," Okta's Chief Security Officer, David Bradbury, said.

Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18.

Okta formally revealed the security event on October 20, stating that the threat actor leveraged access to a stolen credential to access Okta's support case management system.

Now, the company has shared some more details of how this happened.

It said the access to Okta's customer support system abused a service account stored in the system itself, which had privileges to view and update customer support cases.

Further investigation revealed that the username and password of the service account had been saved to an employee's personal Google account and that the individual had signed-in to their personal account on the Chrome web browser of their Okta-managed laptop.

"The most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device," Bradbury said.

Okta has since revoked the session tokens embedded in the HAR files shared by the affected customers and disabled the compromised service account.

It has also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.

"Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators," Bradbury said.

"Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal."

The development comes days after Okta revealed that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance plans.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Okta's Recent Customer Support Data Breach Impacted 134 Customers

By Waqas
The hackers are selling the trove of data for $50,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency.
This is a post from HackRead.com Read the original post: Russia’s 2nd-Largest Insurer Rosgosstrakh Hacked; 400GB of Data Sold Online

An analysis of the sample data shared by the hackers revealed, among other details, personal and insurance-related information belonging to three GRU agents.

Since the beginning of the **Russia-Ukraine conflict**, both nations have experienced a series of non-stop large-scale cyberattacks targeting critical infrastructure, personal data of unsuspecting users, as well as sensitive military and banking information. Additionally, **hacktivists** from both sides are engaging in these attacks aligned with their respective causes.

During the ongoing conflict, a significant aspect often overlooked is the involvement of hackers motivated by financial gain. These actors, driven by profit, engage in hacking and selling data. In a recent cybersecurity incident tied to financial motivations, a threat actor targeted **Rosgosstrakh** (Russian: Росгосстрах), Russia’s second-largest insurance company after SOGAZ, successfully stealing a substantial amount of customer and sensitive financial data.

The individual known by the alias “Apathy” has announced intentions to sell the hacked data. Notably, the Rosgosstrakh data has emerged on well-known **Breach Forums**, with a price tag set at $50,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency for the extensive collection of information.

****What’s in the leaked data?****

The compromised data includes full access to the investment and life insurance department records dating back to 2010. The breach, which has put approximately 3 million bank statements at risk, has also compromised data on 730,000 individuals, with approximately 80,000 individuals’ Russian Social Security Numbers (SNILS) and 45,000 individuals’ complete bank routing information now in jeopardy.

The breach also includes access to all life insurance policies and contracts, as well as associated attachments such as passports and scanned documents of public officials or their immediate relatives.

The hacker additionally intends to offer prospective buyers a “full buyout” by providing complete access to Rosgosstrakh’s internal Web User Interface (UI). A full buyout refers to the complete purchase or acquisition of all rights and ownership of a product, service, or asset.

****(GRU DATA) Data of Russian Military Intelligence Agents****

Hackread.com has examined the sample data shared by the hacker on Breach Forums. However, another party that obtained a portion of the data from the hacker is Maia Arson Crimew, a Swiss security researcher and hacker.

Crimew disclosed acquiring an extensive 22GB of JSON data in plain-text format. The complete database comprises a staggering 400GB of data.

In a blog post, Crimew revealed their analysis of the dataset, uncovering information attributed to three GRU agents. The GRU, an entity within the Russian Armed Forces, functions as a military foreign intelligence agency situated in Russia.

Crimew’s findings contained comprehensive details about the agents, featuring their full names, dates of birth, phone numbers, email addresses, passport numbers, and specifics related to insurance coverage, particularly life insurance information.

****Conclusion****

Rosgosstrakh is a large and well-established company, yet it was vulnerable to a cyberattack. This demonstrates that no organization is immune to cyber threats. The Rosgosstrakh data breach is a serious incident that has exposed the personal and financial information of a large number of individuals.

It is also worth noting that the data breach could have implications for the Russian government. The fact that the data includes information on Russian military intelligence agents could be used by foreign governments to gain an advantage over Russia. Additionally, the breach could damage Russia’s reputation and make it more difficult for Russian companies to do business internationally.

Gone: Russian Central Bank hacked; $31 million stolen

2 Russian Industrial Firms Hacked, 112GB of Data Leaked

Anonymous Leaks 128 GB of Data from Russian ISP Convex

Elite North Korean Hackers Breach Russian Missile Developer

Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data

Russia’s 2nd-Largest Insurer Rosgosstrakh Hacked; 400GB of Data Sold Online

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Release Information: Product: AvalanchePremise\_6.4.1.236 Description: Avalanche Premise 6.4.1.236 for Windows Version: v6.4.1.236 Notes: Avalanche 6.4.1.236 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2022-43554 ZDI-CAN-19502 CVE-2022-43555 ZDI-CAN-19503 CVE-2023-41725 ZDI-CAN-21006 CVE-2023-32567 ZDI-CAN-21030 CVE-2023-41726 ZDI-CAN-21231 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.1 Description: Avalanche Premise 6.4.1 for Windows Version: v6.4.1.207 Notes: Avalanche 6.4.1 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2023-32560 TRA-470 Reported by a researcher at Tenable CVE-2023-32561 ZDI-CAN-20904 CVE-2023-32562 ZDI-CAN-20991 CVE-2023-32563 ZDI-CAN-21081 CVE-2023-32564 ZDI-CAN-21002 CVE-2023-32565 ZDI-CAN-21004 CVE-2023-32566 ZDI-CAN-21005 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.0 Description: Avalanche Premise 6.4.0 for Windows Version: v6.4.0.186 Notes: Avalanche 6.4.0 Release What's New in This Version -------------------------- New features and enhancements: -Added scheduled reboot functionality -Added reboot functionality to WindowsCE device details page for supported devices/enabler -Added scheduled and manual reboots to Audit Log -Android Client Admin password moved to Android Restriction Payload from SDS Profile -Update Play Store search results UI in AE software payload -Update Play Store search results UI in AE restrictions payload -Add major os version device property to Smartdevices (SDS Controlled) OsVer 9.1.2 => OsVerMajor 009 OsVer 11.3 => OsVerMajor 011 OsVer 13 => OsVerMajor 013 OsVer funkyformat => OsVerMajor 000 OsVer missing => OsVerMajor 000 -The default CFS/LFS port is changed to 9019 in the installer on a clean install to avoid possible conflict with neurons/cloud agent -Scan to Config Profile UI updated to modern design Deprecated features: -5.3 Migration support removed. To upgrade from 5.3, you first need to upgrade to 6.2 or 6.3 , then updgrade to 6.4.0 -GCM settings retired: Remove GCM configuration in SDS profile Remove GCM as option in Enrollment rules if a pre-existing enrollment rule from 6.3 or previous had GCM set as the notification type, it will get changed to ANS in 6.4 Security hardening: -InfoRail Router encryption enforcement -InfoRail Access control API key creation page in support and licensing page -InfoRail API key field added to remote dserver installers -InfoRail options screen added to Installer (clear existing keys, legacy access, legacy ACE access) -User password strength on user password creation/edit -Double password fields (enter/confirm) have been changed to a single password field with a toggle to view password on creation or edit -Passwords are no longer viewable after changes have been saved \*\*Password fields in legacy WIndowsCE profiles have not been changed Fixes: Defect: Clicking on smart device location history logout and exception error Defect: dserver Profiles not displayed in deployment dialog Defect: Avalanche inventory search bar fails to retrieve devices by serial number Defect: SDS not observing the check in time interval, always using 24hrs Fix to address ZDI-CAN-17729 Fix to address ZDI-CAN-17750 Fix to address ZDI-CAN-17769 Fix to address ZDI-CAN-17812 Fix to address ZDI-CAN-19513 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Product: AvalanchePremise\_6.3.4 Description: Avalanche Premise 6.3.4 for Windows Version: v6.3.4.153 Notes: Avalanche 6.3.4 Release What's New in This Version: Support for Battery Campaigns in Neurons Support for Device Actions in Neurons User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Fixes: Fix to address CVE-2021-44228 Fix to address CVE-2022-22965 Fix to address ZDI-CAN-15301 Fix to address ZDI-CAN-15328 Fix to address ZDI-CAN-15329 Fix to address ZDI-CAN-15330 Fix to address ZDI-CAN-15332 Fix to address ZDI-CAN-15333 Fix to address ZDI-CAN-15449 Fix to address ZDI-CAN-15493 Fix to address ZDI-CAN-15528 Fix to address ZDI-CAN-15919 Fix to address ZDI-CAN-15966 Fix to address ZDI-CAN-15967 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.3 Description: Avalanche Premise 6.3.3 for Windows Version: v6.3.3.101 Notes: Avalanche 6.3.3 Release What's New in This Version: User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Android Enterprise Restrictions Payload: Allow Developer Options to be enabled on the Android Enterprise devices in Fully Managed mode. Configuring Windows (AIDC) Software Packages: Single use password is now issued and required for launching configuration utilities with software packages. Device Details: Device actions are now enabled or disabled based on the reporting of the enabler capabilities property. Data Repository Service: The DRS has been removed. File and OS Update payloads that used DRS will need to be updated to use the Central FileStore. Component Updates: Updated to Java 15 Updated to Tomcat 9.0.56 Fixes: Fix to address Remote Control service startup error when port 80 is blocked. Fix to address CVE-2021-30497 Fix to address ZDI-CAN-14123 Fix to address ZDI-CAN-14187 Fix to address ZDI-CAN-14188 Fix to address ZDI-CAN-15130 Fix to address ZDI-CAN-15137 Fix to address ZDI-CAN-15168 Fix to address ZDI-CAN-15169 Fix to address ZDI-CAN-15200 Fix to address ZDI-CAN-15217 Fix to address ZDI-CAN-15251 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.2 Description: Avalanche Premise 6.3.2 for Windows Version: v6.3.2.3490 Notes: Avalanche 6.3.2 Release What's New in This Version: Printer management. Discover printers in the warehouse and bring them under management with a streamlined, remote provisioning process. Once your printers are managed by Avalanche, push files and settings to them, receive real-time alerts from them, and view their status remotely. Velocity configuration manifests. Create Velocity manifests to distribute Velocity configuration files from the Central File Store to your Android Enterprise devices. NFC provisioning for Android Enterprise. Use NFC provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. QR code provisioning for Android Enterprise. Use QR code provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. Android Enterprise enabler customization. Use an Android Enterprise enabler customization payload to configure the appearance of the enabler. Credentials certificate payload for Android. Use credentials certificate payloads with Wi-Fi payloads to verify the user or server identity when connecting to enterprise networks with Android and Android Enterprise devices. Temporarily disable lock task mode. To ease troubleshooting, temporarily disable lock task mode on a device from the console or the enabler. Android Enterprise provisioning profile. Use Android Enterprise provisioning profiles to create provisioning QR codes. Scan a provisioning QR code to enroll new fully managed devices with a reduced amount of device interaction. Reboot Android devices from the Avalanche Console. Launch apps on install or reboot. When creating an Android Enterprise software payload, you can select to launch the app on install or reboot. This option is important for installing remote control software. Fixes: Fix: Removed drag and drop in the folder tree. Drag and drop will continue to function when applying Smart Device and Printer profiles. Fix: Custom property changes to an individual device in the device details will not update all devices that share the same custom property. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.1 Description: Avalanche Premise 6.3.1 for Windows Version: v6.3.1.1507 Notes: Avalanche 6.3.1 Release New Features and Improvements: Android Enterprise Support \*Support for Fully Managed and Dedicated Device (Kiosk) modes \*File Payload \*Restriction Payload (Fully Managed and Dedicated Device modes) \*Disable factory reset from settings \*Remove factory reset protection data \*System Update Policy Payload (Fully Managed and Dedicated Device modes) \*Wi-Fi Payload \*Scan to enroll support using the device camera \*Factory reset wipe command can remove factory reset protection data and wipe the SD card. \*Log file retrieval from device \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise UI performance and user experience \*Load time improvements for Inventory, Profiles, and Rugged Device Details pages \*Inventory page has been split to three tabs: Device Inventory, Server Inventory, and Mobile Device Groups \*Smart Device Payloads have been moved to their own tab \*All Smart Device Payloads have been redesigned from a dialog based UI to a modern page design \*Smart Device Profile has been redesigned from a dialog based UI to a modern page design Velocity config support added for both Android and Android Enterprise management Create scan to enroll QR codes directly from Enrollment Rules UserVoice for Avalanche link UTC data model for custom columns to allow timestamp to be displayed as date and time. Fixes: Fix: Custom properties can now be saved in network and scan to configure profiles. Fix: Scan to configure, custom properties, and registry keys can now be edited after creation. Fix: Certificate Manager improvements \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.0 Description: Avalanche Premise 6.3.0 for Windows Version: v6.3.0.555 Notes: Avalanche 6.3.0 Release New Features and Improvements: Android Enterprise Work Profile Support \*Create new or enroll an existing Google Play Android Enterprise account \*Support for multiple enterprise accounts \*Enrollment Rules reference Google Play Android Enterprise accounts \*Passcode settings support for both Device and Work Profile \*Support for Google Enterprise Play Store apps, including configuration \*Runtime Permissions settings for Apps (Account wide for Google Enterprise or granular per app settings) \*Lock, Unenroll, Delete Work Profile \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise FCM Notification Service support Panasonic OS Updates APN Payload for Android License upgrade from 6.2 to 6.3 (requires a restart of the eserver) Subscription License support HTTP/HTTPS Webserver configuration added to install Prerequisite Software settings for Manifest URL Software Payloads Outgoing IP address of router is reported as IP address setting added to Smart Device Profile Removed: Compliance Payload (Compliance status is now based on Android Enterprise Passcode Compliance) Fixes: Fix: Improved CFS logging Fix: Certificate Manager settings on reboot Fix: CFS access token expiration extended Fix: Android App Name handling with special characters Fix: CFS access token renewal Fix: Reduction in SDS device sync time with selection criteria Fix: Accessing device details from search no longer causes an error Fix: AIDC software profile now shows correct package type \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.2 Description: Avalanche Premise 6.2.2 for Windows Version: v6.2.2.197 Notes: Avalanche 6.2.2 Release New Features and Improvements: License upgrade option added to the web console (6.2.2 Only) Removed: Removed support for Java 7, Java 8 is now required Fixes: Security Fixes for CVE-2018-8901 and CVE-2018-8902 Security Fixes for Remote Control Web UI including JQuery updates Fixes to Central File Store configuration page \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.0 Description: Avalanche Premise 6.2.0 for Windows Version: v6.2.0.602 Notes: Avalanche 6.2.0 Release Key New/Changed features Overview: Enrollment Enrollment rules now determine whether the enabler will use ANS or GCM as the notification service on android. A new type of enrollment rule has been created called a reference Enrollment Rule (Global Enrollment Rule) has been added that allows rules to be added at regions and deployed to multiple SDservers. You may add a folder that will be created and deployed at the root of all SDservers below the rules region. Broadcast to enroll When a enroll.prf file has been placed on the device with ‘broadcast’ as the server address, it will now perform a UDP broadcast to find a listening SDServer on the same subnet. Multiple Smart Device Servers The SDS node has been altered to have a local Inforail, SDServer, ANServer and File Store. In order to allow this, a SDServer profile has been created. SDS Profile The settings for the central SDS have been moved from the system settings page into a new Smart Device Server Profile. These include: APNS Cert, Google GCM Info, HTTPS Cert, SDS Public Address, Automatic Smart Device Check In, Smart Device Client Administrator Password. SDS Profiles Inheritance has changed, they will aggregate settings instead of overwriting. This allows you to set things like APNS, GCM and wildcard HTTPS certs at a higher level and have them set at lower SDS in the tree. You can then set specific settings such as the SDS public address, or check in times at a locally applied SDS profile. Device Folder Assignment setting allows the enrollment to be placed in a static folder or dynamically place based on folder selection criteria UDP Service Discovery allows the SDS to listen for enrollment broadcasts from the enabler. Central File Store These settings allow you to point to a file share. Files can be uploaded and managed via the Central File Store. You can then use these files in Android manifest URL software payloads, Android file payloads and Android OS Update payloads. Upon deployment of these payloads to an SDS the files will be cached in a file store local to the SDS. Implemented Zebra MX Extensions Now Android Agent applies StageNow config file "avamxmf.xml" placed specific location on SD card "/sdcard/Ivanti/MXMF" using MX framework. Log "MXMS configuration XML file applied successfully" will be displayed when MX config file applied. New Features and Improvements: Scalability - multiple SDS support Improved ANS reliability Distributed file caching Upgrade to Tomcat 8.5 Android device restrictions for post Kitkat devices Vendor specific enablers - Panasonic, Datalogic, Zebra GCM and ANS enabler functionality combined into single enabler Hide Google search box Zebra MX Extensions Reference (Global) enrollment rules Updated passcode payload Updated Restrictions payloads Restrict access to setting application Updated Application whitelisting Updated Application blacklisting Combined GCM and ANS enabler Device wiped if device admin is disabled Devices can broadcast to find their local Avalanche instance and enroll Set NTP server and time zone on device Ivanti Rebrand Removed: DEP Support (system settings and enrollment rule) VPP (Tools>VPP) Windows Phone 8 support (payloads, system settings) LDAP for Login and Enrollment + LDMS connection info (system settings) LDAP Enrollment (Enrollment rule) User Targeting (system settings, user tree) LD Portal (software payload deployment option, link payload deployment option) Media Payload Check for updates (Tools>Check for updates) Android Remote Control Settings (System Settings) Wavelink Remote Control Button in Inventory Page Tiny URL column on enrollment rule page Enabler: Home screen with Remote Control Server Address Enabler: About Screen Enabler: Remote Control capability Fixes: Fix: Improved data validation for java beans Fix: Manifest app installation in android client Fix: Improved functionality with self-signed certificates Fix: Deployments rolled back in large systems Fix: Devices Overwriting one another on Enroll Fix: IP Ranges in selection criteria were treated as a string and not numerically Fix: Data from other payloads sometimes displayed in a new payload

Tag

#web