Red Hat Security Advisory 2024-4575-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4575.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:4575-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4575  
Issue date:         2024-07-16  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: amd: INVD instruction may lead to a loss of SEV-ES guest machine memory integrity problem (CVE-2023-20592)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2244590

Red Hat Security Advisory 2024-4575-03

Rabbit has introduced an option to erase all data from the r1 device before selling it on, but what if you lose it or it gets stolen?

Rabbit, the manufacturer of the Artificial Intelligence (AI) assistant r1 has issued a security advisory telling users it’s found a potential security risk. If a user loses or sells their device, a person in possession of the r1 could potentially jailbreak the device and gain access to files that contain logging information, chats, and photos.

To tackle the potential problem with sensitive data being left behind on the r1, Rabbit has taken the following measures:

*   A factory reset option is now available in the settings menu that lets you erase all data from the r1 prior to transferring ownership.
*   Pairing data is no longer logged to the device.
*   The amount of log data that gets stored on the device has been reduced.
*   Pairing data can no longer be used to read from the user’s Rabbithole journal section. It can only trigger actions.

Rabbit also says it is performing a full review of device logging practices to check whether additional technical controls are needed.

If you have an r1, you don’t need to do anything as the fix will be downloaded and installed automatically. While most updates to the r1 do not require any action of the user, updates that require you to accept them, including new features and more supported apps, will happen via over-the-air updates. For these, follow the prompt on your r1, make sure you’re connected to WiFi and a power source, and wait for it to update.

For those not familiar with the concept, the Rabbit r1 is an AI-powered gadget that can manage the use of your apps for you. It’s a standalone gadget with a 2.88-inch touchscreen, a rotating camera for taking photos and videos, and a scroll wheel/button designed to navigate the menu or allow you to talk to the built-in AI.

The Rabbithole mentioned earlier is an all-in-one web portal to manage the relationship with rabbit OS, and the device that you pair the r1 to. The Rabbit r1 uses a Large Action Model (LAM) to translate the user’s voice into actions on the device it’s paired with, whether that’s a handheld device, like a phone, or a desktop computer.

It’s still pretty much a project under development. Right now, the Rabbit r1 can answer questions, call an Uber, order DoorDash, play music on Spotify, translate speech, generate images on Midjourney, identify nearby objects with its camera and record voice memos. Nothing your phone can’t do, but Rabbit promises more options on the horizon and claims that all these actions are easier to accomplish when you’re using the r1.

The journal section of the Rabbithole web portal shows any visual searches you’ve conducted using the r1’s camera and voice memos you’ve recorded.

Rabbit says there’s no indication that pairing data has been abused to retrieve Rabbithole journal data belonging to a former device owner. Yet the possibility exists, and it’s good that users now have the ability to erase all data before selling the device. However, this doesn’t solve the issue if the r1 is stolen or lost.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 AI device Rabbit r1 logged user interactions without an option to erase them before selling 

Russian hacktivists claim DDoS attacks against basic tourist websites. Is it real, or just smoke and mirrors?

Source: Hemis via Alamy Stock Photo

Against the backdrop of the upcoming Paris Olympics, Russian hacktivists have claimed denial-of-service (DoS) attacks against a few notable French websites.

For months now, the news media has warned of both physical and cyber threats to the upcoming Olympic Games. The fears are well-founded: Any major event these days is a target, and prior Olympics have seen their fair share of incidents.

A potential opening salvo rang out in June, Cyble notes in a new report, when the Russian hacktivist groups HackNeT and the People's Cyber Army claimed a series of distributed DoS attacks on their social media channels. The Sandworm-linked People's Cyber Army referred to the attacks as mere "training."

**Pre-Olympics DDoS Attacks**

On June 23, the hacker collectives posted a series of screenshots of victim websites, and website uptime monitoring tools to demonstrate their downing.

At 8:30 UTC, for example, the People's Cyber Army claimed an attack on the website of the La Rochelle International Film Festival. Shortly thereafter, HackNet published news of another attack against the site for the Grand Palais. Cyble labeled these many claims as "possibly true" but couldn't confirm their legitimacy.

The pattern of targeting relatively mundane websites belonging to popular tourist attractions fits neatly into a picture of amateurish hacktivists seeking attention.

"I think it's mostly about being recognized as a formidable player in this whole space of cyber hacktivism — being seen taking up causes, and appearing to be fighting for it," says Kaustubh Medhe, head of research and intelligence at Cyble. "You have to keep your voice heard and be in the headlines all the time. And it's also a chance for groups to gather more mass support."

The People's Cyber Army in particular has historically done quite well on those fronts. Though it's only just over two years old, its Telegram channel sports more than 50,000 subscribers.

**Cyber Threats to the Paris Olympics**

When it comes to the myriad cyber threats to the Paris Olympics, "I delineate between risks that are scary, and those that are more of a nuisance," says Bojan Simic, co-founder and CEO of HYPR.

"Nuisance types of scenarios are: the Olympics app doesn't work and people don't know where the next event is and it's annoying. And taking down specific events from TV or streaming," he says. Politically motivated hacktivism against static websites — of the kind so boasted about by HackNet and the People's Cyber Army — also falls under this banner.

The problem, Medhe warns, is that nuisances can provide a screen for more ambitious attacks. "There have been instances in the past where DDoS attacks are a distraction to throw off a security team, to focus them on something less important, while some other threat groups are trying to get in some other way, and there is a more advanced attack in progress," he says.

Besides physical threats to athletes and fans, advanced cyber attacks might take the form of a major data breach, such as when Russia's Fancy Bear stole sensitive medical data on athletes at the 2016 games in Rio. This was a major interference, like the Olympic Destroyer attack at Pyeongchang 2018 that disrupted broadcasting, ticketing, various Olympics websites, and Wi-Fi at the host stadium. Attacks might also take some other form not yet seen at prior Games.

"I think they're generally reasonably well prepared," Simic says of the Olympic committee this time around, "but I think their preparations are going to be largely based off of previous attacks. I think they've been on the lookout for DDoS attacks, making sure that they have the ability to automatically scale the environment if they need to, to make sure that disruptions are minimized. Their ability to stop newer attacks is to be seen.

"We haven't really seen organizations adapt to modern, AI-based attacks involving malware and social engineering. That gives me some discomfort around the Olympic Committee being able to stop \[certain\] attacks."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Trial' DDoS Attacks on French Sites Portend Greater Olympics Threats

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

In April 2024, we reported how Apple was warning people of mercenary attacks via its threat notification system. At the time it warned users in 92 countries. In a new round, Apple is now warning users in 98 countries of potential mercenary spyware attacks.

The message sent to the affected users says:

> “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID.”

In the same message, Apple says that it is very likely that the person in question is being specifically targeted because of what they do or who they are. And, although there is a certain margin of error, the user should take this warning seriously.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

On the website that explains Apple threat notifications and protection against mercenary spyware, it specifically mentions Pegasus:

> “According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group.”

Apple has sent out similar notifications multiple times a year since 2021 but doesn’t disclose how it determines who to send them to, since that might aid attackers in evading future detection.

Amnesty International urges those that have received such a notification to take it seriously. Amnesty’s Security Lab offers digital forensic support to potential victims like human rights defenders, activists, journalists and members of civil society.

If you are a member of civil society, and you have received an Apple notification, you can contact Amnesty International and request forensic support using the Get Help form.

Whether you’ve received that notification or not, every iPhone user should make sure they have the latest updates, protect the device with a passcode, use multi-factor authentication and a strong password for Apple ID, only install apps from the Apple Play store, use a mobile security product, and be careful what they open or tap on.

People that have reason to believe they might be individually targeted by mercenary spyware attacks, can enable Lockdown Mode on their Apple devices for additional protection.

Lockdown Mode does the following:

*   Blocks most message attachments
*   Blocks incoming FaceTime calls from people you have not called previously
*   Blocks some web technologies and browsing features
*   Excludes location from shared phots and removes Shared Albums
*   Blocks wired connections when the device is locked
*   Blocks auto-joining non-secure WiFi networks
*   Blocks incoming invitations from people you have not previously invited
*   Blocks installation of configuration profiles you may require for work or school

**How to turn on Lockdown Mode on iPhone or iPad**

1.  Open the **Settings** app.
2.  Tap **Privacy & Security**.
3.  Scroll down, tap **Lockdown Mode.**
4.  Tap **Turn On Lockdown Mode**.
5.  Read what it does and tap **Turn On Lockdown Mode** if that is what you want.
6.  Tap **Turn On & Restart**, then enter your device passcode.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 iPhone users in 98 countries warned about spyware by Apple 

Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

**Microsoft Corp.** today issued software updates to plug at least 139 security holes in various flavors of **Windows** and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

The first Microsoft zero-day this month is CVE-2024-38080, a bug in the **Windows Hyper-V** component that affects **Windows 11** and **Windows Server 2022** systems. CVE-2024-38080 allows an attacker to increase their account privileges on a Windows machine. Although Microsoft says this flaw is being exploited, it has offered scant details about its exploitation.

The other zero-day is CVE-2024-38112, which is a weakness in **MSHTML**, the proprietary engine of Microsoft’s **Internet Explorer** web browser. **Kevin Breen**, senior director of threat research at **Immersive Labs**, said exploitation of CVE-2024-38112 likely requires the use of an “attack chain” of exploits or programmatic changes on the target host, a la Microsoft’s description: “Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.”

“Despite the lack of details given in the initial advisory, this vulnerability affects all hosts from **Windows Server 2008 R2** onwards, including clients,” Breen said. “Due to active exploitation in the wild this one should be prioritized for patching.”

**Satnam Narang**, senior staff research engineer at **Tenable**, called special attention to CVE-2024-38021, a remote code execution flaw in **Microsoft Office**. Attacks on this weakness would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“One of the more successful attack campaigns from 2023 used CVE-2023-23397, an elevation of privilege bug in Microsoft Outlook that could also leak NTLM hashes,” Narang said. “However, CVE-2024-38021 is limited by the fact that the Preview Pane is not an attack vector, which means that exploitation would not occur just by simply previewing the file.”

The security firm **Morphisec**, credited with reporting CVE-2024-38021 to Microsoft, said it respectfully disagrees with Microsoft’s “important” severity rating, arguing the Office flaw deserves a more dire “critical” rating given how easy it is for attackers to exploit.

“Their assessment differentiates between trusted and untrusted senders, noting that while the vulnerability is zero-click for trusted senders, it requires one click user interaction for untrusted senders,” Morphisec’s **Michael Gorelik** said in a blog post about their discovery. “This reassessment is crucial to reflect the true risk and ensure adequate attention and resources are allocated for mitigation.”

In last month’s Patch Tuesday, Microsoft fixed a flaw in its Windows WiFi driver that attackers could use to install malicious software just by sending a vulnerable Windows host a specially crafted data packet over a local network. **Jason Kikta** at **Automox** said this month’s CVE-2024-38053 — a security weakness in **Windows Layer Two Bridge Network** — is another local network “ping-of-death” vulnerability that should be a priority for road warriors to patch.

“This requires close access to a target,” Kikta said. “While that precludes a ransomware actor in Russia, it is something that is outside of most current threat models. This type of exploit works in places like shared office environments, hotels, convention centers, and anywhere else where unknown computers might be using the same physical link as you.”

Automox also highlighted three vulnerabilities in Windows Remote Desktop a service that allocates Client Access Licenses (CALs) when a client connects to a remote desktop host (CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076). All three bugs have been assigned a CVSS score of 9.8 (out of 10) and indicate that a malicious packet could trigger the vulnerability.

**Tyler Reguly** at **Forta** noted that today marks the End of Support date for **SQL Server 2014**, a platform that according to Shodan still has ~110,000 instances publicly available. On top of that, more than a quarter of all vulnerabilities Microsoft fixed this month are in SQL server.

“A lot of companies don’t update quickly, but this may leave them scrambling to update those environments to supported versions of MS-SQL,” Reguly said.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

As ever, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are decent someone else reading here has experienced the same issue, and maybe even has a solution.

Microsoft Patch Tuesday, July 2024 Edition

Red Hat Security Advisory 2024-4352-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4352.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:4352-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4352  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 03 July 2024]

The text of this advisory has been updated with the correct product name (Red  
Hat Enterprise Linux 8) in the Topics section. In the Problem Description  
section, CVEs of the same sub-components have been grouped together. The  
packages included in this revised update have not been changed in any way from  
the packages included in the original advisory.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583

* kernel-rt: kernel: PCI interrupt mapping cause oops [rhel-8] (CVE-2021-46909)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)

* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)

* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)

* kernel: Squashfs: check the inode number is not the invalid value of zero  (CVE-2024-26982)

* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)

* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)

* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)

* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)

* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)

* kernel: can: (CVE-2023-52878, CVE-2021-47456)

* kernel: usb: (CVE-2023-52781, CVE-2023-52877)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)

* kernel: gro: fix ownership transfer (CVE-2024-35890)

* kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)

* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)

* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)

* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)

* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)

* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.10.z kernel (JIRA:RHEL-40882)

* [rhel8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:RHEL-8779)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4352-03

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Sharp Multi-Function Printer 18 Vulnerabilities

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected

Cyber Espionage / Vulnerability

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.

The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

"By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," cybersecurity firm Sygnia said in a statement shared with The Hacker News.

Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.

What's more, it enables a user with Administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.

Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 -

*   MDS 9000 Series Multilayer Switches
*   Nexus 3000 Series Switches
*   Nexus 5500 Platform Switches
*   Nexus 5600 Platform Switches
*   Nexus 6000 Series Switches
*   Nexus 7000 Series Switches, and
*   Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.

"Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system," Sygnia said. "This lack of monitoring creates significant challenges in identifying and investigating malicious activities."

The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.

"The exploit's variations \[...\] enable the extraction of account details from the device," threat intelligence firm GreyNoise said. "The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data.
The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press

Data Theft / Wi-Fi Security

An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data.

The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week.

The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight.

A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home.

The individual is said to have staged what's called an evil twin Wi-Fi attack across various locations, including domestic flights and airports in Perth, Melbourne, and Adelaide, to impersonate legitimate Wi-Fi networks.

Users who attempted to connect to the free, phony network were prompted to enter their email address or social media credentials through a captive portal web page.

"The email and password details harvested could be used to access more personal information, including a victim's online communications, stored images and videos, or bank details," the AFP said.

The defendant has been charged with three counts of unauthorized impairment of electronic communication and three counts of possession or control of data with the intent to commit a serious offense.

He has also been charged with one count of unauthorized access or modification of restricted data, one count of dishonestly obtaining or dealing in personal financial information, and one count of possession of identification information. If convicted, he faces up to a maximum of 23 years in prison.

"To connect to a free Wi-Fi network, you shouldn't have to enter any personal details -- such as logging in through an email or social media account," AFP Western Command Cybercrime Detective Inspector Andrea Coleman said.

"If you do want to use public Wi-Fi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights

An Australian man was arrested for alleged evil twin attacks. What are they and what can you do about them?

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people.

The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged perpetrator landed at Perth airport, his bags were searched and authorities found a portable wireless access device, a laptop, and a mobile phone in his hand luggage.

The police say that the man, 42, used a portable wireless access device to create ‘evil twin’ free WiFi networks; so called because criminals set up free WiFi access points that mimic the name of legitimate public WiFi networks.

When people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices.

The email and password details harvested could then be used to access more personal information, including bank accounts, emails and messages, photos and videos, and more. 

AFP cybercrime investigators have identified data relating to the use of the alleged fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights, and at locations linked to the man’s previous employment.

The investigation is ongoing but the man can expect to face nine charges for the alleged cybercrime offences.

‘Evil twin’ attacks are a type of “machine-in-the-middle” attack, where all traffic is routed through a server under the attacker’s control, giving them access to all of the submitted information.

Cybercriminals favour places where people expect to have free WiFi, such as airports, planes, coffee, shops, and libraries. The attacker finds the legitimate network name—known as the SSID (service set identifier)—and creates an access point with the same name.

Access points and wireless router networks broadcast their SSIDs to identify themselves, but the identifiers are not unique. Your device can connect to any SSID if the network has no security options enabled, and it will not be able to differentiate between the legitimate and the fake one.

Evil twin attacks are based on the fact that when two networks have the same SSID and security settings, your device will either connect to the one with the strongest signal or the one it sees first.

**How to stay safe from evil twin attacks**

There are a few things you can do to protect yourself against this kind of attack.

*   Firstly, do not allow your device to auto-connect to public or unsecure networks. See below on how to turn this off.
*   Look out for unexpected behavior. To connect to a free WiFi network, you shouldn’t have to enter any personal details—such as logging in through an email or social media account.
*   Install a trusted VPN to encrypt the traffic regardless of the network you are using, and even when you’re not visiting websites that HTTPS (Hypertext transfer protocol secure) which encrypts the traffic between a browser and the website.
*   And my personal favorite: Use your own personal hotspot. I use a portable 5G Mifi router, which provides me with reliable high-speed WiFi throughout my domestic journeys.

**How to disable auto-connect**

When you’re travelling it may be safer to disable auto-connect on Wi-Fi altogether.

On Android it works roughly like this (steps may be slightly different depending on your Android version, device type, and vendor):

**Settings** > **Network & Internet** (or **Connections**) > **Wi-Fi** > **Wi-Fi preferences** (or **Advanced**). Toggle off **Connect to public networks**.

On iOS you can disable auto-connect by doing this:

**Settings** > **Wi-Fi**. Tap the **(i)** next to the network name and then toggle off **Auto-Join**.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#wifi