A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.
Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity

Botnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed **KV-botnet** by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

"The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company said.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The two clusters – codenamed KY and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots part of JDY engages in broader scanning using less sophisticated techniques, the KY component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It's suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective's targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor's tactics, said it "tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware."

The exact initial infection mechanism process used to breach the devices is currently unknown. It's followed by the first-stage malware taking steps to remove security programs and other malware strains so as to ensure that it's the "only presence" on these machines.

It's also designed to retrieve the main payload from a remote server, which, in addition to beaconing back to the same server, is also capable of uploading and downloading files, running commands, and executing additional modules.

Over the past month, the botnet's infrastructure has received a facelift, targeting Axis IP cameras, indicating that the operators could be gearing up for a new wave of attacks.

"One of the rather interesting aspects of this campaign is that all the tooling appears to reside completely in-memory," the researchers said. "This makes detection extremely difficult, at the cost of long-term persistence."

"As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

Everyone's New Year's Resolution should be to stop using passwords altogether.

Thursday, December 14, 2023 14:00

As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. 

We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report — your choice! 

With this being the last Threat Source newsletter of the calendar year, I figured I’d do a Year in Review of my own. I don’t have the data or first-hand research to back any of these statements up, this is purely just _vibes_\-based or things I’ve discovered about myself and my cybersecurity habits over the past year, so while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year. 

*   **Do as I say, not as I do.** Before my daughter was born, I wrote in this newsletter about how I was skeptical about posting her face online and entering her personal data into various platforms while she’s so young and unable to even understand what a phone is. As soon as she was old enough to smile, I folded quickly. I’ll admit that I’ve posted her face all over Instagram, supplied her information to Gerber to enter her into the annual Gerber Baby competition (she came up short behind Maddie, apparently) and given personal information to who knows what sites while I was randomly trying to get answers to my first-time parent questions at 2 a.m. when she was getting her first tooth. None of these things are particularly smart in the long run, but as an unbiased observer, I can confidently say her cuteness on the internet only makes it a better place. 
*   **Just assume your passwords are going to get out there.** Several major password management services were hit with data breaches this year. And there were countless headlines about how brute-forcing password guesses led to others. The basic idea of a password manager is that your login information is inherently safer than just using the same password repeatedly, writing them down on a physical sheet of paper, or just hoping you remember each time you log in. At this point, I think it’s just safe to say that passwords are not your safest option. Passkeys and a passwordless approach to security are becoming increasingly popular, so where you can enroll in that, do it. Or if a traditional username and password combination is your only option, change that password as often as you can and make sure you have multi-factor authentication enabled to whatever password management service you use.  
*   **It’s time to get off Twitter.** Or X, whatever you want to call it. This platform has fully jumped the shark at this point and is rife with misinformation. The company has completely torn down any internal teams it has dedicated to fighting fake news or scams and searching for literally anything will surface misleading information, outright lies or offensive content. I miss the days when I could go to Twitter and search for a topic to get updates on a particular news item. I’m writing this on Dec. 13, and in the “Trending” sidebar on Twitter, I saw that “#cyberattack” was trending. Naturally, I wanted to see if there was an event going on I should be aware of, for obvious reasons. Instead, my results in the “Top” section included some word salad about the Bank of England targeting its own country’s critical infrastructure, a nonsensical clip from commentator Dan Bongino about woke leftists showing a cyber pandemic in a new movie, and a shocking amount of conspiracy theories about said new movie “Leave the World Behind.” It reminds me of the Michael Bluth line from “Arrested Development” when he grabs the bag out of the fridge that says, “Dead Dove DO NOT EAT.” 
*   **Don’t ever assume a threat is gone forever.** Over the past year, many major threat actors and malware operators that were once thought removed showed they could find a way back. The story of the FBI’s takedown of the Qakbot botnet was a major headline in August, and anyone who read the basic coverage would have thought, “Cool, don’t need to worry about those guys anymore!” However, subsequent research from Talos and other security firms found that remnants of Qakbot are still around, specifically services dedicated to sending spam. Trickbot, a major threat actor known for big game hunting, recently switched up its tactics and is actively targeting organizations in Ukraine, despite its developer being arrested and pleading guilty to several U.S. federal charges. And Emotet, which is known for its various stops-and-starts, is relatively quiet right now but was briefly active again earlier this year. This is not to say that these law enforcement server takedowns and arrests aren’t working — anything we can do to make the bad guys’ lives harder is a win in the end — but it’s continued proof that we can never really count any threat out.  

**The one big thing **

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor. 

**Why do I care? **

This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They’re actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.  

**So now what? **

Talos’ blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group. 

**Top security headlines of the week **

**Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called “LogoFAIL.”** The attack involves an adversary executing malicious firmware during the machines’ boot-up sequences, which means it’s difficult for traditional detection methods to block, or for users to even notice that it’s happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it’s “game over for platform security.” Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine’s EFI System Partition (ESP) so adversaries can’t access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet) 

**The U.K. publicly charges Russia’s intelligence agency, the FSB, of a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens.** The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes” over several years, including stealing information relating to the country’s national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the target’s contacts. One MP in British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico) 

**Several major hardware and software vendors released their last patches of the calendar year this week.** Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December’s Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard) 

**Can’t get enough Talos? **

*   Network Infrastructure Is A Prime Target For Cyber Threats 
*   North Korean hackers using Log4J vulnerability in global campaign 
*   Video: Talos 2023 Year in Review highlights 
*   CCQ explores cybersecurity strategies for managing and responding to industrial incidents 
*   CW39 Houston: Protect Yourself from Cyber Attack 
*   Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware 

**Upcoming events where you can find Talos **

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725   
**MD5:** d47fa115154927113b05bd3c8a308201    
**Typical Filename:** mssqlsrv.exe   
**Claimed Product:** N/A     
**Detection Name:** Trojan.GenericKD.65065311 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd  

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634   
**MD5:** 05436c22388ae10b4023b8b721729a33   
**Typical Filename:** BossMaster.txt   
**Claimed Product:** N/A   
**Detection Name:** PS1.malware.to.talos 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A personal Year in Review to round out 2023

The 2023 Talos Year in Review is full of insights on how the threat landscape has evolved. But what does that mean for defenders? This blog contains recommendations on how to gain more visibility across your network.

Thursday, December 14, 2023 07:21

The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect.

From a defender’s point of view, what does that mean heading into 2024? Do you need to consistently shift tactics too, to stay one threat ahead? 

The thing is, we will never be “done” with cybersecurity. There will always be new threat actor groups. New strains. New tactics. And even if the defender community dismantles a botnet, like for example the takedown of Qakbot in August, it doesn’t mean the group behind it will cease to operate. We’ll never reach that scenario in the game of Battleship when you’ve found the final target and smugly mutter, “This is your last boat.”

There’s two ways of looking at that. You can either say, “What’s the point?” Or “We know we’ll probably get hit at some point. What can we do to ensure we eradicate the threat as quickly as possible?” So much of cybersecurity is about balancing and reducing risk. Knowing what risks you can accept, and what risks you absolutely can’t. 

That base visibility is key. As we at Talos commonly say, whomever knows the network best, owns the network.

For example, Veradigm, a healthcare IT organization that the Cisco Talos Incident Response (Talos IR) team has been working alongside for many years to proactively assess and constantly improve their security posture, recently detected an intrusion and potential information-stealing attack. Luckily, their preparedness coupled with their Talos IR partnership enabled them to swiftly pinpoint the issues before bad actors could execute their plan.

The key to Veradigm’s successful response? Visibility across the network, having a clear plan, and being able to answer these four questions as quickly as possible:

·      How did they get in?

·      Are they still in?

·      What did they do?

·      How could they get in again?

Veradigm has also participated in multiple Talos IR tabletop exercises to stress test processes and adjust as needed to respond and succeed more quickly.

Aligned to that, experts from across Cisco recently sat down to discuss proactive threat hunting in general, and the benefits this type of activity can have to help organizations find vulnerabilities and weak points that hadn't been spotted before. Check out the discussion below:

One of the newer cross-regional trends we observed this year (and wrote about in the 2023 Year in Review) is an increase in the targeting of network devices, from both APTs and cybercriminals. The intent can differ between these disparate adversaries: the former is more driven by espionage and secondary target selection while the latter aims more for financial gain.

Both groups rely on exploiting recently disclosed vulnerabilities as well as weak/default credentials. This is one of the reasons why use of valid accounts was a top MITRE ATT&CK technique observed this year, and consistently a top weakness in Talos Incident Response engagements.

Patching isn't easy, and isn't necessarily without risk. It all comes back to that balance again.

We got a question on the Reddit AMA thread that we ran earlier this week, about the difficulties of patching network infrastructure. I thought my colleague Lexi DiScola's response was such a good one I wanted to highlighted it here.

The question was, "Eventually these \[networking\] devices may get patched, but not without a significant planned downtime, ranting from org leaders, and/or hesitation from the networking team (if there is one). Especially in larger orgs, where the number of devices may be in the hundreds or thousands. What have you observed to be the biggest barriers to patch management that you see regarding network devices?"

Here was Lexi's answer:

> "One of the biggest barriers in securing these devices is that they are often not prioritized by security teams - whether that be for the reasons you listed, and/or because there is a lack of awareness around the significant level of access they can enable. As there is often limited monitoring of these devices, security teams may not even realize they are being leveraged as initial access vectors during large scale intrusions. This lack of awareness is further highlighted by the fact that many of these devices are vulnerable due to organizations using default passwords and configurations, vulnerabilities that are often quickly remediated in other network infrastructure. We recommend organizations improve monitoring and defensive measures for these devices, patch security flaws, remediate insecure default configurations, and improve employee awareness."

In terms of other recommendations based on the trends in the Year in Review Report? Well, if you thought you were about to read a blog about security recommendations without the mention of multi-factor authentication, I’m sorry to break it to you, because that’s about to happen. MFA really is one of the best things you can do to limit your threat surface.

In this episode of the Talos Takes podcast, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future. 

Read the full Year in Review below (no form filling necessary!):

Recommendations that defenders can use from Talos’ Year in Review Report

A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50765: Jenkins Security Advisory 2023-12-13

Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

CVE-2023-50779: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.

CVE-2023-50774: Jenkins Security Advisory 2023-12-13

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

CVE-2023-50770: Jenkins Security Advisory 2023-12-13

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

CVE-2023-50771: Jenkins Security Advisory 2023-12-13

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-50777: Jenkins Security Advisory 2023-12-13

Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Tag

#cisco