In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.

Summary

Git connection checker can initiate an SMB connection leading to NTLM relay attack (CVE-2022-2780)

Advisory Number

2022-20

Discovery Date

11 Aug 2022

Patch Release Date

27 Sep 2022

Advisory Release Date

14 Oct 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

High

CVE ID

CVE-2022-2780

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10640 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a high rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.

The versions of Octopus Server affected by this vulnerability are:

*   All 2021.2.x versions after 2021.2.994
*   All 2021.3.x versions
*   All 2022.1.x versions before 2022.1.3180
*   All 2022.2.x versions before 2022.2.7965
*   All 2022.3.x versions before 2022.3.10586

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3180
*   2022.2.7965
*   2022.3.10586

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10640). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10640):**

If you have feature version...

...then upgrade to this version

2021.2.994 and greater

2022.1.3180 or greater

2021.3.x

2022.1.3180 or greater

2022.1.x

2022.1.3180 or greater

2022.2.x

2022.2.7965 or greater

2022.3.x

2022.3.10586 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2780, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Justin Steven

CVE-2022-2780: Security Advisory 2022-20

Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.

'1204059?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-42720: Invalid Bug ID

A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.

CVE-2022-42721

In the Linux kernel 5.8 through 5.19.14, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.

'1204125?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-42722: Invalid Bug ID

An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

AgeCommit message (Expand)AuthorFilesLines 2022-09-04Merge tag 'wireless-next-2022-09-03' of git://git.kernel.org/pub/scm/linux/ke...David S. Miller1\-1/+1 2022-09-03wifi: mac80211: fix double SW scan stopJohannes Berg1\-1/+1 2022-08-25wifi: mac80211: Fix UAF in ieee80211\_scan\_rx()Siddh Raman Pant1\-4/+7 2022-07-15wifi: mac80211: fix multi-BSSID element parsingJohannes Berg1\-4/+8 2022-06-20wifi: mac80211: move interface config to new structJohannes Berg1\-1/+1 2022-05-04mac80211: upgrade passive scan to active scan on DFS channels after beacon rxFelix Fietkau1\-0/+20 2021-09-23mac80211: always allocate struct ieee802\_11\_elemsJohannes Berg1\-6/+10 2021-05-31mac80211: fix skb length check in ieee80211\_scan\_rx()Du Cheng1\-5/+16 2020-09-28mac80211: convert S1G beacon to scan resultsThomas Pedersen1\-4/+13 2020-09-28mac80211: s1g: choose scanning width based on frequencyThomas Pedersen1\-0/+17 2020-09-28nl80211/cfg80211: support 6 GHz scanningTova Mussai1\-2/+7 2020-07-31mac80211: remove unused flags argument in transmit functionsMathy Vanhoef1\-1/+1 2020-07-31mac80211: use same flag everywhere to avoid sequence number overwriteMathy Vanhoef1\-4/+3 2020-07-31nl80211: S1G band and channel definitionsThomas Pedersen1\-0/+1 2020-05-31mac80211: Add HE 6GHz capabilities element to probe requestIlan Peer1\-8/+9 2020-05-31mac80211: avoid using ext NSS high BW if not supportedJohannes Berg1\-0/+6 2020-04-24mac80211: add freq\_offset to RX statusThomas Pedersen1\-1/+2 2020-04-24mac80211: handle channel frequency offsetThomas Pedersen1\-0/+1 2020-02-21cfg80211: remove support for adjacent channel compensationEmmanuel Grumbach1\-2/+1 2019-10-07mac80211: fix scan when operating on DFS channels in ETSI domainsAaron Komisar1\-2/+28 2019-06-19treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500Thomas Gleixner1\-4/+1 2019-02-08mac80211: support multi-bssidSara Sharon1\-2/+9 2019-02-08mac80211: move the bss update from elements to an helperSara Sharon1\-70/+80 2019-02-08mac80211: pass bssids to elements parsing functionSara Sharon1\-35/+40 2018-11-09mac80211: allow hardware scan to fall back to softwareJohannes Berg1\-4/+18 2018-06-30Merge tag 'mac80211-next-for-davem-2018-06-29' of git://git.kernel.org/pub/sc...David S. Miller1\-6/+50 2018-06-15mac80211: support scan features for improved scan privacyJohannes Berg1\-5/+30 2018-06-15mac80211: split ieee80211\_send\_probe\_req()Johannes Berg1\-2/+20 2018-06-15mac80211: add probe request building flagsJohannes Berg1\-3/+4 2018-06-12treewide: kzalloc() -> kcalloc()Kees Cook1\-1/+1 2018-03-21mac80211: inform wireless layer when frame RSSI is invalidTosoni1\-1/+3 2017-09-21mac80211: oce: enable receiving of bcast probe respRoee Zamir1\-9/+28 2017-04-28cfg80211: add request id to cfg80211\_sched\_scan\_\*() apiArend Van Spriel1\-2/+2 2017-04-28mac80211: separate encoding/bandwidth from flagsJohannes Berg1\-4/+4 2017-04-28mac80211: clean up rate encoding bits in RX statusJohannes Berg1\-4/+4 2016-12-13mac80211: Remove unused 'len' variableKirtika Ruchandani1\-5/+3 2016-09-15mac80211: fix scan completed tracingJohannes Berg1\-1/+1 2016-07-06mac80211: report failure to start (partial) scan as scan abortJohannes Berg1\-2/+3 2016-07-06mac80211: Add support for beacon report radio measurementAvraham Stern1\-8/+34 2016-07-06nl80211: support beacon report scanningAvraham Stern1\-2/+7 2016-04-12cfg80211: remove enum ieee80211\_bandJohannes Berg1\-6/+6 2016-04-05mac80211: Support a scan request for a specific BSSIDJouni Malinen1\-1/+3 2016-04-05mac80211: allow drivers to report CLOCK\_BOOTTIME for scan resultsJohannes Berg1\-1/+3 2016-01-26mac80211: Requeue work after scan complete for all VIF types.Sachin Kulkarni1\-1/+11 2016-01-14mac80211: handle sched\_scan\_stopped vs. hw restart raceEliad Peller1\-0/+8 2015-12-02mac80211: do not actively scan DFS channelsAntonio Quartulli1\-4/+5 2015-11-03mac80211: don't reconfigure sched scan in case of wowlanEliad Peller1\-5/+7 2015-10-14mac80211: remove PM-QoS listenerJohannes Berg1\-1/+0 2015-10-13mac80211: use new cfg80211\_inform\_bss\_frame\_data() APIJohannes Berg1\-10/+9 2015-06-10mac80211: convert HW flags to unsigned long bitmapJohannes Berg1\-5/+5 2015-06-09mac80211: ignore invalid scan RSSI valuesSara Sharon1\-1/+7 2015-06-02mac80211: rename single hw-scan flag to follow naming conventionJohannes Berg1\-3/+3 2015-03-30mac80211: IBSS fix scan requestJanusz.Dziedzic@tieto.com1\-9/+16 2015-01-23mac80211: complete scan work immediately if quiesced or suspendedLuciano Coelho1\-0/+5 2015-01-14mac80211: don't defer scans in case of radar detectionEliad Peller1\-1/+1 2015-01-14mac80211: remove local->radar\_detect\_enabledEliad Peller1\-1/+1 2015-01-14mac80211: let flush() drop packets when possibleEmmanuel Grumbach1\-2/+2 2014-11-19mac80211: allow drivers to support NL80211\_SCAN\_FLAG\_RANDOM\_ADDRJohannes Berg1\-10/+38 2014-11-19mac80211: rcu-ify scan and scheduled scan request pointersJohannes Berg1\-30/+49 2014-11-19mac80211: remove redundant checkEliad Peller1\-1/+1 2014-09-05mac80211: add Intel Mobile Communications copyrightJohannes Berg1\-0/+1 2014-08-26mac80211: scan: Replace rcu\_assign\_pointer() with RCU\_INIT\_POINTER()Andreea-Cristina Bernat1\-1/+1 2014-06-25mac80211: split sched scan IEsDavid Spinadel1\-23/+24 2014-06-25mac80211: support more than one band in scan requestDavid Spinadel1\-25/+60 2014-05-09mac80211: handle failed restart/resume betterJohannes Berg1\-5/+10 2014-04-09mac80211: use RCU\_INIT\_POINTERMonam Agarwal1\-5/+5 2014-03-19mac80211: release sched\_scan\_sdata when stopping sched scanAlexander Bondar1\-2/+4 2014-02-20mac80211: allow driver to return error from sched\_scan\_stopJohannes Berg1\-1/+1 2014-02-11mac80211: fix IE buffer lenDavid Spinadel1\-5/+2 2013-12-16mac80211: reschedule sched scan after HW restartDavid Spinadel1\-14/+39 2013-12-16Merge remote-tracking branch 'wireless-next/master' into mac80211-nextJohannes Berg1\-1/+1 2013-12-06Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2013-12-05mac80211: start\_next\_roc only if scan was actually runningEliad Peller1\-1/+3 2013-12-05mac80211: determine completed scan type by defined opsEliad Peller1\-8/+7 2013-12-03mac80211: remove duplicate codeEliad Peller1\-8/+0 2013-11-25cfg80211: consolidate passive-scan and no-ibss flagsLuis R. Rodriguez1\-5/+5 2013-11-25mac80211: fix scheduled scan rtnl deadlockJohannes Berg1\-1/+1 2013-11-04Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+19 2013-10-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller1\-0/+19 2013-10-09mac80211: correctly close cancelled scansEmmanuel Grumbach1\-0/+19 2013-09-26mac80211: change beacon/connection pollingStanislaw Gruszka1\-2/+1 2013-07-16mac80211: allow scanning for 5/10 MHz channels in IBSSSimon Wunderlich1\-6/+39 2013-07-16mac80211: select and adjust bitrates according to channel modeSimon Wunderlich1\-2/+25 2013-06-13mac80211: track AP's beacon rate and give it to the driverAlexander Bondar1\-0/+9 2013-04-16mac80211: parse VHT channel switch IEsJohannes Berg1\-1/+1 2013-04-08mac80211: check ERP info IE length in parserJohannes Berg1\-3/+2 2013-03-25mac80211: Use a cfg80211\_chan\_def in ieee80211\_hw\_conf\_chanKarl Beldan1\-3/+3 2013-03-18mac80211: pass queue bitmap to flush operationJohannes Berg1\-2/+2 2013-03-11mac80211: remove a few set but unused variablesJohannes Berg1\-3/+0 2013-02-15mac80211: add radar detection command/eventSimon Wunderlich1\-0/+3 2013-02-11mac80211: Add flushes before going off-channelSeth Forshee1\-0/+3 2013-02-11mac80211: Fix tx queue handling during scansSeth Forshee1\-3/+6 2013-02-11mac80211: introduce beacon-only timing dataJohannes Berg1\-1/+4 2013-02-11cfg80211: pass wiphy to cfg80211\_ref\_bss/put\_bssJohannes Berg1\-1/+2 2013-01-31mac80211: improve latency and throughput while software scanningStanislaw Gruszka1\-27/+5 2013-01-31mac80211: start auth/assoc timeout on frame statusJohannes Berg1\-1/+2 2013-01-31mac80211: remove unused mesh data from bssJohannes Berg1\-9/+0 2013-01-31mac80211: remove last\_probe\_resp from bssJohannes Berg1\-3/+0 2013-01-28Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-10/+5 2013-01-16mac80211: synchronize scan off/on-channel and PS statesStanislaw Gruszka1\-10/+5 2013-01-03mac82011: use frame control to differentiate probe resp/beaconEmmanuel Grumbach1\-5/+4 2013-01-03mac80211: fix dtim\_period in hidden SSID AP associationJohannes Berg1\-12/+0 2013-01-03mac80211: fix ibss scanningStanislaw Gruszka1\-10/+24 2012-12-11Merge branch 'for-john' of git://git.sipsolutions.net/mac80211-nextJohn W. Linville1\-1/+1 2012-12-10mac80211: a few whitespace fixesJohannes Berg1\-1/+1 2012-12-06Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-9/+12 2012-11-30mac80211: make ieee80211\_build\_preq\_ies saferJohannes Berg1\-9/+12 2012-11-26Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jber...John W. Linville1\-8/+1 2012-11-23cfg80211: use DS or HT operation IEs to determine BSS channelJohannes Berg1\-8/+1 2012-11-21Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-10-31mac80211: init sched\_scan\_iesDavid Spinadel1\-1/+1 2012-10-18mac80211: add support for tx to abort low priority scan requestsSam Leffler1\-4/+17 2012-10-17mac80211: use channel contextsJohannes Berg1\-2/+2 2012-10-16mac80211: track whether to use channel contextsJohannes Berg1\-0/+4 2012-09-07net/mac80211/scan.c: removes unnecessary semicolonPeter Senna Tschudin1\-1/+1 2012-09-06mac80211: don't hang on to sched\_scan\_iesJohannes Berg1\-25/+14 2012-09-06Merge remote-tracking branch 'mac80211/master' into mac80211-nextJohannes Berg1\-2/+1 2012-08-20mac80211: pass channel to ieee80211\_send\_probe\_reqJohannes Berg1\-1/+2 2012-08-20mac80211: check operating channel in scanJohannes Berg1\-5/+4 2012-07-30mac80211: don't clear sched\_scan\_sdata on sched scan stop requestEliad Peller1\-1/+0 2012-07-30Merge remote-tracking branch 'wireless/master' into mac80211Johannes Berg1\-58/+65 2012-07-24mac80211: fix scan\_sdata assignmentJohannes Berg1\-1/+1 2012-07-20Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-54/+62 2012-07-12mac80211: add time synchronisation with BSS for assocJohannes Berg1\-1/+2 2012-07-12mac80211: redesign scan RXJohannes Berg1\-34/+23 2012-07-12mac80211: track scheduled scan virtual interfaceJohannes Berg1\-10/+10 2012-07-12mac80211: make scan\_sdata pointer usable with RCUJohannes Berg1\-9/+24 2012-07-12mac80211: fix invalid band deref building preq IEsArik Nemtsov1\-0/+3 2012-06-12Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-2/+2 2012-06-06mac80211: unify SW/offload remain-on-channelJohannes Berg1\-2/+2 2012-06-04net: Remove casts to same typeJoe Perches1\-2/+1 2012-05-09mac80211: Convert compare\_ether\_addr to ether\_addr\_equalJoe Perches1\-1/+1 2012-04-23mac80211: Support on-channel scan option.Ben Greear1\-26/+69 2012-04-13mac80211: remove ieee80211\_rx\_bss\_getMohammed Shafi Shajakhan1\-14/+0 2012-04-13mac80211: do not scan and monitor connection in parallelStanislaw Gruszka1\-1/+28 2012-03-28mac80211: fix oper channel timestamp updationRajkumar Manoharan1\-1/+1 2012-03-07mac80211: Filter duplicate IE idsPaul Stewart1\-20/+51 2012-03-05mac80211: use compare\_ether\_addr on MAC addresses instead of memcmpFelix Fietkau1\-1/+2 2012-01-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+1 2012-01-04mac80211: fix scan state machineMohammed Shafi Shajakhan1\-1/+1 2011-12-19net: fix assignment of 0/1 to bool variables.Rusty Russell1\-1/+1 2011-11-30mac80211: revert on-channel work optimisationsJohannes Berg1\-2/+2 2011-11-22Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torval...John W. Linville1\-0/+1 2011-11-11mac80211: simplify scan state machineJohannes Berg1\-122/+77 2011-10-31net: Add export.h for EXPORT\_SYMBOL/THIS\_MODULE to non-modulesPaul Gortmaker1\-0/+1 2011-10-25Merge branch 'pm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/...Linus Torvalds1\-1/+1 2011-10-11mac80211: pass no-CCK flag through to HW scanJohannes Berg1\-0/+1 2011-09-27mac80211: Send the management frame at requested rateRajkumar Manoharan1\-1/+2 2011-08-25PM QoS: Move and rename the implementation filesJean Pihet1\-1/+1 2011-07-19mac80211: implement scan supported ratesJohannes Berg1\-3/+3 2011-07-11Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-1/+2 2011-07-07mac80211: fix ie memory allocation for scheduled scansLuciano Coelho1\-1/+2 2011-06-27mac80211: Drop DS Channel PARAM in directed probePaul Stewart1\-1/+2 2011-06-27mac80211: restrict advertised HW scan ratesJohannes Berg1\-2/+3 2011-06-17mac80211: add cancel\_hw\_scan() callbackEliad Peller1\-16/+21 2011-05-27mac80211: Remove duplicate linux/slab.h include from net/mac80211/scan.cJesper Juhl1\-1/+0 2011-05-16mac80211: abort scan\_work immediately when the device goes downRajkumar Manoharan1\-0/+5 2011-05-12cfg80211/mac80211: avoid bounce back mac->cfg->mac on sched\_scan\_stoppedLuciano Coelho1\-6/+27 2011-05-11mac80211: add support for HW scheduled scanLuciano Coelho1\-0/+99 2011-05-10mac80211: don't drop frames where skb->len < 24 in ieee80211\_scan\_rx()Luciano Coelho1\-1/+1 2011-03-07mac80211: fix scan race, simplify codeJohannes Berg1\-40/+24 2011-02-09mac80211: Ensure power-level set properly for scanning.Ben Greear1\-1/+8 2011-02-09mac80211: Allow scanning on existing channel-type.Ben Greear1\-4/+2 2011-02-04mac80211: Optimize scans on current operating channel.Ben Greear1\-25/+63 2011-01-21cfg80211: Extend channel to frequency mapping for 802.11jBruno Randolf1\-1/+2 2010-10-07mac80211: fix sw scan lockingJohannes Berg1\-2/+1 2010-10-06mac80211: avoid uninitialized var warning in ieee80211\_scan\_cancelJohn W. Linville1\-3/+4 2010-10-06mac80211: compete scan to cfg80211 if deferred scan fail to startStanislaw Gruszka1\-0/+2 2010-10-06mac80211: do not requeue scan work when not neededStanislaw Gruszka1\-12/+3 2010-10-06mac80211: assure we also cancel deferred scan requestStanislaw Gruszka1\-10/+25 2010-10-06mac80211: keep lock when calling \_\_ieee80211\_scan\_completed()Stanislaw Gruszka1\-36/+39 2010-10-06mac80211: reduce number of \_\_ieee80211\_scan\_completed callsStanislaw Gruszka1\-22/+29 2010-09-24mac80211: Add DS Parameter Set into Probe Request on 2.4 GHzJouni Malinen1\-1/+2 2010-09-24mac80211: Filter ProbeReq SuppRates based on TX rate maskJouni Malinen1\-1/+1 2010-08-27mac80211: allow scan to complete from any contextJohannes Berg1\-8/+26 2010-08-16mac80211: per interface idle notificationJohannes Berg1\-0/+2 2010-08-16mac80211: unify scan and work mutexesJohannes Berg1\-15/+15 2010-08-04mac80211: fix scan locking wrt. hw scanJohannes Berg1\-14/+0 2010-07-29mac80211: allow drivers to request DTIM periodJohannes Berg1\-0/+4 2010-07-28Revert "mac80211: fix sw scan bracketing"Luis R. Rodriguez1\-2/+2 2010-06-21mac80211: Fix compile warning in scan.c.Gertjan van Wingerde1\-1/+1 2010-06-18mac80211: fix sw scan bracketingJohannes Berg1\-2/+2 2010-05-20Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6Linus Torvalds1\-19/+107 2010-05-05Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-13/+40 2010-05-03mac80211: improve IBSS scanningJohannes Berg1\-1/+27 2010-04-28mac80211: do not wip out old supported ratesStanislaw Gruszka1\-10/+11 2010-04-27mac80211: give virtual interface to hw\_scanJohannes Berg1\-2/+2 2010-04-15Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-0/+2 2010-04-11Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/ne...David S. Miller1\-0/+1 2010-04-08mac80211: enhance tracingJohannes Berg1\-0/+2 2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking imp...Tejun Heo1\-0/+1 2010-03-09mac80211: Improve software scan timingHelmut Schaa1\-6/+65 2010-02-08Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linvil...John W. Linville1\-8/+19 2010-02-08mac80211: fix deferred hardware scan requestsJohannes Berg1\-8/+10 2010-01-26mac80211: wait for beacon before enabling powersaveJohannes Berg1\-4/+0 2010-01-12mac80211: add U-APSD client supportKalle Valo1\-0/+18 2010-01-12mac80211: fix a few work bugsJohannes Berg1\-0/+1 2010-01-06Revert "mac80211: replace netif\_tx\_{start,stop,wake}\_all\_queues"John W. Linville1\-5/+5 2010-01-05mac80211: No need to include WEXT headers hereJouni Malinen1\-1/+0 2009-12-28mac80211: Generalize off-channel operation helpers from scan codeJouni Malinen1\-150/+6

CVE-2022-41674: git/torvalds/linux.git - Linux kernel source tree

A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.14 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

CVE-2022-42719

The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.

Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.

The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed "Alchimist," a previously unseen remote access Trojan (RAT) called "Insekt," and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.

"Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor," says Nick Biasini, head of outreach at Cisco Talos.

**A Cobalt Strike Alternative?**

Researchers from Cisco Talos who discovered the attack framework described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver. 

"The emergence of such frameworks in the wild suggests that threat actors are actively trying to develop alternative solutions to popular attack frameworks ... whose increasing popularity has led to rigorous detection efforts," Biasini says. 

In a blog post on Oct. 13, Cisco Talos described Alchimist as a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist's primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.

"\[Alchimist\] can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands," the report noted. Giving it those capabilities are a variety of malware tools, including a Mach-0 backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

Of note, the Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system, Biasini says.

A campaign utilizing the attack framework has been active since at least January. 

"Although Talos does not have information on the precise targeting intended in this campaign, the intention of the attacks is to compromise and establish long-term access into victim environments," Biasini says.

**Stand-Alone Frameworks**

Cisco Talos has compared the Alchimist framework with another attack framework it discovered recently, dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver that a threat actor was actively using in a campaign involving COVID-19 and China-themed lure documents.

Both Alchimist and Manjusaka are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations. Both come ready to use with no installation required, and both can patch and generate implants such as the Insekt RAT on the fly, Cisco Talos said.

One feature of the new C2 that the company highlighted as being notable is its ability to generate PowerShell and wget code snippets for Windows and Linux.

The snippets give threat actors the ability to create an infection vector for Insekt RAT without having to author custom code or utilize additional tools, Biasini says. Attackers can simply add the PowerShell/wget code to a delivery vector such as a malicious document's VBA Macro or to a malicious shortcut file and then distribute it to victims for infection. 

"This offering may be an attempt by the authors to provide bonus features in the C2 framework and make it more enticing to threat actors," he notes.

Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments

Red Hat Advanced Cluster Management for Kubernetes 2.5.3 General
Availability release images, which fix security issues and bugs, as well as update container images.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-2238: search-api: SQL injection leads to remote denial of service


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-10-13

Updated:

2022-10-13

**RHSA-2022:6954 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: Red Hat Advanced Cluster Management 2.5.3 security fixes and bug fixes

**Type/Severity**

Security Advisory: Moderate

**Topic**

Red Hat Advanced Cluster Management for Kubernetes 2.5.3 General  
Availability release images, which fix security issues and bugs, as well as update container images.  

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

**Description**

Red Hat Advanced Cluster Management for Kubernetes 2.5.3 images  

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.  

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix security issues and several bugs. See the following Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:  

https://access.redhat.com/documentation/en-us/red\_hat\_advanced\_cluster\_management\_for\_kubernetes/2.5/html/release\_notes/

Security fix:  

*   search-api-container: search-api: SQL injection leads to remote denial of service (CVE-2022-2238)

Bug fixes:  

*   search-aggregator pod is continuously getting OOMkilled on the hub (BZ# 2092863)
*   ACM 2.5 cannot create known\_hosts file when pulling from ssh git repo (BZ# 2105885)
*   Production RHACM upgrade from v2.4.2 to 2.5.1 (BZ# 2121063)
*   No errors shown for failed helm deployments (BZ# 2124636)
*   In topology, cluster deploy status is shown as not deployed however new project is created on the cluster (BZ# 2125441)

**Affected Products**

*   Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 8 x86\_64

**Fixes**

*   BZ - 2092863 - search-aggregator pod is continuously getting OOMkilled on the hub
*   BZ - 2101669 - CVE-2022-2238 search-api: SQL injection leads to remote denial of service
*   BZ - 2105885 - ACM 2.5 cannot create known\_hosts file when pulling from ssh git repo
*   BZ - 2121063 - Production RHACM upgrade from v2.4.2 to 2.5.1
*   BZ - 2124636 - no errors shown for failed helm deployments
*   BZ - 2125441 - In topology, cluster deploy status is shown as not deployed however new project is created on the cluster

**CVEs**

*   CVE-2015-20107
*   CVE-2022-0391
*   CVE-2022-2238
*   CVE-2022-21123
*   CVE-2022-21125
*   CVE-2022-21166
*   CVE-2022-34903

**Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 8**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:6954: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.3 security fixes and bug fixes

From the basics to advanced techniques, here's what you should know.

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization's security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That's why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

**The Basics: Vulnerability Scanning**

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There's a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it's not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They're also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it's running well, the next step is penetration testing.

**Penetration Testing**

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there's a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren't found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it's a good idea to periodically review the wealth of information on best practices available online.

**Red Team/Purple Team**

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization's security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that's counterproductive. It's also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

**Using Adversary TTPs for Good**

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE's ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure's detection and response rates.

**Looking Ahead**

Security vendors are moving beyond simply advocating the concept of MITRE's ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE's CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber's Metta, Nextron Systems' APT Simulator, Elastic/Endgame's Red Team Automation, CyberMonitor's Invoke-Adversary, and Red Canary's Atomic Red Team.

**Conclusion**

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

What You Need for a Strong Security Posture

Red Hat Security Advisory 2022-6921-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: expat security update  
Advisory ID:       RHSA-2022:6921-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6921  
Issue date:        2022-10-12  
CVE Names:         CVE-2022-40674  
====================================================================  
1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: a use-after-free in the doContent function in xmlparse.c  
(CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library  
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
expat-2.0.1-15.el6_10.src.rpm

i386:  
expat-2.0.1-15.el6_10.i686.rpm  
expat-debuginfo-2.0.1-15.el6_10.i686.rpm  
expat-devel-2.0.1-15.el6_10.i686.rpm

s390x:  
expat-2.0.1-15.el6_10.s390.rpm  
expat-2.0.1-15.el6_10.s390x.rpm  
expat-debuginfo-2.0.1-15.el6_10.s390.rpm  
expat-debuginfo-2.0.1-15.el6_10.s390x.rpm  
expat-devel-2.0.1-15.el6_10.s390.rpm  
expat-devel-2.0.1-15.el6_10.s390x.rpm

x86_64:  
expat-2.0.1-15.el6_10.i686.rpm  
expat-2.0.1-15.el6_10.x86_64.rpm  
expat-debuginfo-2.0.1-15.el6_10.i686.rpm  
expat-debuginfo-2.0.1-15.el6_10.x86_64.rpm  
expat-devel-2.0.1-15.el6_10.i686.rpm  
expat-devel-2.0.1-15.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY0bVodzjgjWX9erEAQi1rA/+L5xp0XGX2BYxBgdx2lCqLs7R4/Cwut7P  
qfanGm1E7uDsZufFtsm4uNXIb4iCVpOPYKb25nTuztFTUazOde/YQOtScdieUZqw  
R1eLmXnP7GmgMDg4JONtFi49bx3XdBQYi24u5GkKuQ4c7pQhDJAeq3/+qrxip/yc  
/wuc63W1d30JJsyW9VBs8Jjbu8fktZqtfYEn+THnYnwXkvOVLZKfXnLlSD4u9zCw  
uyiijMuWkvgyKFZ65DMYE9gss/jylsBARni1dIZxvEnRymqKNaqhc5hG20sN+5tz  
Vag1LKGRp8X/8v+Hv8/spcSTpd0VKXYqBdcHS8LRMkF2QwW74l0FSPQT0fHzSmbA  
8uNMc2Pp9AA5odklJunIyasyO1k/a18PvSIwhkf3Ah/s1b4vRyAJtkD/GzVlW+vO  
oTZNpvo+LCYXs7GI/ZwgfPvXwaPiUOk2coyjjAsH7JcLmSh3+6vfOPhVAawMtZCH  
iZA6l/spdD1mT8JKyAH3JIsWuCN48AgeocZehgdkeCzzWmUHI/VUxFs5H/TwYz7n  
KV0SFXp0pikEw7+gehkbFhrJZ6ivRFmLF9Wm9EmzEnAXg5yCU/VejnIjvTZd1Abg  
lLnLRwBX9y1Yinj+DEc8TQtfKujHbV06WRQeCiznM/Mt20C5D9xtjIZOVNCTC5k/  
4nDmzyC1heo=Y2Td  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux