Categories: News
Tags: week

Tags:  security

Tags:  September

Tags:  2023

Tags:  dependabot

Tags:  bard

Tags:  bing

A list of topics we covered in the week of September 25 to October 1 of 2023



(Read more...)




The post A week in security (September 25 - October 1) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 25 - October 1)

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Fall is here, but hot zero-day summer shows no signs of cooling down, with the likes of Apple, Microsoft, and Google fixing flaws being used in real-life attacks.

Some major enterprise fixes were released during the month, including a Cisco patch for a vulnerability with a maximum CVSS score of 10.

Spyware has been a prominent trend over the past couple of months, and it’s a threat everyone should take seriously. Attacks can reach devices without any interaction from the user, so it’s important to keep your operating system up to date.

Here’s everything you need to know about the patches issued in September.

Apple iOS and iPad OS

Apple didn’t release any security updates in August, but the iPhone maker sure made up for it in September. First came iOS 16.6.1, an emergency security update released on September 9 to fix two flaws already being used in so-called “zero-click” attacks.

Reported by researchers at the University of Toronto’s Citizen Lab, the vulnerabilities were used to plant spyware via attachments containing malicious images in an iMessage, in an attack the researchers called BLASTPASS.

In mid-September, Apple released its major software upgrade, iOS 17, followed by iOS 17.0.1 a few days later. The surprise iOS 17.0.1 upgrade was important because it fixed another three iPhone flaws being used in spyware attacks.

Tracked as CVE-2023-41992 and reported by security researchers at Citizen Lab and Google, the first issue is a flaw in the kernel that could allow an attacker to escalate privileges. The other two vulnerabilities in WebKit and Security could potentially be chained together to take over a user’s device.

The flaws patched in iOS 17.0.1 were also fixed in the iOS 16.7 release for users of older iPhones or people who don’t want to upgrade to the latest software.

At the end of September, Apple released iOS 17.0.2 to fix some early iOS 17 bugs, and this is the latest version of the software, as of publication.

Apple has also released macOS Sonoma 14 to fix over 60 vulnerabilities.

Google Android

September was a big security month for Google’s Android users, with the monthly patch fixing 33 flaws, including one already being used in attacks. Tracked as CVE-2023-35674, the vulnerability in the framework could allow an adversary to elevate privileges without any interaction from the user. “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in its Android Security Bulletin.

Another severe issue is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed.

The Android security update has already reached Google’s own Pixel devices as well as Samsung devices, including the Galaxy S23 and S22 series.

Google Chrome

At the end of September, Google updated its Chrome browser after fixing 10 vulnerabilities, one of which was already being exploited by adversaries. Tracked as CVE-2023-5217 and rated as having a high impact, the already-exploited bug is a heap buffer overflow flaw in vp8 encoding in libvpx. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the software giant said in an advisory.

The flaw was used in targeted spyware attacks, Google security researcher Maddie Stone later confirmed on Twitter.

Earlier in the month, Google fixed another zero-day flaw, a heap buffer overflow issue initially tracked as CVE-2023-4863, which it thought impacted only the Chrome browser. But two weeks after fixing the issue, researchers discovered it was worse than they thought, affecting the widely-used libwebp image library for rendering images in the WebP format.

Now tracked as CVE-2023-5129, it is thought the bug impacts every application that uses the libwebp library to process WebP images. “The scope of this vulnerability is much wider than initially assumed, affecting millions of different applications worldwide,” security firm Rezilion wrote in a blog.

The security outfit also thinks it is “highly likely” that the underlying issue in the libwebp library is the same issue resulting in CVE-2023-41064—one of the Apple flaws used as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware.

Microsoft

Microsoft’s September Patch Tuesday is one to remember, as it fixed around 65 flaws, two of which are already being exploited by attackers. Tracked as CVE-2023-36761, the first is a Microsoft Word information disclosure vulnerability that could allow NTLM hashes to be exposed.

The second and most severe flaw is a privilege-escalation vulnerability in Microsoft Streaming Service Proxy tracked as CVE-2023-36802. An attacker who successfully exploited this vulnerability could gain system privileges, Microsoft said, adding that exploitation of the flaw has been detected.

Both flaws are marked as important, so it’s a good idea to update your devices as soon as you can.

Mozilla Firefox

Firefox has had a hectic month after Mozilla fixed 10 flaws in its privacy-conscious browser. CVE-2023-5168 is an out-of-bounds write bug in FilterNodeD2D1 affecting Firefox on Windows, rated as having a high impact.

CVE-2023-5170 is a flaw that could result in memory leak from a privileged process. This could be used to effect a sandbox escape if the correct data was leaked, Firefox owner Mozilla said in an advisory.

Meanwhile, CVE-2023-5176 covers memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

At the start of the month, Cisco issued a patch for a vulnerability in the single sign-on implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that could allow an unauthenticated, remote attacker to forge credentials to access an affected system. Tracked as CVE-2023-20238, the flaw has been given a maximum CVSS score of 10.

Also this month, Cisco patched a zero-day in Adaptive Security Appliance and Firepower Threat Defense software already exploited in Akira ransomware attacks. Tracked as CVE-2023-20269 and with a medium severity CVSS score of 5, the vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute-force attack to identify valid username and password combinations.

SAP

Enterprise software firm SAP has issued several important fixes as part of its September Security Patch Day. This includes a patch for CVE-2023-40622, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.9. “A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application,” security firm Onapsis said.

CVE-2023-40309 is a missing authorization check issue in SAP CommonCryptoLib with a CVSS score of 9.8. The flaw can result in an escalation of privileges and in the worst case, attackers can compromise the affected application completely, Onapsis said.

Meanwhile, CVE-2023-42472 is an insufficient file type validation flaw in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 8.7.

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.
"The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy

Cyber Espionage / Malware

Sophisticated cyber actors backed by Iran known as **OilRig** have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.

"The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report.

The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia.

Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks.

The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating that it's under continuous development.

In the latest infection chain documented by Trend Micro, the lure document is used to create a scheduled task for persistence and drop an executable ("Menorah.exe") that, for its part, establishes contact with a remote server to await further instructions. The command-and-control server is currently inactive.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

The .NET malware, an improved version of the original C-based SideTwist implant discovered by Check Point in 2021, is armed with various features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system.

"The group consistently develops and enhances tools, aiming to reduce security solutions and researchers' detection," the researchers said.

"Typical of APT groups, APT34 demonstrates their vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques to use per targeted organization to ensure success in intrusions, stealth, and cyber espionage."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

By Deeba Ahmed
Chinese hackers have struck again!
This is a post from HackRead.com Read the original post: Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Thousands of emails belonging to the US State Department were stolen in a data breach targeting Microsoft Outlook accounts.

Chinese hackers are responsible for breaching the security of Microsoft’s cloud-based Exchange email platform, which occurred in May 2023. Apart from stealing tens of thousands of emails from official accounts, the attackers obtained a list of all email accounts belonging to the State Department, Reuters reported.

As reported by Hackread.com, Microsoft revealed the breach in July 2023, explaining that threat actors breached Outlook accounts used by 25 organizations, including the US State and Commerce Departments, and other charges linked to these entities. The tech giant didn’t disclose the names of the impacted organizations and government entities.

The scope of the breach was disclosed at a Senate staff briefing on September 28, 2023. It was revealed at least 60,000 emails belonging to state department officials stationed in the Pacific, East Asia, and Europe were stolen. The compromised accounts mainly belonged to personnel focusing on Indo-Pacific diplomacy.

In a press briefing, State Department’s spokesperson Matthew Miller confirmed the data breach, explaining that “classified systems” weren’t hacked in that incident. Miller also added that the department is yet to make an attribution, but there’s no reason to doubt Microsoft’s attribution.

“Again, this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about,” Miller told reporters.

On the other hand, Senator Eric Schmitt said in his official statement that there’s a growing need to “harden” security defences against such intrusions in the future. Moreover, Schmitt believes that the federal government’s dependence on a single vendor should also be reviewed as this could be a weak link.

Microsoft has blamed the Chinese cyber-espionage group called Storm-0558 for the email breach. This group is known for infiltrating email systems of its targets to steal sensitive data.

According to a Microsoft representative, Storm-0558 accessed a Windows crash dump and obtained a consumer signing key, which could be used to compromise Exchange Online and Azure Active Directory accounts. The key was obtained by exploiting an already patched zero-day validation flaw that affected the GetAccessTokenForResourceAPI.

By exploiting this flaw, the attackers could create counterfeited signed access tokens and impersonate any account belonging to their target organizations. With this technique, Storm-0558 compromised the corporate account of a Microsoft engineer and managed to access the government email accounts.

Microsoft has revoked the stolen signing key and launched an investigation into the incident. The company has confirmed no further evidence of repeated unauthorized access to customer accounts using the same access token counterfeiting method.

Upon CISA’s insistence, Microsoft agreed to expand access to cloud logging data, which so far was only available to users having Purview Audit (Premium) logging licenses, free of charge so that network defenders can quickly identify breach attempts.

Mike Newman, CEO of My1Login, has commented on this incident, stating that this attack is crucial because hackers accessed sensitive government data from Outlook.

“Attackers appear to have accessed highly sensitive information in this breach by coupling together a number of attack vectors. These are complex and sophisticated techniques that signal Microsoft was facing a determined adversary that was highly motivated to carry out this attack.”

Newman further noted that encryption is the best defence against such incidents, and the workforce shouldn’t be allowed to access user credentials so that they cannot be lost or solved. Moreover, Microsoft shouldn’t have access to consumers’ private keys in the first place. 

“It should be mandatory for security that customer data (i.e. emails, stored credentials, documents) is encrypted using keys that are only known to the customer, meaning they cannot be accessed by the cloud software provider or an external, malicious actor.”

**RELATED ARTICLES**

1.  Chinese Group Storm-0558 Hacked European Govt Emails
2.  Chinese APT Flax Typhoon uses legit tools for cyber espionage
3.  Chinese Hackers Stole Signing Key to Breach Outlook Accounts
4.  Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
5.  Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libarchive: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #882521, #911486  
       ID: 202309-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libarchive, the worst of  
which could result in denial of service.

Background  
=========  
libarchive is a library for manipulating different streaming archive  
formats, including certain tar variants, several cpio formats, and both  
BSD and GNU ar variants.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
app-arch/libarchive  < 3.7.1       >= 3.7.1

Description  
==========  
Multiple vulnerabilities have been discovered in libarchive. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libarchive users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.7.1"

References  
=========  
[ 1 ] CVE-2022-36227  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36227

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-13 - A buffer overflow vulnerability has been found in GMP which could result in denial of service. Versions greater than or equal to 6.2.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GMP: Buffer Overflow Vulnerability  
     Date: September 29, 2023  
     Bugs: #823804  
       ID: 202309-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been found in GMP which could result  
in denial of service.

Background  
=========  
The GNU Multiple Precision Arithmetic Library is a library forarbitrary-  
precision arithmetic on different types of numbers.

Affected packages  
================  
Package       Vulnerable    Unaffected  
------------  ------------  ------------  
dev-libs/gmp  < 6.2.1-r2    >= 6.2.1-r2

Description  
==========  
There is an integer overflow leading to a buffer overflow when  
processing untrusted input via GMP's mpz_inp_raw function.

Impact  
=====  
Untrusted input can cause a denial of service via segmentation fault.

Workaround  
=========  
Users can ensure no untrusted input is passed into GMP's mpz_inp_raw  
function.

Resolution  
=========  
All GMP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/gmp-6.2.1-r2"

References  
=========  
[ 1 ] CVE-2021-43618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43618

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-13

Gentoo Linux Security Advisory 202309-12 - Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation. Versions greater than or equal to 1.9.13_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #898510, #905322  
       ID: 202309-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in sudo, the worst of which can  
result in root privilege escalation.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-admin/sudo  < 1.9.13_p2   >= 1.9.13_p2

Description  
==========  
Multiple vulnerabilities have been discovered in sudo. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.13_p2"

References  
=========  
[ 1 ] CVE-2023-27320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27320  
[ 2 ] CVE-2023-28486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28486  
[ 3 ] CVE-2023-28487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28487

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-12

Gentoo Linux Security Advisory 202309-11 - Multiple vulnerabilities have been found in libsndfile, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsndfile: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #803065  
       ID: 202309-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libsndfile, the worst of  
which could result in arbitrary code execution.

Background  
=========  
libsndfile is a C library for reading and writing files containing  
sampled sound.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
media-libs/libsndfile  < 1.1.0       >= 1.1.0

Description  
==========  
Multiple vulnerabilities have been discovered in libsndfile. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libsndfile users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.1.0"

References  
=========  
[ 1 ] CVE-2021-3246  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3246  
[ 2 ] CVE-2021-4156  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4156

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-11

Gentoo Linux Security Advisory 202309-10 - A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code Versions greater than or equal to 3.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Fish: User-assisted execution of arbitrary code  
     Date: September 29, 2023  
     Bugs: #835337  
       ID: 202309-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability was discovered in Fish when handling git repository  
configuration that may lead to execution of arbitrary code

Background  
=========  
Smart and user-friendly command line shell for macOS, Linux, and the  
rest of the family. It includes features like syntax highlighting,  
autosuggest-as-you-type, and fancy tab completions that just work, with  
no configuration required.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-shells/fish  < 3.4.0       >= 3.4.0

Description  
==========  
A vulnerability have been discovered in Fish. Please review the CVE  
identifiers referenced below for details.

Impact  
=====  
A user may be enticed to cd into a git repository under control by an  
attacker (e.g. on a shared filesystem or by unpacking an archive) and  
execute arbitrary commands.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All fish users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"

References  
=========  
[ 1 ] CVE-2022-20001  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20001

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac