Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.

  

> Read our Blog: https://goteleport.com/blog/

> Read our Documentation: https://goteleport.com/docs/getting-started/

**Table of Contents**

1.  Introduction
2.  Installing and Running
3.  Docker
4.  Building Teleport
5.  Why Did We Build Teleport?
6.  More Information
7.  Support and Contributing
8.  Is Teleport Secure and Production Ready?
9.  Who Built Teleport?

**Introduction**

Teleport is the easiest, most secure way to access all your infrastructure. Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols.

On the server-side, Teleport is a single binary which enables convenient secure access to behind-NAT resources such as:

*   SSH nodes - SSH works in browsers too!
*   Kubernetes clusters
*   PostgreSQL, MongoDB, CockroachDB and MySQL databases
*   Internal Web apps
*   Windows Hosts
*   Networked servers

Teleport is trivial to set up as a Linux daemon or in a Kubernetes pod. It's rapidly replacing legacy sshd\-based setups at organizations who need:

*   Developer convenience of having instant secure access to everything they need across many environments and cloud providers.
*   Audit log with session recording/replay for multiple protocols
*   Easily manage trust between teams, organizations and data centers.
*   Role-based access control (RBAC) and flexible access workflows (one-time access requests)

In addition to its hallmark features, Teleport is interesting for smaller teams because it facilitates easy adoption of the best infrastructure security practices like:

*   No need to manage shared secrets such as SSH keys: Teleport uses certificate-based access with automatic certificate expiration time for all protocols.
*   Two-factor authentication (2FA) for everything.
*   Collaboratively troubleshoot issues through session sharing.
*   Single sign-on (SSO) for everything via Github Auth, OpenID Connect, or SAML with endpoints like Okta or Active Directory.
*   Infrastructure introspection: Use Teleport via the CLI or Web UI to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app.

Teleport is built upon the high-quality Golang SSH implementation. It is _fully compatible with OpenSSH_, sshd servers, and ssh clients.

Project Links

Description

Teleport Website

The official website of the project.

Documentation

Admin guide, user manual and more.

Demo Video

3-minute video overview of Teleport.

Blog

Our blog where we publish Teleport news.

Forum

Ask us a setup question, post your tutorial, feedback, or idea on our forum.

Slack

Need help with your setup? Ping us in our Slack channel.

Cloud-hosted

We offer Enterprise with a Cloud-hosted option. For teams that require easy and secure access to their computing environments.

**Installing and Running**

| Follow the Installation Guide

Download the latest binary release, unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into /usr/local/bin.

Then you can run Teleport as a single-node cluster:

In a production environment, Teleport must run as root. For testing or non-production environments, run it as the $USER:

chown $USER /var/lib/teleport

*   In this case, you will not be able to log in as another user.

**Docker**

| Follow the Docker-Compose Getting Started Guide

**Deploy Teleport**

If you wish to deploy Teleport inside a Docker container:

    # This command will pull the Teleport container image for version 8
    docker pull public.ecr.aws/gravitational/teleport:8
    

View latest tags on Amazon ECR Public | gravitational/teleport

**For Local Testing and Development**

Follow the instructions in the docker/README file.

To run a full test suite locally, see the test dependecies list

**Building Teleport**

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in Javascript (a git submodule located in the webassets/ directory).

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v9.1.2 gets release v9.1.2.

**Dockerized Build**

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

    make -C build.assets build-binaries
    

**Local Build****Dependencies**

Ensure you have installed correct versions of necessary dependencies:

*   Go version from go.mod
*   If you wish to build the Rust-powered features like Desktop Access, see the Rust and Cargo version in build.assets/Makefile (search for RUST_VERSION)
*   For tsh version > 10.x with FIDO support, you will need libfido and openssl 1.1 installed locally

For an example of Dev Environment setup on a Mac, see these instructions.

**Perform a build**

> **Important**
> 
> *   The Go compiler is somewhat sensitive to the amount of memory: you will need **at least** 1GB of virtual memory to compile Teleport. A 512MB instance without swap will **not** work.
> *   This will build the latest version of Teleport, **regardless** of whether it is stable. If you want to build the latest stable release, run git checkout and git submodule update --recursive to the corresponding tag (for example,
> *   run git checkout v8.0.0) **before** performing a build.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

To build tsh with Apple TouchID support enabled:

> **Important**
> 
> tsh binaries with Touch ID support are only functional using binaries signed with Teleport's Apple Developer ID and notarized by Apple. If you are a Teleport maintainer, ask the team for access.

make build/tsh TOUCHID=yes

To build tsh with libfido:

make build/tsh FIDO2=dynamic

*   On a Mac, with libfido and openssl 1.1 installed via homebrew
    
    export PKG\_CONFIG\_PATH="$(brew --prefix openssl@1.1)/lib/pkgconfig"
    make build/tsh FIDO2=dynamic
    

**Build output and running locally**

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

**Web UI**

The Teleport Web UI resides in the Gravitational Webapps repo.

**Rebuilding Web UI for development**

To clone this repository and rebuild the Teleport UI package, run the following commands:

git clone git@github.com:gravitational/webapps.git
cd webapps
make build-teleport

Then you can replace Teleport Web UI files with the files from the newly-generated /dist folder.

To enable speedy iterations on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

# Run Teleport as a single-node cluster in development mode:
DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. For instructions about how to update the Web UI, read the webapps README file.

**Updating Web UI assets**

After you commit a change to the webapps repo, you need to update the Web UI assets in the webassets/ git submodule.

Run make update-webassets to update the webassets repo and create a PR for teleport to update its git submodule.

You will need to have the gh utility installed on your system for the script to work. For installation instructions, read the GitHub CLI installation documentation.

**Managing dependencies**

All dependencies are managed using Go modules. Here are the instructions for some common tasks:

**Add a new dependency**

Latest version:

go get github.com/new/dependency

and update the source to use this dependency.

To get a specific version, use go get github.com/new/dependency@version instead.

**Set dependency to a specific version**

go get github.com/new/dependency@version

**Update dependency to the latest version**

go get -u github.com/new/dependency

**Update all dependencies****Debugging dependencies**

Why is a specific package imported?

go mod why $pkgname

Why is a specific module imported?

go mod why -m $modname

Why is a specific version of a module imported?

go mod graph | grep $modname

**Why did We Build Teleport?**

The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third-party firewalls. This only magnifies complexity and increases operational overhead.

We had a choice, either start a security consulting business or build a solution that's dead-easy to use and understand. A real-time representation of all of your servers in the same room as you, as if they were magically _teleported_. Thus, Teleport was born!

**More Information**

*   Teleport Getting Started
*   Teleport Architecture
*   Reference
*   FAQ

**Support and Contributing**

We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in Github, so feel free to create a PR or file an issue if you have ideas for improvements. If you still have questions after reviewing our docs, you can also:

*   Join Teleport Discussions to ask questions. Our engineers are available there to help you.
*   If you want to contribute to Teleport or file a bug report/issue, you can create an issue here in Github.
*   If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.

**Is Teleport Secure and Production Ready?**

Teleport is used by leading companies to enable engineers to quickly access any computing resource anywhere. Teleport has completed several security audits from the nationally recognized technology security companies. We make some our audits public, view our latest audit reports.. We are comfortable with the use of Teleport from a security perspective.

You can see the list of companies who use Teleport in production on the Teleport product page.

You can find the latest stable Teleport build on our Releases page.

**Who Built Teleport?**

Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. Learn more about Teleport and our history.

CVE-2022-36633: GitHub - gravitational/teleport: The easiest, most secure way to access infrastructure.

Ubuntu Security Notice 5578-1 - It was discovered that Open VM Tools incorrectly handled certain requests. An attacker inside the guest could possibly use this issue to gain root privileges inside the virtual machine.

==========================================================================  
Ubuntu Security Notice USN-5578-1  
August 24, 2022

open-vm-tools vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

open-vm-tools could be made to run programs as an administrator.

Software Description:  
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware

Details:

It was discovered that Open VM Tools incorrectly handled certain requests.  
An attacker inside the guest could possibly use this issue to gain root  
privileges inside the virtual machine.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  open-vm-tools                   2:11.3.5-1ubuntu4.1

Ubuntu 20.04 LTS:  
  open-vm-tools                   2:11.3.0-2ubuntu0~ubuntu20.04.3

Ubuntu 18.04 LTS:  
  open-vm-tools                   2:11.0.5-4ubuntu0.18.04.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5578-1  
  CVE-2022-31676

Package Information:  
  https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.3.5-1ubuntu4.1  
  https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.3.0-2ubuntu0~ubuntu20.04.3  
  https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.0.5-4ubuntu0.18.04.2

Ubuntu Security Notice USN-5578-1

Red Hat Security Advisory 2022-6103-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.1.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.1 bug fix and security update  
Advisory ID:       RHSA-2022:6103-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6103  
Issue date:        2022-08-23  
CVE Names:         CVE-2022-1012 CVE-2022-1292 CVE-2022-1586  
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927  
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-30629  
                   CVE-2022-30631 CVE-2022-32250  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.1 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.1. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2022:6102

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.1-x86_64

The image digest is  
sha256:97410a5db655a9d3017b735c2c0747c849d09ff551765e49d5272b80c024a844

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.1-s390x

The image digest is  
sha256:13734de7e796e46f5403ef9ee918be88c12fdc9b73acb8777e0cc7c56a276794

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.1-ppc64le

The image digest is  
sha256:d0019b6b8b32cc9fea06562e6ce175086fa7de7b2b7dce171a8ac1a57f92f10b

(For aarch64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.1-aarch64

The image digest is  
sha256:3394a79e173ac17bc96a7256665701d3d7e2a95535a12f2ceb19ceb41dcd6b79

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2033256 - openshift-installer intermittent failure on AWS with "Error: Provider produced inconsistent result after apply" when creating the module.vpc.aws_route_table.private_routes resource  
2040715 - post 1.23 rebase: regression in service-load balancer reliability  
2063622 - Failed to install the podman package from repo rhocp-4.10-for-rhel-8-x86_64-rpms  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2102576 - [4.11] [Cluster storage Operator] DefaultStorageClassController report fake message "No default StorageClass for this platform" on azure and openstack  
2103638 - No need to pass to-image-base for `oc adm release new` command when use --from-release  
2103899 - [OVN] bonding fails after active-backup fail-over and reboot,  kargs static IP  
2104386 - OVS-Configure doesn't iterate connection names containing spaces correctly  
2104435 - [dpu-network-operator] Updating images to be consistent with ART  
2104510 - Update ose-machine-config-operator images to be consistent with ART  
2104687 - MCP upgrades can stall waiting for master node reboots since MCC no longer gets drained  
2105056 - Openshift-Ansible RHEL 8 CI update  
2105444 - [OVN] Node to service traffic is blocked if service is "internalTrafficPolicy: Local" even backed pod is on the same node  
2106772 - openshift4/ose-operator-registry image is vulnerable to multiple CVEs  
2106795 - crio umask sometimes set to 0000  
2107003 - The bash completion doesn't work for get subcommand  
2107045 - OLM updates namespace labels even if they haven't changed  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107777 - Pipeline status filter and status colors doesn't work correctly with non-english languages  
2107871 - Import: Advanced option sentence is splited into two parts and headlines has no padding  
2108021 - Machine Controller stuck with Terminated Instances while Provisioning on AWS  
2109052 - Add to application dropdown options are not visible on application-grouping sidebar action dropdown.  
2109205 - HTTPS_PROXY ENV missing in some CSI driver operators  
2109270 - Kube controllers crash when nodes are shut off in OpenStack  
2109489 - Reply to arp requests on interfaces with no ip  
2109709 - Namespace value is missing on the list when selecting "All namespaces" for operators  
2109731 - alertmanager-main pods failing to start due to startupprobe timeout  
2109866 - Cannot delete a Machine if a VM got stuck in ERROR  
2109977 - storageclass should not be created for unsupported vsphere version  
2110482 - [vsphere] failed to create cluster if datacenter is embedded in a Folder  
2110723 - openshift-tests: allow -f to match tests for any test suite  
2110737 - Master node in SchedulingDisabled after upgrade from 4.10.24 -> 4.11.0-rc.4  
2111037 - Affinity rule created in console deployment for single-replica infrastructure  
2111347 - dummy bug for 4.10.z bz2111335  
2111471 - Node internal DNS address is not set for machine  
2111475 - Fetch internal IPs of vms from dhcp server  
2111587 - [4.11] Export OVS metrics  
2111619 - Pods are unable to reach clusterIP services, ovn-controller isn't installing the group mod flows correctly  
2111992 - OpenShift controller manager needs permissions to get/create/update leases for leader election  
2112297 - bond-cni: Backport "mac duplicates" 4.11  
2112353 - lifecycle.posStart hook does not have network connectivity.  
2112908 - Search resource "virtualmachine" in "Home -> Search" crashes the console  
2112912 - sum_irate doesn't work in OCP 4.8  
2113926 - hypershift cluster deployment hang due to nil pointer dereference for hostedControlPlane.Spec.Etcd.Managed  
2113938 - Fix e2e tests for [reboots][machine_config_labels] (tsc=nowatchdog)  
2114574 - can not upgrade. Incorrect reading of olm.maxOpenShiftVersion  
2114602 - Upgrade failing because restrictive scc is injected into version pod  
2114964 - kola dhcp.propagation test failing  
2115315 - README file for helm charts coded in Chinese shows messy characters when viewing in developer perspective.  
2115435 - [4.11] INIT container stuck forever  
2115564 - ClusterVersion availableUpdates is stale: PromQL conditional risks vs. slow/stuck Thanos  
2115817 - Updates / config metrics are not available in 4.11  
2116009 - Node Tuning Operator(NTO) - OCP upgrade failed due to node-tuning CO still progressing  
2116557 - Order of config attributes are not maintained during conversion of PT4l from ptpconfig to ptp4l.0.config file  
2117223 - kubernetes-nmstate-operator fails to install with error "no channel heads (entries not replaced by another entry) found in channel"  
2117324 - catalog-operator fatal error: concurrent map writes  
2117353 - kola dhcp.propagation test out of memory  
2117370 - Migrate openshift-ansible to ansible-core  
2117746 - Bump to latest k8s.io 1.24 release  
2118214 - dummy bug for 4.10.z bz2118209  
2118375 - pass the "--quiet" option via the buildconfig for s2i

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1 - Test Bug

6. References:

https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYwUXddzjgjWX9erEAQhaVQ/+LoSAe5mCgjPe0+gupmu0jxSmErna51Gz  
LBlcOWhmgSi2LDYiLl0x5fIg1rQuFX87rSqo0397m7k4Wcon7ztOeDBAtc120fbP  
i3N+2C+t2wrRPkObvGYKwiCj15+CZP/pIoTQqBlwzqcMAOBLPkXmyXgPaGiA12W7  
MoZlSyeEfyx2r636op+e9GC6ysmP2Jq7v+IU2H5/fK7fwPb2lnEIqZV/VXQB4+n7  
U7x4Rlng+iLwqalJjCgWY8VLHBQPbIkAQoWS1rMj4f/VEzdbJf7tXNwJOBlPaaJ0  
qn8aVZt0b0DMnW0NERm08jg6SYIx8jwMjC/E9Y+JkLdI4nO7f22TOEXgocKHpSMi  
jm6yLG6Klvjio8rT0+tYB9QBgo8owR5QxhTH3+ffcdlNqDWk33wt8da2n0vCKY4w  
iC1p3bTxCFdxkPz8FkF/p+nVrI5ZGTNd94Q29YiK+BtlGVAVGGqk208YVcQ85RH2  
8YQminXLeLt/RA4cKm/4eq5PlGW7lXAsKVM4UxiYZdqWe/WFuW5zoaF1IdcbNL1p  
dZaaS1Dy9KvEzF6LPeVFcBg7ouGkdWtBwWQcEGV4bzPjbik8HkiIOkd4J1uT6KHs  
di3yYWJc3Q1mHuXV7byNUhaQQtpkiB/jDAUiQ0ggOfTawBbwleBMgxwUt38sMtpV  
6FmWxlUydm8=6nTC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6103-01

Flooding SNS firewall 3.7.0 to 3.7.26 with udp or icmp randomizing the source through an internal to internal or external to internal interfaces will lead the firewall to overwork. It will consume 100% CPU, 100 RAM and won't be available and can crash.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2022-009

CVE-2022-27812

11/22/2021

medium

v2

**Vulnerability details**

Risk of DoS on SNS

**Impacted products**

Products

Severity

Detail

Stormshield Network Security

medium

SNS is impacted

**Revisions**

Version

Date

Description

v1

04/06/2022

Reserved Publication

v2

07/26/2022

Updated and disclosed

**Stormshield Network Security**

**CVSS v3.1 Overall Score: 5.3      **

**Analysis**

**Impacted version**

Flooding the firewall with specific forged traffic, can lead to SNS DoS.

*   SNS 3.7.0 to 3.7.29
    
*   SNS 3.11.0 to 3.11.17
    
*   SNS 4.2.0 to 4.2.10
    
*   SNS 4.3.0 to 4.3.6
    

**Workaround solution**

**Solution**

There is no workaround solution.

The following versions fix this vulnerability:

*   3.7.30
*   3.11.18
*   4.2.11
*   4.3.7

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Network

Low

None

None

Unchanged

None

None

High

CVSS Base score: 7.5

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploit Code Maturity

Remediation Level

Report Confidence

Functional exploit exists

Official fix

Confirmed

CVSS Temporal score: 7

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Low

Low

Low

CVSS Environmental score: 5.3

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2022-27812: SNS : risk of DOS on SNS firewall

Categories: Explained
Categories: Personal
Tags: Mac

Tags:  Parental Controls

Tags:  Screen Time

If you want to know how to secure your Mac so your kids can use it safely, we're here to help.



(Read more...)




The post How to secure a Mac for your kids appeared first on Malwarebytes Labs.

If you want to know how to secure your Mac so your kids can use it safely, I can help.

In 2018 I decided to give my kids an old Apple laptop to share, and I documented the steps I took to secure it. They were still a few years short of their tenth birthdays, and it was their first computer, so I looked into every child safety feature in macOS and dialled everything up to eleven.

It’s now four years later—my kids have changed, the laptop has died and been replaced by another Mac, and we have been through the acid test of several periods of computer-based home schooling, thanks to the pandemic.

As a result I’ve learned a few things about how Apple’s parental controls worked out in practice. In the article I’ll tell you how you can secure your Mac for your kids, and what I found useful about Apple’s safety features.

**Basic security**

Securing a computer for a child is not the same as securing a computer for an adult, although there are significant overlaps and similarities. Malware and malicious websites don’t care if it’s an adult or a child at the screen, so every Mac needs the same basic security precautions in place, no matter who’s using it:

*   **Apply macOS security updates promptly**. All the software on the computer needs to be maintained by installing the latest security updates when they become available. To ensure your Mac is installing macOS updates automatically, choose **Apple menu > System Preferences**, then click **Software Update**, and tick **Automatically keep my Mac up to date**. You can automatically download and install app updates from the App Store by opening App Store and going to **App Store > Preferences** and selecting **Automatic Updates**.
*   **Use security software**. Macs don’t see as much malware as Windows, but it is out there, and you don’t want it on your computer. We strongly recommend that you install a third-party security solution like Malwarebytes Premium for Mac.
*   **Start backing up**. The only backup people ever regret is the one they didn't make. They are your last line of defense against system-altering malware, bad software updates, hardware failure and theft, and simple mistakes. Read Apple’s introduction to Time Machine and get yours working now, before you need it.
*   **Install a password manager**. A password manager is software for creating and remember strong passwords. Good ones also provide a safe way for users to share passwords with other people. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one!

**Security for kids**

In addition to the threats adults face, kids also have to struggle with growing up online. They may have to deal with peer bullying, predatory adults, and harmful content. They may struggle to turn off their devices willingly, and while they may not be as interested as you in invoices from UPS or riches from Nigerian princes, they are naïve and vulnerable to other scams.

For that reason there are a lot of specialist tools for protecting children. On a Mac, they are called Screen Time. But before we look at Screen Time, I want to tell you what I think the most important thing you can do for your kids is, whatever computer they use:

**Set up separate accounts**

The first thing I did on my kids’ laptop was give each child their own separate user account. They each had their own virtual space to arrange as they liked, and it meant I could use different parental control setups for each child if necessary. Most importantly to me, it meant each child would have their own password.

It is much harder to learn good habits if you’ve already been taught bad ones, so I wanted my children to start out expecting they would always have their own account, and that they’d have a password that nobody else knew.

You will need at least two accounts: An admin account for yourself, and a separate account for each child.

Log on to your Mac using your admin account and go to **System Preferences** > **Users & Groups**. On the left side is a list of users. Under your name it should say **Admin**.

Create an account for each child by clicking the padlock, entering your password, and then clicking on the **+** button, choosing a **Standard** account, and filling in the child’s details. When it’s time to enter the password, have the child do it and make a point of looking away.

**My perspective**

Ensuring that both kids had their own account was the best decision I’ve made about securing the Mac. I was concerned that they might find it a drag to log out when they’d finished, or to log the other child out and enter their own password. In fact, they embraced having their own digital space, with their own avatar and wallpaper, and their own mess. Without realising, they have established an important expectation about their digital privacy and security. I hope that when they are older they’ll find it odd if somebody wants to share their account, or expects them to share theirs.

Using separate accounts also allowed me to teach the kids about the importance of keeping passwords secret from the very start. It is very hard to teach a young child how to make a strong password, but it is easy to teach them that a password is a secret.

We made a game of out of picking a password that nobody else was allowed to know, not even me. Over the days and weeks that followed I’d ask “what’s your password” and they delighted in refusing to tell me.

**Screen Time (Parental controls)**

Apple provides parents with controls for restricting what children can and can’t do on their devices.

The functionality was once clearly signposted under the name Parental Controls but is now available through the far-less-obviously named Screen Time, which you’ll find in **System Preferences** > **Screen Time**.

The change from Parental Controls to Screen Time is a shift from a paradigm that imagines adults placing limits on their children, to a paradigm that imagines users placing computer-enforced guardrails _around themselves_ and others. Personally, I find it hard to view this as a step forward, but it acknowledges the reality that it isn’t just kids that can get carried away with screen time.

Screen Time controls can be extended to children via Apple’s Family Sharing, accessible via **Preferences** > **Family Sharing**, and across multiple devices, using iCloud, which brings needed parity with Microsoft’s multi-device view of parental control.

Exhaustive and up-to-date details about how to set up Screen Time are available on Apple’s Use Screen Time on your Mac support page so I will not repeat them here. Suffice to say, the major features offered by Screen Time are:

*   Monitor how much time your child spends on certain apps and websites
*   Schedule downtime, so that certain apps aren’t available at certain times
*   Limit how much time your child can spend on certain apps
*   Restrict what type of content they can see in apps or websites
*   Set limits on who they can communicate with
*   Disallow access to features that might impact privacy, such as the camera

Similar, but less granular features were available via Parental Controls four years ago when I set up my kids’ laptop and I used all of them.

Their accounts would only work at times they were supposed to be awake, and for a maximum of one hour per day.

They were restricted to using a short list of pre-approved websites and apps, and a very short list of people they were allowed to exchange emails with. Whenever there was an option to turn on a content filter, such as restricting access to adult websites or blocking explicit language in music, I turned it on and dialled it up.

**My perspective**

Within a year of setting up the parental controls I removed them all, for two reasons.

Some of the controls simply proved unnecessary. For example, the children already had an established routine around when they could use screens, so it turned out there was simply no need for automatic enforcement of it. And while automatic enforcement didn’t make the kids any safer, it did give us an unwelcome hurdle to clear if we wanted to be flexible and give the children an extra 15 minutes of time.

The other controls I simply found too restrictive. Operating an allow list of websites seems like a great idea until you find yourself adding endless exceptions. Similarly, operating an allow list of apps seems like a great idea until you discover that some apps have dependencies on other apps that aren’t immediately clear. Knowing exactly _what_ you have to add to the allow list in order for something to work was often not as clear as it needed to be.

The straw that finally broke the camel’s back on parental controls for me was school homework tasks.

It is important to understand that I felt I didn’t need the parental controls because we had already created a set of guardrails for our kids and how they use screens. Software restrictions can be useful, but they can only ever be a tool that helps with parenting and not a substitute.

For the next three years I found one other thing helped a great deal.

Because the children didn’t have access to a credit card, and didn’t have the access rights they needed to install software, they had to ask if they wanted to install something or buy something. That provided a bottleneck to prevent a lot of problems. For example, one of my children wanted to buy a game and came to me very excited about it, knowing they could afford it. The child hadn’t realised that the game was a pre-release that asked customers to part with their money and then wait (and hope) for the game to be released. As disappointed as they were, it was a great opportunity to talk about how some things aren’t what they seem.  

All of which is to say Parental Controls didn’t work for us, and our children, in our situation, at a particular age. I would encourage any concerned parent to play with the controls, try them for a reasonable period, and see what works for you. It is unlikely you will hit the bullseye with the first try.

And me? I will be taking another look at Screen Time this summer because one of my children is now racing towards teenage, and is about to get their first phone. This is the biggest change in their access to computing since I gave them the laptop and I will be thinking hard about appropriate rules and guidance, and then looking to see if software can help me.

How to secure a Mac for your kids

The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) via the ExtensionObjects and Variants objects, when it allows unlimited nesting levels, which could result in a stack overflow even if the message size is less than the maximum allowed.


**Denial of Service (DoS) Affecting opcua package, versions **\>=0.0.0****

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-RUST-OPCUA-2988750
    
*   **published**
    
    22 Aug 2022
    
*   **disclosed**
    
    22 Aug 2022
    
*   **credit**
    
    Vera Mens, Uri Katz, Sharon Brizinov of Team82 (Claroty Research)
    

**How to fix?**

A fix was pushed into the master branch but not yet published.

**Overview**

opcua is an OPC UA server / client API implementation for Rust.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ExtensionObjects and Variants objects, when it allows unlimited nesting levels, which could result in a stack overflow even if the message size is less than the maximum allowed.

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25903: Snyk Vulnerability Database | Snyk

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.


**Denial of Service (DoS) Affecting node-opcua package, versions **<2.74.0****

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-NODEOPCUA-2988725
    
*   **published**
    
    22 Aug 2022
    
*   **disclosed**
    
    22 Aug 2022
    
*   **credit**
    
    Vera Mens, Uri Katz, Sharon Brizinov of Team82 (Claroty Research)
    

**How to fix?**

Upgrade node-opcua to version 2.74.0 or higher.

**Overview**

node-opcua is an implementation of a OPC UA stack fully written in javascript and nodejs

Affected versions of this package are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-24375: Snyk Vulnerability Database | Snyk

By Waqas
This article discusses essential keys to successfully implementing the least privilege policy.
This is a post from HackRead.com Read the original post: 5 Keys To Successful Least Privilege Policy Implementation

The invention of the internet and the latest technologies allows business owners to simplify operations and enhance the efficiency of their businesses. However, it comes with some risks. For instance, it can allow outsiders to access business networks, thus increasing the chances of online or **cybersecurity attacks**. 

A successful online attack can harm your business in various ways. For instance, you can lose your critical data. 

Data forms an integral part of your company. Without it, you might not be able to make strategic decisions. As a result, your business will barely take off from the ground. 

Furthermore, customers won’t trust your brand if it’s prone to cybersecurity attacks. This significantly affects the reputation of your company.  Therefore, you should find effective ways to enhance your cybersecurity strategy. 

You can consider various strategies to increase your business’s online security. One of them is the **principle** of least privilege.

This article discusses essential keys to successfully implementing the least privilege policy. But before delving into the details, here is an overview of this strategy.  

**An Overview Of Least Privilege Principle **

The least privilege principle is an **online security strategy** that gives ordinary users the bare minimum level of access needed to perform a particular task. In simple terms, it ensures employees are given only the level of access necessary to complete the assigned tasks or authorized activities. 

There are several benefits of implementing the least privilege principle. For instance, it can protect your company against common attacks like malware and Structured Query Language **(SQL) injections**.

Also, the least privilege principle involves classifying data and assigning various permissions to different employees. This goes a long way in helping you create a healthy and secure network.  

In addition to that, the strategy allows for better online security and audit capabilities. All these enhance your company’s cybersecurity strategy.  

**Implementing The Least Privilege Principle In Your Business **

As you’ve seen above, implementing the least privilege principle offers considerable benefits. However, the policy of least privilege comes with its **own set of operational challenges**, thus making it hard for organizations to embrace it. But with the right strategies, you can be sure to adopt the least privilege policy in your business successfully and reap its benefits.  

That said, here are five keys to the successful implementation of the least privilege policy: 

*   **Build A Privileged Password Policy**

Passwords form an integral part of running your company’s systems securely. They ensure that only people with specific rights can access certain information. This goes a long way in boosting your business’s online security. 

Therefore, you must build privileged and clear password policies. This ensures everyone using your passwords understands how to protect them. 

In addition to that, you should consider establishing solid passwords for all your accounts. As a result, no non-user can correctly guess them. 

You can adopt numerous strategies to help build strong passwords. First of all, your passwords must be reasonably long. For instance, you can **consider creating passwords** of more than 12 characters.  

In addition, make sure you include a variety of characters in your passwords. These include numerals, letters (upper and lower case), and non-standard characters. Furthermore, you should change passwords regularly. Promoting the use of uncrackable passwords is part of a robust **cybersecurity strategy**.  

*   **Involve Various Stakeholders When Determining Privilege Access Levels**

Being a business owner means handling numerous activities on the same day. For instance, you may want to supervise your team, connect with clients, attend business forums, and even address private matters. That means you may lack enough time to develop and effectively implement the **least privilege policy** in your company systems. For that reason, you may consider working with other company stakeholders. Doing so helps you to complete the task in no time.  

Stakeholders like the human resources manager and department heads can help determine which workers need access and to what extent. Such collaboration can help streamline the implementation of the principle of least privilege than doing the work alone.  

*   **Set All New Accounts With Least Privilege** 

Today, you may be running a small business with just a few employees. However, this may change as your company starts to grow. That means giving more **employees the right to access** your business information. And to achieve that, you need to create new accounts.  

When you decide to build new accounts, you should set their privilege as low as possible. In simple terms, you should give new employees the right to access only what is necessary to complete their assigned tasks. You’ll only need to add specific higher-level access as the job demands. Therefore, ensure the default setting for all newly created account privileges is set to the bare minimum access.  

*   **Determine And Remove Any Inactive User Accounts** 

Inactive user accounts can pose a significant danger to your organization. Such accounts are less monitored. Therefore, hackers can use them to access your business without being caught. 

Besides hackers, employees who no longer work for you may use such dormant accounts to access company information without your knowledge (_**Remember that ex-Cisco employee who Cisco’s AWS Infrastructure; erased virtual machines**_). It’s therefore essential to identify and remove them before implementing the least privilege policy in your organization.  

*   **Select The Right Managed Service Provider** 

Adopting the least privilege policy is one of the best approaches to dealing with cybersecurity attacks. However, this strategy might not work if you partner with the wrong access management service provider. 

There are **numerous managed service providers** you can partner with. However, not all can effectively and seamlessly implement your least privilege policy. Strive to find a service provider with the best solution.  

You can consider various factors to ensure you find the best partner in the market. These include expertise, experience, availability, and technology used, among others. 

Aside from these, the selected service provider should have your company’s best interests at heart. Only by selecting the best identity and data security solution can you have a hassle-free least privilege implementation process. 

**Takeaway**

Implementing the principle of least privilege in your company’s systems is one of the best approaches to access management. It ensures that permissions or ‘privileges’ are given only as needed and revoked when access is no longer necessary. Hence, only the minimum level of access is granted to ordinary users, while **privileged users** have a higher level of access. Their respective roles determine access.

Although it sounds simple, implementing the least privilege policy isn’t easy. However, adopting the abovementioned strategies can help you successfully enforce this security policy in your business systems.

5 Keys To Successful Least Privilege Policy Implementation

Almost half of teams develop and deploy software using a DevSecOps approach, but security remains the top area of investment, a survey finds.

Software developers and operations teams continue to adopt DevOps and other agile methodologies as well as automation and low-code services, but they still struggle with security, the fallout of the COVID-19 pandemic, and a shortage of skilled security workers, according to a newly published annual survey from GitLab.

DevSecOps results in better code quality, higher developer productivity, and improved operational efficiency, according to the survey of more than 5,000 software developers, operations specialists, and application security professionals. Security still is a problem, however. While more than half (57%) of those surveyed considered security to be a performance metric, nearly the same number said it was "difficult to get devs to actually prioritize fixing code vulnerabilities."

The survey conducted by the toolchain provider underscores that all participants in the development and deployment process still need to improve the communications and relationships between groups, says Johnathan Hunt, vice president of information security and cybersecurity at GitLab.

"Getting developers and security professionals to work better together requires a culture-first approach to software development through the creation of a DevOps culture," Hunt says. "A DevOps platform lends itself well to this approach by granting organizations seamless collaboration across DevSecOps teams, shared ownership of security and compliance, and strategic uses of technologies such as automation and AI/ML."

**Mix and Match**

The survey found that no single dominant approach to software development exists, and most teams use a mix of approaches. While a majority of development teams (47%) used DevOps and DevSecOps, other agile approaches accounted for significant shares as well: 34% of teams used Scrum, 24% used Kanban, and 29% used Lean methodologies. Teams even expanded their use of Waterfall development, with more than a quarter (26%) adopting that approach.

"DevOps teams are not limiting themselves to any one way of working," Hunt says. "They are flexible and willing to adjust their approaches to meet various business and project needs."

The increase in agile approaches to software development and deployment has resulted in faster deployment of software. Seven in 10 survey respondents said their teams deploy at least once every few days or more frequently, a jump of 11 points from 2021. Integrating automated testing, deployment, and security controls into the development pipeline is a key factor in speeding application deployment, with nearly half (47%) of teams asserting that their testing is fully automated today, up from 25% in 2021.

The adoption of low-code and no-code APIs for development has also made teams more efficient. Two-thirds (66%) of survey takers are using at least one low-code or no-code tool in their DevOps practice, a significant increase from the 25% of those surveyed in 2021.

Yet the expanding number of options for development, deployment, and securing of software has resulted in more confusion, leading DevOps teams to look to simplify their pipeline and toolsets, GitLab's study found. While 44% of DevOps teams use two to five tools to manage the software development process, 41% use between six and 10 tools.

"That's a lot of tools, and 69% of survey takers told us they'd like to consolidate their toolchains," GitLab stated in the survey report.

**AI and Machine Learning 'On the Rise'**

Artificial intelligence and machine-learning technologies have seen mixed adoption among developers and application-security specialists. While AI/ML is at the bottom of the list of priorities for developers' future careers, a majority of security pros (54%) said AI/ML will help them most in their future careers. AI/ML particularly suits the security domain. For example, AI/ML systems can be trained to detect and respond to threats, generate alerts, and trigger rule sets.

"But AI/ML is far from falling off of developers' radars. In fact, its use is on the rise," Hunt says, adding: "This is especially helpful when it comes to detecting and defending against attacks and malicious actors, since security professionals cannot watch every packet and connection that transverses a network."

Security continues to take a larger role in the software development pipeline, with 57% of companies shifting security responsibility "left" and making developers more responsible for the vulnerabilities in their code. Yet there is still a ways to go, with a significant number of developers blaming security for delays and the division of responsibility for software security very much in flux.

"While dev and ops are taking on a larger share of security ownership, it's not so straightforward on the sec team," GitLab stated in the report. "In 2020 and 2021, the percentage of security pros who said they were fully responsible for security was roughly the same as those who said everyone was responsible."

DevSecOps Gains Traction — but Security Still Lags

VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

Advisory ID: VMSA-2022-0024

CVSSv3 Range: 7.0

Issue Date: 2022-08-23

Updated On: 2022-08-23 (Initial Advisory)

CVE(s): CVE-2022-31676

Synopsis: VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676)

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

VMware Tools was impacted by a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Local privilege escalation vulnerability (CVE-2022-31676)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.

A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

To remediate CVE-2022-31676 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware Tools 10.3.25 only applies to the older Linux releases.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.y, 11.x.y

Windows

CVE-2022-31676

7.0

important

12.1.0

None

None

VMware Tools

12.x.y, 11.x.y

Linux

CVE-2022-31676

7.0

important

12.1.0

None

None

VMware Tools

10.x.y

Linux

CVE-2022-31676

7.0

important

10.3.25

None

None

****4\. References****

****5\. Change Log****

**2022-08-23 VMSA-2022-0024  
**Initial security advisory.

****6\. Contact****

Tag

#mac