Tag
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit,
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.8 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Saitel DR RTU Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary shell commands on the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Saitel DR RTU: Versions 11.06.29 and prior Schneider Electric Saitel DP RTU: Versions 11.06.33 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 An OS command injection vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session. CVE-2025-9996 has been assigned to this vulnerability. A CVSS v3.1 base sc...
In the current cycle, Bitcoin has anchored most of the capital inflow. In 2025, 66% of investors selected…
### Impact The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed. ```golang // DownloadTinyFile downloads tiny file from peer without range. func (p *Peer) DownloadTinyFile() ([]byte, error) { ctx, cancel := context.WithTimeout(context.Background(), downloadTinyFileContextTimeout) defer cancel() // Download url: http://${host}:${port}/download/${taskIndex}/${taskID}?peerId=${peerID} targetURL := url.URL{ Scheme: } "http", fmt.Sprintf("%s:%d", p.Host.IP, p.Host.DownloadPort), fmt.Sprintf("download/%s/%s", p.Task.ID[:3], p.Task.ID), Host: Path: RawQuery: fmt.Sprintf("peerId=%s", p.ID), ``` A network-level attacker who cannot join a peer-to-peer network p...
### Impact The DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios where lack of the collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system. ```golang var pieceDigests []string for i := int32(0); i < t.TotalPieces; i++ { pieceDigests = append(pieceDigests, t.Pieces[i].Md5) } digest := digest.SHA256FromStrings(pieceDigests...) if digest != t.PieceMd5Sign { t.Errorf("invalid digest, desired: %s, actual: %s", t.PieceMd5Sign, digest) t.invalid.Store(true) return ErrInvalidDigest } ``` Alice, a peer in the DragonFly2 system, creates two images: an innocent one, and one with malicious code. Both images consist of two pieces, and Alice generates the pieces ...
### Impact A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. ```golang if addr, ok := p.Addr.(*net.TCPAddr); ok { ip = addr.IP.String() } else { ip, _, err = net.SplitHostPort(p.Addr.String()) if err != nil { return nil, err } } // Parse csr. [skipped] // Check csr signature. // TODO check csr common name and so on. if err = csr.CheckSignature(); err != nil { return nil, err } [skipped] // TODO only valid for peer ip // BTW we need support both of ipv4 and ipv6. ips := csr.IPAddresses if len(ips) == 0 { // Add default connected ip. ips = []net.IP{net.ParseIP(ip)} } ``` ### Patches - Dragonfy v2.1.0...
### Impact A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine. ```golang file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode) if err != nil { return 0, err } defer file.Close() if _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil { return 0, err } n, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length)) ``` ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf). If ...
### Impact We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug. ```golang request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header) if err != nil { log.Errorf("generate url [%v] request error: %v", request.URL, err) span.RecordError(err) return err } ``` Eve is a malicious actor operating a peer machine. She sends a dfdaemonv1.DownRequest request to her peer Alice. Alice’s machine receives the request, resolves a nil variable in the server.Download method, and panics. ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://g...
### Impact The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation. ```golang if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password { ``` It is currently undetermined what an attacker may be able to do with access to the proxy password. ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf). If you have any ...
### Impact DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. Eve has unprivileged access to the machine where Alice uses DragonFly2. Eve watches the commands executed by Alice and introduces new directories/paths with 0777 permissions before DragonFly2 does so. Eve can then delete and forge files in that directory to change the results of further commands executed by Alice. ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/mai...