DerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.

    CVE ID: CVE-2024-30928Description:An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the `ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL Injection.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: ajax/query.slide.next.incAttack Type: RemoteImpacts:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the `ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code through this parameter. Example attack vectors include:- Direct exploitation:- `http://127.0.0.1:8000/action.php?query=slide.next&mode=racer&classids=1`- Boolean-based blind SQL Injection:- Payload: `query=slide.next&mode=racer&classids=1) AND 4365=4365 AND (6880=6880`- UNION query SQL Injection:- Payload: `query=slide.next&mode=racer&classids=-3890) UNION ALL SELECT NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL-- rDzQ`These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database information unauthorizedly.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 ajax/query.slide.next.inc SQL Injection

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

    CVE ID: CVE-2024-30929Description:A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php` component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the injection and execution of arbitrary JavaScript code.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: playlist.phpAttack Type: RemoteImpact: Code executionAttack Vectors:The vulnerability can be exploited by crafting a URL that includes malicious JavaScript code as part of the `back` parameter. An example of such a URL is:- http://127.0.0.1:8000/playlist.php?back="><script>alert(1)</script>This example demonstrates how an attacker could inject and execute JavaScript within the context of the webpage, leading to potential security risks such as session hijacking, phishing, or unauthorized actions performed on behalf of the user.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 playlist.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in render-document.php.

    CVE ID: CVE-2024-30920Description:A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the `render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document rendering paths, which permits the injection of malicious scripts.Vulnerability Type: XSS (Cross Site Scripting)Vendor of Product:DerbyNet - https://github.com/jeffpiazza/derbynetAffected Product Code Base:DerbyNet - v9.0Affected Component:render-document.phpAttack Type:RemoteImpact:Code executionRoot Cause:The vulnerability arises from the application's display of debug information, including `ORIG_SCRIPT_FILENAME`, `DOCUMENT_URI`, `SCRIPT_NAME`, and `PHP_SELF`. These debug outputs improperly handle user-supplied input by not sanitizing it before inclusion in the output, leading directly to XSS vulnerabilities when malicious inputs are rendered by the browser.Attack Vectors:The vulnerability can be exploited with URLs such as:- `http://127.0.0.1:8000/render-document.php/racer/<img src=x onerror=alert(1)>`- `http://127.0.0.1:8000/render-document.php/<img src=x onerror=alert(1)>`Discoverer:Valentin LobsteinReferences:- http://derbynet.com- https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 render-document.php Cross Site Scripting

Ubuntu Security Notice 6710-2 - USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Manfred Paul discovered that Firefox did not properly perform bounds checking during range analysis, leading to an out-of-bounds write vulnerability. A attacker could use this to cause a denial of service, or execute arbitrary code. Manfred Paul discovered that Firefox incorrectly handled MessageManager listeners under certain circumstances. An attacker who was able to inject an event handler into a privileged object may have been able to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6710-2  
April 04, 2024

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6710-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6710-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

Original advisory details:

  Manfred Paul discovered that Firefox did not properly perform bounds  
  checking during range analysis, leading to an out-of-bounds write  
  vulnerability. A attacker could use this to cause a denial of service,  
  or execute arbitrary code. (CVE-2024-29943)

    Manfred Paul discovered that Firefox incorrectly handled MessageManager  
  listeners under certain circumstances. An attacker who was able to inject  
  an event handler into a privileged object may have been able to execute  
  arbitrary code. (CVE-2024-29944)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   firefox                         124.0.2+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6710-2  
   https://ubuntu.com/security/notices/USN-6710-1  
   https://launchpad.net/bugs/2060171

Package Information:  
   https://launchpad.net/ubuntu/+source/firefox/124.0.2+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6710-2

New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
"Many HTTP/2 implementations do not properly limit or sanitize the

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

PRESS RELEASE

Austin, TX – April 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of eleven market leading Cloud Network Firewall vendors. Six products were Recommended, one product received a Neutral rating, and four received a Caution rating.

Cloud network firewalls are considered to be the first line of defense when deployed in public cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure. But implementing security in the cloud can be complex, with multiple factors influencing effectiveness. 

CyberRatings tested the cloud firewall products to determine how they handled TLS/SSL (authentication) 1.2 and 1.3 cipher suites (algorithms), how they defended against 984 exploits (attacks that take advantage of a software flaw or install malware), and whether any of 1,645 evasions could bypass protection. At all times the devices needed to remain stable under adverse conditions. To provide a more realistic rating based on modern network traffic, both clear text (HTTP) and encrypted traffic (HTTPS) were measured. Amazon Web Services (AWS) was the public cloud service chosen to run the test.

The combination of Security Effectiveness and Value dictated where products landed on the Security Value Map™ (SVM). Six out of the eleven products were Recommended for their Security Effectiveness with scores ranging from 99.70% to 100%. Recommended ratings are based on threat prevention (how many exploits and evasions were blocked?), TLS/SSL functionality, routing and policy enforcement, and stability and reliability to achieve a final Security Effectiveness score. These same products also demonstrated competitive pricing in the Total Cost per Protected Mbps (Value). The product rated Neutral received a 48.44% Security Effectiveness score. Four products rated Caution had Security Effectiveness scores ranging from 5.39% to 48.37%. 

“We have been testing firewalls for years, and more recently cloud network firewalls,” said Vikram Phatak, CEO of CyberRatings.org. “All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Phatak. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

As part of the cloud firewall test, CyberRatings also checked to see if products were secure by default. It was discovered that some firewall evasion defenses are not on by default, potentially leaving customers at significant risk. In response, CyberRatings is providing a policy and configuration guide to help enterprises ensure that their firewalls are configured properly.

Encryption matters: roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic. In some products, decryption was not on by default. Firewalls will not see attacks delivered via HTTPS unless configured to do so. Performance is significantly different when TLS/SSL is turned on. With the exception of one vendor that failed to handle TLS 1.3 despite claiming support, all other vendors supported encryption. 

Enterprises should monitor security and performance capabilities, and update firewalls regularly. With the everchanging cloud platform and agile development, something can go wrong even when the security vendor does not make a change. 

The following products were evaluated:

Cloud Network Firewall

Rating

Security

Effectiveness

Rated Throughput

(Mbps)

Price per Protected Mbps

Amazon Web Services (AWS) Network Firewall

Caution

5.39%

1,000

$601.34

Barracuda CloudGen Firewall

Caution

11.38%

441

$287.86 

Check Point CloudGuard

Recommended

99.80%

1,180

$12.70 

Cisco Secure Firewall Threat Defense Virtual 

Caution

20.86%

373

$76.91 

Forcepoint NGFW

Recommended

99.80%

698

$8.45 

Fortinet FortiGate-VM

Recommended

100%

1,458

$10.56 

Juniper Networks vSRX

Recommended

99.70%

1,228

$5.72 

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Recommended

100%

1,036

$5.83 

Sophos Firewall

Caution

48.37%

135

$83.16 

Versa Networks NGFW

Recommended

99.90%

2,553

$7.58 

WatchGuard Firebox Cloud

Neutral

48.44%

291

$27.06 

Additional Resources:

Cloud Network Firewall Comparative Report and Test Reports

2024 Best Practices for Cloud Network Firewall Deployment

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Why Firewalls Should be Secure by Default

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

CyberRatings.org Announces Test Results for Cloud Network Firewall

While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.

Tuesday, April 2, 2024 08:00

*   Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
*   There is no easy way to effectively block all unauthorized remote management tools, but security can be greatly improved through a combination of policy and technical controls.
*   Early warning alerts can be configured to alert defenders to remote management software activity that may have circumvented the technical controls.

**The remote management/access software problem**

Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic.

Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

Further complicating the task of recognizing the malicious use of these tools, many organizations struggle to combat “shadow IT” in which individual users or overly proactive IT personnel might install unauthorized remote management tools to accomplish a benign goal.

Cisco Talos Incident Response (Talos IR) is seeing adversaries capitalize on this opportunity in the wild. We recently noted in our Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.”

While AnyDesk is a legitimate application, it highlights the tremendous value that can be gained through a security program that intentionally focuses on preventing unauthorized use of these tools. Talos is referencing AnyDesk for the purposes of this blog post, but any remote management tool is at risk of these exploits. There are several policy changes, technical countermeasures and security alerts that admins and defenders can use to ensure that AnyDesk, and similar pieces of software, are only used for legitimate purposes when deployed.

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration.

If possible, integration with other organizational technology such as Active Directory or multi-factor authentication (MFA) will provide additional layers of protection and verification. Tying the approved remote management solutions into these already structured security solutions can make it easier to build “early warning” detections and alerts around unauthorized connectivity and use.

Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Ideally, this should be accompanied by a software inventory audit and published guidance on approved/non-approved software for the organization. Training and consistent enforcement of this policy will help reduce the “shadow IT” noise in the environment and leave network defenders with more time to investigate true anomalies.

**Technical controls**

While very worthwhile, preventing unauthorized use of these tools is not simple. First, the scores of commercially available remote access tools make it difficult to address every option an adversary might use. Many of those tools are frequently updated, meaning that blocking the executables by their hash value is not as effective. 

Adversaries also commonly rename the executables, meaning that filename blocks aren’t going to be helpful, either. 

Many popular solutions operate over common ports and protocols, such as ports 80 and 443, making them difficult to block at the firewall, and remote access tool creators often decline to publish their central server IP addresses due to frequently changing resolutions, which limits the effectiveness of static IP address blocks. A combination of approaches and techniques is necessary to limit the opportunity for an adversary to use remote access/management tools in any given environment.

**DNS security controls**

One of the most effective methods for detecting, and sometimes blocking, the activities of unauthorized remote management/access software, is by auditing and blocking DNS queries associated with these tools.

If your organization uses Cisco Umbrella for DNS security, it’s fairly easy to review and block DNS queries related to unauthorized traffic.

To review what might already be on your network, log into the Umbrella console and view “Reporting > App Discovery > Unreviewed Apps,” filtered by the “Collaboration” and “IT Services Management” categories, this is an excellent starting point to identify unexpected remote access software.

Simply clicking “Block this app” gives the administrator the ability to block future DNS requests associated with any particular result. If you prefer to take an even more proactive approach, going to “Policies > Policy Components > Application Settings” allows you to search all applications currently categorized by Umbrella, whether they have been seen on your network or not, and block them by policy. Again, the “Collaboration” and “IT Services Management” categories should be the areas of focus for policy review.

As with all of these technical controls, there are a few limitations. The first major caveat is that this only works if the DNS queries are evaluated by your security stack. In the case of DNS traffic from a home user’s system not traveling over the corporate network, the activity would be invisible. The second major caveat is that some remote management software has direct peer-to-peer capabilities, meaning the software might not send a DNS query to an easily identifiable domain when initiating a connection. 

**Firewall controls**

While less scalable and reliable, basic IP address blocking can be beneficial for preventing unauthorized remote software connections. Some vendors list static IP addresses for their central servers on their support sites that can be leveraged to control this access. However, many vendor IP addresses change periodically, making the task a bit challenging.

Another potentially fruitful approach to firewall traffic blocking is by port number. For example, TeamViewer prefers to use port 5938, although it can fall back on the practically unblockable port 443. While blocking port 5938 would not stop the connection, a properly configured alert would provide defenders with an early warning that TeamViewer was trying to connect out.

Some firewalls also provide additional functionality around session content, similar to Umbrella’s capabilities. Firewalls such as Cisco’s Meraki provide an allow/block URL listing that can be configured to prevent connectivity to unapproved remote management software sites. Cisco Meraki can provide content filtering options that may be helpful in blocking remote management/access sites.

Administrators should consider that firewall controls to combat unauthorized remote software management connections can have unintended consequences and should be heavily tested and piloted prior to implementation.

Verify that IP addresses are dedicated to that application prior to blocking in order to avoid blocking Content Delivery Network (CDN) nodes or other cloud computing shared resources. 

Finally, network segmentation or micro-segmentation can be useful in blocking unauthorized remote management software usage. For instance, categorizing and organizing server resources separate from workstation resources can allow for more tailored options around blocking all unnecessary traffic at the firewall, include that which may be associated with remote management tools. Some organizations already do this well by integrating with group policy configurations.

**Host-based controls****Windows Defender Application Control (WDAC) and AppLocker**

Of all the controls discussed in this post, WDAC and AppLocker are the only ones that can offer almost 100 percent protection against unauthorized remote management/access software execution.

In their most secure configuration, which allows only pre-approved software to run, users or adversaries can't run unexpected executables. However, this comes at a cost, as the approved software baseline maintenance level of effort can be high, and the user experience can be very limited if they are not allowed to install applications as needed.

WDAC and AppLocker offer considerable flexibility in their policies, so some organizations choose to only lock down their critical servers, such as domain controllers, which leaves user system policies more flexible. This approach has benefits far beyond simply blocking remote access/management software, as it will stop most malware from executing, as well.

Keep in mind that, while WDAC is currently more difficult to configure, it has more advanced capabilities and Microsoft is positioning it as the replacement for AppLocker. At the moment, AppLocker is receiving security updates, but no new feature updates.

**Registry filename blocks**

It is possible to block remote management/access software execution by filename via a registry “DisallowRun” key. However, Talos IR does not recommend this approach, except as a containment measure during incident response, since it is not scalable as a preventative measure and is trivially easy to bypass by renaming the executable or modifying the registry. 

**EDR blocks**

Almost every modern EDR can block file hashes, which gives defenders the capability to block the hashes associated with remote management/access software installers and/or installed executables. However, similarly to the filename GPO blocks, this is not scalable or reliable as a proactive measure, since every new version of every software distribution will have a new hash value. This measure should be restricted to containment during incident response only. 

Some EDR solutions offer methods to block vulnerable or unauthorized software, albeit with significant caveats regarding the limitations of those capabilities. The authors of this article have not tested those capabilities but note them here for the sake of completeness.

**Host-based firewalls**

The recommendations for host-based firewall rules are much the same as standalone firewalls, covered above. These can be useful where administrators expect users to roam outside of the boundary of the corporate network, such as home workers off the corporate VPN or using a split-tunnel VPN implementation. 

**Administrator permission restriction**

Restricting administrator permissions so that most users cannot conduct administrator actions on their work computer, such as installing remote access/management software, can help limit an adversary’s ability to install this software after the initial compromise.

Applying the principle of least privilege, which includes both locking down local administrator permissions and limiting the permissions of users’ domain accounts, is considered standard best practice.

**NAC controls**

While network access control (NAC) solutions do not directly block the use of remote management software, they can ensure that all other technical controls are working properly before admitting an endpoint to the network. If the device is a rogue system or lacks EDR, for example, NAC would prevent it from joining.

Another benefit offered by a NAC solution is software version enforcement through custom rules. In Cisco ISE, for example, there are Posture Checks. Organizations can use this to ensure that only the approved version(s) of their approved remote management tool are allowed on the network, directly addressing the threat of an adversary introducing an older version of the approved solution to the network for malicious purposes.

**Alerts and forensics**

Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent the previous mitigations we discussed. The possibilities for these “tripwire” detections are endless, and SOCs/threat-hunting teams should continuously think of ways to improve them, but some ideas are listed below.

**Central log collection**

The first prerequisite for any successful detections is to have centralized log aggregation. At the very minimum, this should ingest firewall logs, EDR alerts and Windows Event logs for key servers. 

**SIEM alerts for suspicious strings**

Setting up a simple alert that triggers upon observation of strings associated with unauthorized remote access/management software product names (e.g., “AnyDesk”) can be an effective way to proactively identify unexpected product installations that were not otherwise blocked.

For example, an MSI installation would generate an Event 11707 entry in the Windows Application Event logs containing the software product name. If the SIEM were ingesting and evaluating those event logs, it would fire an alert, thereby alerting the SOC to a potential installation. This rule would need to be tuned to avoid excessive false positives, but it could result in a valuable early detection method. 

**SIEM alerts for firewall blocks on unique ports**

Enhanced alerting may be necessary to draw a SOC’s attention to firewall blocks associated with remote management/access traffic. Firewalls continuously block traffic, generally dropping thousands or millions of packets per hour. With that in mind, SOCs are not alerted every time a firewall rule drops traffic — especially if the rule that drops the traffic is the Implicit Deny rule blocking all traffic that was not specifically allowed. However, if an internal host attempts to communicate over a port dedicated to remote access/management software, that might merit attention from the SOC. 

It's worth considering creating an SIEM rule that alerts on any firewall block event involving outbound traffic to certain key ports, for example, 5938 (associated with TeamViewer). That alert, while an indication that the network blocks are working as intended, would be a good indication that the SOC needs to investigate the system originating the traffic.

The level of effort required to properly secure remote management/access software is daunting. However, the frequency of use by adversaries makes that effort a necessity. In the wrong hands, these tools serve as a ready-made command and control mechanism. If an organization can afford to secure its VPN solution, it should almost certainly devote resources to locking down unauthorized remote management software, as well.

Adversaries are leveraging remote access tools now more than ever — here’s how to stop them

ARIS: Business Process Management version 10.0.21.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: BusinessProcess Management# Edition Version 10.0.21.0# Exploit Author: Seid Yassin# Date: 2024-03-28# Vendor: Software AG# Software Link: https://aris.com/# Version: ARIS: Business Process Management## Description:Discovered a file upload feature lacking proper file extension validation.This vulnerability allows attackers to upload any type of file, includingmalicious ones. To demonstrate this, we successfully uploaded an SVG fileto carry out a Cross-Site Scripting (XSS) attack. In XSS attacks, maliciousscripts are injected into web pages viewed by other users, potentiallyleading to data theft or unauthorized actions leading to potential theft ofcookies and session tokens.## Background:Cross-site scripting (XSS) is a common web security vulnerability thatcompromises user interactions with a vulnerable application. Stored XSSoccurs when user input is stored in the application and executed whenever auser triggers or visits the page.## Issue:A stored cross-site scripting (XSS) vulnerability in ARIS: Business ProcessManagement  software enables a malicious authenticated user to store a xsspayload(via SVG) using the web interface. Then, when viewed by a properlyauthenticated user or administrator, the JavaScript payload executes withinSVG and disguises all associated actions as performed by that unsuspectingauthenticated user/administrator.## Steps To Reproduce:1. Log into the ARIS application.2. Navigate to my tasks and select any of the task and upload documents(change request form)3. Insert any svg file with xss script in it . eg.https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344## Expected Result:After a user uploads a new document in the Change Request Form, they canutilize the link for the SVG file and UUID to access another path at{{url}}/documents/api/documents/{{UUID}}/content## Actual Result:The ARIS application is vulnerable to Stored Cross-Site Scripting, asevidenced by the successful execution of the injected payload.## Proof of Concept:Attached Screenshots for the reference.

ARIS: Business Process Management 10.0.21.0 Cross Site Scripting

Debian Linux Security Advisory 5650-1 - Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5650-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 31, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : util-linux  
CVE ID         : CVE-2024-28085  
Debian Bug     : 1067849

Skyler Ferrante discovered that the wall tool from util-linux does not  
properly handle escape sequences from command line arguments. A local  
attacker can take advantage of this flaw for information disclosure.

With this update wall and write are not anymore installed with setgid  
tty.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.36.1-8+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.38.1-5+deb12u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYJTYpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sm+A//cJhy/p0UGnSP5MYNc1a1sLeAMcNJm4lwxqR3zDYYqPWAe0jwsspaguNY  
1QPdaqa3d/Vm8pDO8WCnqxuzwqDjwyKNLUYmFbOyDx+U4EyVxC6wsUq936XMvx/5  
xiuTJripQm8urnvCaa7lGLhNSWHOc2jHWCqLnXC2AKwAtSGT7LWFKzC8csHxtRYO  
5A5iUaDONPWJtGpNDx1cczfIuEUvGpANQWOgxrcyAmHb1kjpGHm0RTikpkqKNm4W  
VH+DbgzuXlLtzUn0/YUXJPJkZtPe1LDshhUwFhU13K2lIUk3hWBWyGIrXgG+OZhu  
XgPc/5yAZHjmffHawUPE0LWGA3U6xOWV3pvBIi07XF/kFwR00PXGfMdv9WrTUxxV  
V6Fv5/kd2MsWvZQSYJ9Bn/6Wo5O9w8M3Lfso2OYx01OFRQHQfn4rfRek0ED81155  
qqPaemJYeUIJsDEmiwdr+eh0LZm7+3oMOgdfKDc9ARm9fasWxA7SFg4w5P1h0IWO  
lzuwEzm2W0az9YJ/BFMaZfoTTn/DW9FJHL7Fo5F2vO9CLAihxMYUDM3mUZNBexY8  
Z6XzhdWOSkOAiYI4khDK/TK8jQxSpEjNiFh7Z2pIZs4F6COjI94xtIn+N5nyJxnk  
AweXW0GGSZxt1sXD99JeD27Rv0UXNKyHfcQRPaYo9FyHntkVxi4=  
=jL1I  
-----END PGP SIGNATURE-----

Debian Security Advisory 5650-1

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

**JJWT improperly generates signing keys**

Moderate severity GitHub Reviewed Published Apr 1, 2024 to the GitHub Advisory Database • Updated Apr 1, 2024

Tag

#perl