When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

A scammer tried to seduce us by offering the credentials to an account that held roughly half a million dollars.

This weekend a scammer tried his luck by reaching out to me on WhatsApp. It’s not that I don’t appreciate it, but trust me, it’s bad for your business.

I received one message from a number hailing from the Togolese Republic.

WhatsApp message from an unknow sender

> “Jay, your financial account has been added. Account Csy926. Password \[\*\*\*\*\*\*\*\*\] USDT Balance 1,660,086.50 EUR: 592,030.92 \[domain\] Keep it in a safe place.”

I asked them to send the message in English, pretending not to understand Dutch, but received no reply.

But since it was a rainy day and I’d never seen this type of WhatApp scam before, I decided to investigate.

Sometimes it takes some effort, especially when the domain is blocked for fraud by your favorite security software, but nothing was going to stop me now from looking for my new-found wealth.

Malwarebytes blocked the domain for fraud

To fully understand the message, it’s good to know that USTD stands for Tether, a cryptocurrency referred to as a stablecoin because its value is pegged to a flat currency. In the case of USTD the flat currency is the US dollar. The link makes a stablecoin’s value less volatile than that of other cryptocurrencies, which is attractive for traders that like to switch quickly between cryptocurrencies and flat currencies.

So, I visited the domain which, no surprise there, turned out to be a fake trading platform. I tried the login credentials which were so kindly provided to me.

Welcome to login

Once logged in I checked my wallet and lo and behold, I’m rich! (Or “Jay” is.)

Nice wallet

The wallet belongs to Csy926 who has VIP5 access and contains 1658670.31 USDT or $602,494.07.

I can either recharge, withdraw, or transfer my USDT tokens or transfer the cold hard cash in dollars. Knowing that in this type of scam the victim always has to invest a—relatively–small amount to get the bait, I knew what to expect.

The easiest way would have been if I could transfer the dollars to a bank account, so I tried that first.

Transfer form

Sadly, there were obstacles:

*   Transfers can only be done to other accounts on the platform and the recipient needs to be at least a VIP1 level.
*   Only VIP members can transfer without a key. Assuming Jay is the one with the key, it’s a good thing that the account has a VIP5 status.

So, to be a recipient of a US$ amount, I’ll need a VIP1 level account on the same platform.

Sadly, that’s not me. So I decided to see what I can do with the USDT tokens.

Withdraw form

The form shows a security tip warning users to fill in their withdrawal account accurately, as assets can’t be returned after transferring them out. That sucks for Jay.

But all in all, that looks promising, but again there are some problems.

*   I’ll need a TRC20 wallet. A TRC20 wallet app is an application, accessible on mobile/web or desktop devices, designed specifically for storing, managing, and engaging with TRC20 tokens.
*   Once I filled out the form and clicked on Withdraw, it turned out I needed a key.

Please enter KEY

Looks like it’s time to read the FAQs. Fortunately, this has the answers to all the “right” questions.

What should I do if I forget my KEY?

Long story short. You set the key when you open the account, and it cannot be retrieved. But…..if you have two VIP accounts you can transfer funds from the old account to your new account. And there is no need for a KEY if you have a VIP account. Considering Jay has a VIP5 account there lies an opportunity.

How to activate VIP?

And here comes the catch all of our regular readers saw coming by now, VIP accounts that are able to receive funds cost money. The cheapest—VIP1—requires a deposit of 50 USDT (roughly $50) which is not refundable and can’t be canceled. But with a VIP1 account I can only receive $30 per month and it’s only valid for 2 months. So, that’s not a big help when you are as rich as I am, sorry, Jay is.

VIP1 account is the lowest level and the cheapest

It would take me until the next ice age—4600 years—to transfer the entire amount at that rate, with the off chance that the rightful owner would drain the account or change the password as soon as they noticed the leak.

Any unsuspecting victim that has come this far and is willing to steal from the treasure dropped in their lap, now realizes that before they can enjoy all that money, they first:

1.  Need to open a new account.
2.  Make a deposit to turn it into a VIP account. The amount depends on their greed and impatience because the higher the VIP level, the larger the amount you can transfer in one day and per month.
3.  Transfer the funds from Jay’s account to their own account.
4.  Set up a TRC20 account.
5.  Withdraw the money from the new account to their TRC20 wallet.

We decided not to sponsor the scammers, so this is as far as we were willing to go, but we have a distinct feeling that along the steps we outlined there might be other fees and deposits needed.

**Don’t fall for scammers**

*   Any unsolicited WhatsApp message from an unknown person is suspect. No matter how harmless or friendly it may seem. Most pig butchering scams start with what seems a misdirected message.
*   Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
*   If it’s too good to be true, then it’s very likely not true.
*   Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
*   Use a web filtering app to shield you from known malicious websites. Preferably Malwarebytes Premium or Malwarebytes Browser Guard.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 WhatsApp cryptocurrency scam goes for the cash prize 

Sitefinity version 15.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)# Date: 2023-12-05# Exploit Author: Aldi Saputra Wahyudi# Vendor Homepage: https://www.progress.com/sitefinity-cms# Version: < 15.0.0# Tested on: Windows/Linux# CVE : CVE-2023-27636# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor# Steps To Reproduce:Attacker as lower privilegeVictim as Higher privilege1. Login as an Attacker2. Go to the function using the SF Editor, go to the news page as example3. Create or Edit news item4. On the content form, insert the XSS payload as HTML5. After the payload is inserted, click on the content form (just click) and publish or save6. If the victim visits the page with XSS payload, XSS will be triggeredPayload: <noalert><iframe src="javascript:alert(document.domain);">

Sitefinity 15.0 Cross Site Scripting

Red Hat Security Advisory 2024-3530-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3530.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel-rt security and bug fix updateAdvisory ID:        RHSA-2024:3530-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3530Issue date:         2024-05-31Revision:           03CVE Names:          CVE-2023-52578====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)Bug Fix(es):* kernel-rt: update RT source tree to the latest RHEL-8.4.z Batch 25 (JIRA:RHEL-36724)* [RHEL-8.4] kernel-rt-debug: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:968 (JIRA:RHEL-8758)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52578References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262126https://bugzilla.redhat.com/show_bug.cgi?id=2267758

Red Hat Security Advisory 2024-3530-03

Red Hat Security Advisory 2024-3529-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3529.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2024:3529-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3529Issue date:         2024-05-31Revision:           03CVE Names:          CVE-2023-52578====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52578References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262126https://bugzilla.redhat.com/show_bug.cgi?id=2267758

Red Hat Security Advisory 2024-3529-03

Donald Trump has vowed to go after political enemies, undocumented immigrants, and others if he wins. Experts warn he could easily turn the surveillance state against his targets.

Every president of the United States has within their grasp the power of a vast surveillance state that has grown significantly over the past few decades and has beaten back any real effort to rein it in. Through America’s numerous enigmatic intelligence agencies, presidents possess the ability to dive deeply into the communications, movements, and relationships of everyday Americans. Presidents of both parties have abused the surveillance state, but under a second Trump administration, this power could be abused in ways it has never been before.

Donald Trump, a now convicted felon and the presumptive 2024 Republican presidential nominee, has said he plans to prosecute his political opponents should he return to the White House. He’s said he would allow states to monitor pregnant women and prosecute those who seek abortions. Trump wants to deport millions of undocumented immigrants. He plans to invoke the Insurrection Act to quell civil unrest, which means sending the military into the streets. The much publicized Project 2025 outlines how he would quickly replace thousands of career civil servants in the federal government with loyalists.

If a president was interested in prosecuting their political opponents, crushing protests, targeting undocumented immigrants, and had the right people in place to help them carry out those plans, surveillance could become a valuable tool for accomplishing those goals. Like former US president Richard Nixon in the late 1960s and early 1970s, Trump could use the surveillance powers available to him to monitor his political opponents, disrupt protest movements, and more.

Nixon and former FBI director J. Edgar Hoover famously surveilled the president’s political opponents and activists, including Martin Luther King Jr., through a program called COINTELPRO. One of the main goals of the program was to “expose, disrupt, misdirect, discredit, or otherwise neutralize” civil rights groups.

If he so desired, Trump could create his own version of this program, but he’d be working with much more advanced technology—and it’d be in a time when there are countless data points available on every American. Hoover could have only dreamed of a world where everyone was walking around with tracking devices.

“So much of what we depend on, in terms of the rule of law, depends on norms. When those norms are ignored, that’s when things start to fall apart,” says Jeffrey L. Vagle, an assistant professor of law at Georgia State University. “Some of the norms, like prosecutorial discretion, might be eroded or disappear entirely. That could mean a number of things in terms of surveillance.”

Vagle says that if a second Trump administration wanted to defend its abuse of surveillance powers, it could stretch the use of national security as a justification for doing so. He says presidents have done this in the past in other ways.

“Administrations from both parties have invoked the term ‘national security’ and have used national security loopholes to justify surveillance and profiling,” says Patrick Toomey, deputy director of the American Civil Liberties Union’s National Security Project. “They have too often used national security as a pretext for law enforcement to target Muslims, communities of color, and immigrants.”

Toomey says Trump has sent “mixed signals” when it comes to how he feels about surveillance, but he’s made it clear he plans to target his political opponents in various ways if he’s elected again.

“A second Trump administration could be disastrous for many of our most fundamental freedoms,” Toomey says.

The administration may not even need to come up with a justification for surveilling Americans without a warrant, because it could simply purchase scores of people's personal data. The federal government has been known to purchase data from private brokers in the past, and doing so doesn’t require a warrant.

“We are just awash in data, and data brokers can just collect and sell these data,” Vagle says. “Law enforcement or quasi-law enforcement can collect that information.”

Surveillance can be done in secret so that the people being surveilled don’t realize they’re being surveilled, or it can be done openly as a way to stifle free expression, Vagle says. The government might tell you they’re keeping an eye on people, and then you might be less likely to speak out.

“If you think you’re being watched, you act differently,” Vagle says. “You could see a Trump version of COINTELPRO—only maybe not so covert. They might be more open about it with the idea that it might chill speech.”

As for the abortion issue, some of what may occur will depend on the future legal status of abortion, which could involve a US Supreme Court decision or congressional action. A major change in its legal status would likely affect how the federal government approaches the issue. If it remains a state issue, the federal government wouldn’t typically get involved in how a state is implementing a law it’s passed, but that’s not to say it couldn’t. If a state wanted help tracking people who are crossing state lines for abortions, for example, the federal government could conceivably assist with that.

“The federal government is not in the business of enforcing state laws, but there are a lot of what-ifs. How crazy might a Trump administration be willing to be?” Vagle says.

Whether it’s monitoring political opponents, activists, immigrants, or pregnant people, there are many ways in which a second Trump administration could utilize surveillance powers to exert more control over the populace. If the FBI and the Department of Justice are staffed with people who won’t push back when Trump orders them to do things that might be legally or morally questionable, they may carry out his wishes, and Americans may discover how much their privacy rights have eroded over the years.

“One of the things about Project 2025 is that it’s clear that the Trump camp, and more broadly the Republican Party that’s behind Trump, want to make it a more organized presidency than his first presidency was,” Vagle says. “It would be very unsurprising if the Department of Justice and the FBI dismissed anyone if they even had a whiff of disloyalty.”

How Donald Trump Could Weaponize US Surveillance in a Second Term

In seemingly the first case of its kind, the US Justice Department has charged a Chinese national with using a drone to photograph a Virginia shipyard where the US Navy was assembling nuclear submarines.

The United States Department of Justice is quietly prosecuting a novel Espionage Act case involving a drone, a Chinese national, and classified nuclear submarines.

The case is such a rarity that it appears to be the first known prosecution under a World War II–era law that bans photographing vital military installations using aircraft, showing how new technologies are leading to fresh national security and First Amendment issues.

“This is definitely not something that the law has addressed to any significant degree,” Emily Berman, a law professor at the University of Houston who specializes in national security, tells WIRED. “There’s definitely no reported cases.”

On January 5, 2024, Fengyun Shi flew to Virginia while on leave from his graduate studies at the University of Minnesota and rented a Tesla at the airport. His research focused on using AI to detect signs of crop disease in photos. Shi’s subject that week wasn’t plants, however, but allegedly the local shipyards—the only ones manufacturing the latest generation of Navy carrier ships in the country, and nuclear submarines as well.

According to an affidavit filed by FBI special agent Sara Shalowitz in February, a shipyard security officer alerted the Naval Criminal Investigative Service to Shi’s actions. The affidavit alleges that on January 6, Shi was flying a drone in “inclement weather” before it got stuck in a neighbor’s tree. When Shi, who is a Chinese citizen, approached the neighbor for help, he was questioned about his nationality and purpose for being in the area. The unnamed resident took photos of Shi, his license plate, and his ID, and called the police. The affidavit alleges that Shi was “very nervous” when questioned by police and “did not have any real reasons” for flying a drone in bad weather. The police gave Shi the number for the fire department and said he would need to stay on the scene. Instead, he returned the rental car an hour later and left Hampton Roads, Virginia, abandoning the drone.

When the FBI seized the drone and pulled the photos off its memory card, they discovered images that special agent Shalowitz said she recognized as being taken at Newport News Shipyard and BAE Systems, which is a 45-minute drive away. The affidavit states that on the day Shi took the photos, the Newport News Shipyard was “actively manufacturing” aircraft carriers and Virginia class nuclear submarines.

“Naval aircraft carriers have classified and sensitive systems throughout the carriers,” the affidavit states. “The nuclear submarines present on that date also have highly classified and sensitive Navy Nuclear Propulsion Information (‘NNPI’) and those submarines even in the design and construction phase are sensitive and classified.”

The DOJ is charging Shi with six Espionage Act misdemeanors under two statutes: one banning photographing a vital military installation and one banning the use of an aircraft to do so. Each misdemeanor can result in up to a year in prison upon conviction. While he awaits trial, Shi is restricted to living in Virginia under probation. He was forced to surrender his passport. According to court filings, he appears to require a translator.

Shi’s case, filed in federal court in Virginia’s Eastern District, was first spotted by Court Watch in February. Its rarity became apparent in March, after prosecutors filed a motion for a time extension. The judge agreed, writing that it was justified because the case is “so unusual due to the nature of the prosecution and the novel questions of both law and fact.”

Indeed, Shi is being charged “under two statutes which have been rarely prosecuted” to the degree that “the Court has been able to only find one reported case,” the judge wrote. That case, _Genovese v. Town of Southampton,_ centered on just one of the two statutes Shi is being charged under—photographing a military installation, without an aircraft.

The DOJ declined to comment when WIRED posed questions about Shi’s case, including whether the Chinese government is being engaged on the issue.

According to a filing from US prosecutors, both parties wish to end the case in a plea agreement. Shi’s attorney did not respond to multiple requests for comment.

WIRED found multiple social media accounts connected to Shi. He appears to have a small online footprint and few interactions with others online, portraying a life of quiet normalcy. He appears to be a soccer fan who enjoys campus and is a devoted _League of Legends_ player. He even attended the competitive online game’s 2022 World Championship tournament in San Francisco. In fact, according to online records, he often plays _League of Legends_ multiple times a day while awaiting trial in Virginia. His university research is similarly innocuous: He’s developing an app for detecting crop diseases in photos called Gopher Eye, which is being funded by the National Science Foundation, and has applied for a patent. He describes himself as a “startup manager” on LinkedIn.

One of Shi’s colleagues at the University of Minnesota, who spoke to WIRED under the condition of anonymity, says that he was a “typical” kid who was “very passionate” about his research. In the fall of 2023, however, financial and familial strife compounded by mounting pressure from lagging grades led to a break. The colleague said that Shi soon all but disappeared, taking leave from his studies and “basically hiding from all of his normal relationships.” He’s been difficult to contact since then, they say, adding that they did not know that Shi is currently in the US—much less embroiled in a rare national security case.

“From my point of view, he’s had very bad luck,” they say. “I don’t think that he did anything wrong intentionally.”

The question of why the DOJ is prosecuting Shi in the first place looms large over his case. After all, satellites originating in China photograph the US daily, including military sites and aircraft carriers. The degree to which Shi’s nationality played a role in the DOJ’s decision to prosecute the case isn’t clear. The case is proceeding amid rising animosity between China and the US, but Shi isn’t being charged under any laws related to collecting intelligence for a foreign government. He is not being accused of acting as a spy. His only alleged crime is taking photos with a drone.

“The Justice Department has guidelines that say \[nationality\] is not supposed to play a role in a criminal investigation, but there are exceptions to that rule for national security and border-related investigations,” Berman says. “It certainly seems likely that the fact Shi is a Chinese national raises red flags for investigators that wouldn't necessarily go up in the same way if he was an American citizen, rightly or wrongly.”

Cases prosecuted under statutes banning photographing military bases can have implications for First Amendment rights, Berman says. Photographing in a public place is a constitutionally protected activity.

“It would be a good thing to litigate some of these cases and clarify what the rules actually are about what you can and can't do,” she says. “Any time there is uncertainty, that may make people hesitant to do things that they are constitutionally entitled to do.”

The few occasions where statutes banning photographing military installations have come up illustrate this concern. In _Genovese v. Town of Southampton,_ Nancy Genovese sued law enforcement officials who arrested her for photographing an airport—part of which was a military base—while having guns in her car. A jury agreed that law enforcement was maliciously prosecuting Genovese, and she landed a settlement amounting to more than $1 million in 2016. In another incident, in 2014, reporters for The Blade in Ohio filed a federal lawsuit after they were unlawfully detained for taking photos outside a military base. In that case, too, the law favored the plaintiffs, and the reporters were awarded $18,000.

Shi’s case is scheduled to start on June 20.

The Unusual Espionage Act Case Against a Drone Photographer

### Impact
Template authors could inject php code by choosing a malicous file name for an extends-tag. Users that cannot fully trust template authors should update asap.

### Patches
Please upgrade to the most recent version of Smarty v4 or v5. There is no patch for v3.



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35226

**Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag**

High severity GitHub Reviewed Published May 28, 2024 in smarty-php/smarty • Updated May 29, 2024

**Package**

composer smarty/smarty (Composer)

**Affected versions**

\>= 5.0.0, < 5.1.1

\>= 3.0.0, < 4.5.3

**Patched versions**

5.1.1

4.5.3

**Description**

Published to the GitHub Advisory Database

May 29, 2024

Last updated

May 29, 2024

GHSA-4rmg-292m-wg3w: Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag

Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) expose serial shells on multiple PLCs. A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. The hardware is no longer produced nor offered to the market.

SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >  
=======================================================================  
               title: Exposed Serial Shell on multiple PLCs  
             product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)  
  vulnerable version: All hardware revisions  
       fixed version: Hardware is EOL, no fix  
          CVE number: -  
              impact: Low  
            homepage: https://www.siemens.com  
               found: ~2023-06-01  
                  by: Steffen Robertz (Office Vienna)  
                      Gerhard Hechenberger (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:  
------------------------  
The hardware is no longer produced nor offered to the market. Hence  
HW adaptions resulting in modified products are not possible anymore.  
The described HW behavior on this generation of devices cannot be  
corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Exposed Serial Shell on multiple Siemens PLCs  
A serial interface can be accessed with physical access to the PCB. After  
connecting to the interface, access to a shell with various debug functions  
as well as a login prompt is possible.

Proof of concept:  
-----------------  
1) Exposed Serial Shell on multiple Siemens PLCs

* CP-2016 (Figure 1)  
The serial interface on the CP-2016 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

* CP-2019 (Figure 2)  
The serial interface on the CP-2019 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

  * CP-2014 (Figure 3)  
The serial interface on the CP-2014 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|GND  
  |o|  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  +-+

  * CP-2017 (Figure 4)  
The serial interface on the CP-2017 can be accessed on the compute module  
by connecting to pins 9 and 10 on the populated SMD connector:

   1              TX RX  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

* CP-5014 (Figure 5)  
The serial interface on the CP-5014 can be accessed on the compute module  
by connecting to pins 1 and 2 on the populated SMD connector:

  RX TX              10  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

All serial connections allow access to the SH1703 shell in version 1.00.  
The shell requires no authentication and allows the usage of multiple  
commands.

The following output can be seen on all devices:

---------------------------------------------------  
    XXXXX  XXX XXX      X     XXXXX    XXX     XXX  
   X     X  X   X     XXX     X   X   X   X   X   X  
   X        X   X       X        X    X   X       X  
    XXXXX   XXXXX       X        X    X   X     XX  
         X  X   X       X       X     X   X       X  
   X     X  X   X       X      X      X   X   X   X  
    XXXXX  XXX XXX    XXXXX    X       XXX     XXX  
---------------------------------------------------

1703 Shell [V1.00]  
(c) by 1703 Development Team

type 'help' or '?' or press 'F1' for help

SH1703>

Initialize system ..  
. Init Done.

system startup after Power-Up ...  
Install device 'USB Server'.

  RTC time not valid

  RTC time not valid

  RTC time not valid  
Reg: 100 Komp: 2 BSE: 20  
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01  
Startup ZBGs ... done.

system ready  
SH1703>help  
Available commands:  
  hist                             Display command history  
!<n>                             Execute <n> command from stack  
  ?        [<cmd>]                 Display this message  
  help     [<cmd>]                 Display this message  
  echo     <text>                  Displays text  
  call     <file>                  Run script file  
  cls                              Clear screen  
  loop     <cmd>                   Loop-execution of cmd  
  ldfile   <file>                  Load ascii file  
  db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword  
  wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword  
  mb       <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword  
  login                            Login  
  logoff                           Logoff  
  pci      ...                     PCI Commands  
  bemrk                            Run Benchmark  
  drv                              List installed drives  
  dir                              List files in directory  
  del      [<drv:>]<file>          Delete file  
  ren      <src> <dest>            Rename or move file  
  cd       <dir>|<..>              Change current directory or drive  
  md       <dir>                   Make directory  
  rd       <dir>                   Remove directory  
  type     [<drv:>]<file>          Displays the contents of a file  
  copy     <src> <dest>            Copy a file  
  findstr  <file> <str>            Find a string in a textfile  
  mkdisk   <drvname> <size>        Make a Ramdisk  
  uidisk   <drvname>               Close and uninstall a disk  
  format   <drvname>               Format drive  
  mem_wr   <addr> <size> <des>     Write mem to file  
  idr                              Read from diagnostic ring  
  icr                              Clear diagnostic ring  
  idd                              Debug-Trace ON  
  bp                               Read all breakpoint settings  
  bpf      [<file>]                Set File for Debugprint (no arg = stdout)  
  is       ...                     Debugger settings  
  ig       [f|s]                   Display BPs / Clear all BPs  
  idb                              Read DB-Breaks  
  idt                              Read DB-Trace Settings  
  icz                              Clear breakpoint counters  
  dev      ...                     ZIO-Device commands  
  bsp      ...                     bsp commands  
  ftrc     ...                     FTRC Commands  
  banner                           Display the banner  
  pl                               Display process list  
  pi       [<appl_nr>]             Display process info  
  ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start  
  tl                               Display task list (all processes)  
  tm       [-r]                    Display task monitor (-r = runtime)  
  tc       <taskname>              Display task context  
  td       <taskID>                Display task descriptor  
  tq                               Display task queues  
  sysztsk                          Display ZOS-tasks of system process  
  appztsk  [<appl_nr>]             Display ZOS-tasks of appl-process(es)  
  stack                            Display stack usage of all tasks  
  stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume  
  tsktrc   -s|r|c                  ZOS-Task-Trace Start|Read|Clear  
  set      [<name>=<val>]          Display, set or remove environment variables  
  time                             Display the current time  
  timeset                          Set the current time  
  mem                              Display memory usage  
  status                           Display system status informations  
  ver                              Display version informations  
  r                                Reset system element (R,R Cxx,R Pxx,R Zxx  
  klog     [dis|ena|all]           Display, disable or enable kernel logging  
  psp_info                         Display prozessor configuration infos  
  int_info                         Interrupt-Info-List  
  int_gen                          Generate Interrupt (for Admin only)  
  tlbs                             Display TLBs  
  ga       [<appl_nr>]             Start Subshell of application  
  tsd                              Debug Timeserver  
  mci                              MCI Commands  
  usb      <cmd>                   USB commands  
  mmc      <cmd>                   MMC Commands  
  zhs                              ZHS commands  
  zpv                              Parameter infos  
  zdt                              data transporter  
  fsn                              ZIO/FSN statistics  
  net      <enet|emac|mal> <dev>   Network statistics  
  prd      <pg> <reg> <len>        Read PHY register (len: 8|16|32)  
  pwr      <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)  
  rmib                             Reset all statistic counters  
  scfg                             Display broadcom switch registers  
  ipaddr   <dev>                   Display ip addresses on interface  
  route                            Display routing table  
  socket                           Display socket statistic  
  tcp                              Display tcp statistic  
  udp                              Display udp statistic  
  arp                              Display arp cache  
  ping     host-ipaddr             send ICMP ECHO_REQUEST to a host  
  arl                              Switch Address Resolution table  
  ebuf                             Statistic for Buffer handling FSN  
  tls_ciph                         print cipher suites for all connections  
  tls_obj  idx                     print connection objects  
  tls_log                          log level for tls lib  
  tls_deb  idx                     print connection debug cnts  
  tlscache                         print cert/key cache  
  opensslm                         print mem pool statistic for openssl  
  tlsdeb_s                         START mem pool debug function  
  tlsdeb_e                         END mem pool debug function  
  tlsdeb_r                         print mem pool debug for openssl  
  tlsdeb_c                         CLEAR mem pool debug function  
  sap                              special application function  
Available Function-Keys:  
  F1     Help  
  F2     Display system status informations  
  F3     Display Last command  
  F5     Display the current time  
  F7     History  
  F8     Display memory usage  
  F9     Display ZOS-Task Infos  
  F10    Display Tasklist  
  F11    Execute Last command  
SH1703>

----------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest version available  
at the time of the test:  
* CP-2016: CPCX26 V0.06A01  
* CP-2019: PCCX26 V0.06A01  
* CP-2014: CPCX25 V0.05A04  
* CP-2017: PCCX25 V0.11A10  
* CP-5056: CPCX55 V0.10A04

Vendor contact timeline:  
------------------------  
2024-03-05: Contacting vendor through productcert@siemens.com  
2024-03-06: Siemens tracks this issue as case #04393  
2024-04-03: Requested status update.  
2024-04-03: Product is EOL, no fix planned.  
2024-04-29: Informed Siemens about planned publication of advisory.  
2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.  
2024-05-07: Siemens requested small changes in the Solution and Business  
             Recommendation.  
2024-05-24: Public release of security advisory.

Solution:  
---------  
The hardware is no longer produced nor offered to the market. Hence HW  
adaptions resulting in modified products are not possible anymore. The  
described HW behavior on this generation of devices cannot be corrected  
by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

Workaround:  
-----------  
Make sure to strictly limit physical access to the PLC during and also  
after its life cycle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024

Siemens CP-XXXX Series Exposed Serial Shell

Debian Linux Security Advisory 5698-1 - Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5698-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146Multiple security issues were found in Rack, an interface for developingweb applications in Ruby, which could result in denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 2.2.6.4-1+deb12u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0YACgkQEMKTtsN8TjaEDQ/+In6arFD5sCgR6IZW2RiwAgBlLY9SAPlcuSI4qYkoN3JDMsm3dWV38UEOIwhvEiNpOXRiHCi4V15Eo92I1ayKJIZYM9n5B1pjGQrci5tl1cnFIfhfkIEjRET7OFRgL6TYgzsc5PKmlBNmff/yQOPXdw2q8dfgJkBb9Nc7GUxrhnsAdy/5mrW9NgSPerd65rYZ3NcGpSCiKcUcweatBalf2GycXFXSNzUlYw4nGuEOM5P4uyB8TI0lhaxy+hQA24fVGfKIldSHvQu4gs2jN2CaCNp4KyV5SkAtK7lBTxWMihmXwhzvpGeKF/ABokicqj4AC/T1BhjqS7S5/CjScmJwwkOcpaNhcqoI9wmFkx/bVYbQGmFuYPibziBHfBeucZhCFW2zhxSGYX/oWx/V4J3kBwMMUll4pI3AM0SEs/loeU3k+eLR7mq1ElcLt+IOmQpwNIIuvy/r8wvSySBLXu07b1lS29LMtqk3qXdb3HO6e2QznIdW6CatcewEc6uWOAzUBSFwvA1kgXWFqT9gj17RQ6VdMAdOw+5dkWIbJrWeJfiDdlT6R0KWpAfExQFzLbywtKJAtOnS7v+jyBkPlTg5Rz6z7o6PCf5fYA42FnI6p5AAryPvEupbiE6N72K1+8x+mDeiPFLlmrlP3tUsdhVwSfD5AEO+Qiyi04rYY7w55RM==9BYJ-----END PGP SIGNATURE-----

Tag

#sap