A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability.

@@ -11,7 +11,7 @@

get\_public\_keys\_of\_user,

PublicKeyParseError,

)

from tests.constants import SSH\_KEY\_1, SSH\_KEY\_BAD

from tests.constants import SSH2\_KEY\_BAD, SSH\_KEY\_1, SSH\_KEY\_BAD, SSH\_KEY\_BAD\_MULTILINE

from tests.fixtures import session, users \# noqa: F401

  

  

@@ -41,6 +41,16 @@ def test\_bad\_key(session, users): # noqa: F811

assert get\_public\_keys\_of\_user(session, user.id) \== \[\]

  

  

@pytest.mark.parametrize("key", \[SSH\_KEY\_BAD\_MULTILINE, SSH2\_KEY\_BAD\])

def test\_multiline\_key(key, session, users): \# noqa: F811

user \= users\["cbguder@a.co"\]

  

with pytest.raises(PublicKeyParseError, match\="Public key cannot have newlines"):

add\_public\_key(session, user, key)

  

assert get\_public\_keys\_of\_user(session, user.id) \== \[\]

  

  

@patch("grouper.public\_key.get\_plugin\_proxy")

def test\_rejected\_key(get\_plugin\_proxy, session, users): \# noqa: F811

get\_plugin\_proxy.return\_value \= PluginProxy(\[PublicKeyPlugin()\])

CVE-2022-4768: Block injection attack in ssh public key handling (#673) · dropbox/merou@d930879

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

**Advisory ID****：**DHCC-SA-202212-001

**First Published****：**2022-12-20

Cybersecurity is an on-going challenge for all IoT connected device manufacturers and users, as it is for all digital products and services. Dahua Technology is committed to developing and maintaining state-of-the-art cybersecurity practices, including through our product design process and our customer-facing Dahua Cybersecurity Center (DHCC) for transparent vulnerability reporting and handling.

In response to security issues reported by Bashis from IPVM, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities. Please download from https://software.dahuasecurity.com/en/download or contact Dahua local technical support to upgrade.

We strongly suggest, consistent with cybersecurity best practice, that all Dahua customers follow our security advisory, in order to ensure their systems are up-to-date and maximally protected. In the meantime, customers with other concerns on cybersecurity related issues, please feel free to contact us at cybersecurity@dahuatech.com.

**Summary**

1.    CVE-2022- 45423

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specially crafted packet to the vulnerable interface (the credentials cannot be directly exploited).

2.    CVE-2022- 45424

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specially crafted packet to the vulnerable interface.

3.    CVE-2022- 45425

Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. An attacker can obtain the AES crypto key by exploiting this vulnerability.

4.    CVE-2022- 45426

Some Dahua software products have a vulnerability of unrestricted download of file. After obtaining the permissions of ordinary users, by sending a specially crafted packet to the vulnerable interface, an attacker can download arbitrary files.

5.    CVE-2022- 45427

Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can upload arbitrary files.

6.    CVE-2022- 45428

Some Dahua software products have a vulnerability of sensitive information leakage. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can obtain the debugging information.

7.    CVE-2022- 45429

Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specially rules.

8.    CVE-2022- 45430

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could enable or disable the SSHD service.

Note: This vulnerability affects Linux based system only.

9.    CVE-2022- 45431

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated restart of remote DSS Server.

Note: This vulnerability affects Linux based system only.

10.   CVE-2022- 45432

Some Dahua software products have a vulnerability of unauthenticated search for devices. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated search for devices in range of IPs from remote DSS Server.

Note: This vulnerability affects Windows based system only.

11.   CVE-2022- 45433

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could get the traceroute results.

Note: This vulnerability affects Windows based system only.

12.   CVE-2022- 45434

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

Note: This vulnerability affects Windows based system only.

**Vulnerability Score**

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/speciallyation-document).

CVE-2022-45423

Base Score: 5.3(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 4.8(E:P/RL:O/RC:C)

CVE-2022-45424

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45425

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45426

Base Score: 7.7(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Temporal Score: 6.9(E:P/RL:O/RC:C)

CVE-2022-45427

Base Score: 8.7(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)

Temporal Score: 7.8(E:P/RL:O/RC:C)

CVE-2022-45428

Base Score: 4.9(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 4.4(E:P/RL:O/RC:C)

CVE-2022-45429

Base Score: 9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.8(E:P/RL:O/RC:C)

CVE-2022-45430

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45431

Base Score: 8.6(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Temporal Score: 7.7(E:P/RL:O/RC:C)

CVE-2022-45432

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45433

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45434

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

**Affected Products & Fix Software**

The following product series and models are currently known to be affected.

Affected Model

Affected Version

Fix Software

Affected Area

DSS Professional

V7.002.1760000.2

Patch Installer for DSS Professional V7

Overseas

V8.0.2

Patch Installer for DSS Professional V8.0.2

V8.0.4

Patch Installer for DSS Professional V8.0.4

V8.1

Patch Installer for DSS Professional V8.1

V8.1.1

Patch Installer for DSS Professional V8.1.1

DSS Express

V1.000.175J000.2

Patch Installer for DSS Express V7

Overseas

V8.0.2

Patch Installer for DSS Express V8.0.2

V8.0.4

Patch Installer for DSS Express V8.0.4

V8.1

Patch Installer for DSS Express V8.1

V8.1.1

Patch Installer for DSS Express V8.1.1

DHI-DSS7016D-S2/DHI-DSS7016DR-S2

V1.001.0000001.2

Patch Install for DSS7016D/R-S2 V7

Overseas

V8.0.2

Patch Installer for DSS7016D/DR-S2 V8.0.2

V8.0.4

Patch Installer for DSS7016D/DR-S2 V8.0.4

V8.1

DSS7016D/DR-S2 V8.1

DHI-DSS4004-S2

V1.001.0000000.2

Patch Install for DSS4004-S2 V7

Overseas

V8.0.2

Patch Installer for DSS4004-S2 V8.0.2

V8.0.4

Patch Installer for DSS4004-S2 V8.0.4

V8.1

DSS4004-S2 V8.1

Note: To view the version, please log in to the Web and view it on the “About” page.

**Fix Software Download**

Please download the corresponding fix software or its newer version as listed in the above table from Dahua website, or contact Dahua local technical support to upgrade.

• Dahua Official website: https://software.dahuasecurity.com/en/download

• Dahua Technical Support Personnel.

**Support Resources**

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

**Acknowledgment**

We acknowledge the support of Bashis from IPVM who discovered these vulnerabilities and reported them to DHCC.

**Revision History**

Version

Description

Date

V1.0

Initial public release

2022-12-20

CVE-2022-45434: Security Advisory – Vulnerabilities found in Dahua software products

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

In rdiffweb prior to 2.5.5, lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection that could allow attacker to redirect victim to malicious websites.

**rdiffweb vulnerable to Special Element Injection**

Moderate severity GitHub Reviewed Published Dec 27, 2022 • Updated Dec 30, 2022

GHSA-83pm-7v48-5jp4: rdiffweb vulnerable to Special Element Injection

Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -325,15 +325,47 @@ def test\_add\_authorizedkey\_without\_file(self):

def test\_add\_authorizedkey\_duplicate(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Add the key to the user

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

\# Add the same key

  

\# When adding the same identical key.

\# Then an error is raised

with self.assertRaises(DuplicateSSHKeyError):

userobj.add\_authorizedkey(key)

userobj.commit()

  

def test\_add\_authorizedkey\_duplicate\_new\_comment(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

  

\# When adding the same key with a different comment

\# Then an error is raised

with self.assertRaises(DuplicateSSHKeyError):

userobj.add\_authorizedkey(key, comment\="new comment")

userobj.commit()

  

def test\_add\_authorizedkey\_duplicate\_new\_user(self):

\# Read the pub key

key \= self.\_read\_ssh\_key()

\# Given a user with a SSH Key

userobj \= UserObject.get\_user(self.USERNAME)

userobj.add\_authorizedkey(key)

userobj.commit()

  

\# When adding the same key to a different user

\# Then an error is raised

newuser \= UserObject.add\_user("newuser")

newuser.commit()

with self.assertRaises(DuplicateSSHKeyError):

newuser.add\_authorizedkey(key, comment\="new comment")

newuser.commit()

  

def test\_add\_authorizedkey\_with\_file(self):

"""

Add an ssh key for a user with an authorizedkey file.

CVE-2022-4724: Make sure that all ssh keys are unique, regardless of the user · ikus060/rdiffweb@c4a19cf

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.

**Description**

Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection that could allow attacker to redirect victim to malicious websites

**Proof of Concept**

    1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys 
    2) Add SSH key
    3) Enter the name evil.com 
    4) Due to lack of sanitisation , this might cause a hyperlink injection attack once email is triggered successfully on adding SSH key
    
    
    
    
    # Impact
    
    This issue allows an attacker to redirect victim to malicious website and cause a phishing attack

CVE-2022-4721: Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection in rdiffweb

Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -15,74 +15,91 @@ \# You should have received a copy of the GNU General Public License \# along with this program. If not, see <http://www.gnu.org/licenses/>.  
import logging import sys  
import cherrypy from sqlalchemy import event from sqlalchemy.exc import IntegrityError  
from .\_repo import RepoObject \# noqa from .\_session import DbSession, SessionObject \# noqa from .\_sshkey import SshKey \# noqa from .\_token import Token \# noqa from .\_user import DuplicateSSHKeyError, UserObject \# noqa from .\_user import DuplicateSSHKeyError, UserObject, user\_username\_index \# noqa  
Base \= cherrypy.tools.db.get\_base()  
logger \= logging.getLogger(\_\_name\_\_)  
  
def \_column\_add(connection, column): if \_column\_exists(connection, column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
  
def \_column\_exists(connection, column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
  
def \_index\_exists(connection, index\_name): if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT name FROM sqlite\_master WHERE type = 'index' AND name = '%s';" % (index\_name) else: sql \= "SELECT \* FROM pg\_indexes WHERE indexname = '%s'" % (index\_name) return connection.engine.execute(sql).first() is not None  
  
@event.listens\_for(Base.metadata, 'after\_create') def db\_after\_create(target, connection, \*\*kw): """ Called on database creation to update database schema. """  
def exists(column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
def add\_column(column): if exists(column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Add repo's Encoding add\_column(RepoObject.\_\_table\_\_.c.Encoding) add\_column(RepoObject.\_\_table\_\_.c.keepdays) \_column\_add(connection, RepoObject.\_\_table\_\_.c.Encoding) \_column\_add(connection, RepoObject.\_\_table\_\_.c.keepdays)  
\# Create column for roles using "isadmin" column. Keep the \# original column in case we need to revert to previous version. if not exists(UserObject.\_\_table\_\_.c.role): add\_column(UserObject.\_\_table\_\_.c.role) if not \_column\_exists(connection, UserObject.\_\_table\_\_.c.role): \_column\_add(connection, UserObject.\_\_table\_\_.c.role) UserObject.query.filter(UserObject.\_is\_admin \== 1).update({UserObject.role: UserObject.ADMIN\_ROLE})  
\# Add user's fullname column add\_column(UserObject.\_\_table\_\_.c.fullname) \_column\_add(connection, UserObject.\_\_table\_\_.c.fullname)  
\# Add user's mfa column add\_column(UserObject.\_\_table\_\_.c.mfa) \_column\_add(connection, UserObject.\_\_table\_\_.c.mfa)  
\# Re-create session table if Number column is missing if not exists(SessionObject.\_\_table\_\_.c.Number): if not \_column\_exists(connection, SessionObject.\_\_table\_\_.c.Number): SessionObject.\_\_table\_\_.drop() SessionObject.\_\_table\_\_.create()  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Remove preceding and leading slash (/) generated by previous \# versions. Also rename '.' to '' result \= RepoObject.query.all() @@ -101,3 +118,22 @@ def add\_column(column): row.delete() else: prev\_repo \= (row.userid, row.repopath)  
\# Fix username case insensitive unique if not \_index\_exists(connection, 'user\_username\_index'): duplicate\_users \= ( UserObject.query.with\_entities(func.lower(UserObject.username)) .group\_by(func.lower(UserObject.username)) .having(func.count(UserObject.username) \> 1) ).all() try: user\_username\_index.create() except IntegrityError: msg \= ( 'Failure to upgrade your database to make Username case insensitive. ' 'You must downgrade and deleted duplicate Username. ' '%s' % '\\n'.join(\[str(k) for k in duplicate\_users\]), ) logger.error(msg) print(msg, file\=sys.stderr) raise SystemExit(12)

CVE-2022-4722: Make username case-insensitive · ikus060/rdiffweb@d1aaa96

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -45,6 +45,7 @@ def start(self): self.bus.log('Start Notification plugin') self.bus.publish('schedule\_job', self.execution\_time, self.notification\_job) self.bus.subscribe('access\_token\_added', self.access\_token\_added) self.bus.subscribe('authorizedkey\_added', self.authorizedkey\_added) self.bus.subscribe('user\_attr\_changed', self.user\_attr\_changed) self.bus.subscribe('user\_password\_changed', self.user\_password\_changed)  
@@ -54,6 +55,7 @@ def stop(self): self.bus.log('Stop Notification plugin') self.bus.publish('unschedule\_job', self.notification\_job) self.bus.unsubscribe('access\_token\_added', self.access\_token\_added) self.bus.unsubscribe('authorizedkey\_added', self.authorizedkey\_added) self.bus.unsubscribe('user\_attr\_changed', self.user\_attr\_changed) self.bus.unsubscribe('user\_password\_changed', self.user\_password\_changed)  
@@ -77,6 +79,21 @@ def access\_token\_added(self, userobj, name): ) self.bus.publish('queue\_mail', to\=userobj.email, subject\=\_("A new access token has been created"), message\=body)  
def authorizedkey\_added(self, userobj, fingerprint, comment, \*\*kwargs): if not self.send\_changed: return  
if not userobj.email: logger.info("can't sent mail to user \[%s\] without an email", userobj.username) return  
\# If the email attributes was changed, send a mail notification. body \= self.app.templates.compile\_template( "email\_authorizedkey\_added.html", \*\*{"header\_name": self.app.cfg.header\_name, 'user': userobj, 'comment': comment, 'fingerprint': fingerprint} ) self.bus.publish('queue\_mail', to\=userobj.email, subject\=\_("A new SSH Key has been added"), message\=body)  
def user\_attr\_changed(self, userobj, attrs\={}): if not self.send\_changed: return

CVE-2022-4719: Send notification on new SSH Key · ikus060/rdiffweb@bc4bed8

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.

**Question: What kind of data can an attacker steal after compromising a developer?**

**Louis Lang, security researcher, CTO of Phylum**: We have spent a long time convincing people they shouldn’t open email attachments from unknown senders. We have spent considerably less time convincing the wider developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the absolute best case, the attacker may have gained access to a junior engineer's machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free reign to modify the organization's source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure and likely the ability to bypass certain code checks. This scenario, where this kind of an engineer is compromised, would be devastating for an organization.

This is not hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailor-made to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even attempted to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the lynchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and could lead to catastrophic consequences.

Tag

#ssh