Red Hat Security Advisory 2024-7207-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7207.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7207-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7207Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud.  It is compatible with composer-cli and cockpit-composer clients.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7207-03

Red Hat Security Advisory 2024-7206-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7206.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7206-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7206Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud.  It is compatible with composer-cli and cockpit-composer clients.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7206-03

Red Hat Security Advisory 2024-7205-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7205.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7205-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7205Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:An image building service based on osbuild It is inspired by lorax-composer and exposes the same API. As such, it is a drop-in replacement.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7205-03

Red Hat Security Advisory 2024-7204-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7204.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7204-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7204Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud.  It is compatible with composer-cli and cockpit-composer clients.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7204-03

Red Hat Security Advisory 2024-7203-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7203.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git-lfs security updateAdvisory ID:        RHSA-2024:7203-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7203Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for git-lfs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7203-03

Red Hat Security Advisory 2024-7202-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7202.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:7202-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7202Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7202-03

Ubuntu Security Notice 7040-1 - It was discovered that ConfigObj contains regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a regular expression denial of service.

==========================================================================  
Ubuntu Security Notice USN-7040-1  
September 26, 2024

configobj vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

ConfigObj could be made to crash if it received specially crafted input.

Software Description:  
- configobj: simple but powerful config file reader and writer for Python

Details:

It was discovered that ConfigObj contains regex that is susceptible to  
catastrophic backtracking. An attacker could possibly use this issue to  
cause a regular expression denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  python3-configobj               5.0.6-5ubuntu0.1

Ubuntu 20.04 LTS  
  python3-configobj               5.0.6-4ubuntu0.1

Ubuntu 18.04 LTS  
  python-configobj                5.0.6-2ubuntu0.18.04.1~esm1  
                                  Available with Ubuntu Pro  
  python3-configobj               5.0.6-2ubuntu0.18.04.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  python-configobj                5.0.6-2ubuntu0.16.04.1~esm1  
                                  Available with Ubuntu Pro  
  python3-configobj               5.0.6-2ubuntu0.16.04.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7040-1  
  CVE-2023-26112

Package Information:  
  https://launchpad.net/ubuntu/+source/configobj/5.0.6-5ubuntu0.1  
  https://launchpad.net/ubuntu/+source/configobj/5.0.6-4ubuntu0.1

Ubuntu Security Notice USN-7040-1

Simple Online Banking System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Online Banking System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user = admin & pass = admin123[+] https://www/127.0.0.1/demo/site/loginGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Online Banking System 1.0 Insecure Settings

As Superman has kryptonite, software has weaknesses — with misconfigurations leading the pack.

Mark Troester, Vice President of Strategy, Progress

September 27, 2024

4 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The convergence of rising cyber threats, advanced artificial intelligence (AI), remote work, and hybrid infrastructures presents significant cybersecurity challenges in today's IT landscape. As a result, it's necessary to make your endpoints, cloud infrastructure, and remote access channels more secure. As cyber adversaries adopt new tactics, organizations worldwide respond by expanding the use of continuous threat exposure management (CTEM) systems, investing in robust security solutions, and leveraging cross-functional collaboration to mitigate risks and safeguard digital assets effectively.

But like Superman has kryptonite, even the best software has weaknesses, with misconfigurations leading the pack.

Consider this: Microsoft research indicates that a staggering 80% of ransomware attacks can be attributed to common configuration errors in software and devices. 

Misconfigurations now hold an unenviable fifth place on the Open Worldwide Application Security Project Top 10 — a crucial vulnerability reference for the cybersecurity community. OWASP found 208,000 occurrences of common weakness enumeration (CWE) within 90% of applications tested for misconfiguration, highlighting the widespread nature of this vulnerability.

OWASP says, "Without a concerted, repeatable application security configuration process, systems are at a higher risk."

With this evidence, it's no wonder that organizations are paying more attention to "misconfigurations."

**Picture This ... **

You're sitting down with your morning cuppa and stories of a data leak hit the headlines. The company affected is a leading insurance firm, and the personal information of thousands of customers has been made available on the Internet for months. With a little research, you learn that the firm left several customer records unprotected on one of its clouds, making it easy for anyone to access this information through a simple SQL command. While digging through the tabloids you stumble upon the cause of such a tremendously ironic turn of events. Turns out, it was a simple misconfiguration error: The system administrator left the cloud open to the public since they missed updating the privacy settings and permissions for the cloud storage in question.

We learn that human errors, despite stringent protocols, are difficult to control and, consequentially, remove. The increasing complexity of distributed and component-based systems and common misunderstandings of system requirements and design will likely lead to more problems. While humans play a critical role in decision-making and monitoring systems, manual updates are no longer viable.

**So, What Can You Do About It?**

With all that's happening in cybersecurity, can you confidently say you have all your endpoints covered? And by all, I mean all — including the data on third-party systems. If your answer to this is yes, congratulations! You're doing better than most organizations in the world! But if your answer is no, I would like you to consider the following measures to improve the security of your systems: 

1.  Employ automation that extends DevOps from application delivery to IT operations to DevSecOps. Automation is the remedy that will help organizations avoid manual errors. It will allow employees to use their precious time for more important tasks while confirming that initial and ongoing configurations are error-free. By automating audits on configurations, you can create a repeatable system hardening process that will potentially save you a lot of time and money in the future. Automation will enable you to reduce human error, improve reliability, maintain consistency, and support collaboration across teams. It will also give all stakeholders visibility over the security posture of your IT estate.
    
2.  Use a policy-as-code approach to help frame your security and compliance policies or rules. Organizations can configure systems by encoding security rules in human-readable and machine-enforceable policies and continuously checking for and remediating drift. In fact, policy-as-code brings both configuration and compliance management into a single step. This removes the security silo and brings all stakeholders into a shared pipeline and framework, enabling collaboration among team members and allowing for security to be shifted left in the development process. The policy-as-code approach can help detect misconfigurations, increase efficiency and speed, and reduce the risk of production errors.
    

While there is a technical aspect to DevSecOps, there is also a human aspect that involves collaboration and planning. A multiprong approach that starts with collaboration across IT operations and security and compliance teams, while discussing the appropriate external and internal compliance requirements, is a critical starting point.

After understanding the configuration and policies, you can start with pre-packaged policies that align with standards such as the Center for Internet Security (CIS) Benchmarks and the Department of Defense Systems Agency-Security Technical Implementation Guides (DISA-STIG). Consider using an automated system to verify if your configurations are continuously accurate. This, in turn, will allow your organization to address complex and heterogeneous environments, including cloud-native public cloud services, Kubernetes configurations, and any on-premises or hybrid cloud workload.

**About the Author**

Vice President of Strategy, Progress

Mark Troester is the vice president of strategy at Progress. He helped guide the strategic go-to-market efforts for Progress before transitioning into a leadership role for the Progress Infrastructure Management division, which includes DevOps/DevSecOps, network management, network detection and response, and application delivery control offerings. Previously, he worked with both upstarts and stalwarts like Sonatype, SAS, and Progress DataDirect. Before these positions, Mark worked as a developer and developer manager for startups and enterprises alike. Mark has extensive speaking experience on topics at the intersection of business and technology, including industry events hosted by Gartner, Forrester, TDWI, and more.

Could Security Misconfigurations Become No. 1 in OWASP Top 10?

A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions.
"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print

A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions.

"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," security researcher Simone Margaritelli said.

CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.

The list of vulnerabilities is as follows -

*   **CVE-2024-47176** - cups-browsed <= 2.0.1 binds on UDP INADDR\_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
*   **CVE-2024-47076** - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
*   **CVE-2024-47175** - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
*   **CVE-2024-47177** - cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter

A net consequence of these shortcomings is that they could be fashioned into an exploit chain that allows an attacker to create a malicious, fake printing device on a network-exposed Linux system running CUPS and trigger remote code execution upon sending a print job.

"The issue arises due to improper handling of 'New Printer Available' announcements in the 'cups-browsed' component, combined with poor validation by 'cups' of the information provided by a malicious printing resource," network security company Ontinue said.

"The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp user – not the superuser 'root.'"

RHEL, in an advisory, said all versions of the operating system are affected by the four flaws, but noted that they are not vulnerable in their default configuration. It tagged the issues as Important in severity, given that the real-world impact is likely to be low.

"By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems," it said.

Cybersecurity firm Rapid7 pointed out that affected systems are exploitable, either from the public internet or across network segments, only if UDP port 631 is accessible and the vulnerable service is listening.

Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages, and therefore are not impacted by the flaws.

Patches for the vulnerabilities are currently being developed and are expected to be released in the coming days. Until then, it's advisable to disable and remove the cups-browsed service if it's not necessary, and block or restrict traffic to UDP port 631.

"It looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems, may only affect a subset of systems," Benjamin Harris, CEO of WatchTowr, said in a statement shared with The Hacker News.

"Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be."

Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not at a level of a Log4Shell or Heartbleed.

"The reality is that across a variety of software, be it open or closed source, there are a countless number of vulnerabilities that have yet to be discovered and disclosed," Narang said. "Security research is vital to this process and we can and should demand better of software vendors."

"For organizations that are honing in on these latest vulnerabilities, it's important to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation states, as well as ransomware affiliates that are pilfering corporations for millions of dollars each year."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability