In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

Summary

Certain browsers can bypass authentication and redirect to the redirect url provided without any validation (CVE-2022-3614)

Advisory Number

2022-26

Discovery Date

05 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

22 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-3614

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x versions after 3.5.1
*   All 4.x versions
*   All 2018.x, 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x and 2022.2.x versions
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8063

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.10750
*   2022.4.8063

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

3.5 and greater

2022.3.10750 or greater

4.x, 2018.x, 2019.x, 2020.x, 2021.x

2022.3.10750 or greater

2022.1.x, 2022.2.x

2022.3.10750 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8063 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3614, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3614: Security Advisory 2022-26

Categories: Android
Categories: Apple
Categories: News
Tags: devices

Tags:  recycle

Tags:  back up

Tags:  reset

Tags:  android

Tags:  mac

Tags:  apple

Tags:  iphone

Tags:  ipad

Tags:  windows

Tags:  chromebook

Before we hand down, sell on, or recycle our old device we will want to make sure all personal data are backed up and deleted from the device. Here's how...



(Read more...)




The post New device? Here's how to safely dispose of your old one appeared first on Malwarebytes Labs.

Until recently I had two old phones, one tablet and about 20 hard drives in storage that I was afraid to give up for recycling, or to pass on to someone that could use them. I wanted to dispose of them, but knowing how easy it is to retrieve data—such as personally identifiable information—even from apparently "clean" devices, I was cautious. Having researched the subject for this article I now feel a lot safer about disposing of them, and I hope you will feel a lot safer about disposing of your devices too.

Back in November I found out that it wasn’t just me. A survey in the Netherlands showed that 55% of the population keep their old phones in a drawer instead of selling them on or recycling them.

There are two reasons for people to hold on to old devices:

*   Keeping unique data on the device like pictures, etc.
*   Fear of spilling information that is left behind on the device.

So, what we need to cover for peace of mind when we do get rid of our old devices are **backups**, so you don't lose your data when you get rid of your device, and **scrubbing**, so that usable data isn't left on the device.

**Backups******Windows****

**For Windows users there are many software packages and built-in tools available to back up your old PC. The simplest method is to manually back up your files and settings to removable media or a network location. You can specify the files and settings that you want to back up and how often you want to perform a backup. Which tools and software are available to you very much depends on the Windows version you are using.**

To backup and wipe the old hard drives that came from my Windows computers, I bought a hard drive docking station that came with the software to do all that, so that was easy. If the number of hard drives is limited you could opt to keep the drives and use such a docking station to retrieve files when the need arises. But I had so many old, and small, hard drives, it was worth copying the data section to a large external drive. You can also choose to copy your data to a cloud account. Even if some of your drives are very old, you wouldn't want to end up being that person that threw away 150 million in Bitcoin.

****Mac****

There are 2 ways to make a backup of the most important files on your Mac device. Make a backup with Time Machine or make a backup with iCloud.

Time Machine is an Apple program with which you can easily copy the data on your Mac to an external storage device. When you make a backup, always choose a drive with a larger storage capacity than your Mac.

*   Click on the Apple logo in the upper left corner and click on System Preferences
*   Click on Time Machine
*   Click on Select Disk
*   Select the hard drive you want to use for the backup
*   Confirm the drive you're going to use. It's possible the drive has to be emptied, formatted, or configurated first
*   Check Back Up Automatically to keep making backups

With iCloud, you can store files in the cloud on the Apple server. You have access to iCloud with your Apple ID. As opposed to Time Machine, which makes a complete backup, you can only use iCloud to store the parts that fall within iCloud. That are your Contacts, Calendar, Keychain, Photos, and iCloud Drive, for example.

*   Click on the Apple logo in the bottom left and click on System Preferences
*   Click on Apple ID
*   Click on iCloud on the left, and click on what you want to store in iCloud on the right
*   Also select iCloud Drive and click on Options. You can select all programs, files, and data you want to store in your iCloud here
*   iCloud Drive is now available in Finder. You can manually drag the files you want to keep there.

****Android****

You can back up content, data and settings from your phone to your Google Account and you can restore your backed up information to the original phone or to some other Android phone. To create a backup:

*   Open your phone's Settings app.
*   Tap Google and then Backup.
*   Tap Back up now.

Because there are lots of variations of Android, the procedure for your device might be slightly different. If these steps don't match your phone's settings, try searching your Settings app for "Backup" or get help from your device manufacturer.

****iPhone/iPad****

There are basically three methods you can use to create backups of the information on your iPhone or iPad, depending on your preferences and what you have available.

*   Copy your data to iCloud
*   Copy your data to a Mac
*   Use iTunes to copy your data to your PC

****Chromebook****

To create a backup of your Chromebook:

*   On your Chromebook, at the bottom right, select the time.
*   Select Settings, and then Advanced, then Developers.
*   Select Linux and then Back up and restore.
*   To manually back up your Linux apps and files, select Back up.
*   At the left, under "My files," choose where to save your files.
*   Write your file name and select Save.
*   At the bottom right, a backup progress notification will appear.

**Scrubbing**

One thing to remember for all kinds of devices is to disable any Find My Device options, and remove them from any lists of services that associates the device with your account.

Then, uninstall any banking apps manually before wiping the device, because you may be prompted to perform some important steps during the removal process. This depends on your bank and the type of app.

****Windows:****

If the drive is still in a working Windows machine, your safest bet is to install and use wiper software, because deleting files only removes the pointer to a file, so it could be possible to use recovery software to make them accessible again. The same is true for formatting, since that does not actually wipe data either. If you are not afraid someone will scrutinize your hard drive with recovery software, Windows 8.1 and later do have a built-in utility you can use:

1.  Select **Settings**
2.  Select **Update & Security**, then **Recovery** > **Reset this PC** > **Get Started**.
3.  Choose **Remove everything**, then **Remove files and clean the drive**
4.  Then click **Next > Reset > Continue**

****Mac:****

Apple has a support page that tells you what to do before you sell, give away, or trade in your Mac. But if the machine has File Vault turned on, you can save a few steps. Since all the data is encrypted anyway, a simple erase will work. What we typically do is just:

*   Reboot in recovery mode
*   Open Disk Utility
*   Erase the hard drive
*   Quit Disk Utility
*   Reinstall macOS

On the most recent Macs, there's even an Erase All Content and Settings option that should make it all easier.

But if that option is not there and you do not have File Vault enabled that could turn out to be a problem. If the machine is equipped with a spinning hard drive rather than an SSD, then using Disk Utility's secure erase option will work. There are several levels of secure erase, with the most secure overwriting all data with random 1s and 0s multiple times.

Unfortunately, if it came with an SSD, the wear leveling technology will prevent secure erase from working properly. Since wear leveling will try to spread writes out evenly, there's no way to guarantee that you've overwritten specific bytes in the SSD. You'd be able to overwrite some bytes, at random, but not all, so any unencrypted data could remain intact and recoverable.

****Android:****

To remove all data from your Android device, you can reset your device to factory settings. Factory resets are also called formatting or hard resets.  On most phones, you can reset your phone through the settings app. If you can't find the option in your phone's settings app, you can try factory resetting your phone using its power and volume buttons. We recommend checking your manufacturer's support site for device-specific instructions.

****iPhone/iPad:****

Apple has a support page that tells you what to do before you sell, give away, or trade in your iPhone or iPad. Make sure to unpair any other devices like your AppleWatch and sign out of iTunes, iCoud, and the App Store. Then go to Settings and tap General > Transfer or Reset \[device\] > Erase All Content and Settings and follow the instructions from there.

****Chromebook:****

A factory reset for a Chromebook is called a Powerwash. A powerwash will erase everything on your device, apps and files included.

*   Click the time in the bottom-right corner of your screen to open the quick settings menu.
*   Click the gear icon near the top-right corner of this menu to open your device's full settings menu.
*   In the left sidebar, click Advanced to reveal more options, and then click Reset settings.
*   You'll see a Powerwash option. Click Reset, and then Restart in the pop-up that appears.
*   Your Chromebook will restart automatically. Once it turns back on, your lock screen will be replaced by a screen labeled Reset this Chromebook.
*   Click Powerwash in the bottom-right corner, and then click Continue.

Once it's done, you'll be prompted to set it up again, just like you did when you first got it.

**Recycle**

Once you have created a backup and removed all the data from your device, it is now safe to hand it down, sell it on, or have it recycled.

There are plenty of nonprofit organizations and local communities that offer options to help you recycle old electronics.

If you don’t feel like giving them away for free, Amazon offers gift cards for just about any kind of electronics device. Apple's GiveBack program offers gift cards or in-store credit for qualifying products. And many other companies will give you store credit for your old devices, no matter where you bought them.

New device? Here's how to safely dispose of your old one

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

Summary

Certain types of sensitive variables may be displayed as plain text in variable preview (CVE-2022-3460)

Advisory Number

2022-25

Discovery Date

10 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

21 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-3460

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2018.x versions after 2018.3
*   All 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8552
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8221

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8552
*   2022.3.10750
*   2022.4.8221

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

2018.3 and greater

2022.2.8552 or greater

2019.x, 2020.x, 2021.x and 2022.1.x

2022.2.8552 or greater

2022.2.x

2022.2.8552 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8221 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3460, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3460: Security Advisory 2022-25

Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High)

**Chrome Releases**

Release updates from the Chrome team

CVE-2022-0337: Stable Channel Update for Desktop

A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic. This vulnerability affects the function runs_post of the file application/controllers/Restapi.php. The manipulation of the argument sourcefilename leads to an unknown weakness. Upgrading to version 1.6.5 is able to address this issue. The name of the patch is 694da5013dbecc8d30dd83e2a83e78faadf93771. It is recommended to upgrade the affected component. VDB-217174 is the identifier assigned to this vulnerability.

@@ -149,10 +149,12 @@ public function runs\_post() {

$this\->error('runs\_post: missing or invalid run\_spec parameter', 400);

}

if (!is\_array($run) || !isset($run\['sourcecode'\]) ||

!isset($run\['language\_id'\])

) {

!isset($run\['language\_id'\]) ) {

$this\->error('runs\_post: invalid run specification', 400);

}

if (isset($run\->sourcefilename) && !self::is\_valid\_source\_filename($run\->sourcefilename)) {

$this\->error('runs\_post: invalid sourcefilename');

}

  

// REST\_Controller has called to\_array on the JSON decoded

// object, so we must first turn it back into an object.

@@ -273,6 +275,24 @@ public function languages\_get()

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

// Support functions

// \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

  

// Return true unless the given filename looks dangerous, e.g. has '/' or '..'

// substrings. Uses code from https://stackoverflow.com/questions/2021624/string-sanitizer-for-filename

private function is\_valid\_source\_filename($filename) {

$sanitised = preg\_replace(

'~

\[<>:"/\\\\|?\*\]| # file system reserved https://en.wikipedia.org/wiki/Filename#Reserved\_characters\_and\_words

\[\\x00-\\x1F\]| # control characters http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx

\[\\x7F\\xA0\\xAD\]| # non-printing characters DEL, NO-BREAK SPACE, SOFT HYPHEN

\[#\\\[\\\]@!$&\\'()+,;=\]| # URI reserved https://tools.ietf.org/html/rfc3986#section-2.2

\[{}^\\~\`\] # URL unsafe characters https://www.ietf.org/rfc/rfc1738.txt

~x',

'-', $filename);

// Avoid ".", ".." or ".hiddenFiles"

$sanitised = ltrim($sanitised, '.-');

return $sanitised === $filename;

}

  

private function is\_valid\_filespec($file) {

return (count($file) == 2 || count($file) == 3) &&

is\_string($file\[0\]) &&

CVE-2021-4297: Prevent privilege escalation attacks via sourcefilename [issue #46](h… · trampgeek/jobe@694da50

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE-2022-42267: Security Bulletin: NVIDIA GPU Display Driver - November 2022

There are a few reasons that the topic of API security has been popping up more and more as 2022 comes to a close.

Back in July 2021, Gartner predicted that by 2022, application programming interface (API) attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

Was the analyst firm right? It's too early to know for sure since OWASP is still tallying the results.

API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.

When we talk about API security, we're referring to the measures and practices that we use to secure APIs and the data they transmit. We might be worried about unauthorized access, adverse reaction to a DDoS (more than one API has fallen over and left the underlying system wide open and completely insecure), or other malicious attacks.

There's an art to securing APIs; a light touch and a delicate combination of technical and organizational skills are required to do it right.

On the technical side we’re looking at measures such as authentication and authorization, encryption, automated testing, and monitoring. On the organizational side, you need to know exactly who in the org chart the API was designed to serve, and tailor access accordingly. For external APIs, you need to know how much data should be available to the outside world, and how that data needs to be curated and presented.

**How Are APIs Protected?**

There's a sane order of operations when you're trying to secure your company's APIs.

First, find and catalog every API. The number of companies that actually do this and keep their API inventory up to date is small indeed. Developer convenience, rapid website development, and the increasing push towards federated services all contribute to mystery APIs popping up out of the blue without any kind of compulsory registration structure in place.

To avoid this kind of API creep, every single one of them should be registered centrally with the following information:

*   Name
*   Tools and packages used to build the API
*   Servers that it runs on
*   Services that rely on that API
*   Documentation of all valid uses and error codes
*   Typical performance metrics
*   Expected uptime or downtime windows

All of this information goes into a repository run by the cybersecurity team.

Second, set up security and performance automation for every API. This is why you asked for all of that information, and this is how you keep everything secure. Using the data provided by the developers (and DevOps team, the Web team, etc.), the cybersecurity and/or testing team can put together automation that tests the API regularly.

Functional tests are important because they make sure that everything is working as expected. Non-functional tests are important because they probe the reliability and security of the API. Remember that APIs must fail securely. It isn't enough to know that one has fallen over — you need to know the consequences of that failure.

Finally, add the API to the normal threat prevention suite. If any of the tools or packages used to build the API are found to be buggy, you need to know. If any of the protocols that it uses are deemed insecure when you do detect trouble, you need to have the team shut the APIs down until they can be examined and rebuilt.

Doing these things once is great; creating a programming and security culture that allows you to maintain fully cataloged and documented APIs is the long-term goal.

**Specific API Behaviors to Note**

When pen testing and securing an API, some techniques are more useful than others.

1.  **Start with behavioral analysis.** This tests whether or not the reality matches the documentation in terms of the level of access granted, the protocols and ports used, the results of successful and unsuccessful queries, and what happens to the system as a whole when the API itself stops functioning.
2.  **Next is service levels.** This involves the priority of the process itself on the server, rate limiting for transactional APIs, minimum and maximum request latency settings, and availability windows. Some of these details are important for DDoS prevention (or blunting). Others are useful to monitor whether there are any slow memory leaks or garbage collection issues that might be a long-term threat to the integrity of the server itself.
3.  **Authentication and sanitation issues** speak directly to the level of trust you have for the API's users. As you would with any service, queries need to be sanitized before they're accepted. This prevents code injection, buffer overflows, and the like.

There needs to be some level of authentication with APIs that are designed for a specific user base. However, this can get complex. Federation is one issue that you need to deal with, determining which central identification and authentication servers you'll accept. You might want to have two-factor authentication for particularly sensitive or powerful APIs. And of course authentication itself isn't necessarily a password these days; biometrics is a valid way to wall off an API. To make a long story short: Apply the standards that you find reasonable, and test the limitations that you've set on a regular basis.

Finally, encryption and digital signatures need to be part of the conversation. If it's on the Web, then we're talking about TLS at minimum (repeat the mantra: We don't REST without TLS!). Other interfaces also need encryption, so pick your protocols wisely. Remember that the static information, be it a database or a pool of files somewhere, also needs to be encrypted. No flat text files anywhere, no matter how "innocent"; salt and hash should be the standard. And checksums are a must when providing or receiving files that are known entities (size, contents, etc.).

Finally, key management can be difficult to get right. Don't expect every DevOps person to have perfect digital key implementation when a decent portion of the cybersecurity folks are half-assing it themselves. When in doubt, go back to the OWASP Cheat Sheet! That's what it's there for.

**Responding to an API Attack**

The cardinal rule is: If your API is going to fail, pinch off access. Under no circumstance should services fail in an open or accessible state. Remember to rate-limit and keep error messages short and generic. Don't worry about honey pots or API jails — worry about survival.

Custom-crafted API attacks on an individual basis need to be treated like any other breach attempt. Whether you caught the attempt yourself or via AI/ML analysis, follow your SOP. Don't cut corners because it's "just" an API.

API security separates the mediocre CISO who focuses solely on infrastructure from the masterful CISO who addresses actual business threats and ensures survivability. Create a system for API security, create reusable interface testing automation, and keep your API inventory up to date.

API Security Is the New Black

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to end of November 2022, according to Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.

"Many were published in the previous two decades," noted Grey Noise's vice president of data science, Bob Rudis, in the report.

Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

"The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.

Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.

In fact, CSW found a bit of a delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in Apple WebKitGTK (CVE-2019-8720) received a CVE from Red Hat in October 2019 was added to the KEV catalog in March because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November (the cutoff date for CSW's report).

An organization relying on the NVD to prioritize patching would miss issues that are under active attack.

Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege execution flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap, as well, where 104 vulnerabilities were being used by both ransomware and APT groups.

For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, including most recently by the Thrip APT group (Lotus Blossom/BitterBug), in November 2022.

The spike in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors had been known to exploit in businesses, governments, and critical infrastructure organizations, Grey Noise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March were assigned a CVE before 2022.

CISA updates the KEV catalog only if the vulnerability is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. The defenders were just as likely to have just a single day between updates, and the longest break defenders had in 2022 between updates was 17 days.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

BDWeb-Link LMS version 1.11.5 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : BDWeb-Link Lms v1.11.5 SQL Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              | | # Vendor    : https://bdweblink.com                                                                                              |  | # Dork      : Developed by Developed by BD Web Link                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/single-page.php?id=71 <====| inject here[+] https://127.0.0.1/Dashboard <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Tag

#windows