Weather Effect – Christmas Santa Snow Falling Security Vulnerabilities

github

Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary number of messages sent by the client or server at...

CVSS: 5.9
AI Score: 5.7
EPSS: 0.963

2023-12-18 07:22 PM
57
osv

AsyncSSH vulnerable to Prefix Truncation Attack (a.k.a. Terrapin Attack) against ChaCha20-Poly1305 and Encrypt-then-MAC

Summary AsyncSSH v2.14.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and...

AI Score: 7.4

2023-12-18 07:21 PM
5
github

AsyncSSH vulnerable to Prefix Truncation Attack (a.k.a. Terrapin Attack) against ChaCha20-Poly1305 and Encrypt-then-MAC

Summary AsyncSSH v2.14.1 and earlier is vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and...

AI Score: 7.4

2023-12-18 07:21 PM
3
redhatcve

CVE-2023-48795

A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure...

CVSS: 5.9
AI Score: 6.2
EPSS: 0.963

2023-12-18 06:31 PM
485
thn

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume...

AI Score: 7.2

2023-12-18 09:29 AM
12
malwarebytes

Chrome starts the countdown to the end of tracking cookies

Google has announced that it will start rolling its Chrome web browser's new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies...

AI Score: 7.1

2023-12-15 06:14 PM
5
thn

Crypto Hardware Wallet Ledger's Supply Chain Breach Results in $600,000 Theft

Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets. The compromise was the result of a former employee falling victim to a...

AI Score: 8

2023-12-15 01:01 PM
5
malwarebytes

ALPHV ransomware gang returns, sorta

The ALPHV ransomware gang, arguably the second most dangerous "big game" ransomware operator, appears to be back in business after its infrastructure went down for five days. But all does not appear to be going well for the group. ALPHV's dark web leak site may be back but it is only showing a single...

AI Score: 7.4

2023-12-14 07:49 PM
7
impervablog

Imperva Detects Undocumented 8220 Gang Activities

Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and Linux web servers with cryptojacking malware. In...

CVSS: 10
AI Score: 10
EPSS: 0.976

2023-12-14 01:48 PM
19
ics

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |...

CVSS: 9.8
AI Score: 9.5
EPSS: 0.732

2023-12-14 12:00 PM
79
hackerone

HackerOne: How the Arch Angel stole Live Events

Summary: I figured I'm well overdue for this. Looking forward to the 2024 LHE season! I <3 you Hackerone, & Community Team! Description: ``` Every hacker on Hackerone liked Live Hacking a lot… But ArchAngel who’d been to fifteen did NOT! The Angel hated hacking! The whole live event season! Now,...

AI Score: 7.2

2023-12-14 06:14 AM
11
malwarebytes

Ransomware review: December 2023

This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...

CVSS: 7.5
AI Score: 8.6
EPSS: 0.971

2023-12-13 07:22 PM
21
metasploit

OpenNMS Horizon Authenticated RCE

This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions...

CVSS: 8.2
AI Score: 8.3
EPSS: 0.0004

2023-12-13 04:03 PM
22
cve

CVE-2023-6660

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever...

CVSS: 6.5
AI Score: 6.4
EPSS: 0.0005

2023-12-13 09:15 AM
12
nvd

CVE-2023-6660

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever...

CVSS: 6.5
EPSS: 0.0005

2023-12-13 09:15 AM
prion

Design/Logic Flaw

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever...

CVSS: 6.5
AI Score: 6.8
EPSS: 0.0005

2023-12-13 09:15 AM
2
cvelist

CVE-2023-6660 NFS client data corruption and kernel memory disclosure

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever...

AI Score: 6.6
EPSS: 0.0005

2023-12-13 08:23 AM
oraclelinux

Unbreakable Enterprise kernel security update

[5.15.0-201.135.6] - Revert ncsi: Propagate carrier gain/loss events to the NCSI controller (Johnathan Mantey) - netfilter: nf_tables: split async and sync catchall in two functions (Pablo Neira Ayuso) - netfilter: nf_tables: remove catchall element in GC sync path (Pablo Neira Ayuso) - scsi:...

CVSS: 8.8
AI Score: 8.8
EPSS: 0.024

2023-12-13 12:00 AM
16
nessus

FreeBSD : FreeBSD -- NFS client data corruption and kernel memory disclosure (8eefff69-997f-11ee-8e38-002590c1f29c)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 8eefff69-997f-11ee-8e38-002590c1f29c advisory. In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the performance of...

CVSS: 6.5
AI Score: 6.5
EPSS: 0.0005

2023-12-13 12:00 AM
7
thn

Non-Human Access is the Path of Least Resistance: A 2023 Recap

2023 has seen its fair share of cyber attacks; however, there's one attack vector that proves to be more prominent than others - non-human access. With 11 high-profile attacks in 13 months and an ever-growing ungoverned attack surface, non-human identities are the new perimeter, and 2023 is only...

AI Score: 7.1

2023-12-12 11:25 AM
13
pentestpartners

Intercepting MFA. Phishing and Adversary in The Middle attacks

3 of my last 5 business email compromise investigations have involved an Adversary in The Middle (AiTM) attack. Even the more security-aware people with bolstered Microsoft 365 (M365) configurations are coming up blank as to how their comprehensive MFA policies have been bypassed. It’s a technique...

AI Score: 7.7

2023-12-12 06:01 AM
16
freebsd

FreeBSD -- NFS client data corruption and kernel memory disclosure

Problem Description: In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the performance of IO_APPEND writes, that is, writes which add data to the end of a file and so extend its size. This uncovered an old bug in some routines which copy userspace data into the...

CVSS: 6.5
AI Score: 6.8
EPSS: 0.0005

2023-12-12 12:00 AM
9
code423n4

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...

AI Score: 6.9

2023-12-12 12:00 AM
code423n4

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...

AI Score: 6.9

2023-12-12 12:00 AM
1
freebsd_advisory

FreeBSD-SA-23:18.nfsclient

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-23:18.nfsclient Security Advisory The FreeBSD Project Topic: NFS client data corruption and kernel memory disclosure Category: core Module: nfsclient Announced:...

CVSS: 6.5
AI Score: 7.4
EPSS: 0.0005

2023-12-12 12:00 AM
4
code423n4

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...

AI Score: 6.9

2023-12-12 12:00 AM
1
talosblog

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we're calling "Operation Blacksmith," employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command...

CVSS: 10
AI Score: 10
EPSS: 0.976

2023-12-11 01:50 PM
19
securelist

Story of the year: the impact of AI on cybersecurity

In the whirlwind of technological advancements and societal transformations, the term "AI" has undoubtedly etched itself into the forefront of global discourse. Over the past twelve months, this abbreviation has resonated across innumerable headlines, business surveys and tech reports, firmly...

AI Score: 7.7

2023-12-11 10:00 AM
13
wpexploit

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS...

CVSS: 6.1
AI Score: 9
EPSS: 0.0005

2023-12-11 12:00 AM
137
wpvulndb

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. PoC 1) Create a popup using the plugin 2) Run the following curl command, switching $POPUPID with that popup's ID: ``` curl --url...

CVSS: 6.1
AI Score: 8.7
EPSS: 0.0005

2023-12-11 12:00 AM
32
code423n4

Multiple re-entrancy issues allowing stealing of funds and bypassing protocol mint limits

Lines of code https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196-L254 Vulnerability details Impact Multiple re-entrancy issues exist in the codebase, that break core functionality and allow stealing of user funds. In...

AI Score: 7

2023-12-08 12:00 AM
2
code423n4

Unwrap Fee Rounding Down: Revenue Loss, User Unfairness, and Reduced Confidence

Lines of code Vulnerability details Impact The issue with the unwrap fee rounding down can have several detrimental impacts on the Ocean protocol: Revenue Loss: Due to rounding down, the contract loses out on potential unwrap fees, particularly for smaller unwrap amounts. This can significantly...

AI Score: 7.2

2023-12-08 12:00 AM
5
schneier

Security Analysis of a Thirteenth-Century Venetian Election Protocol

Interesting analysis: This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is...

AI Score: 7.4

2023-12-06 06:18 PM
5
github

Cueing up a calculator: an introduction to exploit development on Linux

In this follow-up to my previous blog post, I'll explain how to exploit CVE-2023-43641 (a memory corruption vulnerability in libcue) to create a reliable 1-click RCE on Ubuntu 23.04 and Fedora 38. I have also published the source code of the proof of concept. To quickly recap the previous blog...

CVSS: 8.8
AI Score: 8.1
EPSS: 0.014

2023-12-06 05:30 PM
9
krebs

ICANN Launches Service to Help With WHOIS Lookups

More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and...

AI Score: 7.1

2023-12-06 03:51 PM
9
talosblog

Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare

As Russia's invasion of Ukraine entered its first winter in late 2022, nearly half of Ukraine's energy infrastructure had been destroyed, leaving millions without power. The resulting energy deficit has exacerbated something that hasn't had much media attention: The effects of electronic GPS...

AI Score: 6.9

2023-12-04 01:01 PM
14
malwarebytes

Social media giants to testify over failing to protect kids

US senators have urgently invited the CEOs of five of the major social media giants to testify about their failure to protect children online. The Senate Judiciary Committee said it will hear from Meta CEO Mark Zuckerberg, X (formerly Twitter) CEO Linda Yaccarino, TikTok CEO Shou Zi Chew, Snap CEO...

AI Score: 7.2

2023-12-04 10:37 AM
9
hackerone

Ruby: DoS in bigdecimal's sqrt function due to miscalculation of loop iterations

Vulnerability Affected Product: bigdecimal extension in https://github.com/ruby/ruby Affected Versions: At least version 3.2.2, I didn't test any previous versions The current implementation of BigDecimal#sqrt in ext/bigdecimal/bigdecimal.c erroneously checks its parameter and allows users of the...

AI Score: 7

2023-12-04 03:30 AM
69
nessus

Amazon Linux 2 : glibc (ALAS-2023-2371)

The version of glibc installed on the remote host is prior to 2.26-57. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2371 advisory. The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the...

CVSS: 9.8
AI Score: 9.3
EPSS: 0.017

2023-12-04 12:00 AM
10
code423n4

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...

AI Score: 6.9

2023-12-04 12:00 AM
7
nessus

Amazon Linux 2 : jettison (ALAS-2023-2363)

The version of jettison installed on the remote host is prior to 1.3.3-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2363 advisory. Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser...

CVSS: 7.5
AI Score: 8.4
EPSS: 0.002

2023-12-04 12:00 AM
6
githubexploit

Exploit for Command Injection in Dlink Go-Rt-Ac750 Firmware

CVE-2023-48842 Source : D-Link Go-RT-AC750 revA_v101b03...

CVSS: 9.8
AI Score: 10
EPSS: 0.007

2023-12-02 11:21 PM
352
ibm

Security Bulletin: Vulnerabilities in Logstash affect IBM Operations Analytics - Log Analysis (CVE-2022-29181, CVE-2022-23476)

Summary There are multiple nokogiri vulnerabilities in Logstash that affect IBM Operations Analytics - Log Analysis. These have been addressed. Vulnerability Details ** CVEID: CVE-2022-29181 DESCRIPTION: **Nokogiri is vulnerable to a denial of service, caused by improper handling of unexpected...

CVSS: 8.2
AI Score: 7.6
EPSS: 0.003

2023-12-01 03:47 PM
8
malwarebytes

Explained: Domain fronting

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process. The technique became popular...

AI Score: 6.9

2023-12-01 02:04 PM
11
code423n4

Calls to get_virtual_price() are vulnerable to read-only reentrancy

Lines of code 117 Vulnerability details get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack, where the Curve contract could be put into a partially-modified...

AI Score: 6.9

2023-12-01 12:00 AM
5
veracode

Improper File Execution

firefox-esr, thunderbird vulnerable to Improper File Execution. The vulnerability is due to a file not being present when downloading .msix, .msixbundle, .appx, and .appxbundle files. It allows an attacker to execute a malicious file, which affects the Windows operating...

CVSS: 6.5
AI Score: 6.7
EPSS: 0.001

2023-11-30 04:29 PM
9
github

Securing our home labs: Home Assistant code review

Introduction In July, the GitHub Security Lab team conducted a collaborative review of one of our favorite software pieces. While it's not uncommon for our Security Lab researchers to work together on audits and research projects, we found that conducting team audits occasionally provides a...

CVSS: 9
AI Score: 8.1
EPSS: 0.001

2023-11-30 01:52 PM
11
pentestpartners

OPSEC failures when threat hunting

Over the last few years I’ve carried out a lot of phishing, and have some interesting observations on how organisations respond. However, the purpose of this blog is to highlight a worrying (and amusing) trend in response actions taken by the blue team and researchers when threat hunting a...

AI Score: 7

2023-11-30 06:02 AM
6
amazon

Medium: glibc

Issue Overview: 2023-12-14: CVE-2021-33574 was added to this advisory. The mq_notify function in the GNU C Library (aka glibc) has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to...

CVSS: 9.8
AI Score: 8.9
EPSS: 0.017

2023-11-29 10:20 PM
9
amazon

Medium: jettison

Issue Overview: Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of...

CVSS: 7.5
AI Score: 6.8
EPSS: 0.002

2023-11-29 10:20 PM
12
Total number of security vulnerabilities: 21742