dhcp-4.4.3-4.P1.fc38

FEDORA-2022-5c58ef733f

Packages in this update:

dhcp-4.4.3-4.P1.fc38

Update description:

Automatic update for dhcp-4.4.3-4.P1.fc38.

Changelog

* Wed Oct 5 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.3-4.P1
- New version 4.4.3-P1 (rhbz#2132240)
- Fix for CVE-2022-2928 (rhbz#2132429)
- Fix for CVE-2022-2929 (rhbz#2132430)

Secure web browsers for the enterprise compared: How to pick the right one

The web browser has long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle (MitM), and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.

It is this last item — humans — that is the problem, and we need to be protected against ourselves. This is especially true as SaaS applications grow in usage, not to mention that every piece of hardware seems to come with a web server (and therefore a browser) to configure it. These use cases are aided and abetted by the increasing number of work-from-home staffers who depend on more browser-based apps, thanks to the pandemic.

[SYSS-2022-046]: Verbatim Store ‘n’ Go Secure Portable SSD – Expected Behavior Violation (CWE-440) (CVE-2022-28386)

Posted by Matthias Deeg on Oct 08

Advisory ID: SYSS-2022-046
Product: Store ‘n’ Go Secure Portable SSD
Manufacturer: Verbatim
Affected Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Tested Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Vulnerability Type: Expected Behavior Violation (CWE-440)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2022-06-29
Solution Date:…

[SYSS-2022-045]: Verbatim Store ‘n’ Go Secure Portable SSD – Missing Immutable Root of Trust in Hardware (CWE-1326) (CVE-2022-28383)

Posted by Matthias Deeg on Oct 08

Advisory ID: SYSS-2022-045
Product: Store ‘n’ Go Secure Portable SSD
Manufacturer: Verbatim
Affected Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Tested Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification:…

[SYSS-2022-044]: Verbatim Store ‘n’ Go Secure Portable SSD – Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)

Posted by Matthias Deeg on Oct 08

Advisory ID: SYSS-2022-044
Product: Store ‘n’ Go Secure Portable SSD
Manufacturer: Verbatim
Affected Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Tested Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240)
Risk Level: Low
Solution Status:…

[SYSS-2022-043]: Verbatim Store ‘n’ Go Secure Portable SSD – Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28384)

Posted by Matthias Deeg on Oct 08

Advisory ID: SYSS-2022-043
Product: Store ‘n’ Go Secure Portable SSD
Manufacturer: Verbatim
Affected Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Tested Version(s): #53402 (GDMSLK02 C-INIC3637-V1.1)
Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240)
Risk Level: High
Solution Status:…

Maggie: New Backdoor Targeting Microsoft SQL Servers

FortiGuard Labs is aware of reports that a new backdoor called “Maggie” targets Microsoft SQL servers. Maggie connects to Command and Control (C2) servers for remote commands and supports a variety of commands such as downloading, executing, and deleting files, and propagates to other SQL servers through bruteforcing as well as unknown exploit commands. Based on external reports, most infected Microsoft SQL servers are in Asia.

Why is this Significant?

This is significant because Maggie is a new backdoor malware that has reportedly infected Microsoft SQL servers around the globe, with heavy concentration in Asia. The backdoor allows a remote attacker to control infected SQL servers. Maggie also supports commands to propagate to other SQL servers through bruteforcing.

What is Maggie malware?

Maggie is a backdoor malware that targets Microsoft SQL servers. The backdoor allows a remote attacker to control infected servers and supports commands such as downloading, executing and deleting files, turning on and off remote desktop services (TermService), as well as propagating to other SQL servers through bruteforcing. Reportedly, Maggie is also capable of accepting unidentified exploit-related commands.

The attacker disguised Maggie as “sqlmaggieAntiVirus_64.dll”, signed with a digital certificate belonging to a company in South Korea. The file is an Extended Stored Procedure (ESP) DLL that the malware abuses for backdoor activities.

At the time of this writing, an initial infection vector has not been identified.

What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for Maggie malware and relevant files:

- W64/JuicyPotato.AI!tr
- Riskware/Inject.HEUR!tr.pws

All network IOCs are blocked by the WebFiltering client.

CISA Advisory on Vulnerabilities Actively Exploited By Threat Actors Supported by China

On October 6, 2022, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint advisory that lists the vulnerabilities most exploited since 2020 by threat actors sponsored by China. The list includes 20 vulnerabilities across 13 vendors that were used against the U.S. and its allies.

Why is this Significant?

This is significant because the list contains vulnerabilities that are known to be exploited by Chinese threat actors. Patches and workarounds should be applied to the vulnerabilities as soon as possible.

What Vulnerabilities are on the List?

The list includes the following vulnerabilities:

- CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability via OGNL Injection
- CVE-2022-24112: APISIX Admin API default access token Remote Code Execution Vulnerability
- CVE-2022-1388: F5 BIG-IP iControl REST Authentication Bypass Vulnerability
- CVE-2021-44228: Apache Log4j Error Log Remote Code Execution Vulnerability
- CVE-2021-42237: Sitecore XP Insecure Deserialization Remote Code Execution Vulnerability
- CVE-2021-41773: Apache HTTP Server Path Traversal Vulnerability
- CVE-2021-40539: Zoho ManageEngine ADSelfService Plus RESTAPI Authentication Bypass Vulnerability
- CVE-2021-36260: Hikvision Product SDK WebLanguage Tag Command Injection Vulnerability
- CVE-2021-27065: Microsoft Exchange Server CVE-2021-27065 Remote Code Execution Vulnerability
- CVE-2021-26858: Microsoft Exchange Server CVE-2021-26858 Remote Code Execution Vulnerability
- CVE-2021-26857: Microsoft Exchange Server CVE-2021-26857 Remote Code Execution Vulnerability
- CVE-2021-26855: Microsoft Exchange Server ProxyRequestHandler Remote Code Execution Vulnerability
- CVE-2021-26084: Atlassian Confluence CVE-2021-26084 Remote Code Execution Vulnerability
- CVE-2021-22205: GitLab Community and Enterprise Edition Remote Command Execution Vulnerability
- CVE-2021-22005: VMware vCenter Analytics Service Arbitrary File Upload Vulnerability
- CVE-2021-20090: Buffalo WSR2533DHP Arbitrary Directory Traversal Vulnerability
- CVE-2021-1497: Cisco HyperFlex HX Auth Handling Remote Command Execution Vulnerability
- CVE-2020-5902: F5 BIG-IP Traffic Management User Interface Directory Traversal Vulnerability
- CVE-2019-19781: Citrix ADC and Gateway Directory Traversal Vulnerability
- CVE-2019-11510: Pulse Secure SSL VPN HTML5 Information Disclosure

What is the Status of Protection?

FortiGuard Labs has the following IPS protection in place for the vulnerabilities listed in the CISA advisory:

- Atlassian.Confluence.OGNL.Remote.Code.Execution (CVE-2022-26134)
- APISIX.Admin.API.default.token.Remote.Code.Execution (CVE-2022-24112)
- F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)
- Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)
- Sitecore.XP.Insecure.Deserialization.Remote.Code.Execution (CVE-2021-42237)
- Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-41773)
- Zoho.ManageEngine.ADSelfService.Plus.Authentication.Bypass (CVE-2021-40539)
- Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
- MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution (CVE-2021-27065)
- MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution (CVE-2021-26858)
- MS.Exchange.Server.UM.Core.Remote.Code.Execution (CVE-2021-26857)
- MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)
- Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (CVE-2021-26084)
- GitLab.Community.and.Enterprise.Edition.Command.Injection (CVE-2021-22205)
- VMware.vCenter.Server.Analytics.Arbitrary.File.Upload (CVE-2021-22005)
- Arcadyan.Routers.images.Path.Authentication.Bypass (CVE-2021-20090)
- Cisco.HyperFlex.HX.Auth.Handling.Command.Injection (CVE-2021-1497)
- F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal (CVE-2020-5902)
- Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)
- Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure (CVE-2019-11510)

LilithBot Sold as Malware-as-a-Service (MaaS)

FortiGuard Labs is aware of a report that the LilithBot malware is being sold as Malware-as-a-Service (MaaS) by a group called “Eternity”. LilithBot is a multi-functional malware that can act as an infostealer, cryptominer and clipper. The Eternity group is said to sell other malware types such as ransomware.

Why is this Significant?

This is significant as LilithBot is multi-functional and is sold as Malware-as-a-Service. This means that LilithBot gives various buyers the instant ability to control infected machines for malicious purposes.

What is LilithBot?

LilithBot is a malware variant that is being sold by the Eternity group and has the following built-in functionalities:

- Infostealer that collects pictures and information from browsers. It also uploads collected information to its C2 servers.
- Cryptominer that mines Monero (XMR) cryptocurrency.
- Clipper that monitors a user’s clipboard and replaces the user’s crypto addresses with the attacker’s addresses.

What is the Eternity Group?

According to reports, Eternity is a cybercriminal group that sells various malware including LilithBot and ransomware as a combined Malware-as-a-Service on Tor. Bitcoin and various altcoins such as Monero and Ethereum are reportedly accepted as payment for usage.

What is the Status of Protection?

FortiGuard Labs provides the following AV coverage for LilithBot malware:

- MSIL/Agent.AES!tr.spy
- W64/GenKryptik.FQTL!tr
- W32/PossibleThreat

All reported network IOCs are blocked by the WebFiltering client.
