firefox-stable-3720221121104457.1 flatpak-runtime-f37-3720221117153339.2 flatpak-sdk-f37-3720221117153339.2

FEDORA-FLATPAK-2022-a17d39e626

Packages in this update:

firefox-stable-3720221121104457.1
flatpak-runtime-f37-3720221117153339.2
flatpak-sdk-f37-3720221117153339.2

Update description:

Firefox 107.0 release, together with required flatpak runtime update. For details, see https://www.mozilla.org/en-US/firefox/107.0/releasenotes/

USN-5733-1: FLAC vulnerabilities

It was discovered that FLAC was not properly performing memory management
operations, which could result in a memory leak. An attacker could possibly
use this issue to cause FLAC to consume resources, leading to a denial of
service. (CVE-2017-6888)

It was discovered that FLAC was not properly performing bounds checking
operations when encoding or decoding data. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to expose sensitive information or to cause FLAC
to crash, leading to a denial of service. (CVE-2020-0499, CVE-2021-0561)

heimdal-7.7.1-3.fc36

FEDORA-2022-dba9ba8e2b

Packages in this update:

heimdal-7.7.1-3.fc36

Update description:

Fixes:

Delay service starts until after network is online (rhbz#2005501)
Restart services on package update (will apply when updating from this release)

This release fixes the following Security Vulnerabilities:

CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of array
CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
CVE-2021-3671 A null pointer de-reference when handling missing sname in TGS-REQ
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.

heimdal-7.7.1-3.fc35

FEDORA-2022-cbbd105d08

Packages in this update:

heimdal-7.7.1-3.fc35

Update description:

Fixes:

Delay service starts until after network is online (rhbz#2005501)
Restart services on package update (will apply when updating from this release)

This release fixes the following Security Vulnerabilities:

CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of array
CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
CVE-2021-3671 A null pointer de-reference when handling missing sname in TGS-REQ
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.

heimdal-7.7.1-3.fc37

FEDORA-2022-2c77cee4b5

Packages in this update:

heimdal-7.7.1-3.fc37

Update description:

Fixes:

Delay service starts until after network is online (rhbz#2005501)
Restart services on package update (will apply when updating from this release)

This release fixes the following Security Vulnerabilities:

CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of array
CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
CVE-2021-3671 A null pointer de-reference when handling missing sname in TGS-REQ
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.

USN-5686-3: Git vulnerabilities

USN-5686-1 fixed vulnerabilities in Git. This update provides the corresponding
updates for Ubuntu 22.10.

Original advisory details:

Cory Snider discovered that Git incorrectly handled certain symbolic links.
An attacker could possibly use this issue to cause unexpected behaviour.
(CVE-2022-39253)

Kevin Backhouse discovered that Git incorrectly handled certain command strings.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2022-39260)

Breaking the Zeppelin Ransomware Encryption Scheme

Brian Krebs writes about how the Zeppelin ransomware encryption scheme was broken:

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.

“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”

Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.

A company offered recovery services based on this break, but was reluctant to advertise because it didn’t want Zeppelin’s creators to fix their encryption flaw.

Technical details.

CVE-2022-0421

The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping, attackers could perform Cross-Site Scripting attacks against a logged-in admin viewing the failed payments.

CVE-2021-24649

The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constants (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin.

Stories from the SOC – Phishing for credentials

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Humans are considered the weakest link in cybersecurity. No matter how much a company invests in firewalls, antivirus, and other security software to detect, deter, and prevent attacks, humans will always be the main vectors for compromise. If no adequate user-security training is provided within the organization, they will always be at risk. Phishing is one of the oldest cyber-attacks, yet one of the most used by attackers due to its effectiveness and low cost.

The Managed Extended Detection and Response (MXDR) team received an alarm indicating a user had successfully logged in from a country outside of the United States (US). Upon further review, this was the first time the user had logged in from outside of the US. The analyst team created an investigation in which the customer responded and took the necessary steps to recover the account from the attacker.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered as a result of the account being accessed from outside of the United States. Due to the recent shift to remote working, it is common to see users accessing their accounts from different countries, which could be caused by Virtual Private Network (VPN) use or by travel activity.

Expanded investigation

Events search

When investigating potentially malicious behavior, it is important to understand what the baseline of a user’s activity looks like. While looking at the historic data for their activity, logs showed this was the first instance the account had been accessed from outside of the United States.

The logs did not show any failed login attempts from another country, which is usually seen whenever an attacker attempts to compromise an account.
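The baseline check described above, as an added example (not part of the original post and not the MXDR team's tooling): it flags a successful login from a country with no prior successful login for that user, and records whether failed attempts from that country preceded it. The log format, field names, and sample events are constructed for illustration, and events are assumed to arrive in chronological order.

```python
from collections import defaultdict

# Constructed sample authentication events (not from the original investigation).
SAMPLE_LOG = """\
2022-11-01T09:12:00Z user=alice country=US result=success
2022-11-02T09:05:00Z user=alice country=US result=success
2022-11-02T10:00:00Z user=bob country=US result=success
2022-11-03T02:10:00Z user=bob country=BR result=failure
2022-11-03T02:11:00Z user=bob country=BR result=failure
2022-11-03T02:12:00Z user=bob country=BR result=success
2022-11-03T03:40:00Z user=alice country=NL result=success
2022-11-03T08:00:00Z user=alice country=NL result=success
"""

def parse_event(line):
    """Split 'TIMESTAMP key=value ...' into a dict (hypothetical log format)."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event

def first_seen_country_alerts(log_text):
    """Return one alert per successful login from a country new to that user."""
    seen = defaultdict(set)      # user -> countries with a prior successful login
    failures = defaultdict(int)  # (user, country) -> failed logins seen so far
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, country = ev["user"], ev["country"]
        if ev["result"] != "success":
            failures[(user, country)] += 1
            continue
        # The user's first successful login only seeds the baseline.
        if seen[user] and country not in seen[user]:
            prior = failures[(user, country)]
            alerts.append({
                "ts": ev["ts"], "user": user, "country": country,
                "baseline": sorted(seen[user]),
                "prior_failures": prior,
                # No failures before the success, as in the case described above.
                "no_prior_failures": prior == 0,
            })
        seen[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in first_seen_country_alerts(SAMPLE_LOG):
        print(alert)
```
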

Response

Building the investigation

After gathering enough information, an investigation was created for the customer to confirm if this should be expected from this user.

Customer interaction

Within minutes of the investigation being created, the customer confirmed the user had clicked a phishing email and input their credentials, which the attacker then used to successfully log in to their account.

The phishing email contained a URL to the following site:

Once clicked, this site would send the user to a page that impersonated an email account login and was used to harvest credentials.

Limitations and opportunities

Limitations

For this investigation, the MXDR team did not have full visibility into the Microsoft Office 365 Exchange environment, hindering visibility into the initial attack. We were unable to see the phishing email being sent to this account. The only events being observed by the SOC were the successful logins from outside of the United States.
