USN-6097-1: Linux PTP vulnerability

It was discovered that Linux PTP did not properly perform a length check
when forwarding a PTP message between ports. A remote attacker could
possibly use this issue to access sensitive information, execute
arbitrary code, or cause a denial of service.

CVE-2021-4336

A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to SQL injection. Upgrading to version 2021.11.30 addresses this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084.

CVE-2015-10106

A vulnerability classified as critical was found in the mback2k mh_httpbl Extension up to 1.1.7 on TYPO3. This vulnerability affects the function moduleContent of the file mod1/index.php. The manipulation leads to SQL injection. The attack can be initiated remotely. Upgrading to version 1.1.8 addresses this issue. The name of the patch is 429f50f4e4795b20dae06735b41fb94f010722bf. It is recommended to upgrade the affected component. VDB-230086 is the identifier assigned to this vulnerability.

CVE-2014-125101

A vulnerability classified as critical has been found in the Portfolio Gallery Plugin up to 1.1.8 on WordPress. This affects an unknown part of the plugin. The manipulation leads to SQL injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.9 addresses this issue. The name of the patch is 58ed88243e17df766036f4857041edaf358076d3. It is recommended to upgrade the affected component. The identifier VDB-230085 was assigned to this vulnerability.

Alleged Russian CosmicEnergy Malware Potentially Affects Power Grids in Europe and Asia

FortiGuard Labs is aware of a report that a new malware, “CosmicEnergy”, designed to disrupt electric power systems was discovered. CosmicEnergy was specifically crafted to target IEC-104-compliant Remote Terminal Units (RTUs) used to control power transmission and distribution in Europe and Asia.

Why is this Significant?

This is significant because the new malware “CosmicEnergy” is capable of interacting with the devices responsible for managing power grids, leading to potential power outages. Reportedly, potentially affected devices are primarily located in Europe, the Middle East and Asia.

What is CosmicEnergy?

CosmicEnergy is a new malware designed to disrupt devices used for managing power grids. Reportedly, the malware may have been developed as a red team tool by a Russian cyber security company for power disruption drills.

CosmicEnergy consists of two components: PIEHOP, designed to access an MSSQL server within the victim’s network and upload files to the server, and LIGHTWORK, which is capable of sending commands via the IEC-104 protocol to the connected Remote Terminal Units (RTUs).

Note that to successfully carry out an attack using CosmicEnergy, attackers are required to have various credentials beforehand, such as logins and IP addresses of the target MSSQL server, which considerably raises the attack hurdle.

How Widespread is CosmicEnergy?

FortiGuard Labs is not aware of any reports of CosmicEnergy being used in the wild.

What is the Status of Coverage?

FortiGuard Labs has the following AV signatures in place for the PIEHOP installer and LIGHTWORK samples called out in the report:

W32/Agent.HOP!tr
W32/Agent.ORK!tr

Blacktail Threat Actor Exploits PaperCut Vulnerability (CVE-2023-27350) to Distribute Buhti Ransomware

FortiGuard Labs is aware of a report that the Blacktail threat actor exploited the recently patched PaperCut vulnerability (CVE-2023-27350) to distribute the Windows version of Buhti ransomware. The IBM Aspera Faspex code execution vulnerability (CVE-2022-47986) is also reportedly being exploited by the same threat actor.

Why is this Significant?

This is significant because the Blacktail threat actor reportedly exploited the recently patched PaperCut vulnerability to deploy the Windows version of Buhti ransomware. As such, the patch should be applied as soon as possible.

What is Buhti Ransomware?

Buhti is a ransomware variant that was first spotted in February 2023 and is designed to encrypt files on compromised machines. Blacktail, the threat actor behind the Buhti ransomware, is believed to use a unique data exfiltration tool to steal various files prior to ransomware deployment. The group demands ransom from victims for file decryption and to stop the stolen files from being made available to the public.

Blacktail reportedly exploited the PaperCut MF/NG Improper Access Control vulnerability (CVE-2023-27350) to distribute the Windows version of Buhti ransomware, which is believed to be based on leaked Lockbit 3.0 ransomware code. Another Buhti variant supports Linux platforms and is based on the leaked Babuk ransomware code.

Another report indicates that the Blacktail group also exploited the IBM Aspera Faspex code execution vulnerability (CVE-2022-47986).

What is the PaperCut Vulnerability (CVE-2023-27350)?

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG due to improper access control in the vulnerable application. An unauthenticated, remote attacker may be able to exploit this via a crafted request. Successful exploitation could lead to arbitrary code execution within the security context of the affected system.

CISA added CVE-2023-27350 to the Known Exploited Vulnerabilities catalog on April 21st, 2023.

FortiGuard Labs published an Outbreak Alert for the PaperCut vulnerability. Please see the Appendix for a link to “Outbreak Alert: PaperCut MF/NG Improper Access Control Vulnerability”.

What is the IBM Aspera Faspex code execution vulnerability (CVE-2022-47986)?

CVE-2022-47986 is a code execution vulnerability in IBM Aspera Faspex stemming from improper handling of user requests. A remote attacker could exploit this vulnerability by sending a crafted message to the target system. Successfully exploiting this vulnerability could result in remote code execution.

CISA added CVE-2022-47986 to the Known Exploited Vulnerabilities catalog on February 21st, 2023.

FortiGuard Labs published an Outbreak Alert for the IBM Aspera Faspex code execution vulnerability. Please see the Appendix for a link to “Outbreak Alert: IBM Aspera Faspex Code Execution Vulnerability”.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the known Buhti ransomware samples:

Linux/Filecoder.BQ!tr
W32/Lockbit.K!tr.ransom

FortiGuard Labs has the following IPS signatures in place for CVE-2023-27350 and CVE-2022-47986 respectively:

PaperCut.NG.SetupCompleted.Authentication.Bypass
IBM.Aspera.Faspex.CVE-2022-47986.Remote.Code.Execution