FEDORA-2022-66b65beccb

Packages in this update:

python3.8-3.8.14-1.fc36

Update description:

Update to 3.8.14
Contains security fix for CVE-2020-10735

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Autoit.fhj
Vulnerability: Named Pipe Null DACL
Family: Autoit
Type: PE32
MD5: d871836f77076eeed87eb0078c1911c7
Vuln ID: MVID-2022-0638
Disclosure: 09/06/2022
Description: The malware creates two processes…

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/44aba241dd3f0d156c6ed82a0ab3a9e1.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan-Ransom.Win32.Hive.bv
Vulnerability: Arbitrary Code Execution
Description: Hive Ransomware will load and execute arbitrary .EXE PE files
if a third-party adversary or defender uses the vulnerable naming
convention of…

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/8c0e6ec6b8ac9eb1169e63df71f24456.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan-Spy.Win32.Pophot.bsl
Vulnerability: Insecure Permissions
Description: The malware writes a BATCH file “.bat” to c drive granting
change (C) permissions to the authenticated user group. Standard users can
rename the…

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/121bf601275e2aed0c3a6fe7910f9826.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Hupigon.aspg
Vulnerability: Insecure Service Path
Description: The malware creates a service with an unquoted path. Attackers
who can place an arbitrary executable named “Program.exe” under c: drive
can…

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/5bc5f72d19019a2fa3b75896e82ae1e5.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Winshell.5_0
Vulnerability: Weak Hardcoded Credentials
Description: The malware is UPX packed, listens on TCP port 5277 and
requires authentication for remote access. However, the password
“123456789” is weak…

Read More

Posted by malvuln on Sep 08

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Autoit.fhj
Vulnerability: Insecure Permissions
Description: The malware writes two hidden DLL files “vp8decoder.dll” and
“vp8encoder.dll” to its installation directory granting full (F)
permissions to…

Read More

Posted by Jens Regel | CRISEC on Sep 08

Title:
======
AVEVA InTouch Access Anywhere Secure Gateway – Path Traversal

Author:
=======
Jens Regel, CRISEC IT-Security

CVE:
====
CVE-2022-23854

Advisory:
=========
https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal/

Timeline:
=========
25.06.2021 Vulnerability discovered
25.06.2021 Send details to custfirstsupport () aveva com
21.09.2021 Vendor response, fix is available until Q1/2022
25.09.2021 Vendor…

Read More

Posted by Georgi Guninski on Sep 08

sagemath 9.0 and reportedly later on ubuntu 20.

sagemath gives access to the python interpreter,
so code execution is trivial.

We give DoS attacks, which terminates the sagemath process
with abort(), when raising symbolic expression to large integer power.

We get abort() with stack:

gmp: overflow in mpz type

#6 0x00007f55c83ee72e in __GI_abort () at
/build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79
#7 0x00007f55c56e0d20 in __gmpz_realloc ()…

Read More

FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim’s machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C.A similar sample to the ones in this campaign was documented previously by Trellix.Why is this Significant?This is significant because the newly observed campaign was launched by the Conti ransomware group who are known for taking encrypted files and stolen information belonging to countless companies from varying sectors hostage for profits. The group announced it plans to retaliate against western targets after the Russian invasion into Ukraine adding a political motivation on top of financial gain.This new campaign seems to be similar to the previous campaigns however, some of the samples involved have much lower detection rates at the time of this writing.What Does the Malware Do?Conti ransomware variants used in the new campaign performs activities identical to the previous ones; it encrypts files on the compromised machine and adds a “.conti” file extension to them after the threat actor exfiltrates information from victim’s network. It will then demand a ransom payment from the victim in order to recover the affected files and to prevent stolen information from being released to the public.It leaves a ransom note that reads:All of your files are currently encrypted by CONTI strain. If you don’t know who we are – just “Google it”.As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.DONT’T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try – we recommend choosing the data of the lowest value.DON’T TRY TO IGNORE us. We’ve downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.DON’T TRY TO CONTACT feds or any recovery companies.We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly.To prove that we REALLY CAN get your data back – we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://[Removed].onion/-YOU SHOULD BE AWAREWe will speak only with an authorized person. It can be the CEO, top management, etc.In case you are not such a person – DON’T CONTACT USYour decisions and action can result in serious harm to your companyInform your supervisors and stay calmThe malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines.The malware has a detailed helper dialog. This provides another indication for the fact Conti group consists of many people.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign:Linux/Filecoder_Conti.083E!tr.ransomLinux/Filecoder_Conti.0B97!tr.ransomLinux/Filecoder_Conti.14E3!tr.ransomLinux/Filecoder_Conti.3233!tr.ransomLinux/Filecoder_Conti.3691!tr.ransomLinux/Filecoder_Conti.3FA2!tr.ransomLinux/Filecoder_Conti.5DE1!tr.ransomLinux/Filecoder_Conti.638B!tr.ransomLinux/Filecoder_Conti.65AB!tr.ransomLinux/Filecoder_Conti.919D!tr.ransomLinux/Filecoder_Conti.BDC5!tr.ransomLinux/Filecoder_Conti.C2F5!tr.ransomLinux/Filecoder_Conti.C3D1!tr.ransomLinux/Filecoder_Babyk.H!trPossibleThreatFortiEDR blocks the Conti samples pre-execution.

Read More