This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
Category Archives: Advisories
ZDI-22-1155: (Pwn2Own) Softing Secure Integration Server Cleartext Transmission of Sensitive Information Authentication Bypass Vulnerability
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Softing Secure Integration Server. User interaction is required to exploit this vulnerability.
Widespread RedInk Malware Hides Its Code In .NET Metadata
FortiGuard Labs has found an active and widespread attack campaign that distributes a malware it dubs “RedInk”, using the RegAsm.exe LOLBIN for execution and sandbox evasion. The attack is carried out in three stages, in which the final stage, acting as both Remote Access Trojan (RAT) and botnet component, is installed on the victim’s machine.
Why is this Significant?
This is significant because FortiGuard Labs observed widespread distribution of RedInk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim’s machine.
How Widespread is the Campaign?
We have observed more than 3,600 unique samples of the first stage, with new samples being constantly served to evade detection by security solutions. FortiGuard Labs observed RedInk malware distributed to Canada, Australia, the UK, and Japan.
How does the Attack Work?
While the initial infection vector has not been found, FortiGuard Labs observed that the first-stage malware was downloaded from the internet.
The campaign’s first stage is a small (6 KB) .NET loader, manipulated so that it runs properly only under RegAsm.exe. Some of the first-stage samples found (out of 3,600 in total) hide part of the crucial malicious logic inside the file’s metadata. This way, the base64-encoded data is not part of the file’s .NET strings, which lets the attacker partially evade detection.
The aforementioned samples compile the following code at runtime (decoded from the base64-encoded “AssemblyDescription”) in order to download the next payload:
The next stage we observed, called “loader.dll” by the attackers, is mainly used to kill the previous stage and to load the next stage from the server, encrypted with a randomly generated AES key.
The third stage, called “client.core”, is a fully fledged malicious toolkit, functioning as both RAT and botnet component and able to install VNC on the victim’s machine to enable remote control of the computer by the attacker.
Why Can only RegAsm.exe Run the RedInk Malware?
RedInk doesn’t have a standard DLL entry point, but rather a “ComUnregisterFunction”, which rundll does not call, but RegAsm (T1218.009) does. This technique is useful both for sandbox evasion (T1497) and to bypass application control (UAC – T1548.002).
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:
• MSIL/Cerbu.CA89!tr
• MSIL/Dropper.E5B0!tr
• MSIL/GenericKDZ.5CA8!tr
• MSIL/Tedy.1448!tr
• W32/Dloader.X!tr
• W32/PossibleThreat
• MSIL/Asbit.C!tr
All network IOCs associated with this attack are blocked by the WebFiltering client.
FortiEDR blocks the first stage of RedInk upon the initiation of a network connection:
FortiEDR Threat Hunting customers can additionally query for it using the following query:
Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*
CVE-2019-25075
HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.
varnish-modules-0.19.0-5.fc36
FEDORA-2022-99702d9bdd
Packages in this update:
varnish-modules-0.19.0-5.fc36
Update description:
Rebuilt for varnish-7.0.3
CVE-2020-27834
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-27836
A flaw was found in cluster-ingress-operator. A change to how the router-default service restricts access to certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to the specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
java-latest-openjdk-18.0.2.0.9-1.rolling.el7
FEDORA-EPEL-2022-21ae60f43a
Packages in this update:
java-latest-openjdk-18.0.2.0.9-1.rolling.el7
Update description:
CPU update for JDK latest
OpenImageIO-2.2.21.0-2.fc35 ctk-0.1-0.24.20190721.fc35 dcmtk-3.6.7-1.fc35
FEDORA-2022-d9f1bb102d
Packages in this update:
ctk-0.1-0.24.20190721.fc35
dcmtk-3.6.7-1.fc35
OpenImageIO-2.2.21.0-2.fc35
Update description:
Update to dcmtk 3.6.7 and re-build dependent packages.
Please note that dcmtk 3.6.7 includes security fixes, so this update is highly recommended.
OpenImageIO-2.3.18.0-2.fc36 ctk-0.1-0.24.20190721.fc36 dcmtk-3.6.7-1.fc36
FEDORA-2022-eaeeb0ca2b
Packages in this update:
ctk-0.1-0.24.20190721.fc36
dcmtk-3.6.7-1.fc36
OpenImageIO-2.3.18.0-2.fc36
Update description:
Update dcmtk to 3.6.7 and rebuild dependent packages.
The dcmtk update contains security fixes, so this update is highly recommended.