Category Archives: Advisories

CVE-2021-23556

Read Time:22 Second

The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.

Read More

kernel-5.16.15-101.fc34

Read Time:24 Second

FEDORA-2022-9342e59a98

Packages in this update:

kernel-5.16.15-101.fc34

Update description:

The 5.16.15 stable kernel update includes a number of important fixes across the tree. It also includes a temporary revert of the feature that makes QNAP NFS mounts fail. We will carry this revert through the 5.16 series in attempt to give the vendor more time to come out with an update, or upstream to come out with a solution.

Read More

kernel-5.16.15-201.fc35

Read Time:24 Second

FEDORA-2022-de4474b89d

Packages in this update:

kernel-5.16.15-201.fc35

Update description:

The 5.16.15 stable kernel update includes a number of important fixes across the tree. It also includes a temporary revert of the feature that makes QNAP NFS mounts fail. We will carry this revert through the 5.16 series in attempt to give the vendor more time to come out with an update, or upstream to come out with a solution.

Read More

USN-5333-1: Apache HTTP Server vulnerabilities

Read Time:49 Second

Chamal De Silva discovered that the Apache HTTP Server mod_lua module
incorrectly handled certain crafted request bodies. A remote attacker could
possibly use this issue to cause the server to crash, resulting in a denial
of service. (CVE-2022-22719)

James Kettle discovered that the Apache HTTP Server incorrectly closed
inbound connection when certain errors are encountered. A remote attacker
could possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-22720)

It was discovered that the Apache HTTP Server incorrectly handled large
LimitXMLRequestBody settings on certain platforms. In certain
configurations, a remote attacker could use this issue to cause the server
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-22721)

Ronald Crane discovered that the Apache HTTP Server mod_sed module
incorrectly handled memory. A remote attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2022-23943)

Read More

USN-5332-1: Bind vulnerabilities

Read Time:23 Second

Xiang Li, Baojun Liu, Chaoyi Lu, and Changgen Zou discovered that Bind
incorrectly handled certain bogus NS records when using forwarders. A
remote attacker could possibly use this issue to manipulate cache results.
(CVE-2021-25220)

It was discovered that Bind incorrectly handled certain crafted TCP
streams. A remote attacker could possibly use this issue to cause Bind to
consume resources, leading to a denial of service. This issue only affected
Ubuntu 21.10. (CVE-2022-0396)

Read More

Joint CyberSecurity Advisory Alert on Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability (AA22-074A)

Read Time:3 Minute, 54 Second

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the “PrintNightmare” vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.Why is this Significant?This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.How did the Attack Occur?The advisory provides the following attack sequence:”Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:windowssystem32driversetc hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login-this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity. Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content.”What is the “PrintNightmare” vulnerability (CVE-2021-34527)?The “PrintNightmare” vulnerability” was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-bound advisory for the vulnerability on July 6th, 2021.Has Microsoft Released a Patch for the “PrintNightmare” vulnerability (CVE-2021-34527)?Yes, Microsoft released an out-of-bound patch for the “PrintNightmare” vulnerability in July, 2021.Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.Successful exploitation of the vulnerability allows an attack to run arbitrary code with SYSTEM privileges.FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to “Fortinet Outbreak Alert: Microsoft PrintNightmare” and “#PrintNightmare Zero Day Remote Code Execution Vulnerability”.What is the Status of Coverage?FortiGuard Labs has IPS coverage in place for the “PrintNightmare” vulnerability (CVE-2021-34527):MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.EscalationAll known network IOC’s are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?The advisory recommends the following mitigations:Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.Implement time-out and lock-out features in response to repeated failed login attempts.Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Read More