Malware Devil

Monday, April 26, 2021

ISC Stormcast For Monday, April 26th, 2021 https://isc.sans.edu/podcastdetail.html?id=7472, (Mon, Apr 26th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


ESB-2021.1390 – [SUSE] MozillaFirefox: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1390
Security update for MozillaFirefox
26 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: MozillaFirefox
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands — Remote with User Interaction
Increased Privileges — Remote with User Interaction
Denial of Service — Remote with User Interaction
Provide Misleading Information — Remote with User Interaction
Access Confidential Data — Remote with User Interaction
Reduced Security — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29946 CVE-2021-29945 CVE-2021-24002
CVE-2021-23999 CVE-2021-23998 CVE-2021-23995
CVE-2021-23994 CVE-2021-23961

Reference: ESB-2021.1380
ESB-2021.1327

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211307-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for MozillaFirefox

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1307-1
Rating: important
References: #1184960
Cross-References: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998
CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946
Affected Products:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3
SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

o Firefox was updated to 78.10.0 ESR (bsc#1184960)
  * CVE-2021-23994: Out of bound write due to lazy initialization
  * CVE-2021-23995: Use-after-free in Responsive Design Mode
  * CVE-2021-23998: Secure Lock icon could have been spoofed
  * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23999: Blob URLs may have been granted additional privileges
  * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
  * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
  * CVE-2021-29946: Port blocking could be bypassed

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1307=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1307=1

Package List:

o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64
ppc64le s390x x86_64):
MozillaFirefox-78.10.0-8.38.1
MozillaFirefox-debuginfo-78.10.0-8.38.1
MozillaFirefox-debugsource-78.10.0-8.38.1
MozillaFirefox-translations-common-78.10.0-8.38.1
MozillaFirefox-translations-other-78.10.0-8.38.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64
ppc64le x86_64):
MozillaFirefox-devel-78.10.0-8.38.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64
ppc64le s390x x86_64):
MozillaFirefox-78.10.0-8.38.1
MozillaFirefox-debuginfo-78.10.0-8.38.1
MozillaFirefox-debugsource-78.10.0-8.38.1
MozillaFirefox-devel-78.10.0-8.38.1
MozillaFirefox-translations-common-78.10.0-8.38.1
MozillaFirefox-translations-other-78.10.0-8.38.1

References:

o https://www.suse.com/security/cve/CVE-2021-23961.html
o https://www.suse.com/security/cve/CVE-2021-23994.html
o https://www.suse.com/security/cve/CVE-2021-23995.html
o https://www.suse.com/security/cve/CVE-2021-23998.html
o https://www.suse.com/security/cve/CVE-2021-23999.html
o https://www.suse.com/security/cve/CVE-2021-24002.html
o https://www.suse.com/security/cve/CVE-2021-29945.html
o https://www.suse.com/security/cve/CVE-2021-29946.html
o https://bugzilla.suse.com/1184960

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


ESB-2021.1391 – [SUSE] kvm: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1391
Security update for kvm
26 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: kvm
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Increased Privileges — Existing Account
Create Arbitrary Files — Existing Account
Denial of Service — Remote/Unauthenticated
Reduced Security — Remote/Unauthenticated
Access Confidential Data — Existing Account
Unauthorised Access — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20257 CVE-2021-20181 CVE-2020-29443
CVE-2020-29130 CVE-2020-25723 CVE-2020-25625
CVE-2020-25624 CVE-2020-25084 CVE-2020-14364
CVE-2020-13765 CVE-2020-13362 CVE-2020-13361
CVE-2020-12829 CVE-2020-8608 CVE-2020-7039
CVE-2020-1983 CVE-2019-15890 CVE-2019-12068
CVE-2019-6778 CVE-2015-1779 CVE-2014-3689

Reference: ESB-2021.1348
ESB-2021.1306
ESB-2021.0614

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for kvm

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14706-1
Rating: important
References: #1123156 #1146873 #1149811 #1161066 #1163018 #1170940
#1172383 #1172384 #1172385 #1172478 #1175441 #1176673
#1176682 #1176684 #1178934 #1179467 #1181108 #1182137
#1182425 #1182577
Cross-References: CVE-2014-3689 CVE-2015-1779 CVE-2019-12068 CVE-2019-15890
CVE-2019-6778 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362
CVE-2020-13765 CVE-2020-14364 CVE-2020-1983 CVE-2020-25084
CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-29130
CVE-2020-29443 CVE-2020-7039 CVE-2020-8608 CVE-2021-20181
CVE-2021-20257
Affected Products:
SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

An update that fixes 21 vulnerabilities is now available.

Description:

This update for kvm fixes the following issues:

o Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385)
o Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)
o Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
o Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
o Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
o Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
o Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
o Fix DoS in e1000 emulated device (CVE-2021-20257, bsc#1182577)
o Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
o Fix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)
o Fix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)
o Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
o Fix use-after-free in slirp (CVE-2019-15890, bsc#1149811)
o Fix for similar problems as for the original fix prompting this issue (CVE-2019-6778, bsc#1123156)
o Fix potential OOB accesses in slirp (CVE-2020-8608, bsc#1163018; CVE-2020-7039, bsc#1161066)
o Fix use-after-free in slirp (CVE-2020-1983, bsc#1170940)
o Fix potential DoS in lsi scsi controller emulation (CVE-2019-12068, bsc#1146873)
o Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)
o Fix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-kvm-14706=1

Package List:

o SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
kvm-1.4.2-53.38.1

References:

o https://www.suse.com/security/cve/CVE-2014-3689.html
o https://www.suse.com/security/cve/CVE-2015-1779.html
o https://www.suse.com/security/cve/CVE-2019-12068.html
o https://www.suse.com/security/cve/CVE-2019-15890.html
o https://www.suse.com/security/cve/CVE-2019-6778.html
o https://www.suse.com/security/cve/CVE-2020-12829.html
o https://www.suse.com/security/cve/CVE-2020-13361.html
o https://www.suse.com/security/cve/CVE-2020-13362.html
o https://www.suse.com/security/cve/CVE-2020-13765.html
o https://www.suse.com/security/cve/CVE-2020-14364.html
o https://www.suse.com/security/cve/CVE-2020-1983.html
o https://www.suse.com/security/cve/CVE-2020-25084.html
o https://www.suse.com/security/cve/CVE-2020-25624.html
o https://www.suse.com/security/cve/CVE-2020-25625.html
o https://www.suse.com/security/cve/CVE-2020-25723.html
o https://www.suse.com/security/cve/CVE-2020-29130.html
o https://www.suse.com/security/cve/CVE-2020-29443.html
o https://www.suse.com/security/cve/CVE-2020-7039.html
o https://www.suse.com/security/cve/CVE-2020-8608.html
o https://www.suse.com/security/cve/CVE-2021-20181.html
o https://www.suse.com/security/cve/CVE-2021-20257.html
o https://bugzilla.suse.com/1123156
o https://bugzilla.suse.com/1146873
o https://bugzilla.suse.com/1149811
o https://bugzilla.suse.com/1161066
o https://bugzilla.suse.com/1163018
o https://bugzilla.suse.com/1170940
o https://bugzilla.suse.com/1172383
o https://bugzilla.suse.com/1172384
o https://bugzilla.suse.com/1172385
o https://bugzilla.suse.com/1172478
o https://bugzilla.suse.com/1175441
o https://bugzilla.suse.com/1176673
o https://bugzilla.suse.com/1176682
o https://bugzilla.suse.com/1176684
o https://bugzilla.suse.com/1178934
o https://bugzilla.suse.com/1179467
o https://bugzilla.suse.com/1181108
o https://bugzilla.suse.com/1182137
o https://bugzilla.suse.com/1182425
o https://bugzilla.suse.com/1182577

--------------------------END INCLUDED TEXT--------------------



ESB-2021.1392 – [Win][UNIX/Linux][SUSE] librsvg: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1392
Security update for librsvg
26 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: librsvg
Publisher: SUSE
Operating System: SUSE
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service — Remote/Unauthenticated
Access Confidential Data — Remote/Unauthenticated
Reduced Security — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-20991

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211310-1

Comment: This advisory references vulnerabilities in products which run on
platforms other than SUSE. It is recommended that administrators
running librsvg check for an updated version of the software for
their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for librsvg

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1310-1
Rating: moderate
References: #1148293 #1181571
Cross-References: CVE-2018-20991
Affected Products:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for librsvg fixes the following issues:

o librsvg was updated to 2.42.9:
  * Update dependent crates that had security vulnerabilities: smallvec to 0.6.14 (RUSTSEC-2018-0003, CVE-2018-20991, bsc#1148293)
  * The bundled version of the cssparser crate now builds correctly on Rust 1.43 (bsc#1181571)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1310=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1310=1

Package List:

o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64
ppc64le s390x x86_64):
librsvg-debugsource-2.42.9-3.6.1
rsvg-view-2.42.9-3.6.1
rsvg-view-debuginfo-2.42.9-3.6.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64
ppc64le s390x x86_64):
librsvg-debugsource-2.42.9-3.6.1
rsvg-view-2.42.9-3.6.1
rsvg-view-debuginfo-2.42.9-3.6.1

References:

o https://www.suse.com/security/cve/CVE-2018-20991.html
o https://bugzilla.suse.com/1148293
o https://bugzilla.suse.com/1181571

--------------------------END INCLUDED TEXT--------------------



ESB-2021.1393 – [Debian] firefox-esr: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1393
firefox-esr security update
26 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: firefox-esr
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands — Remote with User Interaction
Increased Privileges — Remote with User Interaction
Denial of Service — Remote with User Interaction
Provide Misleading Information — Remote with User Interaction
Access Confidential Data — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29946 CVE-2021-29945 CVE-2021-24002
CVE-2021-23999 CVE-2021-23998 CVE-2021-23995
CVE-2021-23994 CVE-2021-23961

Reference: ESB-2021.1344
ESB-2021.1327
ESB-2021.0291

Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2633

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2633-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
April 23, 2021 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package : firefox-esr
Version : 78.10.0esr-1~deb9u1
CVE ID : CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, privilege escalation or spoofing.

For Debian 9 stretch, these problems have been fixed in version
78.10.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------



ESB-2021.1394 – [Debian] openjdk-8: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1394
openjdk-8 security update
26 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: openjdk-8
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Modify Arbitrary Files — Remote/Unauthenticated
Access Confidential Data — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-2163 CVE-2021-2161

Reference: ASB-2021.0076
ESB-2021.1342

Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2634

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2634-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 23, 2021 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openjdk-8
Version : 8u292-b10-0+deb8u1
CVE ID : CVE-2021-2161 CVE-2021-2163

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in bypass of sandbox restrictions.

For Debian 9 stretch, these problems have been fixed in version
8u292-b10-0+deb8u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

The post ESB-2021.1394 – [Debian] openjdk-8: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/04/26/esb-2021-1394-debian-openjdk-8-multiple-vulnerabilities/

Patch Shortcuts: Interpretable Proxy Models Efficiently Find Black-Box Vulnerabilities

https://malwaredevil.com/2021/04/26/patch-shortcuts-interpretable-proxy-models-efficiently-find-black-box-vulnerabilities/

ClepsydraCache — Preventing Cache Attacks with Time-Based Evictions

https://malwaredevil.com/2021/04/26/clepsydracache-preventing-cache-attacks-with-time-based-evictions/

Sunday, April 25, 2021

Network Security News Summary for Monday April 26th, 2021

Compact VBA Macros; Top Honeypot PW; Clickstudios compromise; Homebrew vulnerability; Apple AirDrop Privacy

Compact VBA Macros
https://isc.sans.edu/forums/diary/Malicious+PowerPoint+AddOn+Small+Is+Beautiful/27342/

Base64 Strings Used in Web Scanning
https://isc.sans.edu/forums/diary/Base64+Hashes+Used+in+Web+Scanning/27346/

Clickstudios Password Manager Compromise
https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/

Homebrew Code Execution Vulnerability
https://brew.sh/2021/04/21/security-incident-disclosure/

Apple AirDrop Shares Personal Data
https://www.informatik.tu-darmstadt.de/fb20/ueber_uns_details_231616.en.jsp

keywords: airdrop; apple; privacy; homebrew; git; clickstudios; base64; vba; macros; ppt

https://malwaredevil.com/2021/04/25/network-security-news-summary-for-monday-april-26th-2021/

Dan Kaminsky

Image Credit: Source: Wikipedia

Saddened by news of the death of Dan Kaminsky, a member of the ICANN Trusted Community Representatives group (Recovery Key Holder) for DNSSEC Root, and Chief Scientist of White Ops. Dan’s work was typically behind the scenes; he became well known in the security community with his discovery of the highly pernicious DNS Cache Poisoning Flaw and at CERT (and, of course, the fix thereto). He is missed by all who knew him; may he rest in peace.

‘As part of the joint effort to secure the domain name system (DNS) and the Root DNSSEC key management process, a number of persons acting as trusted representatives of the Internet community participate in the root key generation and signing ceremonies. These persons are called Trusted Community Representatives (TCRs).’ – via ICANN


The post Dan Kaminsky appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/25/dan-kaminsky/

CPDP 2021 – Moderator: Merve Hickok ‘AI Regulation In Europe & Fundamental Rights’

Speakers: Peggy Valcke, Friederike Reinhold, Oreste Pollicino, Alexandra Geese

Our sincere thanks to CPDP 2021 – Computers, Privacy & Data Protection Conference for publishing their well-crafted videos on the organization’s YouTube channel. Enjoy!


The post CPDP 2021 – Moderator: Merve Hickok ‘AI Regulation In Europe & Fundamental Rights’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/25/cpdp-2021-moderator-merve-hickok-ai-regulation-in-europe-fundamental-rights/

Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – ‘WEEK 326’

via the respected information security capabilities of Robert M. Lee & the superlative illustration talents of Jeff Haas at Little Bobby Comics


The post Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – ‘WEEK 326’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/25/robert-m-lees-jeff-haas-little-bobby-comics-week-326/

Take A Moment To Hug Your Friends & Family, RIP Dan Kaminsky

The security world was rocked this weekend when word came out that one of the best of us, Dan Kaminsky, passed away. Dan was only 42 years old. To say "way too soon" doesn’t even come close here. No cause of his demise has been released. Frankly, speculating about it doesn’t do any of us..

The post Take A Moment To Hug Your Friends & Family, RIP Dan Kaminsky appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/25/take-a-moment-to-hug-your-friends-family-rip-dan-kaminsky/

CPDP 2021 – Moderator: Théodore Christakis ‘Government Access To Data After Schrems II, Brexit And The Cloud Act’

Speakers: Joe Jones, Florence Raynal, Ralf Sauer, Peter Swire

Our sincere thanks to CPDP 2021 – Computers, Privacy & Data Protection Conference for publishing their well-crafted videos on the organization’s YouTube channel. Enjoy!


The post CPDP 2021 – Moderator: Théodore Christakis ‘Government Access To Data After Schrems II, Brexit And The Cloud Act’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/25/cpdp-2021-moderator-theodore-christakis-government-access-to-data-after-schrems-ii-brexit-and-the-cloud-act/

Sysinternals: Procmon and Sysmon update, (Sun, Apr 25th)

New versions of Procmon and Sysmon were released.

Sysmon supports a new rule: FileDeletedDetected. Use it to log deletions (without archiving the deleted file).

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2021/04/25/sysinternals-procmon-and-sysmon-update-sun-apr-25th/

Wireshark 3.4.5 Released, (Sun, Apr 25th)

Wireshark version 3.4.5 was released.

There’s one vulnerability fix and many bug fixes.

For Windows, Npcap is still at version 1.10.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2021/04/25/wireshark-3-4-5-released-sun-apr-25th/

[MTN Group] critical – Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-10271]

https://malwaredevil.com/2021/04/25/mtn-group-critical-remote-os-command-execution-on-oracle-weblogic-server-via-cve-2017-10271/

[MTN Group] critical – Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]

https://malwaredevil.com/2021/04/25/mtn-group-critical-remote-os-command-execution-on-oracle-weblogic-server-via-cve-2017-3506/

Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users’ machines that have Homebrew installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19.

Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple’s macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software.

“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically,” Homebrew’s Markus Reiter said. “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

In other words, the flaw meant malicious code injected into the Cask repository was merged without any review and approval.

The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, following which it was reverted. In light of the findings, Homebrew has also removed the “automerge” GitHub Action as well as disabled and removed the “review-cask-pr” GitHub Action from all vulnerable repositories.

In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, with all pull requests requiring a manual review and approval by a maintainer going forward. No user action is required.

“If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted,” the researcher said. “So I strongly feel that a security audit against the centralized ecosystem is required.”
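The root cause above is a lenient diff parser that an automated approver trusted: lines it could not classify were dropped instead of blocking the merge. The Ruby below is an added example, not Homebrew's code and not the review-cask-pr action or its git_diff dependency; it shows the fail-closed shape such a check should have. It parses a unified diff strictly, verifies every hunk's line counts against its @@ header, approves only when each added or removed line is one of the fields a version bump may touch (the version/sha256 allow-list and the cask file are assumed for the example), and rejects anything else rather than skipping it.

```ruby
# Added example, not Homebrew's own code nor the review-cask-pr action:
# a strict, fail-closed checker for a "bot auto-approves a cask version bump"
# workflow. Every line must be classified; unknown lines reject the diff.

HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/
FILE_HEADER = /\A(diff --git |index |--- |\+\+\+ )/
# Assumed policy for the example: only the version and sha256 assignments may change.
ALLOWED_CHANGE = /\A[+-]\s*(version|sha256)\s+["'][^"']*["']\s*\z/

# Returns true only when the diff is well formed and every changed line is allowed.
def safe_to_automerge?(diff)
  hunk = nil
  # A hunk is consistent when the lines seen match the counts its header promised.
  hunk_consistent = lambda do
    hunk.nil? || (hunk[:seen_old] == hunk[:old] && hunk[:seen_new] == hunk[:new])
  end

  diff.each_line do |raw|
    line = raw.chomp
    if hunk && (line.empty? || line.match?(/\A[ +-]/))
      tag = line.empty? ? " " : line[0]            # some tools strip blank context to ""
      hunk[:seen_old] += 1 if tag == " " || tag == "-"
      hunk[:seen_new] += 1 if tag == " " || tag == "+"
      next if tag == " "
      return false unless line.match?(ALLOWED_CHANGE)  # changed line outside policy
    elsif (m = line.match(HUNK_HEADER))
      return false unless hunk_consistent.call         # previous hunk did not add up
      hunk = { old: (m[2] || "1").to_i, new: (m[4] || "1").to_i, seen_old: 0, seen_new: 0 }
    elsif line.match?(FILE_HEADER)
      return false unless hunk_consistent.call
      hunk = nil
    elsif line == '\ No newline at end of file'
      next
    else
      return false  # unrecognised line: fail closed instead of ignoring it
    end
  end
  hunk_consistent.call  # the last hunk must add up too
end

# Constructed sample diffs against a hypothetical cask "example" (not a real cask).
GOOD_BUMP = <<~'DIFF'
  diff --git a/Casks/example.rb b/Casks/example.rb
  index 1111111..2222222 100644
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  -  sha256 "aaaa"
  +  version "1.0.1"
  +  sha256 "bbbb"
     url "https://example.invalid/#{version}.zip"
DIFF

# Touches the download URL, which the policy does not allow a bot to approve.
URL_CHANGE = <<~'DIFF'
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
     sha256 "aaaa"
  -  url "https://example.invalid/#{version}.zip"
  +  url "https://mirror.invalid/#{version}.zip"
DIFF

# Every changed line is allowed, but the header promises 3 new-side lines and 4 appear.
BAD_COUNTS = <<~'DIFF'
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,3 +1,3 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
  +  sha256 "bbbb"
     url "https://example.invalid/#{version}.zip"
DIFF

# A line the parser cannot classify must block the merge, not be skipped.
UNPARSEABLE = <<~'DIFF'
  diff --git a/Casks/example.rb b/Casks/example.rb
  Binary files a/Casks/example.rb and b/Casks/example.rb differ
DIFF

if __FILE__ == $PROGRAM_NAME
  { good_bump: GOOD_BUMP, url_change: URL_CHANGE,
    bad_counts: BAD_COUNTS, unparseable: UNPARSEABLE }.each do |name, diff|
    puts "#{name}: #{safe_to_automerge?(diff) ? 'auto-merge OK' : 'needs human review'}"
  end
end
```

The two structural checks (hunk counts reconciled against the header, and unknown lines rejected) are what separate this from the lenient behaviour the advisory describes; the allow-list alone would not help if the parser could be persuaded to drop lines before the allow-list ever saw them.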

https://malwaredevil.com/2021/04/24/critical-rce-bug-found-in-homebrew-package-manager-for-macos-and-linux-2/

Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs

Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a supply chain attack.

The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software’s update mechanism and used it to drop malware on user computers.

The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours.

“Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company said in an advisory. “Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”

The development was first reported by the Polish tech news site Niebezpiecznik. It’s not immediately clear who the attackers are or how they compromised the password manager’s update feature. Click Studios said an investigation into the incident is ongoing but noted “the number of affected customers appears to be very low.”

Passwordstate is an on-premise web-based solution used for enterprise password management, enabling businesses to securely store passwords, integrate the solution into their applications, and reset passwords across a range of systems, among others. The software is used by 29,000 customers and 370,000 security and IT professionals globally, counting several Fortune 500 companies spanning verticals such as banking, insurance, defense, government, education, and manufacturing.

According to an initial analysis shared by Denmark-based security firm CSIS Group, the malware-laced update came in the form of a ZIP archive file, “Passwordstate_upgrade.zip,” which contained a modified version of a library called “moserware.secretsplitter.dll” (VirusTotal submissions here and here).

This file, in turn, established contact with a remote server to fetch a second-stage payload (“upgrade_service_upgrade.zip”) that extracted Passwordstate data and exported the information back to the adversary’s CDN network. Click Studios said the server was taken down as of April 22 at 7:00 AM UTC.

The full list of compromised information includes computer name, user name, domain name, current process name, current process ID, names and IDs of all running processes, names of all running services with display name and status, the Passwordstate instance’s Proxy Server Address, usernames and passwords.

Click Studios has released a hotfix package to help customers remove the attacker’s tampered DLL and overwrite it with a legitimate variant. The company is also recommending that businesses reset all credentials associated with external facing systems (firewalls, VPN) as well as internal infrastructure (storage systems, local systems) and any other passwords stored in Passwordstate.

Passwordstate’s breach comes as supply chain attacks are fast emerging as a new threat to companies that depend on third-party software vendors for their day-to-day operations. In December 2020, a rogue update to the SolarWinds Orion network management software installed a backdoor on the networks of up to 18,000 customers.

Last week, software auditing startup Codecov alerted customers that it discovered its software had been infected with a backdoor as early as January 31 to gain access to authentication tokens for various internal software accounts used by developers. The incident didn’t come to light until April 1.

https://malwaredevil.com/2021/04/24/passwordstate-password-manager-update-hijacked-to-install-backdoor-on-thousands-of-pcs-2/

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...