Malware Devil

Monday, May 24, 2021

ESB-2020.3822.5 – UPDATE [Cisco] Cisco AnyConnect Secure Mobility Client: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.3822.5
Cisco AnyConnect Secure Mobility Client Vulnerabilities
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: Cisco AnyConnect Secure Mobility Client
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands — Existing Account
Read-only Data Access — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27123 CVE-2020-3556

Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History: May 24 2021: vendor updated BypassDownloader tagging examples for advisory:cisco-sa-anyconnect-ipc-KfQO9QhK
December 7 2020: vendor updated cisco-sa-anyconnect-ipc-KfQO9QhK
November 10 2020: Vendor updated mitigation information for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
November 6 2020: Vendor significantly updated advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
November 5 2020: Initial Release

– ————————–BEGIN INCLUDED TEXT——————–

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Priority: High
Advisory ID: cisco-sa-anyconnect-ipc-KfQO9QhK
First Published: 2020 November 4 16:00 GMT
Last Updated: 2021 May 21 18:06 GMT
Version 4.1: Final
Workarounds: Yes
Cisco Bug IDs: CSCvv30103
CVE Names: CVE-2020-3556
CWEs: CWE-20

Summary

o A vulnerability in the interprocess communication (IPC) channel of Cisco
AnyConnect Secure Mobility Client Software could allow an authenticated,
local attacker to cause a targeted AnyConnect user to execute a malicious
script.

The vulnerability is due to a lack of authentication to the IPC listener.
An attacker could exploit this vulnerability by sending crafted IPC
messages to the AnyConnect client IPC listener. A successful exploit could
allow an attacker to cause the targeted AnyConnect user to execute a
script. This script would execute with the privileges of the targeted
AnyConnect user.

Note: To successfully exploit this vulnerability, an attacker would need
all of the following:

Valid user credentials on the system on which the AnyConnect client is
being run by the targeted user.
To be able to log in to that system while the targeted user either has
an active AnyConnect session established or establishes a new
AnyConnect session.
To be able to execute code on that system.

Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Affected Products

o Vulnerable Products

This vulnerability affects all releases of Cisco AnyConnect Secure Mobility
Client Software earlier than Release 4.10.00093 for the following platforms
if they have a vulnerable configuration:

AnyConnect Secure Mobility Client for Windows
AnyConnect Secure Mobility Client for MacOS
AnyConnect Secure Mobility Client for Linux

The following subsections describe how to determine vulnerability for
specific releases of Cisco AnyConnect Secure Mobility Client Software. The
release of Cisco AnyConnect Secure Mobility Client Software that is running
on the end machine determines which configurations the user must check.

The configuration settings discussed in the following subsections are in
the AnyConnectLocalPolicy.xml file. This file is in the following
locations:

Windows::ProgramDataCiscoCisco AnyConnect Secure
Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053,
4.9.05042, and 4.9.06037

The vulnerability described in this advisory affects Cisco AnyConnect
Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and
4.9.06037 if RestrictScriptWebDeploy is set to the default value of false .

To verify the RestrictScriptWebDeploy configuration setting on a VPN client
system, open the AnyConnectLocalPolicy.xml file and look for the following
line:

false

If RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is
disabled and the device is affected by this vulnerability. If
RestrictScriptWebDeploy is set to true , RestrictScriptWebDeploy is enabled
and the device is not affected by this vulnerability.

See the Workarounds section for additional optional but recommended
settings.

Cisco AnyConnect Secure Mobility Client Software Releases Earlier than
Release 4.9.04053

The vulnerability described in this advisory affects all releases of Cisco
AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053
if BypassDownloader is set to the default value of false.

To verify the BypassDownloader configuration setting on a VPN client
system, open the AnyConnectLocalPolicy.xml file and look for the following
line:

false

If BypassDownloader is set to false , BypassDownloader is disabled and the
device is affected by this vulnerability. If BypassDownloader is set to
true, BypassDownloader is enabled and the device is not affected by this
vulnerability.

Note: Setting BypassDownloader to true is not a recommended configuration.
See the Workarounds section for more details.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

This vulnerability does not affect Cisco AnyConnect Secure Mobility Client
for Apple iOS or Android platforms or for the Universal Windows Platform.

Details

o Details about the vulnerability are as follows.

This vulnerability is not exploitable on laptops used by a single user,
but instead requires valid logins for multiple users on the end-user
device.
This vulnerability is not remotely exploitable, as it requires local
credentials on the end-user device for the attacker to take action on
the local system.
This vulnerability is not a privilege elevation exploit. The scripts
run at the user level by default. If the local AnyConnect user manually
raises the privilege of the User Interface process, the scripts would
run at elevated privileges.
This vulnerability’s CVSS score is high because, for configurations
where the vulnerability is exploitable, it allows one user access to
another user’s data and execution space.

Workarounds

o Workarounds that address this vulnerability were introduced in Cisco bug ID
CSCvw48062 via new configuration settings. The new settings are available
in releases 4.9.04053 and later. Cisco recommends using additional settings
that were introduced in Release 4.10.00093 instead of using the settings
introduced in 4.9.04053.

The settings introduced in 4.10.00093 allow connections to trusted headends
only, without any functionality loss. Additional information about the new
settings is in the Recommendations section of this advisory.

Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093

Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103
with no additional configuration required. See the Recommendations section
for additional optional but recommended settings.

Upgrade instructions for systems where workarounds were previously applied

This section is relevant only to customers that had previously applied the
workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or
mitigation settings for releases earlier than Release 4.9.04053. If the
workarounds or mitigations listed on this advisory were not previously
used, use the normal upgrade process. More information about the normal
upgrade process is in the Release Notes or Configuration Guide .

The following instructions describe how to upgrade to Release 4.10.00093
and remove the previously applied settings in the AnyConnectLocalPolicy.xml
file. This file is in the following locations:

Windows::ProgramDataCiscoCisco AnyConnect Secure
Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

AnyConnect AnyConnectLocalPolicy.xml Instructions
Secure Settings
Mobility
Client
Software
Release
Earlier Previously deployed 1. Upgrade to 4.10 using a
than AnyConnectLocalPolicy.xml predeploy method.
4.9.04053 settings: 2. Redistribute the
AnyConnectLocalPolicy.xml
o BypassDownloader= true file with new settings
using an out-of-band
New AnyConnectLocalPolicy.xml deployment method.
settings: 3. Apply the new 4.10
settings shown in the
o BypassDownloader=false Recommendations section.

4.9.04053, Previously deployed 1. Upgrade to 4.10 using
4.9.05042, AnyConnectLocalPolicy.xml either a predeploy or
4.9.06037 settings: webdeploy method.
2. Redistribute ^1 the
o RestrictScriptWebDeploy=true AnyConnectLocalPolicy.xml
o RestrictHelpWebDeploy=true file with new settings
o RestrictResourceWebDeploy= using an out-of-band
true deployment method.
o RestrictLocalizationWebDeploy 3. Apply the new 4.10
=true settings shown in the
o BypassDownloader=false Recommendations section.

New AnyConnectLocalPolicy.xml
settings:

o RestrictScriptWebDeploy=false
o RestrictHelpWebDeploy=false
o RestrictResourceWebDeploy=
false
o RestrictLocalizationWebDeploy
=false
o BypassDownloader=false

1. Customers may leave the settings intact for RestrictScriptWebDeploy,
RestrictHelpWebDeploy, RestrictResourceWebDeploy, and
RestrictLocalizationWebDeploy if the restricted functionality is not
required. If these settings remain true , files must be distributed using
an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053,
4.9.05042, and 4.9.06037

For customers who have already applied the RestrictScriptWebDeploy
workaround

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have
already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy,
RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds,
nothing further needs to be done to help ensure protection against
exploitation of this vulnerability.

To restore full functionality to the product, customers should upgrade to
Release 4.10.00093 and apply the recommended settings shown in the
Recommendations section. After full functionality is restored, customers
can once again deploy files from the headend instead of using an
out-of-band deployment method.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot
upgrade to Release 4.10.00093 or later, the recommended workaround for
these releases is to edit the AnyConnectLocalPolicy.xml file to set
RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to
false . The new AnyConnectLocalPolicy.xml file would then be deployed to
end machines using an out-of-band method of deployment.

There are additional configuration settings for releases 4.9.04053,
4.9.05042, and 4.9.06037 that are strongly recommended for increased
protection. The full set of custom web-deploy restrictions is listed below.
For more details about the new configuration settings and implications of
their use, refer to the Release Notes or Cisco bug ID CSCvw48062 . These
settings would allow profile updates and future software upgrades while
helping to protect against exploitation of this vulnerability.

RestrictScriptWebDeploy
RestrictHelpWebDeploy
RestrictResourceWebDeploy
RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In
most deployment scenarios, the modification would be done to the
AnyConnectLocalPolicy.xml file and then deployed to all client machines
using an out-of-band method of deployment such as an enterprise software
management system. Any modifications to the AnyConnectLocalPolicy.xml file
must be done with sudo or admin rights.

1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
file is in the following locations:
Windows::ProgramDataCiscoCisco AnyConnect Secure
Mobility Client
macOS:/opt/cisco/anyconnect/
Linux:/opt/cisco/anyconnect/
2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
the following lines:

false
false
false
false

3. Change that setting to true , as shown in the following example:

true
true
true
true

4. Verify that the BypassDownloader setting is correct by looking for the
following line:

false

5. If the BypassDownloader setting is true , change it to false , as shown
in the following example:

false

6. Save the file to the original location. The network paths are noted
above.
7. Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release
4.9.04053

For customers who have already applied the BypassDownloader mitigation

For customers using releases earlier than Release 4.9.04053 who have
already applied the BypassDownloader mitigation, nothing further needs to
be done to enable protection against exploitation of this vulnerability.
Because this mitigation is not recommended , customers could upgrade to
Release 4.10.00093 and apply the recommended settings shown in the
Recommendations section.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using releases earlier than Release 4.9.04053 who cannot
upgrade to Release 4.10.00093 or later and/or do not require updated
content on the VPN headend device to be downloaded to the client, enabling
the BypassDownloader setting is a possible mitigation.

Warning: Changing the BypassDownloader setting is not recommended in most
customer environments. If the BypassDownloader is set to true , VPN users
could be refused a connection from the VPN headend if their local VPN XML
profiles are out of date with what is configured on the VPN headend.

Note: Enabling the BypassDownloader setting can be done only out-of-band on
the client devices and has a couple of implications:

All future updates to either Cisco AnyConnect Secure Mobility Client
Software or the AnyConnect profile would have to be done out-of-band.
AnyConnect will no longer download updated content from the headend
device.
AnyConnect profiles would still need to be in sync between the headend
device and the client. If the profiles are not in sync, the VPN
connection could be established with default settings instead of with
settings on the headend or client. The VPN headend could also refuse
the connection.

The procedure that follows is for editing the policy on a local machine. In
most deployment scenarios, the modification would be done to the
AnyConnectLocalPolicy.xml file and then deployed to all client machines
using an out-of-band method of deployment such as an enterprise software
management system. Any modifications to the AnyConnectLocalPolicy.xml file
must be done with sudo or admin rights.

1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
file is in the following locations:
Windows::ProgramDataCiscoCisco AnyConnect Secure
Mobility Client
macOS:/opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/
2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
the following line:

false

3. Change that setting to true , as shown in the following example:

true

4. Save the file to the original location. The network paths are noted
above.
5. Restart the VPN Agent service or reboot the client machine.

Fixed Software

o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.

When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

Cisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client
Software releases 4.10.00093 and later.

Recommendations

o Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new
settings. It is now possible to individually allow/disallow scripts, help,
resources, or localization updates in the local policy. These new settings
are strongly recommended for increased protection. The full set of
restrictions is listed below. For more details about the new configuration
settings and implications of their use, refer to the AnyConnect Local
Policy section of the administrator guide.

Configuration Setting Name Default Recommended
Value Configuration Setting
Value
StrictCertificateTrust False True
RestrictServerCertStore False True
AllowSoftwareUpdatesFromAnyServer True False
AllowComplianceUpdatesModuleFromAnyServer True False
AllowManagementVPNProfileUpdatesFromAnyServer True False
AllowISEPostureProfileUpdatesFromAnyServer True False
AllowServiceProfileUpdatesFromAnyServer True False
AllowScriptUpdatesFromAnyServer True False
AllowScriptUpdatesFromAnyServer True False
AllowHelpUpdatesFromAnyServer True False
AllowResourceUpdatesFromAnyServer True False
AllowLocalizationUpdatesFromAnyServer True False
List of authorized
servers.
ServerName Blank Can use wildcards,
for example
*.cisco.com

BypassDownloader is not a new setting, but ensure that it is set to false.

Configuration Setting Default Recommended Configuration Setting
Name Value Value
BypassDownloader False False

To configure the recommended settings on Release 4.10.00093 and later, edit
the AnyConnectLocalPolicy.xml file to change configuration values to the
recommended values listed in the preceding table. The new
AnyConnectLocalPolicy.xml file would then be deployed to end machines.

false
true
true
false
AllowSoftwareUpdatesFromAnyServer>
false
AllowComplianceUpdatesModuleFromAnyServer>
false
AllowManagementVPNProfileUpdatesFromAnyServer>
false
AllowISEPostureProfileUpdatesFromAnyServer>
false
AllowServiceProfileUpdatesFromAnyServer>
false
AllowScriptUpdatesFromAnyServer>
false
false
AllowResourceUpdatesFromAnyServer>
false
AllowLocalizationUpdatesFromAnyServer>

3. If the configuration setting values do not match the values shown
above, change them.
4. Add authorized server names to the configuration file:

*.example.com

5. Save the file to the original location. The network paths are noted
above.
6. Restart the VPN Agent service or reboot the client machine.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerability described
in this advisory.

The Cisco PSIRT is not aware of any malicious use of the vulnerability that
is described in this advisory.

Source

o Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking
Lab (TU Darmstadt) for reporting this vulnerability.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Revision History

– ——————————————————————————–

Cisco AnyConnect Secure Mobility Client for Windows Arbitrary File Read
Vulnerability

Priority: Medium

Advisory ID: cisco-sa-anyconnect-file-read-LsvDD6Uh

First Published: 2020 November 4 16:00 GMT

Version 1.0: Final

Workarounds: No workarounds available

Cisco Bug IDs: CSCvv66094

CVE-2020-27123

CWE-749

Summary

o A vulnerability in the interprocess communication (IPC) channel of Cisco
AnyConnect Secure Mobility Client for Windows could allow an authenticated,
local attacker to read arbitrary files on the underlying operating system
of an affected device.

The vulnerability is due to an exposed IPC function. An attacker could
exploit this vulnerability by sending a crafted IPC message to the
AnyConnect process on an affected device. A successful exploit could allow
the attacker to read arbitrary files on the underlying operating system of
the affected device.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-anyconnect-file-read-LsvDD6Uh

Affected Products

o Vulnerable Products

At the time of publication, this vulnerability affected Cisco AnyConnect
Secure Mobility Client for Windows releases earlier than Release 4.9.03047.

See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.

Fixed Releases

At the time of publication, Cisco AnyConnect Secure Mobility Client for
Windows releases 4.9.03047 and later contained the fix for this
vulnerability.

See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

o Cisco would like to thank Antoine Goichot of PwC Luxembourg’s Cybersecurity
team for reporting this vulnerability.

Cisco Security Vulnerability Policy

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History

o +———-+—————————+———-+——–+————–+
| Version | Description | Section | Status | Date |
+———-+—————————+———-+——–+————–+
| 1.0 | Initial public release. | – | Final | 2020-NOV-04 |
+———-+—————————+———-+——–+————–+

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYKsaeuNLKJtyKPYoAQhFmw//VaeGJL2cMNKMqaZglV7ZdhprIpv3w62l
/hzL9sQv9Dwibba1sUPKC8ptTabjjUGMTCpJFC8kQBd6bjsFdM+J5GCzpYM03OtX
FPBESNOhdw82JOQnMmeT183vL80HFDXSMQACAosuZofb6vgyGxqqGCUIkFYOGA4u
fa6nXEgtNTpIdI3qqTmcDDWrc4Cx2cavyXc01GeacKRxIfDVo1qNVLuTsw5RVFqf
YuLE1V0Oa1gs1oiysCkc/1MjHmeptnShCJrsNKEYliCLPz2QCxMKN6tYeUsFF8fn
guWIhrUJVVrPY1UAtmz6Y7nP9mFVd6YLjPy4fARXTOxkpp3CtpzAWJ4nC6vV0lh3
LH836irjqCmiB70AvkiF/rIdftYlevXZq4u7SnihtRzCjmvMmCnz1keoatTapl95
LQROV7Fb/jJCq+iBNJzDJ3k6ITwVQxitRE1d+OGt8NEbKfdSuq4cufcFJkuz4UjO
O6RsiK+Pg0DkWPyvzNq1xBUvX2KR4sFfE8OeLZLtOasdSKuQC4YWYphLBYjmyacx
3R3hjawJvkwzs5ZnygJVExGL1x51oxYy2S97KqpmFCBmMqAkN00f77VqDTrc2kjl
meMUS9qoMHkDVwbiAQgBw0yr4z6w6NFWTme3ANcga6KJGuFjm6odPYyXccms01+Y
heIOetlsdi8=
=h42B
—–END PGP SIGNATURE—–

The post ESB-2020.3822.5 – UPDATE [Cisco] Cisco AnyConnect Secure Mobility Client: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2020-3822-5-update-cisco-cisco-anyconnect-secure-mobility-client-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3822-5-update-cisco-cisco-anyconnect-secure-mobility-client-multiple-vulnerabilities

ESB-2021.1328.2 – UPDATE [Juniper] Junos OS: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1328.2
JSA11147 – 2021-04 Security Bulletin: Junos OS: Remote code
execution vulnerability in overlayd service
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Denial of Service — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-0254

Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11147

Revision History: May 24 2021: Provide additional clarification on affected platforms, and how to determine if overlayd is running.
April 21 2021: Initial Release

– ————————–BEGIN INCLUDED TEXT——————–

2021-04 Security Bulletin: Junos OS: Remote code execution vulnerability in overlayd service (CVE-2021-0254)

Article ID : JSA11147
Last Updated: 21 May 2021
Version : 5.0

Product Affected:
This issue affects Junos OS 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1,
19.2, 19.3, 19.4, 20.1, 20.2, 20.3.
Problem:

A buffer size validation vulnerability in the overlayd service of Juniper
Networks Junos OS may allow an unauthenticated remote attacker to send
specially crafted packets to the device, triggering a partial Denial of Service
(DoS) condition, or leading to remote code execution (RCE). Continued receipt
and processing of these packets will sustain the partial DoS.

The overlayd daemon handles Overlay OAM packets, such as ping and traceroute,
sent to the overlay. The service runs as root by default and listens for UDP
connections on port 4789. This issue results from improper buffer size
validation, which can lead to a buffer overflow. Unauthenticated attackers can
send specially crafted packets to trigger this vulnerability, resulting in
possible remote code execution.

overlayd runs by default on MX Series, QFX Series, and certain ACX Series (e.g.
ACX5445, but not the ACX5048) platforms.
Platforms such as the SRX Series and PTX Series do not run overlayd and are
therefore not vulnerable to this issue.
Additionally, while some EX Series platforms do run overlayd, no model of EX
Series switch has been shown to be exploitable to this vulnerability.

To summarize, if overlayd is not running on a particular platform, the system
is not vulnerable to this issue. Users can confirm the presence of the overlayd
process by issuing the following command:

user@junos> show system processes extensive | match overlay
2030 root 4 0 28984K 5004K kqread 0:00 0.00% overlayd

This issue affects Juniper Networks Junos OS:

o 15.1 versions prior to 15.1R7-S9;
o 17.3 versions prior to 17.3R3-S11;
o 17.4 versions prior to 17.4R2-S13, 17.4R3-S4;
o 18.1 versions prior to 18.1R3-S12;
o 18.2 versions prior to 18.2R2-S8, 18.2R3-S7;
o 18.3 versions prior to 18.3R3-S4;
o 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7;
o 19.1 versions prior to 19.1R2-S2, 19.1R3-S4;
o 19.2 versions prior to 19.2R1-S6, 19.2R3-S2;
o 19.3 versions prior to 19.3R3-S1;
o 19.4 versions prior to 19.4R2-S4, 19.4R3-S1;
o 20.1 versions prior to 20.1R2-S1, 20.1R3;
o 20.2 versions prior to 20.2R2, 20.2R2-S1, 20.2R3;
o 20.3 versions prior to 20.3R1-S1.

There is no minimum configuration required to be vulnerable to this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2021-0254 .

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 15.1R7-S9, 17.3R3-S11, 17.4R2-S13, 17.4R3-S4, 18.1R3-S12,
18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, 19.1R2-S2,
19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2-S1,
20.1R3, 20.2R2, 20.2R2-S1, 20.2R3, 20.3R1-S1, 20.4R1, and all subsequent
releases.

This fix has also been proactively committed into other releases that might not
be vulnerable to this issue.

This issue is being tracked as 1548415 .

Workaround:

Two methods exist to mitigate this issue:

1. Limit the exploitable attack surface of critical infrastructure networking
equipment by using access lists or firewall filters to limit access to the
device via UDP only from trusted, administrative networks or hosts.
2. Disable Overlay OAM packet via the configuration command: ‘ set system
processes overlay-ping-traceroute disable ‘

Implementation:
Software releases or updates are available for download at https://
support.juniper.net/support/downloads/
Modification History:

2021-04-14: Initial Publication.
2021-04-20: Explicitly state that the SRX Series is not vulnerable.
2021-05-21: Provide additional clarification on affected platforms, and how to determine if overlayd is running.

CVSS Score:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common
Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”
Acknowledgements:
Juniper SIRT would like to acknowledge and thank Hoang Thach Nguyen (d4rkn3ss)
of STAR Labs for responsibly reporting this vulnerability.

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKsapuNLKJtyKPYoAQgPsg/8Cbtu+ROXlGo9z+93AzDEhhfLkaYlfWIG
1+nvVcgMta70EmWspjYYFw5JvJH1Qy9OV7sLhIL5Kk1KPVave1yUjAXln+/qNAGX
Nt1eba4FEKAzwQrTBjns0IgQVfSBdz1Dnt2tLyGrt8R700CHfBkeyKImE1gHIZP6
RaTPtf27OvfYH6YULgDuRIf6WBTWPZoUlDzmyWmP9Ug6e4ceCb/ZAYZj73H8kNu/
uqeWGCuXgHRxBDHfGT+xFsI41MAMSpiHYb83Ru/LMZ8RidZDxItWUp+hFYBz4ytX
a5H6PxfLn49cdf/d5AxT7lAUw3khvgB56ltj4xCPhXZo33uRkfU0YnEwCG0+h3vM
y+IJtXl0kXUl2kKLMgmsW5HmH8tXx+vwxix3Kw1OyLnyZP/WBVutFTPACdqQtsUa
n8YRI7GSdIcw8y5CanSLRvmWGNet+Iu2EY2TJK0zPBYfLSeGsyFyX3qem/re9NBX
jF1EPYOlRUbBloGg1otIwcjCmHcngVXoYKbenYk96V4aynCTp7SPyuaTFQCa3Gbe
I1R9Zj6satZOwGNBUZIIqAIkmk8EcVhqapnZmjS34JugJYHTQ/UaLFvm9R7cksEr
CEiw27wSuPHnINzPIO54VQuTVCo0BW3EImZ2uJSjcLsnc04kG6U/5OirbbpbsoCI
2aQQQ0zB+lg=
=nQiZ
—–END PGP SIGNATURE—–

The post ESB-2021.1328.2 – UPDATE [Juniper] Junos OS: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1328-2-update-juniper-junos-os-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1328-2-update-juniper-junos-os-multiple-vulnerabilities

ESB-2021.1790 – [Debian] ring: Denial of service – Remote with user interaction

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1790
ring security update
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: ring
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Denial of Service — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21375

Reference: ESB-2021.1396

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/05/msg00020.html

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– – ————————————————————————-
Debian LTS Advisory DLA-2665-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
May 23, 2021 https://wiki.debian.org/LTS
– – ————————————————————————-

Package : ring
Version : 20161221.2.7bd7d91~dfsg1-1+deb9u1
CVE ID : CVE-2021-21375

An issue has been found in ring, a secure and distributed voice, video and
chat platform. Actually the embedded copy of pjproject is affected by this
CVE.
Due to bad handling of two consecutive crafted answers to an INVITE, the
attacker is able to crash the server resulting in a denial of service.

For Debian 9 stretch, this problem has been fixed in version
20161221.2.7bd7d91~dfsg1-1+deb9u1.

We recommend that you upgrade your ring packages.

For the detailed security status of ring please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ring

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

– —–BEGIN PGP SIGNATURE—–

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmCqaKtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEeTfQ//TA/OkWOAXn1K3nBtM7qpsmJhUjPHHRhQF8PTw27cnPgmcoXLKXjdtK8q
i0qmb8DnV2aOmum866X4Po8CzYCZIsVOvlyDEkbyx3dV32oBK8w6i6Ka7Nfp8WeF
TEI2we6iL+Hk83Y2E4sgkfyPYGsLxq+oSQOE9vtphYDbQnUTf3K9WFz4s04/1vB3
vaxJzGQPaWTqa/ukHpKaW3VJAO+n+X2oUpOpbObTLMzKMIF+hYwqKDRYMNGz1Bbp
c/buYBwseQy9DRTg0dvg+9BI02IhtZ64wkiSsYwserwgH0gEm8Kkg4g0oza8PUCx
oeL9P1cw2wj2UpCXm2Ckd5xqbKHhIgcsu75HG5mQVcfQslnH+T44+O8x1uOribLU
fTFDEiDoiFOADSCSDuSYcxwXBNu5pmBQN3EMY+4tPvdphuBLJYYc6bhZceL+aJ4s
lpLHAnW9icFUZH3qAl2t6bldFFbx+6jTTgPaiwx28GJVJHN4Hv3fJPUaGib5/nLL
/b9fYszhKAgdY/cXI7oCOQXkf6emv1NFh33e7vOTSjYDZBuyDNg0jV9WjiXSHhgR
9rQWUsLcztAWRc7lz8E7QOn5YmjGkZ2kQNSU0qD+pmqhybJ+taJD+tbtaTBJhjBG
Bb5MBfrdvfoybL9zxFfYBIwZ5CnLsC9/dxoziwsJwdk6SCpPA58=
=1l+j
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKsUgeNLKJtyKPYoAQgjIQ/+PTg8gv5Zrv6UZqzyReZZI0svjReVQIhd
vXCGH1iGe1sW5/KGJ06WLIoyWcxg/viKk88MWF+i4tg7XC/dttKUPcMRDq+YonER
Pv2SIhCftQvHB75d0QWICGdH6AC7Iij3L3Z0tOHgJGjBeXpWzTZdlMjStQebixDd
7eW478ZnPHJw5lrKNG2E/pPrZ3B1VVk3aUXOl3ld/fMe63FF65r5/iDbKMHokGUH
8J0ZeVJoErqoBvqGW9rqyqg5bxYU6cu6OasAzkxxu0U2wvr7e4+TcRGa2Tz/8Qw0
ojO6j1ipu8wjsGyt7H94AI/L0tR6KO1OvPMmssP1JhM13DORGwouS9I2Tr9MdiTq
ePdvsgo3GEN8nGqxapnAvj+FEeEHs3f5T1zsNfSs+MXAD95dInG2WHxGBbmmlYhf
246LJpAWiiCY5SghZt5bXrBJohP6YkqipyQnON9Qlf9yMgMt7sxEmLgrhQqkTQp/
qeh47OFCfUx24kN57o9onXD0dxno9OEFUl5iugDN4VNerzPxjecmqkxrlSldL0Lq
dSL84AxWd1/dTVmnyWP2RDmI1gwCGOgVeitL5D6FJK4kZ5mL4LQNCJt1KW55AfWm
dTcNLSRF9Seb0j2U45cT0ZgGjMg3pIHEhxr7YPwknR0LJbPfY4C7eHJM94jXCgL/
JuhxF2uuLIk=
=IPYi
—–END PGP SIGNATURE—–

The post ESB-2021.1790 – [Debian] ring: Denial of service – Remote with user interaction appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1790-debian-ring-denial-of-service-remote-with-user-interaction/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1790-debian-ring-denial-of-service-remote-with-user-interaction

ESB-2021.1791 – [Debian] lz4: Denial of service – Remote/unauthenticated

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1791
lz4 security update
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: lz4
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Denial of Service — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3520

Reference: ESB-2021.1748
ESB-2021.1661
ESB-2021.1637

Original Bulletin:
http://www.debian.org/security/2021/dsa-4919

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– – ————————————————————————-
Debian Security Advisory DSA-4919-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 21, 2021 https://www.debian.org/security/faq
– – ————————————————————————-

Package : lz4
CVE ID : CVE-2021-3520
Debian Bug : 987856

Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a
fast LZ compression algorithm library, resulting in memory corruption.

For the stable distribution (buster), this problem has been fixed in
version 1.8.3-1+deb10u1.

We recommend that you upgrade your lz4 packages.

For the detailed security status of lz4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/lz4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

– —–BEGIN PGP SIGNATURE—–

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmCnrLxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qs8Q/7B2cSOJauVyaBvOcOY0CVy1C4LjzD+FMhizy/9WOnOTeSzCEstoZPN0j5
Cw1kVqvkyQvzGIy6lcOpeR9FiWGvAzdW28tWh2e7iCgRnUynIFt9o4kAYet/flNA
0t+QQbSwMgTX0mMCkcqToZxcRpnjCNmrmfu459qGw0zrKQ7uhgjA0QrcTQhVpr4p
Xj7NeCS7303ZjV5D+UwdEnYM/vGFNWSAQ0o9veWFwj4+K+AkgwzyeZL3ghAEsS2L
WFpX/cMg2WuaEQtA2y6y9UsUPh8hQLN5P6MRnmZoWWXQXrpLOkSN7/rmK1GCeHRJ
qc8V1HF6yIPYhpFt+GZJvwc/hnjRYXzvv7k4AtQCCPDTrKbAfwpiPYFdvdrXGfqi
2wy3WdoAQbnRbIujbSBw1NI75tzJm2aAgl6NZ3TrmZ1proNJzWDwvrqGNYPtn6vn
xYAZcGeH5JXmXRngfXbQLOXTapniBknaY+c6Eq/LE9WNn169hlfr/OxXwAesTycS
skKvWIr6c5pyF9ZGg6FcvWqMI/Hl6zDW1sl5dVlj/o2eQrN6i2zIlhFdSiEVU2UX
A1sE4cxEiA0eoZJBg8rdg6A9Ck4MoLuEKVz0HuYsj18+VDAtOz2bvBOLMr3EgV3k
AC2Gi1HReVMBihewrnMtiIqu1ZxYVPCkvpKvyzD1R0IxNJofLWE=
=+5P6
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKsU3+NLKJtyKPYoAQi1qg//SlpBkcGVeRyLRhX0hi4FC+EN7Cw+jeFq
CJkcnvCCvTIOZt3ssoMusTvQ+14iZx8g6Yjq2So8W4yBG4BkYS8nMrk5IOBIQOsa
9hjx5ZdPISU/VVH5GEIAsHFpgdnDCbSXUz08zGf17ZtQe6RztcOsBxfUaz1U/pIl
MSVtE9dI3tr4alvFfnLNIuil8Th8uFQ2Pfc8Z7kElh97aElOLT6Irmat6P8YsWpM
C6kwADC2vIiRS/mVCkZf9Iq0Rem8pahvjToYIrMsw7nG7AnmHa0wBfEwR2+pRhrY
fNk4g5XY54yAHcLQtxZgiJ9OUtvJ6bkv/PLAKqDx9kV2e21no88oRVXIYGG8CQvc
5SXC19FPjblY6JJrUQ7RozLxDEx7M+h5ZVWv1QWZn8qkMpF2k9MNvb7j1timSEB3
B9Ku8y6awIiaPh5K+zp7UrxEM4x1pkmecnV6uiTcvj1W/sZOwpzhGCL6m9qe017F
+uWJoVrSfi/IlNueSf0e8OPosh1RHaxC5LnQl7ZteaU7QFVMNpJlaRBADLPvgfID
iyil+trLl5YTvknuVKsSfO94nu4CLy/wMWcK/z/xb9XrTzqV3jRcvmIy/hi2aYvn
/epdUjRVauO8/yl637ht92fZqh2rNNuPecWVEXDJRTpNRhWgRKLhJ/Syvqla4aPo
3BaU03GXuXw=
=FAxv
—–END PGP SIGNATURE—–

The post ESB-2021.1791 – [Debian] lz4: Denial of service – Remote/unauthenticated appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1791-debian-lz4-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1791-debian-lz4-denial-of-service-remote-unauthenticated

ESB-2021.1788 – [SUSE] SUSE Manager Client Tools: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1788
Security Beta update for SUSE Manager Client Tools
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: SUSE Manager Client Tools
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Increased Privileges — Existing Account
Access Confidential Data — Remote/Unauthenticated
Reduced Security — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
CVE-2021-25282 CVE-2021-25281 CVE-2021-3197
CVE-2021-3148 CVE-2021-3144 CVE-2020-35662
CVE-2020-28972 CVE-2020-28243

Reference: ESB-2021.0975
ESB-2021.0727

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211694-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211693-1
https://www.suse.com/support/update/announcement/2021/suse-su-202114734-1
https://www.suse.com/support/update/announcement/2021/suse-su-202114733-1
https://www.suse.com/support/update/announcement/2021/suse-su-202114732-1

Comment: This bulletin contains five (5) SUSE security advisories.

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security Beta update for SUSE Manager Client Tools

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1694-1
Rating: moderate
References: #1099976 #1171257 #1172110 #1174855 #1176293 #1177474
#1179831 #1180101 #1180818 #1181290 #1181347 #1181368
#1181550 #1181556 #1181557 #1181558 #1181559 #1181560
#1181561 #1181562 #1181563 #1181564 #1181565 #1182281
#1182293 #1182740 #1185092 #1185281
Cross-References: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281
CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144
CVE-2021-3148 CVE-2021-31607 CVE-2021-3197
Affected Products:
SUSE Manager Debian 10-CLIENT-TOOLS-BETA
______________________________________________________________________________

An update that solves 11 vulnerabilities, contains one feature and has 17 fixes
is now available.

Description:

This update fixes the following issues:
salt:

o Update to Salt release version 3002.2 (jsc#ECO-3212)
o Drop support for Python2. Obsoletes “python2-salt” package
o Virt module updates * network: handle missing ipv4 netmask attribute * more
network support * PCI/USB host devices passthrough support
o Set distro requirement to oldest supported version in requirements/base.txt
o Bring missing part of async batch implementation back
o Always require python3-distro (bsc#1182293)
o Remove deprecated warning that breaks minion execution when
“server_id_use_crc” opts is missing
o Remove msgpack = 1.0.0 (bsc#1171257)
o Fix issue parsing errors in ansiblegate state module
o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
o Remove duplicate directories from specfile
o Improvements on “ansiblegate” module (bsc#1185092): * New methods:
ansible.targets / ansible.discover_playbooks
o Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
o Regression fix of salt-ssh on processing targets
o Update target fix for salt-ssh and avoiding race condition on salt-ssh
event processing (bsc#1179831, bsc#1182281)
o Add notify beacon for Debian/Ubuntu systems
o Fix zmq bug that causes salt-call to freeze (bsc#1181368)
o Add core grains support for AlmaLinux
o Allow vendor change option with zypper
o Virt: virtual network backports to Salt 3000
o Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules
(bsc#1177474)
o Only require python-certifi for CentOS7
o Fix race conditions for corner cases when handling SIGTERM by minion (bsc#
1172110)
o Implementation of suse_ip execution module to prevent issues with
network.managed (bsc#1099976)
o Fix recursion false detection in payload (bsc#1180101)
o Add sleep on exception handling on minion connection attempt to the master
(bsc#1174855)
o Allows for the VMware provider to handle CPU and memory hot-add in newer
versions of the software. (bsc#1181347)
o Always require python-certifi (used by salt.ext.tornado)
o Exclude SLE 12 from requiring python-certifi
o Do not crash when unexpected cmd output at listing patches (bsc#1181290)
o Fix behavior for “onlyif/unless” when multiple conditions (bsc#1180818)
o Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
o Allow extra_filerefs as sanitized kwargs for SSH client
o Fix errors with virt.update
o Fix for multiple for security issues (CVE-2020-28243) (CVE-2020-28972)
(CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281)
(CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#
1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#
1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#
1181565)
o Virt: search for grub.xen path
o Xen spicevmc, DNS SRV records backports: Fix virtual network generated DNS
XML for SRV records Don’t add spicevmc channel to xen VMs
o Virt UEFI fix: virt.update when efi=True
o Revert wrong zypper patch to support vendorchanges flags on pkg.install

spacecmd:

o Rename system migration to system transfer
o Rename SP to product migration

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Debian 10-CLIENT-TOOLS-BETA:
zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-BETA-x86_64-2021-1694=1

Package List:

o SUSE Manager Debian 10-CLIENT-TOOLS-BETA (all):
salt-common-3002.2+ds-1+2.24.1
salt-minion-3002.2+ds-1+2.24.1
spacecmd-4.2.8-2.15.1

References:

o https://www.suse.com/security/cve/CVE-2020-28243.html
o https://www.suse.com/security/cve/CVE-2020-28972.html
o https://www.suse.com/security/cve/CVE-2020-35662.html
o https://www.suse.com/security/cve/CVE-2021-25281.html
o https://www.suse.com/security/cve/CVE-2021-25282.html
o https://www.suse.com/security/cve/CVE-2021-25283.html
o https://www.suse.com/security/cve/CVE-2021-25284.html
o https://www.suse.com/security/cve/CVE-2021-3144.html
o https://www.suse.com/security/cve/CVE-2021-3148.html
o https://www.suse.com/security/cve/CVE-2021-31607.html
o https://www.suse.com/security/cve/CVE-2021-3197.html
o https://bugzilla.suse.com/1099976
o https://bugzilla.suse.com/1171257
o https://bugzilla.suse.com/1172110
o https://bugzilla.suse.com/1174855
o https://bugzilla.suse.com/1176293
o https://bugzilla.suse.com/1177474
o https://bugzilla.suse.com/1179831
o https://bugzilla.suse.com/1180101
o https://bugzilla.suse.com/1180818
o https://bugzilla.suse.com/1181290
o https://bugzilla.suse.com/1181347
o https://bugzilla.suse.com/1181368
o https://bugzilla.suse.com/1181550
o https://bugzilla.suse.com/1181556
o https://bugzilla.suse.com/1181557
o https://bugzilla.suse.com/1181558
o https://bugzilla.suse.com/1181559
o https://bugzilla.suse.com/1181560
o https://bugzilla.suse.com/1181561
o https://bugzilla.suse.com/1181562
o https://bugzilla.suse.com/1181563
o https://bugzilla.suse.com/1181564
o https://bugzilla.suse.com/1181565
o https://bugzilla.suse.com/1182281
o https://bugzilla.suse.com/1182293
o https://bugzilla.suse.com/1182740
o https://bugzilla.suse.com/1185092
o https://bugzilla.suse.com/1185281

– ———————————————————————————————————————————–

SUSE Security Update: Security Beta update for SUSE Manager Client Tools

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1693-1
Rating: moderate
References: #1185092 #1185281
Cross-References: CVE-2021-31607
Affected Products:
SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update fixes the following issues:
salt:

o Fix issue parsing errors in ansiblegate state module
o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
o Transactional_update: detect recursion in the executor
o Add subpackage salt-transactional-update
o Remove duplicate directories from specfile
o Improvements on “ansiblegate” module (bsc#1185092): * New methods:
ansible.targets / ansible.discover_playbooks * General bugfixes

spacecmd:

o Rename system migration to system transfer
o Rename SP to product migration

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA:
zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-BETA-x86_64-2021-1693=1

Package List:

o SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA (all):
salt-common-3000+ds-1+2.15.1
salt-minion-3000+ds-1+2.15.1
spacecmd-4.2.8-2.15.1

References:

o https://www.suse.com/security/cve/CVE-2021-31607.html
o https://bugzilla.suse.com/1185092
o https://bugzilla.suse.com/1185281

– ——————————————————————————————————————————–

SUSE Security Update: Security Beta update for SUSE Manager Client Tools

______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update fixes the following issues:
salt:

spacecmd:

o Rename system migration to system transfer
o Rename SP to product migration

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA:
zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-BETA-x86_64-2021-1693=1

Package List:

o SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA (all):
salt-common-3000+ds-1+2.15.1
salt-minion-3000+ds-1+2.15.1
spacecmd-4.2.8-2.15.1

References:

o https://www.suse.com/security/cve/CVE-2021-31607.html
o https://bugzilla.suse.com/1185092
o https://bugzilla.suse.com/1185281

– ————————————————————————————————————————————–

SUSE Security Update: Security Beta update for SUSE Manager Client Tools

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14733-1
Rating: moderate
References: #1099976 #1171257 #1172110 #1174855 #1176293 #1177474
#1179831 #1180101 #1180818 #1181290 #1181347 #1181368
#1181550 #1181556 #1181557 #1181558 #1181559 #1181560
#1181561 #1181562 #1181563 #1181564 #1181565 #1182281
#1182293 #1182740 #1185092 #1185281
Cross-References: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281
CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144
CVE-2021-3148 CVE-2021-31607 CVE-2021-3197
Affected Products:
SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA
______________________________________________________________________________

An update that solves 11 vulnerabilities, contains one feature and has 17 fixes
is now available.

Description:

This update fixes the following issues:
salt:

o Update to Salt release version 3002.2 (jsc#ECO-3212)
o Drop support for Python2. Obsoletes `python2-salt` package
o Virt module updates * network: handle missing ipv4 netmask attribute * more
network support * PCI/USB host devices passthrough support
o Set distro requirement to oldest supported version in requirements/base.txt
o Bring missing part of async batch implementation back
o Always require python3-distro (bsc#1182293)
o Remove deprecated warning that breaks minion execution when
“server_id_use_crc” opts is missing
o Remove msgpack = 1.0.0 (bsc#1171257)
o Fix issue parsing errors in ansiblegate state module
o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
o Transactional_update: detect recursion in the executor
o Add subpackage salt-transactional-update
o Remove duplicate directories from specfile
o Improvements on “ansiblegate” module (bsc#1185092): * New methods:
ansible.targets / ansible.discover_playbooks * General bugfixes
o Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
o Regression fix of salt-ssh on processing targets
o Update target fix for salt-ssh and avoiding race condition on salt-ssh
event processing (bsc#1179831, bsc#1182281)
o Add notify beacon for Debian/Ubuntu systems
o Fix zmq bug that causes salt-call to freeze (bsc#1181368)
o Add core grains support for AlmaLinux
o Allow vendor change option with zypper
o Virt: virtual network backports to Salt 3000
o Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules
(bsc#1177474)
o Only require python-certifi for CentOS7
o Fix race conditions for corner cases when handling SIGTERM by minion (bsc#
1172110)
o Implementation of suse_ip execution module to prevent issues with
network.managed (bsc#1099976)
o Fix recursion false detection in payload (bsc#1180101)
o Add sleep on exception handling on minion connection attempt to the master
(bsc#1174855)
o Allows for the VMware provider to handle CPU and memory hot-add in newer
versions of the software. (bsc#1181347)
o Always require python-certifi (used by salt.ext.tornado)
o Exclude SLE 12 from requiring python-certifi
o Do not crash when unexpected cmd output at listing patches (bsc#1181290)
o Fix behavior for “onlyif/unless” when multiple conditions (bsc#1180818)
o Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
o Allow extra_filerefs as sanitized kwargs for SSH client
o Fix errors with virt.update
o Fix for multiple for security issues (CVE-2020-28243) (CVE-2020-28972)
(CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281)
(CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#
1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#
1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#
1181565)
o Virt: search for grub.xen path
o Xen spicevmc, DNS SRV records backports: Fix virtual network generated DNS
XML for SRV records Don’t add spicevmc channel to xen VMs
o Virt UEFI fix: virt.update when efi=True
o Revert wrong zypper patch to support vendorchanges flags on pkg.install

spacecmd:

o Rename system migration to system transfer
o Rename SP to product migration

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA:
zypper in -t patch suse-ubu184ct-client-tools-beta-202105-14733=1

Package List:

o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all):
salt-common-3002.2+ds-1+27.42.1
salt-minion-3002.2+ds-1+27.42.1
spacecmd-4.2.8-2.24.1

References:

– —————————————————————————————————————————————————-

SUSE Security Update: Security Beta update for SUSE Manager Client Tools

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14732-1
Rating: moderate
References: #1177884 #1185178 #1185281
Cross-References: CVE-2021-31607
Affected Products:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update fixes the following issues:
mgr-daemon:

o Update translation strings

mgr-osad:

o Change the log file permissions as expected by logrotate (bsc#1177884)
o Change deprecated path /var/run into /run for systemd (bsc#1185178)

salt:

o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)

spacecmd:

o Rename system migration to system transfer
o Rename SP to product migration

spacewalk-client-tools:

o Update translations string

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA:
zypper in -t patch slesctsp4-client-tools-beta-202105-14732=1
o SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA:
zypper in -t patch slesctsp3-client-tools-beta-202105-14732=1

Package List:

o SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (i586 ia64 ppc64
s390x x86_64):
mgr-daemon-4.2.7-8.12.1
mgr-osad-4.2.5-8.15.1
python2-mgr-osa-common-4.2.5-8.15.1
python2-mgr-osad-4.2.5-8.15.1
python2-spacewalk-check-4.2.10-30.30.1
python2-spacewalk-client-setup-4.2.10-30.30.1
python2-spacewalk-client-tools-4.2.10-30.30.1
salt-2016.11.10-46.18.1
salt-doc-2016.11.10-46.18.1
salt-minion-2016.11.10-46.18.1
spacecmd-4.2.8-21.24.1
spacewalk-check-4.2.10-30.30.1
spacewalk-client-setup-4.2.10-30.30.1
spacewalk-client-tools-4.2.10-30.30.1
o SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (i586 ia64 ppc64
s390x x86_64):
mgr-daemon-4.2.7-8.12.1
mgr-osad-4.2.5-8.15.1
python2-mgr-osa-common-4.2.5-8.15.1
python2-mgr-osad-4.2.5-8.15.1
python2-spacewalk-check-4.2.10-30.30.1
python2-spacewalk-client-setup-4.2.10-30.30.1
python2-spacewalk-client-tools-4.2.10-30.30.1
salt-2016.11.10-46.18.1
salt-doc-2016.11.10-46.18.1
salt-minion-2016.11.10-46.18.1
spacecmd-4.2.8-21.24.1
spacewalk-check-4.2.10-30.30.1
spacewalk-client-setup-4.2.10-30.30.1
spacewalk-client-tools-4.2.10-30.30.1

References:

o https://www.suse.com/security/cve/CVE-2021-31607.html
o https://bugzilla.suse.com/1177884
o https://bugzilla.suse.com/1185178
o https://bugzilla.suse.com/1185281

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKsCI+NLKJtyKPYoAQjfRBAAqkNEoCpar/ib+fw/LZ6I4/BoZH/ZHjJ2
9EsRoJ+syTFEiKPLzTLF+/iKZfYT2h0vY03F9k0crSDJi/gMkLf1CoqmmunfD0iF
HcNieFD5tjHUrly19K05EWVHGOu/BaA2+NPDGnY6jhy+nIkqEdYQxDm2oLOk2G1E
1u2XnOfj4YLL6E8fyvt0OAxSEGO8KzE04eFuzQyth1btc4yBLjxNgqyaxSIRq7aY
Hpi+fDEoe6WHznqhx7+7xGVljX1Muebm57ZlpKc1cz8jBy5d7PXYyVdAvyDJ3QE2
hUx4Uq9gAYngRLtwwHbNKf1s72/TB484Yne2/cXDW+gZCf6V2Aggj8h3P6mOwCYM
Q/BV3HHhPMa0YzpcSUjCI6XfKPW4lU+bEmFRUtvAamuZ092PyTqBHtLHRQusFw8y
pRlwh/n+8VENPLzPqtZtNWdwc8CpjTbtxB7vFp03Oej4WCyms7gpMjXBOeySjcdN
QCfdFD7Dy4MOcKz2i0Wk7mmoeAOENdSD5o2tot3RDYJswte8x5pOLkIGqSjJ85TE
uCFF+nHvLu+0jm2jF2WhBtJW+Ixr7pVrbte0b0IULlxvxy6BhkLz0ptOY18nbmwN
h4B6gAL0TEBKGDkOdSTxC4rLrROTriE1xMo7J4Z7w1gSdupg5BZaCAGk9u0XqaKh
AF8NRyMLWCE=
=mywY
—–END PGP SIGNATURE—–

The post ESB-2021.1788 – [SUSE] SUSE Manager Client Tools: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1788-suse-suse-manager-client-tools-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1788-suse-suse-manager-client-tools-multiple-vulnerabilities

ESB-2021.1789 – [SUSE] Salt: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1789
Security Beta update for Salt
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: Salt
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Increased Privileges — Existing Account
Access Confidential Data — Remote/Unauthenticated
Reduced Security — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
CVE-2021-25282 CVE-2021-25281 CVE-2021-3197
CVE-2021-3148 CVE-2021-3144 CVE-2020-35662
CVE-2020-28972 CVE-2020-28243

Reference: ESB-2021.0740
ESB-2021.0727

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211690-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211688-1

Comment: This bulletin contains two (2) SUSE security advisories.

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security Beta update for Salt

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1690-1
Rating: moderate
References: #1099976 #1171257 #1172110 #1174855 #1176293 #1177474
#1179831 #1180101 #1180818 #1181290 #1181347 #1181368
#1181550 #1181556 #1181557 #1181558 #1181559 #1181560
#1181561 #1181562 #1181563 #1181564 #1181565 #1182281
#1182293 #1182740 #1185092 #1185281
Cross-References: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281
CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144
CVE-2021-3148 CVE-2021-31607 CVE-2021-3197
Affected Products:
SUSE Manager Tools 15-BETA
______________________________________________________________________________

An update that solves 11 vulnerabilities, contains one feature and has 17 fixes
is now available.

Description:

This update fixes the following issues:
salt:

o Update to Salt release version 3002.2 (jsc#ECO-3212)
o Drop support for Python2. Obsoletes “python2-salt” package
o Virt module updates * network: handle missing ipv4 netmask attribute * more
network support * PCI/USB host devices passthrough support
o Set distro requirement to oldest supported version in requirements/base.txt
o Bring missing part of async batch implementation back
o Always require python3-distro (bsc#1182293)
o Remove deprecated warning that breaks minion execution when
“server_id_use_crc” opts is missing
o Remove msgpack = 1.0.0 (bsc#1171257)
o Fix issue parsing errors in ansiblegate state module
o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
o Transactional_update: detect recursion in the executor
o Add subpackage salt-transactional-update
o Remove duplicate directories from specfile
o Improvements on “ansiblegate” module (bsc#1185092): * New methods:
ansible.targets / ansible.discover_playbooks
o Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
o Regression fix of salt-ssh on processing targets
o Update target fix for salt-ssh and avoiding race condition on salt-ssh
event processing (bsc#1179831, bsc#1182281)
o Add notify beacon for Debian/Ubuntu systems
o Fix zmq bug that causes salt-call to freeze (bsc#1181368)
o Add core grains support for AlmaLinux
o Allow vendor change option with zypper
o Virt: virtual network backports to Salt 3000
o Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules
(bsc#1177474)
o Only require python-certifi for CentOS7
o Fix race conditions for corner cases when handling SIGTERM by minion (bsc#
1172110)
o Implementation of suse_ip execution module to prevent issues with
network.managed (bsc#1099976)
o Fix recursion false detection in payload (bsc#1180101)
o Add sleep on exception handling on minion connection attempt to the master
(bsc#1174855)
o Allows for the VMware provider to handle CPU and memory hot-add in newer
versions of the software. (bsc#1181347)
o Always require python-certifi (used by salt.ext.tornado)
o Exclude SLE 12 from requiring python-certifi
o Do not crash when unexpected cmd output at listing patches (bsc#1181290)
o Fix behavior for “onlyif/unless” when multiple conditions (bsc#1180818)
o Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
o Allow extra_filerefs as sanitized kwargs for SSH client
o Fix errors with virt.update
o Fix for multiple for security issues (CVE-2020-28243) (CVE-2020-28972)
(CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281)
(CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#
1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#
1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#
1181565)
o Virt: search for grub.xen path
o Xen spicevmc, DNS SRV records backports: Fix virtual network generated DNS
XML for SRV records Don’t add spicevmc channel to xen VMs
o Virt UEFI fix: virt.update when efi=True
o Revert wrong zypper patch to support vendorchanges flags on pkg.install

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Tools 15-BETA:
zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-1690=1

Package List:

o SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64):
python3-salt-3002.2-8.41.1
salt-3002.2-8.41.1
salt-api-3002.2-8.41.1
salt-cloud-3002.2-8.41.1
salt-doc-3002.2-8.41.1
salt-master-3002.2-8.41.1
salt-minion-3002.2-8.41.1
salt-proxy-3002.2-8.41.1
salt-ssh-3002.2-8.41.1
salt-standalone-formulas-configuration-3002.2-8.41.1
salt-syndic-3002.2-8.41.1
o SUSE Manager Tools 15-BETA (noarch):
salt-bash-completion-3002.2-8.41.1
salt-fish-completion-3002.2-8.41.1
salt-zsh-completion-3002.2-8.41.1

References:

– ————————————————————————————————————————————-

SUSE Security Update: Security Beta update for Salt

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1688-1
Rating: moderate
References: #1173692 #1185092 #1185281
Cross-References: CVE-2021-31607
Affected Products:
SUSE Manager Tools 12-BETA
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update fixes the following issues:
salt:

o Parsing Epoch out of version provided during pkg remove (bsc#1173692)
o Fix issue parsing errors in ansiblegate state module
o Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
o Transactional_update: detect recursion in the executor
o Add subpackage salt-transactional-update
o Remove duplicate directories from specfile
o Improvements on “ansiblegate” module (bsc#1185092): * New methods:
ansible.targets / ansible.discover_playbooks * General bugfixes

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Manager Tools 12-BETA:
zypper in -t patch SUSE-SLE-Manager-Tools-12-2021-1688=1

Package List:

o SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64):
python2-salt-3000-49.35.1
python3-salt-3000-49.35.1
salt-3000-49.35.1
salt-doc-3000-49.35.1
salt-minion-3000-49.35.1

References:

o https://www.suse.com/security/cve/CVE-2021-31607.html
o https://bugzilla.suse.com/1173692
o https://bugzilla.suse.com/1185092
o https://bugzilla.suse.com/1185281

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKsDd+NLKJtyKPYoAQif7w/+PCMD4gzeqC0IGWiGsUMEKWXob6ahyZJ1
wynHKVUBiTtOiw77DFRWchRssK7rWeKhEeydnfHgm/ieDLcS/+hWgzoLZPfui4Ez
pRaeDUzdn0AEkv/DrIdlbRGOQVRTv3Us9x4ShJa5ZhS8Qj5pGD3AdQeE9GViK+Qj
PDhxmQ1I3MUKbCcxnZlN97z6lArVofyMe/hopK95ctRhMiVHwO4MMlkLJ+FkEYig
EKbjsLbYctbFDmuaCGAeWOkjxa0HyNu5FBuhznOB9RpFKqyscm3eGjtiEy10/Vrt
4UXbfK8CUSBahSdBq83DzeGxnHNWUU297AM1dva0QQfoMrWH6s7NKPIx0K23de5c
BSC7Hq7F6YCZ6/yA4M/yKFmu/wDhcXqCcGgtGCfpxCwdFhOeDdnfZ8RwuAWVRF8U
vszm/omp96XgkV2vpDFhcvNZ45RNuCZXf1Boihkt5o7CmBtqYsCDFkE2DhtTidtK
pfqoqFhnARYG+I9ureDFtjgAgnTIJ30/ZiUHcMVl1K4scP5rwngwxQ6mJdwLFiCw
uzgiNn7NRHeSCAxsqs4JQ+RM80a1IbEaV5Jjvygl8v0dbjXXMnkgRl5qpk/CqOlT
Qkgh5CIMqOmdJuiMOGnLGNTuQyEmCGNEeKiRzz9pAQbiXcrdk/niS4tj3mhNfQjL
u5mw600sVX4=
=I9aI
—–END PGP SIGNATURE—–

The post ESB-2021.1789 – [SUSE] Salt: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1789-suse-salt-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1789-suse-salt-multiple-vulnerabilities

ESB-2021.1785.2 – UPDATE [Linux] IBM Resilient SOAR: Reduced security – Remote/unauthenticated

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1785.2
Security Bulletin: IBM Resilient SOAR is Using Components
with Known Vulnerabilities – Java SE (CVE-2020-14782)
24 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: IBM Resilient SOAR
Publisher: IBM
Operating System: Linux variants
Impact/Access: Reduced Security — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14782

Reference: ASB-2020.0175
ESB-2021.1216
ESB-2021.1146
ESB-2021.0914

Original Bulletin:
https://www.ibm.com/support/pages/node/6454197

Revision History: May 24 2021: Minor text fixes
May 21 2021: Initial Release

– ————————–BEGIN INCLUDED TEXT——————–

IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE
(CVE-2020-14782)

Document Information

Document number : 6454197
Modified date : 18 May 2021
Product : IBM Resilient
Software version : IBM Resilient SOAR v38.0
Operating system(s): Linux

Summary

IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE
(CVE-2020-14782)

Vulnerability Details

CVEID: CVE-2020-14782
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
190100 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+——————-+—————–+
|Affected Product(s)|Version(s) |
+——————-+—————–+
|Resilient OnPrem |IBM Security SOAR|
+——————-+—————–+

Remediation/Fixes

Users must upgrade to v41.0 of IBM Resilient in order to obtain a fix for this
vulnerability. This upgrades the version of IBM Java SDK to 8.0 Service Refresh
6 Fix Pack 26.

You can upgrade the platform by following the instructions in the ” Upgrade
Procedure ” section in the IBM Knowledge Center.

Workarounds and Mitigations

None

Change History

17 May 2021: Initial Publication

– ————————–END INCLUDED TEXT——————–

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

iQIVAwUBYKr16eNLKJtyKPYoAQiXLw/5AYroO2dlOqlTuFUMgOgwc9X1SMuBLkeT
sSd1zrLI4tcXG0gmgWmGVpvA8y3p7WfWON6XnXauw6vviNU0/Itg350ub+0EYXqd
88hBKtLEin8d8cCrdD4hPDXy1Zmlb+kmiLFiJ1X5lNusIXVgdFDI8EhW/vNtKZ82
0Dd8pEj9zxvO+n/CSgZjUh9BvJzZbZY5JL/3+AN7eMN48nBCrToCqWGrC/qhr9Hz
USbkfzy7hhWbraEAjV6NQb/+nuUE6eQxFmNlK50qm23vPaONuloCMxDOf5VM8SNt
NdWydZAC2r0Jhv/RCCMF+8LLJhuMkM5qV37Pvnmvls4hQbJF5dt2LAH2eA402aRP
HI8bTXSNdIC2S12Ol2WGgVHuAec2rhAXZuu0z5oq6TaIbHGbOByNZ1ER9OlW61ZQ
PR0AdXlsZVVxKEcxd9p7oDn552pAJ60iegViqTJ9eML0xdRso9K7xfLGyACMZ+BV
9deKHtix3PPCSaVxwposEJRD6nIj24/EObOKLXSSp9aElcuEET6ZHVQUlU70/4Aw
d74sd6R0O/Ao7DRH2+WLZ0x3Au8sao6iS/exluQyoOnSdvuHfP2e1CaCYVd1q+Tc
MoT9IL7Cyiv+JFOq1ZZHo9BGQqj1HfpNr8llxCmsrbgeVvDrcWUjwGqv8JrQ6j/D
TwGWyvjdLAs=
=jigH
—–END PGP SIGNATURE—–

The post ESB-2021.1785.2 – UPDATE [Linux] IBM Resilient SOAR: Reduced security – Remote/unauthenticated appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/esb-2021-1785-2-update-linux-ibm-resilient-soar-reduced-security-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1785-2-update-linux-ibm-resilient-soar-reduced-security-remote-unauthenticated

A Rule Mining-Based Advanced Persistent Threats Detection System

The post A Rule Mining-Based Advanced Persistent Threats Detection System appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/a-rule-mining-based-advanced-persistent-threats-detection-system/?utm_source=rss&utm_medium=rss&utm_campaign=a-rule-mining-based-advanced-persistent-threats-detection-system

Design and Prototype Implementation of a Blockchain-Enabled LoRa System With Edge Computing

The post Design and Prototype Implementation of a Blockchain-Enabled LoRa System With Edge Computing appeared first on Malware Devil.

https://malwaredevil.com/2021/05/24/design-and-prototype-implementation-of-a-blockchain-enabled-lora-system-with-edge-computing/?utm_source=rss&utm_medium=rss&utm_campaign=design-and-prototype-implementation-of-a-blockchain-enabled-lora-system-with-edge-computing

Sunday, May 23, 2021

Excellent Conversions (and downloads)

This one was on a back burner for a while too. C:Program Files*Microsoft OfficerootOffice*excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]
Read More

The post Excellent Conversions (and downloads) appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/excellent-conversions-and-downloads-2/?utm_source=rss&utm_medium=rss&utm_campaign=excellent-conversions-and-downloads-2

Excellent Conversions (and downloads)

This one was on a back burner for a while too.

C:Program Files*Microsoft OfficerootOffice*excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with it I noticed it accepts URLs hence you can use it to download stuff from the internet. The caveat is that this downloaded data will be stored inside a UTF8-encoded stream embedded inside the XLSX Zip archive.

Example binary data (favicon.ico):

and data downloaded as a stream:

The command line arguments for excelcnv.exe are not documented well. Many examples online refer to “-oice” argument followed by the input and output file names. That’s it. And yeah, this actually works, so since I have already mentioned that input parameter can be an URL, the downloader invocation can be as follows:

excelcnv.exe -oice <URL> <OUPUT>

Still, there is more to discover.

For instance, what the heck is ‘oice’? After googling around I eventually discovered it stands for Office Isolated Conversion Environment.

Other interesting stuff to look at are other, undocumented command line arguments used by excelcnv.exe – these I found so far are as follows:

-oics – don’t know how it is being used at the moment-bcs – you can use it to convert INPUT file to .ods e.g. excelcnv.exe -bcs <XLSX> <ODS>-repair-o – orientation (for PDF)-ps – paper size (for PDF)-dps – default paper size (for PDF)-scl – scaling option (for PDF)-wtp – what to print (for PDF)-preview – preview quality (for PDF)-pofo – automatic print on file open (for PDF)-nafap – use named action setting (for PDF)-pglim – page limit (for PDF)-rv – unknown (for PDF)

There are probably more, but this is what I explored so far.

The default OUTPUT file type is XLSX. The file format can be changed using a dedicated file extension accepted by the program:

.xltx.xlam.xlsm.ods.xls*.pdf.xlsx.png.jpg

but not sure yet how to use all of them as not all of them worked for me (good news is that all the *.xl* work well with “-oice” command).

The post Excellent Conversions (and downloads) appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/excellent-conversions-and-downloads/?utm_source=rss&utm_medium=rss&utm_campaign=excellent-conversions-and-downloads

[VK.com] critical – CSRF на установку своей почты к аккаунту.

The post [VK.com] critical – CSRF на установку своей почты к аккаунту. appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/vk-com-critical-csrf-%d0%bd%d0%b0-%d1%83%d1%81%d1%82%d0%b0%d0%bd%d0%be%d0%b2%d0%ba%d1%83-%d1%81%d0%b2%d0%be%d0%b5%d0%b9-%d0%bf%d0%be%d1%87%d1%82%d1%8b-%d0%ba-%d0%b0%d0%ba%d0%ba%d0%b0%d1%83%d0%bd/?utm_source=rss&utm_medium=rss&utm_campaign=vk-com-critical-csrf-%25d0%25bd%25d0%25b0-%25d1%2583%25d1%2581%25d1%2582%25d0%25b0%25d0%25bd%25d0%25be%25d0%25b2%25d0%25ba%25d1%2583-%25d1%2581%25d0%25b2%25d0%25be%25d0%25b5%25d0%25b9-%25d0%25bf%25d0%25be%25d1%2587%25d1%2582%25d1%258b-%25d0%25ba-%25d0%25b0%25d0%25ba%25d0%25ba%25d0%25b0%25d1%2583%25d0%25bd

Network Security News Summary for Monday May 24th, 2021

Phishing without Server; Anti-Debugging; WinRM exposes http.sys; Firefox Exploit

Serverless Phishing Campaign
https://isc.sans.edu/forums/diary/Serverless+Phishing+Campaign/27446/

Locking Kernel32.dll As Anti-Debugging Technique
https://isc.sans.edu/forums/diary/Locking+Kernel32dll+As+AntiDebugging+Technique/27444/

WinRM Vulnerable to http.sys Vulnerability

I finally found time to answer my own question. WinRM *IS* vulnerable. This really expands the number of vulnerable systems, although no one would intentionally put that service on the internet.

— Jim DeVries (@JimDinMN) May 19, 2021

Mozilla Firefox “Content-Type Confusion” Unsafe Code Execution
https://besteffortteam.it/mozilla-firefox-content-type-confusion-unsafe-code-execution/

keywords: mozilla; firefox; winrm; anti-debugging; serverless; phishing

The post Network Security News Summary for Monday May 24th, 2021 appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/network-security-news-summary-for-monday-may-24th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-monday-may-24th-2021

XKCD ‘In Your Classroom’

via the comic delivery system monikered Randall Munroe resident at XKCD!

Permalink

The post XKCD ‘In Your Classroom’ appeared first on Security Boulevard.

The post XKCD ‘In Your Classroom’ appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/xkcd-in-your-classroom/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-in-your-classroom

CPDP 2021 – Moderator: Sophie in ‘t Veld ‘I Spy With My Little Eye…’

Speakers: Jan-Jaap Oerlemans, Edin Omanovic

Our sincere thanks to CPDP 2021 – Computers, Privacy & Data Protection Conference for publishing their well-crafted videos on the organization’s YouTube channel. Enjoy!

Permalink

The post CPDP 2021 – Moderator: Sophie in ‘t Veld ‘I Spy With My Little Eye…’ appeared first on Security Boulevard.

The post CPDP 2021 – Moderator: Sophie in ‘t Veld ‘I Spy With My Little Eye…’ appeared first on Malware Devil.

https://malwaredevil.com/2021/05/23/cpdp-2021-moderator-sophie-in-t-veld-i-spy-with-my-little-eye/?utm_source=rss&utm_medium=rss&utm_campaign=cpdp-2021-moderator-sophie-in-t-veld-i-spy-with-my-little-eye

Malware Devil

Malware Devil

Monday, May 24, 2021

ESB-2020.3822.5 – UPDATE [Cisco] Cisco AnyConnect Secure Mobility Client: Multiple vulnerabilities

ESB-2021.1328.2 – UPDATE [Juniper] Junos OS: Multiple vulnerabilities

ESB-2021.1790 – [Debian] ring: Denial of service – Remote with user interaction

ESB-2021.1791 – [Debian] lz4: Denial of service – Remote/unauthenticated

ESB-2021.1788 – [SUSE] SUSE Manager Client Tools: Multiple vulnerabilities

ESB-2021.1789 – [SUSE] Salt: Multiple vulnerabilities

ESB-2021.1785.2 – UPDATE [Linux] IBM Resilient SOAR: Reduced security – Remote/unauthenticated

A Rule Mining-Based Advanced Persistent Threats Detection System

Design and Prototype Implementation of a Blockchain-Enabled LoRa System With Edge Computing

Sunday, May 23, 2021

Excellent Conversions (and downloads)

Excellent Conversions (and downloads)

[VK.com] critical – CSRF на установку своей почты к аккаунту.

Network Security News Summary for Monday May 24th, 2021

XKCD ‘In Your Classroom’

CPDP 2021 – Moderator: Sophie in ‘t Veld ‘I Spy With My Little Eye…’

Barbary Pirates and Russian Cybercrime

Blog Archive

About Me