Malware Devil

Wednesday, June 9, 2021

ESB-2021.2028 – [RedHat] container-tools:2.0: Increased privileges – Existing account

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2028
container-tools:2.0 security update
9 June 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: container-tools:2.0
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Increased Privileges — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-30465

Reference: ESB-2021.1866
ESB-2021.1857

Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2291
https://access.redhat.com/errata/RHSA-2021:2292

Comment: This bulletin contains two (2) Red Hat security advisories.

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: container-tools:2.0 security update
Advisory ID: RHSA-2021:2291-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2291
Issue date: 2021-06-08
CVE Names: CVE-2021-30465
=====================================================================

1. Summary:

An update for the container-tools:2.0 module is now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) – aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers,
notably podman, buildah, skopeo, and runc.

Security Fix(es):

* runc: vulnerable to symlink exchange attack (CVE-2021-30465)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1954736 – CVE-2021-30465 runc: vulnerable to symlink exchange attack

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
buildah-1.11.6-8.module+el8.4.0+10193+e90fd8eb.src.rpm
cockpit-podman-11-1.module+el8.4.0+10193+e90fd8eb.src.rpm
conmon-2.0.15-1.module+el8.4.0+10193+e90fd8eb.src.rpm
container-selinux-2.130.0-1.module+el8.4.0+10193+e90fd8eb.src.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+10193+e90fd8eb.src.rpm
criu-3.12-9.module+el8.4.0+10193+e90fd8eb.src.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+10193+e90fd8eb.src.rpm
podman-1.6.4-26.module+el8.4.0+10193+e90fd8eb.src.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.4.0+10193+e90fd8eb.src.rpm
runc-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.src.rpm
skopeo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.src.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.src.rpm
toolbox-0.0.7-1.module+el8.4.0+10193+e90fd8eb.src.rpm
udica-0.2.1-2.module+el8.4.0+10193+e90fd8eb.src.rpm

aarch64:
buildah-1.11.6-8.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
buildah-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
buildah-debugsource-1.11.6-8.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
buildah-tests-1.11.6-8.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
buildah-tests-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
conmon-2.0.15-1.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
containers-common-0.1.41-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
crit-3.12-9.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
criu-3.12-9.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
criu-debuginfo-3.12-9.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
criu-debugsource-3.12-9.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-debugsource-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-remote-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-remote-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
podman-tests-1.6.4-26.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
python3-criu-3.12-9.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
runc-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.aarch64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.aarch64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.aarch64.rpm
skopeo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.aarch64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.aarch64.rpm

noarch:
cockpit-podman-11-1.module+el8.4.0+10193+e90fd8eb.noarch.rpm
container-selinux-2.130.0-1.module+el8.4.0+10193+e90fd8eb.noarch.rpm
podman-docker-1.6.4-26.module+el8.4.0+10193+e90fd8eb.noarch.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.4.0+10193+e90fd8eb.noarch.rpm
toolbox-0.0.7-1.module+el8.4.0+10193+e90fd8eb.noarch.rpm
udica-0.2.1-2.module+el8.4.0+10193+e90fd8eb.noarch.rpm

ppc64le:
buildah-1.11.6-8.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
buildah-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
buildah-debugsource-1.11.6-8.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
buildah-tests-1.11.6-8.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
buildah-tests-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
conmon-2.0.15-1.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
containers-common-0.1.41-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
crit-3.12-9.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
criu-3.12-9.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
criu-debuginfo-3.12-9.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
criu-debugsource-3.12-9.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-debugsource-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-remote-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-remote-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
podman-tests-1.6.4-26.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
python3-criu-3.12-9.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
runc-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.ppc64le.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.ppc64le.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.ppc64le.rpm
skopeo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.ppc64le.rpm

s390x:
buildah-1.11.6-8.module+el8.4.0+10193+e90fd8eb.s390x.rpm
buildah-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.s390x.rpm
buildah-debugsource-1.11.6-8.module+el8.4.0+10193+e90fd8eb.s390x.rpm
buildah-tests-1.11.6-8.module+el8.4.0+10193+e90fd8eb.s390x.rpm
buildah-tests-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.s390x.rpm
conmon-2.0.15-1.module+el8.4.0+10193+e90fd8eb.s390x.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
containers-common-0.1.41-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
crit-3.12-9.module+el8.4.0+10193+e90fd8eb.s390x.rpm
criu-3.12-9.module+el8.4.0+10193+e90fd8eb.s390x.rpm
criu-debuginfo-3.12-9.module+el8.4.0+10193+e90fd8eb.s390x.rpm
criu-debugsource-3.12-9.module+el8.4.0+10193+e90fd8eb.s390x.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+10193+e90fd8eb.s390x.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+10193+e90fd8eb.s390x.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-debugsource-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-remote-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-remote-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
podman-tests-1.6.4-26.module+el8.4.0+10193+e90fd8eb.s390x.rpm
python3-criu-3.12-9.module+el8.4.0+10193+e90fd8eb.s390x.rpm
runc-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.s390x.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.s390x.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.s390x.rpm
skopeo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+10193+e90fd8eb.s390x.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.s390x.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.s390x.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.s390x.rpm

x86_64:
buildah-1.11.6-8.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
buildah-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
buildah-debugsource-1.11.6-8.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
buildah-tests-1.11.6-8.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
buildah-tests-debuginfo-1.11.6-8.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
conmon-2.0.15-1.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
containers-common-0.1.41-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
crit-3.12-9.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
criu-3.12-9.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
criu-debuginfo-3.12-9.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
criu-debugsource-3.12-9.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-debugsource-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-remote-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-remote-debuginfo-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
podman-tests-1.6.4-26.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
python3-criu-3.12-9.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
runc-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.x86_64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.x86_64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+11031+7edfb656.x86_64.rpm
skopeo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.x86_64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+10193+e90fd8eb.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-30465
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2021-004

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

iQIVAwUBYL9fz9zjgjWX9erEAQgpRQ//doZ7BaNXz/OqiLLwbCzPdcBxVSpzL9Bw
dYvH/IN5RHK0KDiwlMul0rypsFn6UASNp63tuoQk0zWzQerQZ1XLUS3LuUnRTBfG
lTxX1IEUyw1R97ZcRthoJ8V4B1rtAQF7HUN6MvcwPkwRA4e8gYNMcSF1O4YQ4ixk
5XwmqurtbaFpkGnyRQ4e0zprWDPW2HqauSVBwklM7wOGXUEZ1g17RKeQdKS6p/t6
xJ69bPw+UsgK1CPc9WpaFOMsd1IJtlilTAnYs9qQr3SgeH42zUe044k0Ia3yp8nW
gznUoLInYhxB/c1us4Zq589fDI1xTUibNhls6JQnfpcVn0aZbWcMhSgWXBjgFCjQ
A8wpEK/qdcV+K7fB6iWSaSecrfwEMhrQUqREk9ZiApuEgI6yMQECITtBWahHoJhg
n7hXUoTcYjFCuyaie8fYt34Z7obKi2zvCEopYZby6rj+nq4Bdd7RTfQI6bz3OJhu
1VQ/6CO8T9KkS9hRggUn+6ytIjeGQuvO0notwh4ORep4XrOdjhGs9p6Xs7+wyMfr
XICRNlYi8d1HaGQ0PoyHctD6ZHDqEEa/hfkX7MtUfc8WbNB7TgbIDO8FTMC61uJX
Dlmo6AmgFDju0fCrkhJBfuit2ei8MaY2CYHre6fPY5Z77mNyLj6Fnk8BLoM6n8QR
XQownVub8/8=
=dU1P
– —–END PGP SIGNATURE—–

– ——————————————————————————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: container-tools:2.0 security update
Advisory ID: RHSA-2021:2292-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2292
Issue date: 2021-06-08
CVE Names: CVE-2021-30465
=====================================================================

1. Summary:

An update for the container-tools:2.0 module is now available for Red Hat
Enterprise Linux 8.2 Extended Update Support.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) – aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers,
notably podman, buildah, skopeo, and runc.

Security Fix(es):

* runc: vulnerable to symlink exchange attack (CVE-2021-30465)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1954736 – CVE-2021-30465 runc: vulnerable to symlink exchange attack

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
buildah-1.11.6-7.module+el8.2.0+11121+714aca16.src.rpm
cockpit-podman-11-1.module+el8.2.0+11121+714aca16.src.rpm
conmon-2.0.6-1.module+el8.2.0+11121+714aca16.src.rpm
container-selinux-2.124.0-1.module+el8.2.0+11121+714aca16.src.rpm
containernetworking-plugins-0.8.3-4.module+el8.2.0+11121+714aca16.src.rpm
criu-3.12-9.module+el8.2.0+11121+714aca16.src.rpm
fuse-overlayfs-0.7.2-5.module+el8.2.0+11121+714aca16.src.rpm
podman-1.6.4-19.module+el8.2.0+11121+714aca16.src.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.0+11121+714aca16.src.rpm
runc-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.src.rpm
skopeo-0.1.40-9.module+el8.2.0+11121+714aca16.src.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.src.rpm
toolbox-0.0.7-1.module+el8.2.0+11121+714aca16.src.rpm
udica-0.2.1-2.module+el8.2.0+11121+714aca16.src.rpm

aarch64:
buildah-1.11.6-7.module+el8.2.0+11121+714aca16.aarch64.rpm
buildah-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.aarch64.rpm
buildah-debugsource-1.11.6-7.module+el8.2.0+11121+714aca16.aarch64.rpm
buildah-tests-1.11.6-7.module+el8.2.0+11121+714aca16.aarch64.rpm
buildah-tests-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.aarch64.rpm
conmon-2.0.6-1.module+el8.2.0+11121+714aca16.aarch64.rpm
containernetworking-plugins-0.8.3-4.module+el8.2.0+11121+714aca16.aarch64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.2.0+11121+714aca16.aarch64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.2.0+11121+714aca16.aarch64.rpm
containers-common-0.1.40-9.module+el8.2.0+11121+714aca16.aarch64.rpm
crit-3.12-9.module+el8.2.0+11121+714aca16.aarch64.rpm
criu-3.12-9.module+el8.2.0+11121+714aca16.aarch64.rpm
criu-debuginfo-3.12-9.module+el8.2.0+11121+714aca16.aarch64.rpm
criu-debugsource-3.12-9.module+el8.2.0+11121+714aca16.aarch64.rpm
fuse-overlayfs-0.7.2-5.module+el8.2.0+11121+714aca16.aarch64.rpm
fuse-overlayfs-debuginfo-0.7.2-5.module+el8.2.0+11121+714aca16.aarch64.rpm
fuse-overlayfs-debugsource-0.7.2-5.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-debugsource-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-remote-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-remote-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
podman-tests-1.6.4-19.module+el8.2.0+11121+714aca16.aarch64.rpm
python3-criu-3.12-9.module+el8.2.0+11121+714aca16.aarch64.rpm
runc-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.aarch64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.aarch64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.aarch64.rpm
skopeo-0.1.40-9.module+el8.2.0+11121+714aca16.aarch64.rpm
skopeo-debuginfo-0.1.40-9.module+el8.2.0+11121+714aca16.aarch64.rpm
skopeo-debugsource-0.1.40-9.module+el8.2.0+11121+714aca16.aarch64.rpm
skopeo-tests-0.1.40-9.module+el8.2.0+11121+714aca16.aarch64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.aarch64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.aarch64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.aarch64.rpm

noarch:
cockpit-podman-11-1.module+el8.2.0+11121+714aca16.noarch.rpm
container-selinux-2.124.0-1.module+el8.2.0+11121+714aca16.noarch.rpm
podman-docker-1.6.4-19.module+el8.2.0+11121+714aca16.noarch.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.2.0+11121+714aca16.noarch.rpm
toolbox-0.0.7-1.module+el8.2.0+11121+714aca16.noarch.rpm
udica-0.2.1-2.module+el8.2.0+11121+714aca16.noarch.rpm

ppc64le:
buildah-1.11.6-7.module+el8.2.0+11121+714aca16.ppc64le.rpm
buildah-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.ppc64le.rpm
buildah-debugsource-1.11.6-7.module+el8.2.0+11121+714aca16.ppc64le.rpm
buildah-tests-1.11.6-7.module+el8.2.0+11121+714aca16.ppc64le.rpm
buildah-tests-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.ppc64le.rpm
conmon-2.0.6-1.module+el8.2.0+11121+714aca16.ppc64le.rpm
containernetworking-plugins-0.8.3-4.module+el8.2.0+11121+714aca16.ppc64le.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.2.0+11121+714aca16.ppc64le.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.2.0+11121+714aca16.ppc64le.rpm
containers-common-0.1.40-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
crit-3.12-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
criu-3.12-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
criu-debuginfo-3.12-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
criu-debugsource-3.12-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
fuse-overlayfs-0.7.2-5.module+el8.2.0+11121+714aca16.ppc64le.rpm
fuse-overlayfs-debuginfo-0.7.2-5.module+el8.2.0+11121+714aca16.ppc64le.rpm
fuse-overlayfs-debugsource-0.7.2-5.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-debugsource-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-remote-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-remote-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
podman-tests-1.6.4-19.module+el8.2.0+11121+714aca16.ppc64le.rpm
python3-criu-3.12-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
runc-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.ppc64le.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.ppc64le.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.ppc64le.rpm
skopeo-0.1.40-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
skopeo-debuginfo-0.1.40-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
skopeo-debugsource-0.1.40-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
skopeo-tests-0.1.40-9.module+el8.2.0+11121+714aca16.ppc64le.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.ppc64le.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.ppc64le.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.ppc64le.rpm

s390x:
buildah-1.11.6-7.module+el8.2.0+11121+714aca16.s390x.rpm
buildah-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.s390x.rpm
buildah-debugsource-1.11.6-7.module+el8.2.0+11121+714aca16.s390x.rpm
buildah-tests-1.11.6-7.module+el8.2.0+11121+714aca16.s390x.rpm
buildah-tests-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.s390x.rpm
conmon-2.0.6-1.module+el8.2.0+11121+714aca16.s390x.rpm
containernetworking-plugins-0.8.3-4.module+el8.2.0+11121+714aca16.s390x.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.2.0+11121+714aca16.s390x.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.2.0+11121+714aca16.s390x.rpm
containers-common-0.1.40-9.module+el8.2.0+11121+714aca16.s390x.rpm
crit-3.12-9.module+el8.2.0+11121+714aca16.s390x.rpm
criu-3.12-9.module+el8.2.0+11121+714aca16.s390x.rpm
criu-debuginfo-3.12-9.module+el8.2.0+11121+714aca16.s390x.rpm
criu-debugsource-3.12-9.module+el8.2.0+11121+714aca16.s390x.rpm
fuse-overlayfs-0.7.2-5.module+el8.2.0+11121+714aca16.s390x.rpm
fuse-overlayfs-debuginfo-0.7.2-5.module+el8.2.0+11121+714aca16.s390x.rpm
fuse-overlayfs-debugsource-0.7.2-5.module+el8.2.0+11121+714aca16.s390x.rpm
podman-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
podman-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
podman-debugsource-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
podman-remote-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
podman-remote-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
podman-tests-1.6.4-19.module+el8.2.0+11121+714aca16.s390x.rpm
python3-criu-3.12-9.module+el8.2.0+11121+714aca16.s390x.rpm
runc-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.s390x.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.s390x.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.s390x.rpm
skopeo-0.1.40-9.module+el8.2.0+11121+714aca16.s390x.rpm
skopeo-debuginfo-0.1.40-9.module+el8.2.0+11121+714aca16.s390x.rpm
skopeo-debugsource-0.1.40-9.module+el8.2.0+11121+714aca16.s390x.rpm
skopeo-tests-0.1.40-9.module+el8.2.0+11121+714aca16.s390x.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.s390x.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.s390x.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.s390x.rpm

x86_64:
buildah-1.11.6-7.module+el8.2.0+11121+714aca16.x86_64.rpm
buildah-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.x86_64.rpm
buildah-debugsource-1.11.6-7.module+el8.2.0+11121+714aca16.x86_64.rpm
buildah-tests-1.11.6-7.module+el8.2.0+11121+714aca16.x86_64.rpm
buildah-tests-debuginfo-1.11.6-7.module+el8.2.0+11121+714aca16.x86_64.rpm
conmon-2.0.6-1.module+el8.2.0+11121+714aca16.x86_64.rpm
containernetworking-plugins-0.8.3-4.module+el8.2.0+11121+714aca16.x86_64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.2.0+11121+714aca16.x86_64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.2.0+11121+714aca16.x86_64.rpm
containers-common-0.1.40-9.module+el8.2.0+11121+714aca16.x86_64.rpm
crit-3.12-9.module+el8.2.0+11121+714aca16.x86_64.rpm
criu-3.12-9.module+el8.2.0+11121+714aca16.x86_64.rpm
criu-debuginfo-3.12-9.module+el8.2.0+11121+714aca16.x86_64.rpm
criu-debugsource-3.12-9.module+el8.2.0+11121+714aca16.x86_64.rpm
fuse-overlayfs-0.7.2-5.module+el8.2.0+11121+714aca16.x86_64.rpm
fuse-overlayfs-debuginfo-0.7.2-5.module+el8.2.0+11121+714aca16.x86_64.rpm
fuse-overlayfs-debugsource-0.7.2-5.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-debugsource-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-remote-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-remote-debuginfo-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
podman-tests-1.6.4-19.module+el8.2.0+11121+714aca16.x86_64.rpm
python3-criu-3.12-9.module+el8.2.0+11121+714aca16.x86_64.rpm
runc-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.x86_64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.x86_64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.2.0+11121+714aca16.x86_64.rpm
skopeo-0.1.40-9.module+el8.2.0+11121+714aca16.x86_64.rpm
skopeo-debuginfo-0.1.40-9.module+el8.2.0+11121+714aca16.x86_64.rpm
skopeo-debugsource-0.1.40-9.module+el8.2.0+11121+714aca16.x86_64.rpm
skopeo-tests-0.1.40-9.module+el8.2.0+11121+714aca16.x86_64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.x86_64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.x86_64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.2.0+11121+714aca16.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-30465
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2021-004

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

iQIVAwUBYL9ds9zjgjWX9erEAQjEjBAAg86cKEOkYpdDkCMjeD+kf+Wr34/2bS76
y/2+55pmvY4um+65OpbZT6Cjg7CFjzeEMRDir2G/Bx7TuVIkPokGumtcaP9btfQ9
oZkzXeoQzVCT+II72xZfENF8aA3cpIT/l+Hswco/vT9bQuM+QvX0xEr5GsRrKxlX
BeLZD/BppAOZtsPf3tQLw/k1flc0n+6RM/U3XdDY6LQBEOXtaby1z4YILG1O1j6Z
HN5F3nQZWh63GcclrLVML5mNRfsywRFClu6GFanI7rUDbKdLFOufZ9aFj92q7csi
tiM+/Gv9u27KxtZdd9UQq5U/HJP8xn0ybI6A86OItskwQng3Oi9azmjM2tGq4cQF
uAtNwt3WXKfgmEdz9uE6O98VR0a5Cul75xFDHCRxTO7T1yVn/aY2cMRrbNfdI4Ac
SUNhpZKhaJGTDxCo/k4xR8ikEpyj6ILZzITKyr1bIr+Vuo5BblEowQEq/5zrRSDK
BDt3TjPU2xxDRDEWWcKiIyHD37eqqsa421nadRy7y64LKcXzryr19kc2AdonuSvs
S/6ptzz+UXyb7ARfQVMJGzS7CbWDZzdowfb0+04BAKENn/ToaldLrwU7jWAdN9bZ
6HOdXwNndqREaynjILGkeY87bXlFgelqiFDOvRwiiWbfyYXZmRtrsG1OlEx8ksKJ
VF6uBtUIgyE=
=oKnu
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYMBO6uNLKJtyKPYoAQgwlA/8Cd+3Tb99ImuV4k/I7Q5P46kREsNvJQNG
PZhirPGgaBsa14f2ZINoZDYfak0Up9bpYQurjH0DNLFb9lhA5Rln2pWI0SJSmtlC
g5q72p9eLjreW+5j1SyQAfUSj+p09Ypm0S8WsDLUliEUPavaQJBETKg0kRYINTSf
6Nrdpt2FwSaQXvxq+1vkhVQlTe2zd4xrwsh89qcnhFTBorhag1WczpMUwwsF/ueh
4m8avGNwDlS2N5DQZuGiHJgmGwgyH8/edHDtIGEPnlGANTcY84Ca5CKXSoxy6nqH
qurdaQvrEN73hCO4hI/ATN5hJ+dtEnMcimVyrQT7yML8RdOkQ6ZEkhKfs4xMfXiz
iZ0wg6ajTGvd2yv4nNqbGPBjWffIMZSiJPKnUazSoJAddvnRaqGyDffnlKl1rMTm
llsfjLAirzFZW1guJkW0STtSBqRzyrYUW/zNAGQW4ztBok7NWgdLdm2/R13clqIm
dJpRZkIbSBLtApjc/nPGBQB/ITdLBIQSp3imebbXavqQ14Ifo6sMjvboBN8CVFZO
8qTbfTlrvlRiStkGy6TYQT8rsSl34OOu52AzswzQcyxdUUf4GpzP/J7svt01BULC
UNFTF2xwM6nLNiQmGv2fZhZ5p+COTMD0C8Z+bDYiWAw7tRi8bNnwPmJE3oHQ4iS/
xyyOw5EHgLU=
=a8Xg
—–END PGP SIGNATURE—–

The post ESB-2021.2028 – [RedHat] container-tools:2.0: Increased privileges – Existing account appeared first on Malware Devil.

https://malwaredevil.com/2021/06/09/esb-2021-2028-redhat-container-tools2-0-increased-privileges-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2028-redhat-container-tools2-0-increased-privileges-existing-account

Network Security News Summary for Wednesday June 9th, 2021

Microsoft Patch Tuesday; PuzzleMaker Chrome Exploit; Intel Patches; Adobe Updates; CentOS 7 and Letsencrypt

Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+June+2021+Patch+Tuesday/27506/

PuzzleMaker Attacks With Chrome Zero-Day Exploit Chain
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/

Intel Patches
https://www.intel.com/content/www/us/en/security-center/default.html

Adobe Updates
https://helpx.adobe.com/security.html

Let’s Encrypt and CentOS 7
https://blog.devgenius.io/lets-encrypt-change-affects-openssl-1-0-x-and-centos-7-49bd66016af3

keywords: lets encrypt; centos 7; adobe; intel; patches; puzlemaker; microsoft; patch tuesday

The post Network Security News Summary for Wednesday June 9th, 2021 appeared first on Malware Devil.

https://malwaredevil.com/2021/06/09/network-security-news-summary-for-wednesday-june-9th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-june-9th-2021

Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Four

Dear friends.

I never really had the chance to elaborate or actually explain what really took place with me in 2010 when I was what appears to be illegally arrested using a stolen ID and a molestion and home robbery attempt courtesy of local police officers from Troyan Police where Troyan is my home town including a kidnapping attempt where I was taken into a car by the same people – one of them is the mayor of a village called Debnevo and the other two are running local pizza businesses and are actually involved with my town’s administration as advisers. It appears that I was then drugged and sedated without my knowledge for a period of 5 years where under a physical violence pressure I’ve lost approximately $85,000 due to physical harassment without no legal action on behalf of my country or any other country involved which leaves me with home molestation kidnapping attempt and a physical robbery attempt by police officers from the town of Troyan with no legal action besides a DANS agent visit who asked me to attend a doctor session and actually advised me to take a pension. The same people that robbed and kidnapped me and basically ruined my money and well-being are currently still supposed to be working in the local police department with no legal action on behalf of my country or any other country involved leaving me with no money and a steady flow of loans which I try to take care of by working on a part-time or contractor basis.

Sample Facebook profile IDs of the people responsible for my illegal kidnapping illegal arrest home molestation and the stealing of my personal ID from my place and holding me hostage for a period of couple of months an injecting me on a daily basis:

https://www.facebook.com/profile.php?id=100030506870037

https://www.facebook.com/profile.php?id=100005932519460

Primary points of contacts in case someone is worried about well-being and whereabouts in this case should be:

Email: dans@dans.bg

Telefon za korupciq na slujiteli na MVR – 02 / 982 22 22

GDBOP – Signal za korupciq i izpirane na pari – gdbop@mvr.bg

Nachalnik RPU Troyan – rutr.lo@mvr.bg

Troyan Police – Email: police_troyan@abv.bg

Troyan Hospital – Email: mbal_troyan@abv.bg

Lovech Psychiatry Clinic – Email: dpblovech@abv.bg

Troyan Municipality – Email: mail@troyan.bg

Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Three

Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Two

How I Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria?

Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria

The post Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Four appeared first on Security Boulevard.

The post Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Four appeared first on Malware Devil.

https://malwaredevil.com/2021/06/09/dancho-danchevs-disappearance-2010-official-complaint-against-republic-of-bulgaria-part-four/?utm_source=rss&utm_medium=rss&utm_campaign=dancho-danchevs-disappearance-2010-official-complaint-against-republic-of-bulgaria-part-four

VERT Threat Alert: June 2021 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s June 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-947 on Wednesday, June 9th. In-The-Wild & Disclosed CVEs CVE-2021-31955 This is one of two vulnerabilities fixed in today’s patch drop which were reported by Kaspersky Lab after detecting exploitation by threat actor […]… Read More

The post VERT Threat Alert: June 2021 Patch Tuesday Analysis appeared first on The State of Security.

The post VERT Threat Alert: June 2021 Patch Tuesday Analysis appeared first on Security Boulevard.

The post VERT Threat Alert: June 2021 Patch Tuesday Analysis appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/vert-threat-alert-june-2021-patch-tuesday-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=vert-threat-alert-june-2021-patch-tuesday-analysis

Tuesday, June 8, 2021

Top 10 Privacy and Security Features Apple Announced at WWDC 2021

Apple on Monday announced a number of privacy and security-centric features to its upcoming versions of iOS and macOS at its all-online Worldwide Developers Conference.
Here is a quick look at some of the big-ticket changes that are expected to debut later this fall:
1 — Just Patches, Not Entire OS Update Every Time: As rumored before, users now have a choice between two software update versions
Read More

The post Top 10 Privacy and Security Features Apple Announced at WWDC 2021 appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/top-10-privacy-and-security-features-apple-announced-at-wwdc-2021-2/?utm_source=rss&utm_medium=rss&utm_campaign=top-10-privacy-and-security-features-apple-announced-at-wwdc-2021-2

What is a Prototype Pollution vulnerability and how does page-fetch help?

Prototype Pollution is a problem that can affect JavaScript applications. That means both applications running in web browsers, and under Node.js on the server-side, but today we’re going to focus on the web side of things.

We’ll also take a look at page-fetch: a new open source tool released (jump to tool) by the Detectify Security Research team that can, amongst other things, help you hunt for prototype pollution issues in the wild!

Prototypes

Before we can talk about Prototype Pollution, we should probably start with what a Prototype is. JavaScript, like many languages, has objects: a set of keys and values grouped together:

var myObject = {
name: “My super awesome object”,
isAwesome: true
rating: 10,
}

Those values can be basic types like numbers or strings, but also functions, arrays, or other objects. It’s pretty common in the world of Object Oriented Programming to want one object to be a “descendant” of another; the descendant inheriting the properties of its parent. Let’s look at an example:

var webPage = {
title: “Detectify Labs”,
navigation: [“/home”, “/search”, “/contact”],
content: “Welcome to Detectify Labs!”
}

var blogPost = {
title: “Detectify Labs”,
navigation: [“/home”, “/search”, “/contact”],
content: “This is a super interesting blog post…”,
comments: [“Nice work”, “Best thing I ever read!”]
}

These two objects, webPage and blogPost, have a lot in common. The title and navigation properties are both identical! Wouldn’t it be nice if that data didn’t have to be duplicated? The good news is that JavaScript lets us “connect” one object to another.

Let’s rewrite the code above and make it so that the webPage object is the prototype of the blogPost object:

var webPage = {
title: “Detectify Labs”,
navigation: [“/home”, “/search”, “/contact”],
content: “Welcome to Detectify Labs!”
}

var blogPost = {
content: “This is a super interesting blog post…”,
comments: [“Nice work”, “Best thing I ever read!”]
}

blogPost.__proto__ = webPage

Note that we didn’t include the title or navigation parts in the blogPost object this time, but we did do this extra bit:

blogPost.__proto__ = webPage

That __proto__ property is special! It’s a link to the “prototype” of an object, and by assigning the webPage object to it, the webPage object becomes the prototype of the blogPost object. That means if we try to access properties like title or navigation on the blogPost object, JavaScript realises that they don’t exist and so looks at the prototype object’s properties instead:

// This prints “Detectify Labs” to the console – the value came from
// the blogPost object’s prototype: the webPage object!
console.log(blogPost.title)

One thing that’s worth noting here: we “overrode” the “content” property. So if we look at the content property of the blogPost object, we’ll see:

// This prints “This is a super interesting blog post…” to the console
console.log(blogPost.content)

Now, if you happen to be a professional JavaScript developer you might be cringing a little, or perhaps even penning an email to let me know that this isn’t the right way to do things – and you’d be right!

MDN covers this better than I could hope to here, but this functionality is technically deprecated, and not really the right way to write modern JavaScript code. For our purposes though, knowing just this way of doing things is what we need in order to understand Prototype Pollution.

The Global Object

When JavaScript runs in a web browser, there’s always this thing lurking in the background called the Global Object, and its name is “window”.

When you make a new variable, like this one:

var myVariable = 123

It’s actually a property of the global object:

var myVariable = 123

// This prints “123” to the console
console.log(window.myVariable)

This is relevant to our interests because by default all objects share the same prototype, including the global object. The interesting part for us is: that means if we are able to set properties on the prototype of one object, we can affect the properties of all other objects, the window object included!

As an example, if we set a property on the prototype of an empty object, that property becomes available on the window object:

var emptyObject = {}
emptyObject.__proto__.myProperty = “my value”

// Prints “my value” to the console
console.log(window.myProperty)

// Also prints “my value” to the console
console.log(myProperty)

// Even this prints “my value” to the console too!
var newObject = {}
console.log(newObject.myProperty)

Having control over the properties of other objects, especially the window object, gives us a great deal of possibilities for vulnerabilities to occur – and we’ll look at some examples in a while – but first: how could this happen anyway?

Vulnerable Code

One of the most common places for Prototype Pollution to rear its ugly head is in processing the query string. You’re probably fairly used to seeing query strings like this one:

?id=456123&theme=dark&food=cheese

They’re used on just about every web application there is to provide user input. Often they are processed by something like PHP or Ruby on the server-side, but they can be just as easily processed by JavaScript running in the browser too.

A query string like the one above would often be turned into a JavaScript object like this one so the application can more easily refer to the values:

{
id: 456123,
theme: “dark”,
food: “cheese”
}

That’s all fine, but sometimes values are a little more complex than that. You might have seen a query string that looks more like this:

?user[id]=456123&user[food]=cheese&theme=dark

This notation lets us group values together; in this case the id and food parameters are “grouped” so that they pertain to a user. Ideally we’d like a query string like that to be turned into a JavaScript object like this:

{
user: {
id: 456123,
food: “cheese”
},
theme: “dark”
}

Here’s some code that performs that very transformation:

// This is the object we wish to create :)
const query = {}

const u = new URL(location)
for (const [key, value] of u.searchParams){

if (!key.includes(‘[‘)){
query[key] = value
continue
}

// We have a key/value pair like k1[k2]=value
const [k1, k2] = key.split(‘[‘).map(kn => kn.replace(‘]’, ”))

if (query[k1] == undefined){
query[k1] = {}
}

// This could be a problem!
query[k1][k2] = value
}

Don’t worry too much if you get a little lost in the code. The part we really need to pay attention to is this:

// This could be a problem!
query[k1][k2] = value

Given a query string key/value pair like user[id]=456123, k1 becomes user, k2 becomes id, and value becomes 456123, equivalent to this:

query[“user”][“id”] = “456123”

You may be able to see how this could be an issue. If we provided a query string that swapped user for __proto__, the id property would be set on the prototype of the query object – the same one shared by all other objects by default, including the global window object.

As for why that could be a problem: let’s add a little more code:

const messages = {
error: “Error: something went wrong”,
success: “Everything worked as expected :)”
}

if (query.message != undefined){
document.querySelector(‘#message’).innerHTML = messages[query.message]
}

This is a fairly normal looking bit of code: use a user supplied value to decide which of a predefined list of messages to display. Under normal circumstances it would be perfectly secure too, but that is not the case in the presence of Prototype Pollution.

Because the messages object shares a prototype with the query object, we can pollute it with any value we desire – say, an XSS payload perhaps.

If we were to provide a query string that looked like this for example, we would have the ability to run arbitrary JavaScript in the context of the webpage in question:

?__proto__[payload]=<img%20src%20onerror=alert(document.domain)>&message=payload

The payload parameter pollutes the prototype, making it available on the messages object, and the message parameter is used to choose our payload to be displayed and ultimately have our JavaScript executed.

This was just a small example, but there are quite a few JavaScript libraries in the wild that are vulnerable to Prototype Pollution. We’d like to give a big shout-out to Sergey Bobrov for collating a really great list of some of them here.

Detection

“Traditional” web vulnerability scanning (if there is such a thing) tends to work by sending requests to web servers, and analysing the response – be it HTML, JSON, XML, or something else entirely. This can work just fine for vulnerabilities such as reflected XSS, where a user-supplied parameter is reflected in the response without adequate output escaping, because the response changes when the user input changes. This is often not the case for client-side vulnerabilities like DOM XSS and Prototype Pollution.

To detect client-side vulnerabilities we need to use a browser to actually run the JavaScript in a page. It would be fairly time-consuming to do that manually, but thankfully it’s relatively easy to automate such things with a headless browser.

image: Detectify Deep Scan has security tests to find Prototype Pollution vulnerabilities in your web apps.

Tools for prototype pollution and client-side vulnerabilities

Of course, Detectify can already find these issues for you if you’re running the Deep Scan DAST scanner, and we’ve already found hundreds of prototype pollution issues for our customers!

If you’re a pentester, bug bounty hunter, or security researcher you’re in luck too. We’ve just released a tool called page-fetch that you can, amongst other things, use to help you look for prototype pollution and other client-side issues. This tool follows up the web scanner, Ugly Duckling, which Detectify released for the ethical hacker community.

Page-fetch is a fairly simple tool. It takes a list of URLs as its input, fetches them using a headless Chrome browser, and stores a copy of every response it saw – all the JavaScript files, CSS files, images, API requests etc.

Having a local copy of these resources makes it a great deal easier to search through them, use them to build custom word lists or whatever else you might want to do. There’s filters to exclude third-party requests, save only third party requests, and to include or exclude requests based on their content-type.

The bit that’s interesting to us here though, is that you can also provide a snippet of JavaScript that will be executed on every web page that is fetched. The return value of that JavaScript snippet will be displayed in the tool’s output.

Let’s look at how to install the tool and use it to detect a prototype pollution vulnerability.

How it works

Page-fetch is written in Go. The easiest way to install it is with go get:

? go get github.com/detectify/page-fetch

Provided you have Go set up properly, you shouldn’t have to do anything else other than making sure you have a Chrome or Chromium browser installed.

The most simple way to use the tool is to echo a single URL into it, like this:

? echo https://detectify.com | page-fetch
GET https://detectify.com/ 200 text/html; charset=utf-8
GET https://detectify.com/site/themes/detectify/css/detectify.css?v=1619009098 200 text/css
GET https://detectify.com/site/themes/detectify/img/detectify_logo_black.svg 200 image/svg+xml
GET https://fonts.googleapis.com/css?family=Merriweather:300i 200 text/css; charset=utf-8
…

The output shows every request that was made while rendering the input URL, and the response for each request is stored in a directory called out by default:

For each file stored there’s also a .meta file that contains the request and response headers, the HTTP method that was used etc.

To run JavaScript on each page, we can use the -j or –javascript option. As an example, let’s use it to pull out the page title on detectify.com:

? echo https://detectify.com | page-fetch -j ‘document.querySelector(“title”).innerText’ | grep ^JS
JS (https://detectify.com): Website vulnerability scanner – scan web assets | Detectify

The return value is printed on a line starting with JS so that it’s easy to grep for.

To look for prototype pollution then, all we need to do is pick a payload to try in the query string of our input URL, and then test to see if the value was set as we expected:

? echo ‘http://poc-tools-storage.s3-website.eu-west-2.amazonaws.com/pp.html?__proto__[testparam]=testval’ | page-fetch -j ‘window.testparam == “testval”? “vulnerable” : “not vulnerable”‘ | grep ^JS
JS (http://poc-tools-storage.s3-website.eu-west-2.amazonaws.com/pp.html?__proto__[testparam]=testval): vulnerable

Our test code just checks to see if window.testparam is equal to testval, and if it is: returns the string vulnerable, and returns not vulnerable otherwise. Let’s check a known non-vulnerable page to make sure we aren’t seeing a false-positive:

? echo ‘https://example.com?__proto__[testparam]=testval’ | page-fetch -j ‘window.testparam == “testval”? “vulnerable” : “not vulnerable”‘ | grep ^JS
JS (https://example.com?__proto__[testparam]=testval): not vulnerable

All looks to be well! Example.com doesn’t load any JavaScript at all so we can be pretty confident that no prototype pollution vulnerabilities exist there!

Hopefully you’ve now got a pretty good idea of what prototype pollution is, why it matters, and how it can be detected. Until next time!

How can Detectify help?

image: Detectify UI. Detectify collaborates with Crowdsource ethical hackers to bring your more than a DAST.

Detectify is a crowd-based web vulnerability scanner that goes beyond version and signature-testing. The testbed is payload-based and checks for actively exploited web vulnerabilities like Prototype Pollution, the OWASP Top 10, undocumented vulns, CORS misconfigurations and more. Curious to see what Detectify will find in your web apps? Sign up for a 2-week free trial today.

The post What is a Prototype Pollution vulnerability and how does page-fetch help? appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/what-is-a-prototype-pollution-vulnerability-and-how-does-page-fetch-help-2/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-a-prototype-pollution-vulnerability-and-how-does-page-fetch-help-2

How to redirect traffic from an incoming TCP port using the Portbender utility

Overview

In a previous article titled “Active Directory Computer Account SMB Relaying Attack,” we discussed how an attacker could leverage computers assigned administrative rights to other computers to escalate privileges or move laterally using the printer spooler service. Colloquially we often refer to this as a “Computer AdminTo Computer” vulnerability.

Exploiting this issue in practice during a red team engagement has often historically been difficult. Often, we need to perform this attack from a compromised Windows system where the built-in SMB service is already listening on port 445/TCP. Furthermore, it is not uncommon for our team to perform name resolution poisoning during red team engagements to harvest credentials within an environment. Unfortunately, in previous scenarios, we have been primarily limited to passive credential collection and unable to perform relaying attacks when obtaining credentials through SMB.

To overcome this operational hurdle, we have developed a custom utility named “PortBender” [7] which allows us to redirect traffic from an incoming TCP port to an alternative TCP port. For example, a user may wish to modify traffic destined for the 445/TCP port to 8445/TCP. We have also included a feature in PortBender which allows an attacker to simulate the PortServ.sys persistence technique leveraged by the Duqu 2.0 threat actor.

Methods for Performing SMB Relaying on Windows

Our initial attempt at performing SMB relaying through Cobalt Strike attempted to use the “NetSh PortProxy” mechanism [2] to redirect traffic destined for port 445/TCP. However, in this case, it appears that this mechanism doesn’t work for redirecting traffic destined for the SMB service running on port 445/TCP. Francisco Dominguez also notes this limitation of the “NetSh PortProxy” interface in his article titled “Remote NTLM relaying through meterpreter on Windows port 445” [1].

Another option we considered was disabling SMB services on the host and rebooting. However, we typically try to avoid making any permanent system changes or modifications during red team operations (and avoid rebooting production systems). Therefore, this option, while viable, was not sufficient for our requirements.

We wanted a tool that we could run for a short period to redirect traffic without rebooting and then subsequently stop redirecting traffic after performing an attack. Furthermore, we wanted to execute the tool entirely in memory with a minimum on-disk footprint. We also needed to integrate the capability with multiple C2 frameworks, so any mechanism for implementing in-memory execution should be portable across various C2 frameworks.

PortBender Design Overview

To satisfy these requirements we have developed the PortBender utility. When designing PortBender, we based much of the initial design on the DivertTCPConn tool by Arno0x0x [5]. However, in this case, we decided to create a new and separate utility to satisfy some of our unique requirements. These requirements included factors such as the ability to execute the tool in memory as a reflective DLL, integration with Cobalt Strike, support for Duqu 2.0 style backdoor persistence, leveraging static linking for all dependencies, and the use of an object-oriented design using C++ to promote modularity and code reuse.

When designing PortBender, we decided to leverage the existing WinDivert driver by Basil00 [4] for performing network traffic interception and modification. We considered several alternative designs, including writing a custom device driver, but these introduced operational hurdles for deployment. For example, a custom driver would require obtaining a code signing certificate to load the driver. Alternatively, we could bypass driver signing protections by loading an existing vulnerable signed driver and exploiting it to get ring0 code execution. However, both scenarios had a distinct disadvantage to leveraging an established tool for performing this interception and inspection.

Design Decision #1: Intercepting Network Traffic

The first option of developing a custom driver and signing it with a code signing certificate was non-ideal, primarily due to cost (time) concerns. Furthermore, suppose a defender ever discovered the driver. In that case, defenders would have a high-fidelity IOC they could leverage across multiple systems as the code signing certificate for the driver would only ever be used for malicious purposes.

One advantage of WinDivert is that it leverages a signed device driver that is legitimately used by several enterprise software applications. For example, Cloudflare’s Warp VPN agent (part of the Cloudflare Teams/Zero Trust product lineup) for Windows leverages the WinDivert framework for intercepting and modifying network traffic. Therefore, the usage of WinDivert is probably not a sufficient indicator to differentiate between normal and abnormal activity.

The second option (loading a driver by exploiting a signed vulnerable driver) was undesirable mainly due to system stability concerns. Because we have an extremely low tolerance for any activities that may disrupt or crash a system, we decided to avoid this approach.

Design Decision #2: Integrating with Cobalt Strike

To integrate PortBender with Cobalt Strike, we leverage the “Reflective DLL Injection” project developed by Stephen Fewer [6]. We included the source code for the reflective loader in the PortBender project. It exports a function named “ReflectiveLoader,” which functions as a bundled PE loader for injecting the module into a remote process. We can then leverage aggressor scripting in Cobalt Strike with the “bdllspawn” functionality to register the PortBender utility as a new post-exploitation job. Additionally, this functionality supports passing an argument string to the reflective loader which is then passed to the DLLMain function within the PortBender application. By building the PortBender utility as a reflective DLL, it can more easily be integrated into any C2 framework that supports loading a reflective DLL as an external plugin.

TCP Port Redirection Using the PortBender Utility

PortBender leverages a connection manager subsystem to track redirected connections and their state. It accomplishes this by monitoring the flags set on incoming TCP packets to track connection states. When a new incoming TCP session is detected, it adds that session to the list of established connections within the connection manager subsystem. The session is removed from this list when the client sends a TCP packet with the RST flag set.

PortBender monitors both inbound and outbound connections. It modifies the destination port for inbound packets to point to the redirected port (e.g., changing a packet destined for port 445/TCP to 8445/TCP. For outbound connections, it modifies the source port of the message back to the original destination port (e.g., modifying the source port from 8445/TCP to 445/TCP).

Because the application leverages a modular object-oriented approach, it is relatively straightforward to add additional behavior to customize this mechanism. For example, one could implement support for conditional rules-based redirection without majorly refactoring the existing code-base.

Duqu 2.0 PortServ.sys Persistence: TCP Port Redirection

In an article titled “The Duqu 2.0 Persistence Module,” Kaspersky discusses a persistence method used whereby the attacker installs a malicious NDIS filter-driver (PortServ.sys) on a compromised internet-facing web server [3]. Kaspersky describes a scenario where if the attacker sends a specially crafted TCP packet with a given keyword in the data section of the TCP packet, in this case, the password was either “romanian.antihacker” or “ugly.gorilla” the backdoor activates. When activated, the backdoor then redirects traffic from an attacker IP address to an alternative service on the compromised host (e.g., RDP).

For example, an attacker may deploy this style of payload on a compromised internet-facing IIS server to redirect all traffic from port 443/TCP to port 3389/TCP. This mechanism allows the attacker to bypass any network-based firewalls as the traffic leverages a port permitted through the victim’s firewall. The diagram given below outlines this use-case.

In this scenario, the attacker has compromised an Internet-facing Microsoft Exchange server and deployed the PortBender backdoor on the compromised system. Here we assume the compromised Microsoft Exchange server is directly exposed on the Internet (i.e. not behind an F5 load balancer). The attacker has installed the PortBender backdoor on the compromised system (in the diagram this is shown as a separate component but in reality this is running on the compromised server).

Within PortBender, we have added the “backdoor” command, which allows a red team operator to simulate this technique leveraged by the Duqu 2.0 threat actor for persistence. In this scenario, PortBender will listen on a given port (e.g., 443/TCP), and when it sees a TCP packet with both the SYN and RST flags set, it inspects the data section of the payload for a given keyword. If that keyword matches, it adds the attacker IP to a list of backdoor client IP addresses and redirects all future traffic to the user-specified redirect port (e.g., 3389/TCP). The attacker can then disable the backdoor by sending another TCP packet with the SYN and RST flags set and the keyword included, which instructs PortBender that it should stop redirecting traffic from this IP.

Using PortBender to Perform an SMB Relay Attack

In this section, we walk through an SMB relaying attack through a compromised Windows 10 system using PortBender and NTLMRelayX in conjunction with Cobalt Strike’s remote port-forwarding feature. Administrative access to the underlying Windows 10 system is required in this case because the WinDivert driver requires administrative rights to load successfully.

We start by creating a socks proxy using the “socks” command. Next, we leverage the “rportfwd” command given below to forward all incoming traffic to 8445/TCP on the victim host to port 445/TCP on the TeamServer.

rportfwd 8445 127.0.0.1 445

Then we install both Impacket and proxychains and configure proxychains to leverage our socks proxy on the TeamServer. We then execute the following command to perform an SMB relaying attack targeting another internal system (192.168.109.9 in this example).

sudo proxychains python3 examples/ntlmrelayx.py -t smb://192.168.109.9 -smb2support

Next, we download [7] and import the “PortBender.cna” aggressor script into Cobalt Strike. This is shown in the image given below:

We must then upload the “WinDivert32.sys” or “WinDivert64.sys” device driver onto the target system depending on if the operating system architecture is 32-bit or 64-bit, respectively. In this case, we must upload the device driver file to the current working directory associated with the beacon process. Unfortunately, Windows does not appear to provide an API or mechanism to load a device driver without writing it to disk.

In most cases, this isn’t a significant concern. As previously mentioned, enterprise products, such as Cloudflare Warp, legitimately use this driver. Therefore, it is unlikely an antivirus or endpoint detection and response (EDR) solution will flag the presence of this file on a system. To upload the file we use the upload command in Cobalt Strike as shown below:

Next, we execute the PortBender utility using the command “PortBender redirect 445 8445” to redirect connections to 445/TCP to 8445/TCP (our remote port forwarded port). This is shown below:

Next, we simulate an SMB authentication from a domain administrator account for testing purposes. An SMB relaying attack is performed targeting another internal host for demonstration purposes. The expected output from a successful relaying attack is below:

To stop the PortBender service we then use the jobkill and kill commands to kill the job and the process. From our testing, killing the job is not a sufficient measure to exit the process completely. We accomplish this by leveraging the “jobkill” and “kill” commands within beacon. The expected output is shown in the image below.

Leveraging PortBender for Duqu 2.0 Style Persistence

The PortBender backdoor mode can be leveraged for Duqu 2.0 style persistence as described previously. In this instance, the command takes as input a fake destination port, redirect port, and a password/keyword to leverage to activate the backdoor.

We first execute the “PortBender backdoor 443 3389 praetorian.antihacker” command to deploy the persistence mechanism. This command instructs the backdoor to redirect traffic destined for 443/TCP to 3389/TCP when the backdoor is activated using the keyword “praetorian.antihacker”.

To activate the backdoor we must send a TCP packet with both the SYN and RST flags set and the keyword/password included in the data portion of the TCP packet and the src address set to the host we want to be able to access the RDP service over 443/TCP. We can accomplish this with Python using the scapy library with the script given below:

import argparsefrom scapy.all import *TCP_ACTIVATE=TCP(dport=445, flags=”SR”, seq=100)data = “praetorian.antihacker”a = IP(dst=”192.168.109.10″, src=”192.168.109.8”)/TCP_ACTIVATE/datasend(a)

We can then run the script as shown in the image below:

We then see the output given below within the Cobalt Strike console showing a new client connection was registered successfully:

Then we query the RDP configuration by querying the registry key used to configure the RDP service. In this case, the key is “HKLMSystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp”. We observe that the configured port is 3389/TCP (0xD3D in base 16). The image below shows the expected output for this configuration:

Next, we RDP from the attacker system to 443/TCP and authenticate using valid domain user account credentials as shown below:

After the attacker finishes accessing the system, they can re-run the “activate.py” script to disconnect. The expected output is shown below:

Future Work

Several opportunities exist for future work and extensions to the PortBender utility. First, we could improve the persistence module by adding additional security checks. Additionally, we could also improve the algorithms’ performance for performing lookups as they currently use linear-time searching algorithms. Finally, there may be an undocumented Windows API or another mechanism to load the WinDivert driver without writing it to disk.

Conclusion

This article discussed how red team operators could leverage our recently released PortBender tool to perform attacks, such as an SMB relay attack, that have historically been difficult to accomplish through a C2 framework such as Cobalt Strike. We also discussed how an attacker could leverage TCP port redirection with PortBender to establish covert persistence on an Internet-facing Windows server to better simulate certain threat actors such as the Duqu 2.0 APT.

References

[1] https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/
[2] https://parsiya.net/blog/2016-06-07-windows-netsh-interface-portproxy/
[3] https://securelist.com/the-duqu-2-0-persistence-module/70641/
[4] https://github.com/basil00/Divert
[5] https://github.com/Arno0x/DivertTCPconn
[6] https://github.com/stephenfewer/ReflectiveDLLInjection
[7] https://github.com/praetorian-inc/PortBender

Network

Tools & Techniques

The post How to redirect traffic from an incoming TCP port using the Portbender utility appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/how-to-redirect-traffic-from-an-incoming-tcp-port-using-the-portbender-utility/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-redirect-traffic-from-an-incoming-tcp-port-using-the-portbender-utility

A Microservice Overdose: When Engineering Trends Meet the Startup Reality

Engineering in startups is different. With lower product maturity, fewer resources, and less certainty about the future, startups have a whole bunch of constraints that must be taken into account when designing the product’s architecture and engineering procedures. Simply sticking to the latest engineering trends – will not necessarily be ideal for startups, and might … Continued

The post A Microservice Overdose: When Engineering Trends Meet the Startup Reality appeared first on Hysolate.

The post A Microservice Overdose: When Engineering Trends Meet the Startup Reality appeared first on Security Boulevard.

The post A Microservice Overdose: When Engineering Trends Meet the Startup Reality appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/a-microservice-overdose-when-engineering-trends-meet-the-startup-reality/?utm_source=rss&utm_medium=rss&utm_campaign=a-microservice-overdose-when-engineering-trends-meet-the-startup-reality

Top 10 Privacy and Security Features Apple Announced at WWDC 2021

Apple on Monday announced a number of privacy and security-centric features to its upcoming versions of iOS and macOS at its all-online Worldwide Developers Conference.

Here is a quick look at some of the big-ticket changes that are expected to debut later this fall:

1 — Just Patches, Not Entire OS Update Every Time: As rumored before, users now have a choice between two software update versions in the Settings app. Users can either opt to update to the latest version of iOS 15 for all the latest features and most complete set of security updates or continue on iOS 14 and still get important security updates until they are ready to migrate to the next major version.

2 — Built-in 2-Factor Authenticator: The new versions of iOS and macOS come with new options that allow users to generate two-factor authentication codes for each of the online accounts saved to iCloud Keychain (Settings > Passwords) without the need for downloading additional apps like Google Authenticator or Authy.

3 — Private Relay – To come as part of Apple iCloud+ for existing iCloud subscribers at no extra cost, Private Relay is akin to a VPN in that it routes users’ internet traffic on Safari browser through two relays in order to mask who’s browsing and where that data is coming from.

Unlike traditional VPNs who are still privy to users’ real IP addresses and the websites they visit, iCloud Private Relay employs a dual-hop architecture that effectively shields IP address, location, and browsing activity that can be used to create a detailed profile.

The feature ensures that traffic leaving the device is encrypted before forwarding the requests through two internet relays, thus creating a simplified version of Tor, which employs at least a minimum of three relays to achieve anonymity.

“All the user’s requests are then sent through two separate internet relays,” Apple says. “The first assigns the user an anonymous IP address that maps to their region but not their actual location. The second decrypts the web address they want to visit and forwards them to their destination. This separation of information protects the user’s privacy because no single entity can identify both who a user is and which sites they visit.”

The feature, however, will not be available in China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines due to regulatory reasons.

4 — Hide My Email – Also included as part of the iCloud+ bundle and built into Safari and Mail apps, the feature enables the ability to generate one-off burner emails when signing up for a service on the web without having to give away the actual email address. Apple already offers a similar feature through Sign In With Apple.

5 — Mail Privacy Protection – Apple is taking on the invisible tracking pixels embedded in emails with its new Mail Privacy Protection feature. A tracking pixel — typically a single-pixel image — is how marketers know whether an email gets opened. When an email containing an invisible pixel is opened, the image connects to the sender’s server, while also funneling back sensitive data like users’ IP address, device location, and the email client used.

Should users choose to turn the feature on, “it hides your IP address so senders can’t link it to your other online activity or determine your location. And it prevents senders from seeing if you’ve opened their email.”

6 — Improved Intelligent Tracking Prevention — Intelligent Tracking Prevention, which is Apple’s privacy feature aimed at reducing fingerprinting and cross-site tracking on Safari, is getting stronger protections by also hiding the user’s IP address from trackers, thereby curtailing their ability to utilize the user’s IP address as a unique identifier to connect their activity across websites and build a profile about them.

7 — App Privacy Report – Similar to the new Privacy dashboard Google introduced in Android 12, this new section in Settings lets users check how often apps have accessed sensitive data such as location, photos, camera, microphone, and contacts during the last seven days, in addition to highlighting “which apps have contacted other domains and how recently they have contacted them.” App Privacy Report is set to arrive as part of a future software update to iOS 15, iPadOS 15, and watchOS 8 later this year.

8 — On-Device Speech Processing – Not only is Siri now capable of handling offline requests, but the audio requests are also now fully processed on the device itself, with the virtual voice assistant putting “on-device personalization” to use in order to tailor content based on device usage patterns. “This addresses one of the biggest privacy concerns for voice assistants, which is unwanted audio recording,” Apple notes.

9 — Microphone indicator in macOS — Starting with macOS Monterey, users can also see which apps have access to their Mac’s microphone in the Control Center. A new orange-color recording indicator is displayed whenever an app has access to the microphone, mirroring similar changes Apple introduced in iOS 14.

10 — Find My – While Apple didn’t elaborate on the implementation specifics, Find My — the company’s Bluetooth-powered location tracking system — is gaining two new features that allows device owners to locate their iPhones, iPads, or Airtags even when the devices have been powered off or erased.

It’s no surprise that Apple has used privacy as a crucial weapon to differentiate itself from its data-hungry rivals, projecting itself as a privacy-sensitive company that treats privacy as a “fundamental human right.” The newly announced features make it clear that Apple is building a scaling a business model that revolves around privacy.

By once again taking aim at the digital advertising industry and baking privacy into its design, Apple’s privacy infrastructure allows it to expand into new markets as well as launch new services, while also strengthening its position as a gatekeeper, a move that could further put it at odds with Facebook.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

The post Top 10 Privacy and Security Features Apple Announced at WWDC 2021 appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/top-10-privacy-and-security-features-apple-announced-at-wwdc-2021/?utm_source=rss&utm_medium=rss&utm_campaign=top-10-privacy-and-security-features-apple-announced-at-wwdc-2021

DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime

The US Department of Justice announced Monday that it recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days last month.

The seizure of 63.7 of the initial 75 paid bitcoins represented the first success of the Justice Department’s Ransomware and Digital Extortion Task Force, a team formalized just months ago, according to reporting from The Wall Street Journal. The value of the recovered bitcoins stands at roughly $2.3 million.

Justice Department Seizes $2.3 Million in Cryptocurrency Paid to Ransomware Extortionists: @TheJusticeDept today announced that it has seized 63.7 bitcoins that allegedly represent the proceeds of a May 8 ransom payment to DarkSide cyber actors. https://t.co/qnCAN8oibW pic.twitter.com/brNopjSN3E

— FBI (@FBI) June 7, 2021

Some commentators have speculated that the discrepancy between what was paid and what was recovered may be accounted for by the fact that Darkside ransomware is sold under the Ransomware-as-a-Service (RaaS) model. The missing money (about 15% of the total) may be the fee the attackers paid the Darkside creators for using their malware.

In statements prepared Monday, US Deputy Attorney General Lisa Monaco characterized the operation as a victory and a representation of the Justice Department’s full powers.

“Following the money remains one of the most basic, yet powerful tools we have,” Monaco said. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

Monaco added that the Department of Justice’s actions showcased the “value of early notification to law enforcement”—a clear signal that the federal government is now operating in lockstep to curb the threat of ransomware. In mid-May, the White House emphasized the importance of cyberattack notification when President Joe Biden signed an Executive Order that requires such warnings from technology companies that sell their products to the federal government, and weeks later, the Transportation Security Administration (TSA) rolled out a new cybersecurity directive for all US pipeline companies that will require pipelines to notify the government of any cyberattacks.

According to a sworn affidavit in support of a “seizure warrant” that was revealed Monday, Monaco’s statement about “following the money” was surprisingly literal. According to the affidavit, law enforcement tracked Colonial Pipeline’s payment across the public Bitcoin ledger until much of the payment landed in one specific Bitcoin address, which the outlet The Record identified here. After the funds arrived at the Bitcoin address—which law enforcement referred to as the “Subject Address”—they were not touched for days.

Then, a bit of mystery happened.

According to the affidavit, the Justice Department was able to retrieve funds from the Subject Address because the FBI obtained that address’s related “private key.”

Private keys are somewhat like passwords, in that they not to be shared, but they are also more complex than that. Private keys are randomized strings of letters and numbers that are cryptographically related to the Bitcoin address that they access. Reverse engineering a private key is technically infeasible, which means that somehow, the FBI obtained an example of possibly the most closely guarded secret for any cryptocurrency user today.

Some users keep their private keys on exchanges (websites for trading bitcoins). If the Colonial Pipeline attackers kept their key on a US-based exchange it would be an easy matter for the FBI to seize it. However, security-conscious Bitcoin users tend to keep their keys where they can see and secure them, on computers they own.

How the FBI managed managed to get the key is unclear, but a week after the Colonial Pipeline attack, Darkside said it lost control of some of its servers. In the same announcement, the threat actors also said they lost some ransom payments.

Whether the US government removed Darkside’s server access is not known, but the FBI’s ability to obtain a Bitcoin address private key still reveals a new attitude in America’s fight against cybercrime—a fierce, antagonistic approach that potentially crosses ethical lines.

In April, the Department of Justice revealed that the FBI had obtained the somewhat extraordinary authority to access servers it did not own or control so that it could remove web shells placed by cybercriminals who exploited zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server software. These web shell removals were performed with no notification to the servers’ owners.

Similarly, in January, after the international law enforcement agency Europol announced that it had taken control of the Emotet botnet, cybersecurity researchers spotted something hidden. The law enforcement agencies responsible for the takedown had already planned to deploy an update to remove Emotet from infected machines, and law enforcement agencies themselves wrote the code for the deployment.

In speaking on our podcast Lock and Code, Malwarebytes Security Evangelist Adam Kujawa said this was a new tactic from government authorities.

“I’ve seen people maybe misuse or abuse or modify how a particular malware Command & Control infrastructure would work, but I’ve never seen law enforcement deploy brand new code, and that’s kind of worrying a lot of folks,” Kujawa said. “A lot of people might consider it illegal.”

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime appeared first on Malwarebytes Labs.

The post DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/doj-recovers-pipeline-ransom-signals-more-aggressive-approach-to-cybercrime/?utm_source=rss&utm_medium=rss&utm_campaign=doj-recovers-pipeline-ransom-signals-more-aggressive-approach-to-cybercrime

What is a Prototype Pollution vulnerability and how does page-fetch help?

The post What is a Prototype Pollution vulnerability and how does page-fetch help? appeared first on Malware Devil.

https://malwaredevil.com/2021/06/08/what-is-a-prototype-pollution-vulnerability-and-how-does-page-fetch-help/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-a-prototype-pollution-vulnerability-and-how-does-page-fetch-help

Malware Devil

Malware Devil

Wednesday, June 9, 2021

ESB-2021.2028 – [RedHat] container-tools:2.0: Increased privileges – Existing account

Network Security News Summary for Wednesday June 9th, 2021

Dancho Danchev’s Disappearance – 2010 – Official Complaint Against Republic of Bulgaria – Part Four

VERT Threat Alert: June 2021 Patch Tuesday Analysis

Tuesday, June 8, 2021

Top 10 Privacy and Security Features Apple Announced at WWDC 2021

What is a Prototype Pollution vulnerability and how does page-fetch help?

Prototypes

The Global Object

Vulnerable Code

Detection

Tools for prototype pollution and client-side vulnerabilities

How it works

How can Detectify help?

How to redirect traffic from an incoming TCP port using the Portbender utility

Overview

Methods for Performing SMB Relaying on Windows

PortBender Design Overview

Design Decision #1: Intercepting Network Traffic

Design Decision #2: Integrating with Cobalt Strike

TCP Port Redirection Using the PortBender Utility

Duqu 2.0 PortServ.sys Persistence: TCP Port Redirection

Using PortBender to Perform an SMB Relay Attack

Leveraging PortBender for Duqu 2.0 Style Persistence

Future Work

Conclusion

References

A Microservice Overdose: When Engineering Trends Meet the Startup Reality

Top 10 Privacy and Security Features Apple Announced at WWDC 2021

DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime

What is a Prototype Pollution vulnerability and how does page-fetch help?

Barbary Pirates and Russian Cybercrime

Blog Archive

About Me