Malware Devil

Wednesday, July 7, 2021

Why I Love (Breaking Into) Your Security Appliances

David “moose” Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to “pick one lock” to invade an enterprise through them.

https://malwaredevil.com/2021/07/07/why-i-love-breaking-into-your-security-appliances/?utm_source=rss&utm_medium=rss&utm_campaign=why-i-love-breaking-into-your-security-appliances

Remote Work Brings User Complaints and High IT Costs

A recent “Work From Anywhere” survey commissioned by Cato Networks revealed that IT has encountered many unexpected challenges supporting and securing remote users in the wake of the COVID-19 pandemic. The survey, which queried some 2,686 IT leaders, found a host of operational and budgetary challenges.  “Work from anywhere has shifted business focus from the..

The post Remote Work Brings User Complaints and High IT Costs appeared first on Security Boulevard.


https://malwaredevil.com/2021/07/07/remote-work-brings-user-complaints-and-high-it-costs/?utm_source=rss&utm_medium=rss&utm_campaign=remote-work-brings-user-complaints-and-high-it-costs

PrintNightmare official patch is out – update now!

Patch now! This security hole could allow almost anyone to take over your whole network from almost any account on almost any computer.

https://malwaredevil.com/2021/07/07/printnightmare-official-patch-is-out-update-now/?utm_source=rss&utm_medium=rss&utm_campaign=printnightmare-official-patch-is-out-update-now

Cloud Cryptomining Swindle in Google Play Rakes in Cash

At least 25 apps have lured in tens of thousands of victims with the promise of helping them cash in on the cryptomining craze.

https://malwaredevil.com/2021/07/07/cloud-cryptomining-swindle-in-google-play-rakes-in-cash/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-cryptomining-swindle-in-google-play-rakes-in-cash

Microsoft Releases Emergency Patch for PrintNightmare Bugs

The fix doesn’t cover the entire problem nor all affected systems however, so the company also is offering workarounds and plans to release further remedies at a later date.

https://malwaredevil.com/2021/07/07/microsoft-releases-emergency-patch-for-printnightmare-bugs/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-releases-emergency-patch-for-printnightmare-bugs

Wildpressure targets the macOS platform

New findings

Our previous story regarding WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on a field in the C2 communication protocol that contains the “client” programming language.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.

The versioning system shows that the malware used by WildPressure is still under active development. Besides commercial VPS, this time the operators also used compromised legitimate WordPress websites. With low confidence, we believe their targets this time to be in the oil and gas industry. Whereas the operators previously used readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized, like “5CU5EQLOSI” and “C29QoCli33jjxtb”.

Although we couldn’t associate WildPressure’s activity with other threat actors, we did find minor similarities in the TTPs used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.

Python multi-OS Trojan

SHA1
72FC1D91E078F0A274CA604785117BEB261B870

File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

File size
3.3 MB

File name
svchost.exe

This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is “Guard”. The malware authors extensively relied on publicly available third-party code[1] to create it. Near the entry point one can find the first operating system-dependent code, which checks on macOS if another instance of the Trojan is running.

macOS-specific code snippet to check if another Trojan instance is already running

The Guard class constructor contains initial values, such as an XOR key (enc_key field) to decrypt the configuration. In this sample, it is set to decimal 110 and the C2 message type (answer_type_value field) to “Check”. The code that initializes class members for encryption and network communications is OS independent, but persistence methods aren’t.

For macOS, Guard decodes an XML document and creates a plist file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system. We provide the full list of persistence IoCs at the end of this article.

Malware decodes the XML, fills [pyscript] placeholder with its path and drops .plist file for persistence

For fingerprinting Windows and macOS operating systems, Guard uses standard Python libraries. Beacon data for the C2 contains the hostname, machine architecture and OS release name. To fingerprint Windows targets, Guard also uses WQL (WMI Query Language) requests, similarly to Milum, and features of the WMIC command line utility. For example, to identify the installed security products it executes the following command:

cmd /c wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET displayName,productUptoDate /Format:List

On macOS, Guard enumerates running processes using the “ls /Applications” command and compares the results against a list of security solutions: ["kaspersky security.app", "kaspersky anti-virus for mac.app", "intego", "sophos anti-virus.app", "virusbarrier.app", "mcafee internet security.app"]

The path to the file containing Guard’s configuration data is %APPDATA%\Microsoft\grconf.dat under Windows and $HOME/.appdata/grconf.dat under macOS.

Guard’s configuration data has to start with the string “*grds*”. Below is a comparison between different WildPressure sample parameters, including magic values used to pre- and post-fix the configuration data.

Parameter | C++ Milum | Python Guard | VBScript Tandis
Version | 1.0.1 – 1.6.1 | 2.2.1 | 1.6.1
Serial | Comparable to “clientid” with values like “HatLandid3” | 1——-C29QoCli———————— | 1——-Tandis_7————————
Relays | List of .php pages hosted on VPS | List of hacked WordPress websites | List of hacked WordPress websites
Encoded configuration start/end | (ws32) (we32) | *grds* *grde* | Configuration embedded inside the script

These prefix and suffix values allowed us to decode the Milum and Guard configuration data, as well as the self-decrypting Tandis script, with Bash and Python scripts. After configuration parsing, the Trojan is ready for its main working cycle: it awaits commands from its C2 that are XML-based and XOR-encrypted with the aforementioned decimal key 110. Among them are typical Trojan functions: downloading files, uploading files, executing commands with the OS command interpreter, updating the Trojan and cleaning up the target.

VBScript self-decrypted variant

SHA1
CD7904E6D59142F209BD248D21242E3740999A0D

File type
Self-decrypting VBScript

File size
51 KB

File name
l2dIIYKCQw.vbs

We named the Tandis Trojan after its “serial” configuration parameter. This VBScript Trojan version is Windows-only and relies much more on WQL queries than Guard. It was first detected in our telemetry on September 1, 2020, showing version 1.6.1. The abilities, parameters and working cycle are quite similar to Guard and other WildPressure malware.

The persistence is again system registry-based (please check the IoCs at the end). The function HexToBin() is in charge of the additional encryption used inside the script for some strings and for C2 communication. The basic unhexlify-XOR algorithm is the same as in the initial self-decryption, and to read the plaintext we used the same aforementioned script with the corresponding key (again 110 decimal, stored in a class data member). The C2 communication protocol is “encrypted XML over HTTP” (using the Msxml2.XMLHTTP and Msxml2.DOMDocument objects).
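The decoding described for the Milum and Guard configurations (a blob bracketed by the magic values from the table, XOR-encrypted with key 110) and for the Tandis HexToBin() layer (unhexlify, then XOR with the same key) fits in a short Python script. The following is an added example written for this page, not the analysts' own decoding script: the key and the magic values are taken from the article, while `build_sample` and the inner configuration text it wraps are constructed test data, and `recover_key` is a generic single-byte known-plaintext search that the article does not describe.

```python
import binascii

# XOR key the article reports for both Guard (enc_key field) and Tandis
# (class data member): decimal 110.
XOR_KEY = 110

# Magic prefix/suffix pairs from the article's parameter comparison table.
# Tandis embeds its configuration in the script body, so it has no pair.
CONFIG_MAGICS = {
    "milum": (b"(ws32)", b"(we32)"),
    "guard": (b"*grds*", b"*grde*"),
}


def xor_bytes(data, key):
    """Single-byte XOR, the only transformation either family applies."""
    return bytes(b ^ key for b in data)


def hex_to_bin_xor(hex_text, key=XOR_KEY):
    """Mirror of the Tandis HexToBin() step: strip whitespace, unhexlify, XOR.

    The same routine covers the script's self-decryption layer, its string
    constants and its C2 messages (same key, same algorithm).
    """
    raw = binascii.unhexlify("".join(hex_text.split()))
    return xor_bytes(raw, key)


def split_magic(plain):
    """Identify the family from the magic pair and strip it from the plaintext.

    Raises ValueError when no known pair brackets the data, which is the
    cheapest way to notice a wrong key or an unrelated file.
    """
    for family, (start, end) in CONFIG_MAGICS.items():
        if plain.startswith(start) and plain.endswith(end):
            return family, plain[len(start):len(plain) - len(end)]
    raise ValueError("decrypted data has no known configuration magic")


def decode_config(blob, key=XOR_KEY):
    """Decrypt a Milum/Guard configuration blob and return (family, inner)."""
    return split_magic(xor_bytes(blob, key))


def recover_key(blob):
    """Try every single-byte key; report those that yield a valid magic pair.

    Useful when a new sample changes enc_key: the magic is known plaintext,
    so the 256-value key space is exhausted in milliseconds.
    """
    hits = []
    for candidate in range(256):
        try:
            family, _ = decode_config(blob, candidate)
            hits.append((candidate, family))
        except ValueError:
            continue
    return hits


def build_sample(family, inner, key=XOR_KEY):
    """Constructed helper: hex-encode a blob in the layout the decoder expects.

    The inner content is made up for exercising the decoder offline; it is not
    a real WildPressure configuration.
    """
    start, end = CONFIG_MAGICS[family]
    return binascii.hexlify(xor_bytes(start + inner + end, key)).decode()


if __name__ == "__main__":
    # Constructed input: a made-up Guard configuration, hex-encoded.
    sample_hex = build_sample("guard", b"<config><relay>hxxp://relay.invalid/index.php</relay></config>")
    family, inner = split_magic(hex_to_bin_xor(sample_hex))
    print(family, inner.decode())
    print("candidate keys:", recover_key(binascii.unhexlify(sample_hex)))
```

The magic check matters more than the XOR itself: without it a wrong key silently produces garbage, whereas with it `decode_config` fails loudly and `recover_key` turns the prefix into a known-plaintext oracle for the next sample that changes the key.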

Below are the commands that Tandis supports:

Command | Description
1 | Wait
2 | Silently execute command with interpreter with cmd /c
3 | Download file
4 | Update the script from server
5 | Clean up, remove persistence and the script file
6 | Upload file
7 | Update wait timings in the configuration
8 | Fingerprint the host. In particular, Tandis gathers all the installed security products besides Defender with a WQL query

Plugin-based C++ malware

In addition to the scripting implants enumerated above, some of our findings relate to C++ developments. In our telemetry we discovered several previously unknown, interconnected modules used to gather data on target hosts. The compilation timestamps in this malware precede our detection date by a large margin, and we therefore consider them to have been tampered with.

The plugins we found are rather simplistic. We will therefore focus on the implemented interface between the orchestrator and its plugins.

Orchestrator

SHA1
FA50AC04D601BB7961CAE4ED23BE370C985723D6

File type
PE32 executable (console) Intel 80386, for MS Windows

File size
87 KB

File name
winloud.exe

This main module checks for the presence of a configuration file named “thumbnail.dat”. The precise directory of this configuration file varies across Windows versions:

%ALLUSERSPROFILE%\system\thumbnail.dat
%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat

The orchestrator uses a timer function that runs every two minutes and parses the configuration file for the plugin file path, function name, etc., and attempts to execute the corresponding plugin.

The overall communication workflow between orchestrator and the plugins

Plugins come in the form of a DLL that exports a function named accessPluginInterface(), which returns a pointer to a class object to the orchestrator. This main module then runs the second function from the virtual functions table, passing it the pointer to instantiated class objects. The plugins we’ve seen so far contained RTTI information.

Fingerprinting plugin

SHA1
c34545d89a0882bb16ea6837d7380f2c72be7209

File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

File size
194 KB

File name
GetClientInfo.dll

This plugin gathers very detailed data about the host with WQL queries and serializes it to JSON with a publicly available library. The data includes the OS version and the set of installed hotfixes, BIOS and HDD manufacturers, installed and running software and security products separately, user accounts and network adapter settings, etc. The corresponding executed WQL queries look like this:

SELECT Domain, DomainRole, TotalPhysicalMemory, UserName, SystemType FROM Win32_ComputerSystem
SELECT DHCPServer, DNSDomain, MACAddress, DHCPEnabled, DefaultIPGateway, IPAddress, IPSubnet FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'TRUE'

Keylogging and screenshotting plugins

SHA1
fb7f69834ca10fe31675bbedf9f858ec45c38239

File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

File size
90.5 KB

File name
Keylogger.dll

 

SHA1
2bb6d37dbba52d79b896352c37763d540038eb25

File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

File size
78 KB

File name
ScreenShot.dll

These plugins are quite straightforward. The keylogger sets a WH_KEYBOARD_LL hook to gather keystrokes and also collects clipboard content and window titles. The second takes screenshots by timer and on mouse events, for which it sets a WH_MOUSE_LL hook.

Campaign infrastructure

The actor used both VPS and compromised servers in their infrastructure, most of which were WordPress websites. The legitimate, compromised websites served as Guard relay servers. In our previous 2019 investigation, we were able to sinkhole the Milum C2, upiserversys1212[.]com. During our current investigation we managed to sinkhole another Milum C2, mwieurgbd114kjuvtg[.]com. However, we haven’t registered any recent Milum requests sent to these domains with the corresponding main.php or url.php URI.

Domain | IP | First seen | ASN | Malware
N/A | 107.158.154[.]66 | 2021-04-07 | 62904, EONIX | Milum
N/A | 185.177.59[.]234 | 2021-04-07 | 44901, BELCLOUD | Milum
N/A | 37.59.87[.]172 | 2014-12-26 | 16276, OVH | Milum
N/A | 80.255.3[.]86 | 2019-08-28 | 201011, NETZBETRIEB | Milum
mwieurgbd114kjuvtg[.]com | 139.59.250[.]183 (Sinkholed) | 2021-04-07 (Sinkholed) | 14061, DIGITALOCEAN | Milum

Legitimate, compromised Guard relay servers:

hxxp://adelice-formation[.]eu
hxxp://ricktallis[.]com/news
hxxp://whatismyserver123456[.]com
hxxp://www.glisru[.]eu
hxxp://www.mozh[.]org

Who was hit and by whom

We have very limited visibility for the samples described in this report. Based on our telemetry, we suspect that the targets in the same Middle East region were related to the oil and gas industry.

We consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile. However, another question remains: is WildPressure connected to other threat actors operating in the same region?

Among other actors that we’ve covered in the region, Chafer and Ferocious Kitten are worth mentioning. Technically, there is not much in common with their malware, but we observed some minor similarities with another actor in the region that we haven’t described publicly so far. The minor similarities with WildPressure are:

The “pk” parameter in HTTP requests to distinguish the Trojan beacons from, for example, scanners;
The usage of hacked WordPress websites as relays.

Both tactics aren’t unique enough to come to any attribution conclusion – it’s possible both groups are simply using the same generic techniques and programming approaches.


Indicators of Compromise

Milum version 1.6.1
0efd03fb65c3f92d9af87e4caf667f8e

PyInstaller with Guard
92A11F0DCB973D1A58D45C995993D854 (svchost.exe)

Self-decrypting Tandis VBScript
861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)

Orchestrator
C116B3F75E12AD3555E762C7208F17B8 (winloud.exe)

Plugins
F2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)
D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)
9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths

macOS .plist files
$HOME/Library/LaunchAgents/com.apple.pyapple.plist
$HOME/Library/LaunchAgents/apple.scriptzxy.plist

Config files under Windows
%APPDATA%\Microsoft\grconf.dat
%APPDATA%\Microsoft\vsdb.dat
%ALLUSERSPROFILE%\system\thumbnail.dat
%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat

Config files under macOS
$HOME/.appdata/grconf.dat

Registry values
Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system

WQL queries examples
SELECT * FROM Win32_Process WHERE Name = '<all enumerated names here>'
Select * from Win32_ComputerSystem
Select * From AntiVirusProduct
Select * From Win32_Process Where ParentProcessId = '<all enumerated ids here>'

Milum C2
hxxp://107.158.154[.]66/core/main.php
hxxp://185.177.59[.]234/core/main.php
hxxp://37.59.87[.]172/page/view.php
hxxp://80.255.3[.]86/page/view.php
hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php
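The indicators above only pay off once they are turned into matching logic that can run over endpoint and proxy telemetry. The following Python is an added example written for this page, not detection content from Kaspersky or any vendor: the C2 and relay hosts, the file paths, the RunOnce value and the WMIC and ls command lines are transcribed from the article, while the event schema (`type`, `host`, `cmdline`, `path`, `key`, `url`), the rule names, the severities and the `SAMPLE_EVENTS` telemetry are all constructed assumptions for the sake of the example.

```python
import re
from urllib.parse import urlparse

# Indicators transcribed from the article's IoC section. Defanged values are
# kept as printed and normalised with refang() before matching.
MILUM_C2_HOSTS = {"107.158.154[.]66", "185.177.59[.]234", "37.59.87[.]172",
                  "80.255.3[.]86", "mwieurgbd114kjuvtg[.]com", "www.mwieurgbd114kjuvtg[.]com"}
GUARD_RELAY_HOSTS = {"adelice-formation[.]eu", "ricktallis[.]com",
                     "whatismyserver123456[.]com", "www.glisru[.]eu", "www.mozh[.]org"}
MILUM_C2_PATHS = ("/core/main.php", "/page/view.php")


def refang(value):
    return value.replace("[.]", ".").lower()


_C2_HOSTS = {refang(h) for h in MILUM_C2_HOSTS}
_RELAY_HOSTS = {refang(h) for h in GUARD_RELAY_HOSTS}

# Persistence and configuration artefacts: (rule name, severity, regex).
# Rule names and severities are this example's own choices, not the article's.
FILE_RULES = [
    ("guard_macos_launchagent", "high",
     re.compile(r"Library/LaunchAgents/(com\.apple\.pyapple|apple\.scriptzxy)\.plist$")),
    ("guard_config_file", "high",
     re.compile(r"[\\/](Microsoft|\.appdata)[\\/]grconf\.dat$", re.I)),
    ("wildpressure_vsdb_config", "high",
     re.compile(r"[\\/]Microsoft[\\/]vsdb\.dat$", re.I)),
    ("orchestrator_config", "medium",
     re.compile(r"[\\/]system[\\/](Windows[\\/])?thumbnail\.dat$", re.I)),
]
REGISTRY_RULE = ("guard_runonce_value", "high",
                 re.compile(r"CurrentVersion\\RunOnce\\gd_system$", re.I))

# Behavioural rules for the fingerprinting commands the article quotes. These
# also fire on legitimate administration, hence the lower severities.
PROCESS_RULES = [
    ("wmic_av_product_enumeration", "medium",
     re.compile(r"\bwmic\b.*SecurityCenter2.*AntiVirusProduct", re.I)),
    ("macos_applications_listing", "low",
     re.compile(r"^\s*ls\s+/Applications\b")),
]


def classify_url(url):
    """Return (rule, severity) when a URL touches known infrastructure, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in _C2_HOSTS:
        # The exact C2 URI, or the 'pk' beacon parameter the article mentions,
        # separates a beacon from a mere contact with the host.
        if parsed.path in MILUM_C2_PATHS or "pk=" in parsed.query:
            return "milum_c2_beacon", "high"
        return "milum_c2_host_contact", "high"
    if host in _RELAY_HOSTS:
        return "guard_relay_contact", "medium"  # compromised legitimate site
    return None


def scan_events(events):
    """Run every rule over a list of telemetry dicts; return one hit per match."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            rules = [(r, s) for r, s, rx in PROCESS_RULES if rx.search(ev.get("cmdline", ""))]
        elif kind == "file":
            rules = [(r, s) for r, s, rx in FILE_RULES if rx.search(ev.get("path", ""))]
        elif kind == "registry":
            r, s, rx = REGISTRY_RULE
            rules = [(r, s)] if rx.search(ev.get("key", "")) else []
        elif kind == "http":
            match = classify_url(ev.get("url", ""))
            rules = [match] if match else []
        else:
            rules = []
        hits.extend({"rule": r, "severity": s, "host": ev.get("host", "?")} for r, s in rules)
    return hits


# Constructed sample telemetry (not real logs): seven true positives on two
# hosts plus two benign events on WS03 that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "cmdline": "cmd /c wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET displayName,productUptoDate /Format:List"},
    {"type": "file", "host": "WS01", "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\grconf.dat"},
    {"type": "registry", "host": "WS01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\gd_system"},
    {"type": "http", "host": "WS01", "url": "http://107.158.154.66/core/main.php?pk=1"},
    {"type": "process", "host": "MAC02", "cmdline": "ls /Applications"},
    {"type": "file", "host": "MAC02", "path": "/Users/alice/Library/LaunchAgents/com.apple.pyapple.plist"},
    {"type": "http", "host": "MAC02", "url": "http://ricktallis.com/news/index.php"},
    {"type": "file", "host": "WS03", "path": "C:\\Users\\carol\\Documents\\thumbnail.dat"},
    {"type": "process", "host": "WS03", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['severity']:6} {hit['host']:6} {hit['rule']}")
```

The relay hosts are legitimate compromised sites, so a single contact is graded medium rather than high; what should escalate a case is several hits on one host (the WS01 pattern above: AV enumeration, config file, RunOnce value and a beacon carrying `pk=`), and the `thumbnail.dat` rule deliberately anchors on the `system` directory so that the ordinary file name alone does not page anyone.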

[1] E.g. https://gist.github.com/vaab/2ad7051fc193167f15f85ef573e54eb9 and https://code.activestate.com/recipes/65222-run-a-task-every-few-seconds/

https://malwaredevil.com/2021/07/07/wildpressure-targets-the-macos-platform/?utm_source=rss&utm_medium=rss&utm_campaign=wildpressure-targets-the-macos-platform

How to Protect Medical Devices from Ransomware

Cyberattacks on hospitals are rising, and patients are worried. Is my personal data at risk? Could ransomware or hackers effectively shut down the ER near me?  Consider these findings from a March 2021 report by cybersecurity provider Morphisec:   About one in five Americans said their health care was affected by cyberattacks last year. Nearly..

The post How to Protect Medical Devices from Ransomware appeared first on Security Boulevard.


https://malwaredevil.com/2021/07/07/how-to-protect-medical-devices-from-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-protect-medical-devices-from-ransomware

4 Ways to Improve Governance in Product Security

Security is all about closing gaps—between attacker tactics and your defensive capabilities, for instance, or the known and unknown user identities in your cloud infrastructure. An important gap that too many organizations overlook actually starts at the top, between the business and the technical approaches to governance in cybersecurity. With one side focused on the..

The post 4 Ways to Improve Governance in Product Security appeared first on Security Boulevard.


https://malwaredevil.com/2021/07/07/4-ways-to-improve-governance-in-product-security/?utm_source=rss&utm_medium=rss&utm_campaign=4-ways-to-improve-governance-in-product-security

Remote Workforce Monitoring Brings Up Privacy Concerns

The pandemic paved the way for expanded remote work possibilities, but companies looking to ensure employees remain on the job while at home have led some to consider technologies to digitally monitor worker activity, in some cases through AI. Those initiatives come laden with thorny privacy concerns, legal landmines and, more than likely, stiff resistance..

The post Remote Workforce Monitoring Brings Up Privacy Concerns appeared first on Security Boulevard.


https://malwaredevil.com/2021/07/07/remote-workforce-monitoring-brings-up-privacy-concerns/?utm_source=rss&utm_medium=rss&utm_campaign=remote-workforce-monitoring-brings-up-privacy-concerns

Pro-Trump ‘Gettr’ Social Platform Hacked On Day One

The newborn platform was inundated by Sonic the Hedgehog-themed porn and had prominent users’ profiles defaced. Next, hackers posted its user database online.

https://malwaredevil.com/2021/07/07/pro-trump-gettr-social-platform-hacked-on-day-one/?utm_source=rss&utm_medium=rss&utm_campaign=pro-trump-gettr-social-platform-hacked-on-day-one

ISC Stormcast For Wednesday, July 7th, 2021 https://isc.sans.edu/podcastdetail.html?id=7574, (Wed, Jul 7th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


https://malwaredevil.com/2021/07/07/isc-stormcast-for-wednesday-july-7th-2021-https-isc-sans-edu-podcastdetail-htmlid7574-wed-jul-7th/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-wednesday-july-7th-2021-https-isc-sans-edu-podcastdetail-htmlid7574-wed-jul-7th

Network Security News Summary for Wednesday July 7th, 2021

Printnightmare Patch; Kaseya; Kaspersky Password Manager; Amazon Echo Dot Forensics

Microsoft Releases Printnightmare Patch
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Kaseya Update
https://www.kaseya.com/potential-attack-on-kaseya-vsa/

Kaspersky Password Manager
https://donjon.ledger.com/kaspersky-password-manager/

Amazon Echo Dot After Reset Artifacts
https://dl.acm.org/doi/pdf/10.1145/3448300.3467820

keywords: kaspersky; password; manager; random numbers; amazon; echo; dot; forensics; microsoft; printnightmare


https://malwaredevil.com/2021/07/07/network-security-news-summary-for-wednesday-july-7th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-july-7th-2021

ASB-2021.0123.3 – UPDATE ALERT [Win] Microsoft Print Spooler: Multiple vulnerabilities

===========================================================================
AUSCERT Security Bulletin

ASB-2021.0123.3
Windows Print Spooler Remote Code Execution Vulnerability
7 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Microsoft Print Spooler
Operating System: Windows
Impact/Access: Administrator Compromise -- Existing Account
               Execute Arbitrary Code/Commands -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-34527 CVE-2021-1675
Reference: ASB-2021.0116
ASB-2021.0115

Revision History: July 7 2021: Microsoft revised advisory to announce patches are now available for CVE-2021-34527
July 5 2021: Microsoft revised advisory to update the FAQ, add a mitigation, and add CVSS score
July 2 2021: Initial Release

OVERVIEW

Microsoft has released an out-of-band critical update to address a
Windows Print Spooler Remote Code Execution Vulnerability.
Microsoft has assigned CVE-2021-34527 to this vulnerability and
acknowledges it has been referred to publicly as PrintNightmare.[1]

This vulnerability has received significant media attention in the past day.
[2] [3] [4] [5]

IMPACT

Microsoft has stated the following:

“Microsoft is aware of and investigating a remote code execution
vulnerability that affects Windows Print Spooler and has assigned
CVE-2021-34527 to this vulnerability. This is an evolving situation
and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print
Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run
arbitrary code with SYSTEM privileges. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().”
[1]

= Update by Microsoft 20210703 =
Microsoft updated advisory to confirm that client systems and non domain
controller member servers are affected under certain specified conditions. [1]

MITIGATION

Microsoft recommends applying the latest security updates released
on June 8 AND determining if the Print Spooler service is running
and either disabling it or disabling inbound remote printing through
Group Policy. [1]

Microsoft acknowledges this vulnerability is similar to but distinct
from the recent Print Spooler vulnerability reported as
CVE-2021-1675 and addressed by the June 2021 security updates, and
that they are still investigating the issue and will update the page
as more information becomes available. [1]

= Update by Microsoft 20210703 = Microsoft updated advisory to
include further mitigation options as an alternative to disabling
printing which involves modifying various group memberships, but
notes this does risk compatibility problems. [1]

= Update by Microsoft 20210706 = Microsoft updated advisory to
announce an update is being released for several versions of
Windows to address this vulnerability. Updates are not yet available
for Windows 10 version 1607, Windows Server 2016, or Windows Server
2012. Microsoft have stated that security updates for these versions
of Windows will be released at a later date. Microsoft advise the
updates should be applied immediately. [1]

REFERENCES

[1] Windows Print Spooler Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

[2] ‘PrintNightmare’ Stuxnet-style zero-day
https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767

[3] Public Windows PrintNightmare 0-day exploit allows domain takeover
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

[4] Researchers accidentally release exploit code for new Windows
‘zero-day’ bug PrintNightmare
https://portswigger.net/daily-swig/researchers-accidentally-release-exploit-code-for-new-windows-zero-day-bug-printnightmare

[5] PrintNightmare, Critical Windows Print Spooler Vulnerability
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation’s site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


https://malwaredevil.com/2021/07/07/asb-2021-0123-3-update-alert-win-microsoft-print-spooler-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=asb-2021-0123-3-update-alert-win-microsoft-print-spooler-multiple-vulnerabilities

ESB-2021.2320 – [RedHat] OpenShift: Multiple vulnerabilities

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2320
OpenShift Container Platform 4.7.19 packages and security update
7 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: OpenShift
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Increased Privileges -- Existing Account
               Denial of Service -- Remote/Unauthenticated
               Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-25217 CVE-2021-3560

Reference: ESB-2021.2201
ESB-2021.1950
ESB-2021.1943
ESB-2021.1940

Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2555

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis: Important: OpenShift Container Platform 4.7.19 packages and security update
Advisory ID: RHSA-2021:2555-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2555
Issue date: 2021-07-06
CVE Names: CVE-2021-3560 CVE-2021-25217
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.19 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.7 – noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.19. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:2554

Security Fix(es):

* polkit: local privilege escalation using
polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)

* dhcp: stack-based buffer overflow when parsing statements with
colon-separated hex digits in config or lease files in dhcpd and dhclient
(CVE-2021-25217)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

4. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1961710 – CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
1963258 – CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient
1976688 – Placeholder bug for OCP 4.7.0 rpm release

6. Package List:

Red Hat OpenShift Container Platform 4.7:

Source:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el7.src.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el7.src.rpm

x86_64:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el7.x86_64.rpm
cri-o-debuginfo-1.20.3-6.rhaos4.7.git0d0f863.el7.x86_64.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el7.x86_64.rpm
openshift-clients-redistributable-4.7.0-202106252127.p0.git.8b4b094.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.7:

Source:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8.src.rpm
dhcp-4.3.6-41.el8_3.1.src.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8.src.rpm
openshift-kuryr-4.7.0-202106232224.p0.git.c7654fb.el8.src.rpm
polkit-0.115-11.el8_3.2.src.rpm

noarch:
dhcp-common-4.3.6-41.el8_3.1.noarch.rpm
openshift-kuryr-cni-4.7.0-202106232224.p0.git.c7654fb.el8.noarch.rpm
openshift-kuryr-common-4.7.0-202106232224.p0.git.c7654fb.el8.noarch.rpm
openshift-kuryr-controller-4.7.0-202106232224.p0.git.c7654fb.el8.noarch.rpm
python3-kuryr-kubernetes-4.7.0-202106232224.p0.git.c7654fb.el8.noarch.rpm

ppc64le:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8.ppc64le.rpm
cri-o-debuginfo-1.20.3-6.rhaos4.7.git0d0f863.el8.ppc64le.rpm
cri-o-debugsource-1.20.3-6.rhaos4.7.git0d0f863.el8.ppc64le.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8.ppc64le.rpm

s390x:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8.s390x.rpm
cri-o-debuginfo-1.20.3-6.rhaos4.7.git0d0f863.el8.s390x.rpm
cri-o-debugsource-1.20.3-6.rhaos4.7.git0d0f863.el8.s390x.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8.s390x.rpm

x86_64:
cri-o-1.20.3-6.rhaos4.7.git0d0f863.el8.x86_64.rpm
cri-o-debuginfo-1.20.3-6.rhaos4.7.git0d0f863.el8.x86_64.rpm
cri-o-debugsource-1.20.3-6.rhaos4.7.git0d0f863.el8.x86_64.rpm
dhcp-client-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-client-debuginfo-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-debuginfo-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-debugsource-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-libs-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-libs-debuginfo-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-relay-debuginfo-4.3.6-41.el8_3.1.x86_64.rpm
dhcp-server-debuginfo-4.3.6-41.el8_3.1.x86_64.rpm
openshift-clients-4.7.0-202106252127.p0.git.8b4b094.el8.x86_64.rpm
openshift-clients-redistributable-4.7.0-202106252127.p0.git.8b4b094.el8.x86_64.rpm
polkit-0.115-11.el8_3.2.x86_64.rpm
polkit-debuginfo-0.115-11.el8_3.2.x86_64.rpm
polkit-debugsource-0.115-11.el8_3.2.x86_64.rpm
polkit-libs-0.115-11.el8_3.2.x86_64.rpm
polkit-libs-debuginfo-0.115-11.el8_3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/cve/CVE-2021-25217
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

https://malwaredevil.com/2021/07/07/esb-2021-2320-redhat-openshift-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2320-redhat-openshift-multiple-vulnerabilities

ESB-2021.2318 – [Linux][RedHat] linuxptp: Execute arbitrary code/commands – Existing account


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2318
linuxptp security update
7 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: linuxptp
Publisher: Red Hat
Operating System: Red Hat
                  Linux variants
Impact/Access: Execute Arbitrary Code/Commands — Existing Account
               Denial of Service — Existing Account
               Access Confidential Data — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3570

Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2657
https://access.redhat.com/errata/RHSA-2021:2658
https://access.redhat.com/errata/RHSA-2021:2659
https://access.redhat.com/errata/RHSA-2021:2660

Comment: This bulletin contains four (4) Red Hat security advisories.

This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running linuxptp check for an updated version of the software for
their operating system.

– ————————–BEGIN INCLUDED TEXT——————–


=====================================================================
Red Hat Security Advisory

Synopsis: Important: linuxptp security update
Advisory ID: RHSA-2021:2657-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2657
Issue date: 2021-07-06
CVE Names: CVE-2021-3570
=====================================================================

1. Summary:

An update for linuxptp is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) – aarch64, ppc64le, s390x, x86_64

3. Description:

The linuxptp packages provide a Precision Time Protocol (PTP) implementation
for Linux according to IEEE standard 1588. The dual design goals are to
provide a robust implementation of the standard and to use the most relevant
and modern Application Programming Interfaces (API) offered by the Linux
kernel.

Security Fix(es):

* linuxptp: missing length check of forwarded messages (CVE-2021-3570)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1966240 – CVE-2021-3570 linuxptp: missing length check of forwarded messages

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
linuxptp-2.0-4.el8_2.1.src.rpm

aarch64:
linuxptp-2.0-4.el8_2.1.aarch64.rpm
linuxptp-debuginfo-2.0-4.el8_2.1.aarch64.rpm
linuxptp-debugsource-2.0-4.el8_2.1.aarch64.rpm

ppc64le:
linuxptp-2.0-4.el8_2.1.ppc64le.rpm
linuxptp-debuginfo-2.0-4.el8_2.1.ppc64le.rpm
linuxptp-debugsource-2.0-4.el8_2.1.ppc64le.rpm

s390x:
linuxptp-2.0-4.el8_2.1.s390x.rpm
linuxptp-debuginfo-2.0-4.el8_2.1.s390x.rpm
linuxptp-debugsource-2.0-4.el8_2.1.s390x.rpm

x86_64:
linuxptp-2.0-4.el8_2.1.x86_64.rpm
linuxptp-debuginfo-2.0-4.el8_2.1.x86_64.rpm
linuxptp-debugsource-2.0-4.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3570
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

– ——————————————————————————–

=====================================================================
Red Hat Security Advisory

Synopsis: Important: linuxptp security update
Advisory ID: RHSA-2021:2658-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2658
Issue date: 2021-07-06
CVE Names: CVE-2021-3570
=====================================================================

1. Summary:

An update for linuxptp is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) – x86_64
Red Hat Enterprise Linux Server (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64

3. Description:

The linuxptp packages provide a Precision Time Protocol (PTP) implementation
for Linux according to IEEE standard 1588. The dual design goals are to
provide a robust implementation of the standard and to use the most relevant
and modern Application Programming Interfaces (API) offered by the Linux
kernel.

Security Fix(es):

* linuxptp: missing length check of forwarded messages (CVE-2021-3570)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1966240 – CVE-2021-3570 linuxptp: missing length check of forwarded messages

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
linuxptp-2.0-2.el7_9.1.src.rpm

x86_64:
linuxptp-2.0-2.el7_9.1.x86_64.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
linuxptp-2.0-2.el7_9.1.src.rpm

x86_64:
linuxptp-2.0-2.el7_9.1.x86_64.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
linuxptp-2.0-2.el7_9.1.src.rpm

ppc64:
linuxptp-2.0-2.el7_9.1.ppc64.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.ppc64.rpm

ppc64le:
linuxptp-2.0-2.el7_9.1.ppc64le.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.ppc64le.rpm

s390x:
linuxptp-2.0-2.el7_9.1.s390x.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.s390x.rpm

x86_64:
linuxptp-2.0-2.el7_9.1.x86_64.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
linuxptp-2.0-2.el7_9.1.src.rpm

x86_64:
linuxptp-2.0-2.el7_9.1.x86_64.rpm
linuxptp-debuginfo-2.0-2.el7_9.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3570
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
– ——————————————————————————–

=====================================================================
Red Hat Security Advisory

Synopsis: Important: linuxptp security update
Advisory ID: RHSA-2021:2659-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2659
Issue date: 2021-07-06
CVE Names: CVE-2021-3570
=====================================================================

1. Summary:

An update for linuxptp is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) – aarch64, ppc64le, s390x, x86_64

3. Description:

The linuxptp packages provide a Precision Time Protocol (PTP) implementation
for Linux according to IEEE standard 1588. The dual design goals are to
provide a robust implementation of the standard and to use the most relevant
and modern Application Programming Interfaces (API) offered by the Linux
kernel.

Security Fix(es):

* linuxptp: missing length check of forwarded messages (CVE-2021-3570)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1966240 – CVE-2021-3570 linuxptp: missing length check of forwarded messages

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
linuxptp-2.0-4.el8_1.1.src.rpm

aarch64:
linuxptp-2.0-4.el8_1.1.aarch64.rpm
linuxptp-debuginfo-2.0-4.el8_1.1.aarch64.rpm
linuxptp-debugsource-2.0-4.el8_1.1.aarch64.rpm

ppc64le:
linuxptp-2.0-4.el8_1.1.ppc64le.rpm
linuxptp-debuginfo-2.0-4.el8_1.1.ppc64le.rpm
linuxptp-debugsource-2.0-4.el8_1.1.ppc64le.rpm

s390x:
linuxptp-2.0-4.el8_1.1.s390x.rpm
linuxptp-debuginfo-2.0-4.el8_1.1.s390x.rpm
linuxptp-debugsource-2.0-4.el8_1.1.s390x.rpm

x86_64:
linuxptp-2.0-4.el8_1.1.x86_64.rpm
linuxptp-debuginfo-2.0-4.el8_1.1.x86_64.rpm
linuxptp-debugsource-2.0-4.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3570
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
– ——————————————————————————–

=====================================================================
Red Hat Security Advisory

Synopsis: Important: linuxptp security update
Advisory ID: RHSA-2021:2660-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2660
Issue date: 2021-07-06
CVE Names: CVE-2021-3570
=====================================================================

1. Summary:

An update for linuxptp is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) – aarch64, ppc64le, s390x, x86_64

3. Description:

The linuxptp packages provide a Precision Time Protocol (PTP) implementation
for Linux according to IEEE standard 1588. The dual design goals are to
provide a robust implementation of the standard and to use the most relevant
and modern Application Programming Interfaces (API) offered by the Linux
kernel.

Security Fix(es):

* linuxptp: missing length check of forwarded messages (CVE-2021-3570)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1966240 – CVE-2021-3570 linuxptp: missing length check of forwarded messages

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
linuxptp-2.0-5.el8_4.1.src.rpm

aarch64:
linuxptp-2.0-5.el8_4.1.aarch64.rpm
linuxptp-debuginfo-2.0-5.el8_4.1.aarch64.rpm
linuxptp-debugsource-2.0-5.el8_4.1.aarch64.rpm

ppc64le:
linuxptp-2.0-5.el8_4.1.ppc64le.rpm
linuxptp-debuginfo-2.0-5.el8_4.1.ppc64le.rpm
linuxptp-debugsource-2.0-5.el8_4.1.ppc64le.rpm

s390x:
linuxptp-2.0-5.el8_4.1.s390x.rpm
linuxptp-debuginfo-2.0-5.el8_4.1.s390x.rpm
linuxptp-debugsource-2.0-5.el8_4.1.s390x.rpm

x86_64:
linuxptp-2.0-5.el8_4.1.x86_64.rpm
linuxptp-debuginfo-2.0-5.el8_4.1.x86_64.rpm
linuxptp-debugsource-2.0-5.el8_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3570
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

– ————————–END INCLUDED TEXT——————–


https://malwaredevil.com/2021/07/07/esb-2021-2318-linuxredhat-linuxptp-execute-arbitrary-code-commands-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2318-linuxredhat-linuxptp-execute-arbitrary-code-commands-existing-account

ESB-2021.2319 – [SUSE] python-rsa: Access confidential data – Remote/unauthenticated


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2319
Security update for python-rsa
7 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: python-rsa
Publisher: SUSE
Operating System: SUSE
Impact/Access: Access Confidential Data — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13757

Reference: ESB-2021.2169
           ESB-2020.2990
           ESB-2020.2943

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20212253-1

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security update for python-rsa

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2253-1
Rating: important
References: #1172389
Cross-References: CVE-2020-13757
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-rsa fixes the following issues:

o CVE-2020-13757: Proper handling of leading '\0' bytes during decryption of
ciphertext (bsc#1172389)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2253=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2253=1

Package List:

o SUSE OpenStack Cloud Crowbar 9 (noarch):
python-rsa-3.4.2-4.4.1
o SUSE OpenStack Cloud 9 (noarch):
python-rsa-3.4.2-4.4.1

References:

o https://www.suse.com/security/cve/CVE-2020-13757.html
o https://bugzilla.suse.com/1172389

– ————————–END INCLUDED TEXT——————–


https://malwaredevil.com/2021/07/07/esb-2021-2319-suse-python-rsa-access-confidential-data-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2319-suse-python-rsa-access-confidential-data-remote-unauthenticated

Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as “printnightmare”. Patches are currently available for these versions of Windows:

Windows 10 Version 21H1 (32-bit, x64, ARM64)
Windows 10 Version 2004 (32-bit, x64, ARM64)
Windows 10 Version 1909 (32-bit, x64, ARM64)
Windows 10 Version 1809 (32-bit, x64, ARM64)
Windows 10 (32-bit and x64)
Windows RT 8.1
Windows 8.1 (32-bit and x64)
Windows 7 SP1 (32-bit and x64)
Windows Server, version 20H2 (ARM, 32-bit, x64, Server Core)
Windows Server, version 2004 (ARM, 32-bit, x64, Server Core)
Windows Server 2019 (including Server Core)
Windows Server 2012 R2 (including Server Core)
Windows Server 2008 R2 SP1 and SP2

Patches for other versions will follow shortly. Please apply them as soon as they are released. This will affect Windows 10 version 1607, Windows Server 2016, and Windows Server 2012.

Applying the update will also patch the older CVE-2021-1675 vulnerability.

For details, see Microsoft’s updated advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2021/07/07/microsoft-releases-patches-for-cve-2021-34527-wed-jul-7th/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-releases-patches-for-cve-2021-34527-wed-jul-7th

Tuesday, July 6, 2021

Kaseya Starts Recovery After REvil Attack

Kaseya is now reporting the software-as-a-service (SaaS) instance of its Virtual System Administrator (VSA) platform will be back online sometime between 4:00 p.m. and 7:00 p.m. EST today. It expects the on-premises editions of VSA to be patched within 24 hours after that. The company has also committed to providing access to an independent security..

The post Kaseya Starts Recovery After REvil Attack appeared first on Security Boulevard.

https://malwaredevil.com/2021/07/06/kaseya-starts-recovery-after-revil-attack/?utm_source=rss&utm_medium=rss&utm_campaign=kaseya-starts-recovery-after-revil-attack

Android Apps in Google Play Harvest Facebook Credentials

The apps all used an unusual tactic of loading a legitimate Facebook page as part of the data theft.

https://malwaredevil.com/2021/07/06/android-apps-in-google-play-harvest-facebook-credentials/?utm_source=rss&utm_medium=rss&utm_campaign=android-apps-in-google-play-harvest-facebook-credentials

Western Digital Users Face Another RCE

Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

https://malwaredevil.com/2021/07/06/western-digital-users-face-another-rce/?utm_source=rss&utm_medium=rss&utm_campaign=western-digital-users-face-another-rce

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...