Malware Devil

Thursday, July 8, 2021

Moving to AWS Lambda? Here’s what you need to know

Serverless computing is transforming the way organizations build, ship, automate and scale applications. With no need to worry about infrastructure or who’s going to manage it, developers are free to focus on application development and innovation. The payoffs can be significant: Faster time to market: When you reduce operational overheads, development teams can release quickly, […]

The post Moving to AWS Lambda? Here’s what you need to know appeared first on Blog.

The post Moving to AWS Lambda? Here’s what you need to know appeared first on Security Boulevard.


The post Moving to AWS Lambda? Here’s what you need to know appeared first on Malware Devil.



https://malwaredevil.com/2021/07/08/moving-to-aws-lambda-heres-what-you-need-to-know/

The Joy of Tech® ‘Reparative Ransomware!’

via the Comic Noggins of Nitrozac and Snaggy at The Joy of Tech®!


The post The Joy of Tech® ‘Reparative Ransomware!’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/the-joy-of-tech-reparative-ransomware/

Container Adoption Introduces Efficiency – and Vulnerabilities

The post Container Adoption Introduces Efficiency – and Vulnerabilities appeared first on Digital Defense, Inc..

The post Container Adoption Introduces Efficiency – and Vulnerabilities appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/container-adoption-introduces-efficiency-and-vulnerabilities/

S3 Ep40: Kaseya breach, PrintNightmare 0-day, and hacking versus the law [Podcast]

Latest episode – listen now!



https://malwaredevil.com/2021/07/08/s3-ep40-kaseya-breach-printnightmare-0-day-and-hacking-versus-the-law-podcast/

SQLite Vulnerability May Be Putting Your Applications at Risk

First discovered by the security researchers of Tencent’s Blade Team in 2018, the SQLite vulnerability continues to expose millions of applications, software packages, IoT devices, and so on to the.

The post SQLite Vulnerability May Be Putting Your Applications at Risk appeared first on Indusface.

The post SQLite Vulnerability May Be Putting Your Applications at Risk appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/sqlite-vulnerability-may-be-putting-your-applications-at-risk/

Kaseya Postpones Bringing ITSM Platforms Back Up

Kaseya has decided to postpone bringing its IT service management (ITSM) platform back online after a ransomware attack until Sunday afternoon July 11, 2021, Eastern Standard Time. Previously, the company had committed to bringing both the software-as-a-service (SaaS) platform and the on-premises edition of its platform back online earlier this week. However, on the advice..

The post Kaseya Postpones Bringing ITSM Platforms Back Up appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/kaseya-postpones-bringing-itsm-platforms-back-up/

How Fake Accounts and Sneaker-Bots Took Over the Internet

Jason Kent, hacker-in-residence at Cequence Security, discusses fake online accounts, and the fraud they carry out on a daily basis.



https://malwaredevil.com/2021/07/08/how-fake-accounts-and-sneaker-bots-took-over-the-internet/

China ‘Eugenics’ Claim as BGI Hoards Prenatal Test DNA Data

Chinese genetics company BGI accused of misusing DNA harvested from prenatal testing.

The post China ‘Eugenics’ Claim as BGI Hoards Prenatal Test DNA Data appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/china-eugenics-claim-as-bgi-hoards-prenatal-test-dna-data/

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site — portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

The Kaseya customer support and billing portal. Image: Archive.org.

Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”

The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.

“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”

Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.

“It was deprecated but left up,” Sanders said.

In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.

“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”

“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”

The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.

But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”

In a video posted to YouTube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”

“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.

The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).

In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”

“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update.

Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.

“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.




https://malwaredevil.com/2021/07/08/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/

MAR-10337802-1.v1: DarkSide Ransomware

AR21-189A



https://malwaredevil.com/2021/07/08/mar-10337802-1-v1-darkside-ransomware/

API Security Need to Know: Top 5 Authentication Pitfalls

The recent rash of API security incidents (Peloton, Experian, Clubhouse, etc.) has no doubt forced many security and development teams to take a closer look at their API security posture to ensure they are not the next headline. Creating an inventory of all APIs exposed to external audiences is the most common starting point that […]

The post API Security Need to Know: Top 5 Authentication Pitfalls appeared first on Cequence.

The post API Security Need to Know: Top 5 Authentication Pitfalls appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/api-security-need-to-know-top-5-authentication-pitfalls/

What Is Your Digital Footprint? | Avast

If you’re active online, you have a digital footprint. Everyone does. Every comment made on social media, every news article shared, and every purchase made online contributes to a person’s data trail. Your data trail reveals a detailed picture of who you are and what you like. This data is valuable and often monetized by “free” services and apps like Facebook, Google, and Twitter. When you’re logged in, you’re being tracked across every page you visit. 

The post What Is Your Digital Footprint? | Avast appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/what-is-your-digital-footprint-avast/

Using Sudo with Python For More Security Controls, (Thu, Jul 8th)

I’m a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to grant certain users or groups access to certain commands as root or as another user, with a lot of granularity in the access rights and in the logging/reporting features. I’ve been using it for many years and I’m still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend it using Python modules! There are several scenarios where Python can be used:

Approval
Audit
I/O
Policy

As usual, Python support is not enabled by default in the Sudo packages of many Linux distributions. You will have to rebuild a local Sudo instance with the ‘--enable-python’ flag:

./configure --prefix=/usr/local --enable-python && make && make install

Once your new Sudo is ready, you just have to enable the Python interface you’d like to use. Edit your sudo.conf file and add a line like this one:

Plugin python_io python_plugin.so ModulePath=/usr/local/lib/sudo/sudo_isc_test.py ClassName=MyIOPlugin

ModulePath specifies the location of the Python script that will contain our code and ClassName is the class that will be defined in the script. In this case, I’m enabling the support for I/O operations.

Let’s have a look at the script now:

# cat /usr/local/lib/sudo/sudo_isc_test.py
import sudo

VERSION = 1.0

class MyIOPlugin(sudo.Plugin):
    # Called by sudo with every chunk of output written to the terminal.
    def log_ttyout(self, buf: str) -> int:
        if "root:x:0:" in buf:
            sudo.log_info("WARNING: Suspicious activity on passwd file detected!")
            return sudo.RC.REJECT
        if "8.8.8.8" in buf:
            sudo.log_info("WARNING: Suspicious network activity detected!")
            return sudo.RC.REJECT
        # Nothing suspicious: let the output through.
        return sudo.RC.ACCEPT

And in practice, how it works:

# sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin

WARNING: Suspicious activity on passwd file detected!

# sudo host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

WARNING: Suspicious network activity detected!

Of course, you can do much more, for example generate events. This is really powerful and helps to better control what users and scripts do through Sudo. More information about the Python integration is available on the Sudo website[3].
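An added, runnable companion to the plugin above (example code written for this page, not Xavier’s script or sudo’s own): it factors the matching into an OutputScanner that keeps the tail of the previous chunk, so a pattern that straddles two terminal writes is still caught (a plain substring test on each buffer misses that case), and it returns an explicit ACCEPT when nothing matches. Outside sudo’s embedded interpreter the ‘sudo’ module does not exist, so the block installs a minimal shim of the documented names (sudo.Plugin, sudo.RC.ACCEPT/REJECT, sudo.log_info; that the base constructor accepts keyword arguments is an assumption) purely so the logic can be unit-tested. The crypt-hash rule and the sample strings are constructed for this example.

```python
import re
import sys
import types

try:
    import sudo  # only importable inside sudo's embedded Python interpreter
except ImportError:
    # Assumption: a minimal shim of sudo's documented plugin API so the scanner
    # can be exercised (and unit-tested) outside sudo. RC values follow the
    # sudo_plugin_python manual (ACCEPT=1, REJECT=0, ERROR=-1).
    sudo = types.ModuleType("sudo")
    sudo.RC = types.SimpleNamespace(ACCEPT=1, REJECT=0, ERROR=-1)

    class _Plugin:
        def __init__(self, **kwargs):
            pass

    sudo.Plugin = _Plugin
    sudo.log_info = lambda *args: print(*args, file=sys.stderr)
    sys.modules["sudo"] = sudo

# Detection rules: (rule name, compiled pattern, message shown to the operator).
# The first two mirror the diary's substring checks; the crypt-hash rule is
# constructed for this example (crypt(3) prefixes such as $6$ or $y$).
RULES = (
    ("passwd-root", re.compile(r"root:x:0:"),
     "WARNING: Suspicious activity on passwd file detected!"),
    ("google-dns", re.compile(r"\b8\.8\.8\.8\b"),
     "WARNING: Suspicious network activity detected!"),
    ("crypt-hash", re.compile(r"\$(?:1|5|6|y|2[aby])\$[^\s:]+"),
     "WARNING: Password hash material displayed on the terminal!"),
)


class OutputScanner:
    """Scan terminal output chunk by chunk.

    sudo hands the I/O plugin output in arbitrary-sized pieces, so a pattern
    may be split across two calls. We keep the last `overlap` characters of
    the previous chunk and only report matches that extend into new data, so
    a split pattern is caught once and an old hit is not reported twice.
    """

    def __init__(self, rules=RULES, overlap=64):
        self.rules = rules
        self.overlap = overlap
        self.tail = ""

    def feed(self, chunk):
        text = self.tail + chunk
        boundary = len(self.tail)
        hits = []
        for name, pattern, message in self.rules:
            for match in pattern.finditer(text):
                if match.end() > boundary:  # match touches the new chunk
                    hits.append((name, message))
                    break
        self.tail = text[-self.overlap:]
        return hits


class MyIOPlugin(sudo.Plugin):
    """sudo I/O plugin: reject the session when suspicious output appears."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)  # assumption: base accepts sudo's kwargs
        self.scanner = OutputScanner()

    def log_ttyout(self, buf: str) -> int:
        return self._inspect(buf)

    def log_stdout(self, buf: str) -> int:
        return self._inspect(buf)

    def _inspect(self, buf):
        hits = self.scanner.feed(buf)
        for _name, message in hits:
            sudo.log_info(message)
        # Explicit verdict for every chunk (returning None also means accept).
        return sudo.RC.REJECT if hits else sudo.RC.ACCEPT
```

To use it with sudo, point ModulePath at this file in sudo.conf exactly as in the Plugin line above; the shim branch is never taken there because sudo injects its real ‘sudo’ module.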

[1] https://www.sudo.ws
[2] https://www.pass-the-salt.org
[3] https://www.sudo.ws/man/1.9.0/sudo_plugin_python.man.html

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



https://malwaredevil.com/2021/07/08/using-sudo-with-python-for-more-security-controls-thu-jul-8th/

Real-Time Threat Assessment With In-Memory Computing

Today’s security information and event management (SIEM) solutions are inundated with incoming events and tracking potential threats to network infrastructure. Significant events must be identified and correlated to detect lateral movement and kill chains to signal when an attack has occurred or is in progress. Given the huge volume of data that must be processed,..

The post Real-Time Threat Assessment With In-Memory Computing appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/real-time-threat-assessment-with-in-memory-computing/

Automated Network Segmentation is a Security Service Away

Network segmentation is a practice as old as Ethernet. Though it was originally a practice to limit broadcast domains, as the number of connected devices and environments grew, the applicability of segmentation became a staple practice for security, as well. However, with environments adding or removing hundreds to thousands of devices daily in some organizations,..

The post Automated Network Segmentation is a Security Service Away appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/automated-network-segmentation-is-a-security-service-away/

Extending the Promise of SASE with MDR 

Managed detection and response (MDR) services have recently gained attention as a way to deal with the growth in cyberthreats. MDR services are often classified as a turnkey solution for businesses looking to reduce response times to detected threats.  However, deploying an MDR service is not as easy as it seems. Deployment usually requires opening..

The post Extending the Promise of SASE with MDR  appeared first on Security Boulevard.




https://malwaredevil.com/2021/07/08/extending-the-promise-of-sase-with-mdr/

Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)

Summary

Last week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.

Kaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:

HEUR:Exploit.Win32.CVE-2021-1675.*
HEUR:Exploit.Win32.CVE-2021-34527.*
HEUR:Exploit.MSIL.CVE-2021-34527.*
HEUR:Exploit.Script.CVE-2021-34527.*
HEUR:Trojan-Dropper.Win32.Pegazus.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
Exploit.Win32.CVE-2021-1675.*
Exploit.Win64.CVE-2021-1675.*

Our detection logic also successfully blocks the attack technique used by the latest Mimikatz framework, version 2.2.0-20210707.

We are closely monitoring the situation and improving generic detection of these vulnerabilities using our Behavior Detection and Exploit Prevention components. As part of our Managed Detection and Response service Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.

Technical details

CVE-2021-34527

When using RPC protocols to add a new printer (RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]) a client has to provide multiple parameters to the Print Spooler service:

pDataFile – a path to a data file for this printer;
pConfigFile – a path to a configuration file for this printer;
pDriverPath – a path to a driver file that’s used by this printer while it’s working.

The service makes several checks to ensure pDataFile and pDriverPath are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder %SYSTEMROOT%\system32\spool\drivers\x64\3 (on x64 versions of the OS).

Now, if a client asks the Windows Print Spooler service to add a printer again, this time setting pDataFile to the path of the DLL copied in the previous step, the print service will load that DLL because its path is no longer a UNC path and the check passes. These methods can be used by a low-privileged account, and the DLL is loaded by a process running as NT AUTHORITY\SYSTEM.

CVE-2021-1675

The local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there’s a difference in the entrypoint function (AddPrinterDriverEx). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.

Mitigations

Kaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.

Therefore, it is strongly recommended to follow Microsoft guidelines and apply the latest security updates for Windows.

Quoting Microsoft (as of July 7th, 2021):
“Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO).
While this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack.”




https://malwaredevil.com/2021/07/08/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/

ISC Stormcast For Thursday, July 8th, 2021 https://isc.sans.edu/podcastdetail.html?id=7576, (Thu, Jul 8th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



https://malwaredevil.com/2021/07/08/isc-stormcast-for-thursday-july-8th-2021-https-isc-sans-edu-podcastdetail-htmlid7576-thu-jul-8th/

ESB-2021.2337 – [Win][UNIX/Linux] Ruby products: Multiple vulnerabilities

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2337
Ruby 2.6.8, 2.7.4 and 3.0.2 Released
8 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Ruby 2.6.8
                   Ruby 2.7.4
                   Ruby 3.0.2
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32066 CVE-2021-31810 CVE-2021-31799

Reference: ESB-2021.1496

Original Bulletin:
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/

Comment: This bulletin contains three (3) Ruby security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.6.8 Released

Posted by usa on 7 Jul 2021

Ruby 2.6.8 has been released.

This release includes security fixes. Please check the topics below for
details.

o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
o CVE-2021-31799: A command injection vulnerability in RDoc

We ordinarily do not fix Ruby 2.6 except for security fixes, but this release also
includes fixes for some regressed bugs and build problems. See the commit logs for
details.

Ruby 2.6 is now under the state of the security maintenance phase, until the
end of March of 2022. After that date, maintenance of Ruby 2.6 will be ended.
We recommend you start planning the migration to newer versions of Ruby, such
as 3.0 or 2.7.

Download

o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.bz2

SIZE: 14131671
SHA1: 7d38cacb6a0779f04b9f19f94406da97e95bbec4
SHA256: dac96ca6df8bab5a6fc7778907f42498037f8ce05b63d20779dce3163e9fafe6
SHA512: 51806d48187dfcce269ff904943dd008df800216ad4797f95481bdeecc2fbac40016bc02eabfff32414839ebb2087511d25eebfd6acead1a1d3813be6c10edf7

o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.gz

SIZE: 16202660
SHA1: 949dce34bba3ae93fd302fe705017b03d13b69ab
SHA256: 1807b78577bc08596a390e8a41aede37b8512190e05c133b17d0501791a8ca6d
SHA512: 4f8b8736bdae8bb4b2b63d576232d376b4c87239d25bf7aa807d3eeea704cb8b06f465c37050be79b57a52b9bde65a5cc05679dd6df0f443c8e00a19513f882a

o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.xz

SIZE: 11599488
SHA1: fa5ad518ef31bbf5c3386dbcec7b57196a1e618e
SHA256: 8262e4663169c85787fdc9bfbd04d9eb86eb2a4b56d7f98373a8fcaa18e593eb
SHA512: d040ad2238523587d8f356fcb796b8b6ad7f8caff7dd6df09e3f7efcbfa0369e33600e78c7f2bc713ae77c040757cce5c4fec223cb9070209f2bf741899c556d

o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.zip

SIZE: 19868666
SHA1: ece4908dd84c7aaefbe6b188c0aca39eaedb2a77
SHA256: d5da2d7e1b9a6b570c66b3bb0cfa2de3ce21d002d2385a1fdf7195e2d0d1d5c7
SHA512: 143ee01da2cba85a2dcb394b1a64b18a748aeb0eda4d6d2d83638706ce4bb05f60f3e80a0429878f823437e0dfba285f8080637523a552eb04aca87df63831dc

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------------------------------------------------------------

Ruby 2.7.4 Released

Posted by usa on 7 Jul 2021

Ruby 2.7.4 has been released.

This release includes security fixes. Please check the topics below for
details.

o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

Download

o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.bz2

SIZE: 14804934
SHA1: f5bdecded2d68e4f2f0ab1d20137e8b4b0614e52
SHA256: bffa8aec9da392eda98f1c561071bb6e71d217d541c617fc6e3282d79f4e7d48
SHA512: f144c32c9cb0006dfcfa7d297f83f88b881f68c94f0130346c74dfd8758583a68d22accfd0fc9f31db304ab5ff0bc135bfb2868145c0dec1ee6cec5ac6c3725d

o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.gz

SIZE: 16915699
SHA1: 86ec4a97bc43370050b5aef8d6ea3ed3938fb344
SHA256: 3043099089608859fc8cce7f9fdccaa1f53a462457e3838ec3b25a7d609fbc5b
SHA512: a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a

o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.xz

SIZE: 12067588
SHA1: 6e044d835f9f432cfa9441241c1ef66e3d607cbf
SHA256: 2a80824e0ad6100826b69b9890bf55cfc4cf2b61a1e1330fccbcb30c46cef8d7
SHA512: 2cbb70ecfdd69120e789023ddb2b25cab0d03bc33fdc367a8f74ca8a3ee785c18c8ded9de3ecee627c7e275ffb85147e6abf921b6a61e31851b37c7fedf45bf9

o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.zip

SIZE: 20701195
SHA1: 32bdd5288dcc1e531832c14d26ff7cd218b55bc3
SHA256: a4fe29bfc6a8338fe4b017705aa9d3358225ea305359520d4995096a4382034e
SHA512: 2877b809bafe72cba789add85993a1954008012afcfb5fc4645e482478479bb02166b0d5ee12263983a6c828e6970eb1385632409793dcbc5185d7bbc9c4f349

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

The maintenance of Ruby 2.7, including this release, is based on the
Agreement for the Ruby stable version of the Ruby Association.

- --------------------------------------------------------------------------------

Ruby 3.0.2 Released

Posted by nagachika on 7 Jul 2021

Ruby 3.0.2 has been released.

This release includes security fixes. Please check the topics below for
details.

o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

Download

o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.gz

SIZE: 19941179
SHA1: e00784956ed2083a40e269d8b14e571b8fae9a0f
SHA256: 5085dee0ad9f06996a8acec7ebea4a8735e6fac22f22e2d98c3f2bc3bef7e6f1
SHA512: e1fba6f5429b5fca9c3f52a32535615fcf95fafa415efc71c46db4cce159f249112c01574c305026be5c50140335696042e47a74194caea045acbfaa4da738cd

o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.xz

SIZE: 14746080
SHA1: cd04711ed3adecbe244c3b4391e67430d11fa9f8
SHA256: 570e7773100f625599575f363831166d91d49a1ab97d3ab6495af44774155c40
SHA512: 0f702e2d8ca1342a9d4284dbdd234a3588e057b92566353aa7c21835cf09a3932864b2acf459a976960a1704e9befa562155d36b98b7cda8bd99526e10a374c4

o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.zip

SIZE: 24293508
SHA1: 9cde469fec5c9f8edd1d055fc4a9cc90b9611700
SHA256: 79e34f7fab000cb64ede8c39724ae240e36ee5905c752d77ec61a067d5e4e1dd
SHA512: 2eb1ce4d66b06ccdee835a017c0edd4028fff99a29f4a631ffb5b39289afcb6a88f79eb24cf09e78d2baaa7c3e494448e2701a0a976bb092de6f2929f1934325

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------END INCLUDED TEXT--------------------
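An added illustration of the Net::FTP issue listed in the three advisories above (CVE-2021-31810, “Trusting FTP PASV responses”); this is example code written for this bulletin, not Ruby’s net/ftp library or its patch. It parses a 227 reply and then, rather than trusting the address the server advertises, reuses the control connection’s host for the data connection unless the caller explicitly opts in, which is also the behaviour CPython’s ftplib adopted (FTP.trust_server_pasv_ipv4_address defaults to False). The sample replies and hosts are constructed.

```python
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Parentheses are
# optional in practice, so the pattern only requires the six comma-separated
# fields somewhere after the 227 code.
PASV_REPLY = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    match = PASV_REPLY.search(reply)
    if match is None:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV advertised port 0: %r" % reply)
    return host, port


def data_endpoint(control_host, reply, trust_server_address=False):
    """Decide where the data connection goes.

    A malicious or compromised server can put any address in its PASV reply;
    a client that honours it can be turned into a connect-back proxy towards
    hosts the client can reach (the CVE-2021-31810 class of bug). The remedy
    is to take only the port from the reply and reuse the host of the control
    connection, unless the caller explicitly opts in to the advertised one.
    Returns (host, port, overridden) so the caller can log a mismatch.
    """
    advertised_host, port = parse_pasv(reply)
    if trust_server_address or advertised_host == control_host:
        return advertised_host, port, False
    return control_host, port, True


if __name__ == "__main__":
    # Constructed replies: one honest, one pointing the client elsewhere.
    control = "192.0.2.10"
    for reply in ("227 Entering Passive Mode (192,0,2,10,19,137).",
                  "227 Entering Passive Mode (10,0,0,5,4,0)"):
        host, port, overridden = data_endpoint(control, reply)
        flag = " (advertised address ignored)" if overridden else ""
        print("%s -> connect to %s:%d%s" % (reply, host, port, flag))
```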

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

The post ESB-2021.2337 – [Win][UNIX/Linux] Ruby products: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/08/esb-2021-2337-winunix-linux-ruby-products-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2337-winunix-linux-ruby-products-multiple-vulnerabilities

ESB-2021.2338 – [Win][UNIX/Linux] Ruby: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2338
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
8 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Ruby
Publisher: Ruby
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Provide Misleading Information — Unknown/Unspecified
Access Confidential Data — Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2021-31810

Reference: ESB-2021.2337

Original Bulletin:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/

--------------------------BEGIN INCLUDED TEXT--------

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

Posted by shugo on 7 Jul 2021

A vulnerability caused by Net::FTP trusting FTP PASV responses was discovered.
This vulnerability has been assigned the CVE identifier CVE-2021-31810. We
strongly recommend upgrading Ruby.

net-ftp is a default gem in Ruby 3.0.1, but it has a packaging issue, so please
upgrade Ruby itself.

Details

A malicious FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This potentially makes Net::FTP
extract information about services that are otherwise private and not disclosed
(e.g., the attacker can conduct port scans and service banner extractions).
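The defensive point in the paragraph above is that a PASV reply carries two things, an address and a port, and only the port is something the client has to take from the server: the data connection should go to the same peer the control connection is already talking to. The Ruby below is an added example, not code from Net::FTP or from this advisory; it parses a 227 reply, rejects malformed ones, and chooses the data-connection target from the control connection's peer address unless the caller explicitly opts into trusting the advertised host. The function names `parse_pasv` and `pasv_data_target`, the `trust_pasv_ip` keyword and the sample reply lines are this example's own.

```ruby
# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and captures the six numbers.
PASV_RE = /\A227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Outcome of the decision: where to dial, and whether the server's advertised
# address disagreed with the control connection's peer (worth logging).
PasvTarget = Struct.new(:host, :port, :mismatch)

# Extract the advertised (host, port) from one PASV reply line, rejecting
# anything that is not a well-formed 227 reply with in-range octets.
def parse_pasv(line)
  m = PASV_RE.match(line)
  raise ArgumentError, "malformed PASV reply: #{line.inspect}" unless m
  nums = m.captures.map(&:to_i)
  raise ArgumentError, "octet out of range in #{line.inspect}" if nums.any? { |n| n > 255 }
  host = nums[0, 4].join(".")
  port = nums[4] * 256 + nums[5]
  raise ArgumentError, "invalid data port 0 in #{line.inspect}" if port.zero?
  [host, port]
end

# control_peer is the IP address the control connection is actually connected
# to (what Socket#peeraddr reports for that socket). With trust_pasv_ip false
# the host advertised by the server is ignored and only the port is taken from
# the reply, so a hostile server cannot steer the client's data connection to
# some third address. The mismatch flag is still reported so callers can log it.
def pasv_data_target(control_peer, line, trust_pasv_ip: false)
  host, port = parse_pasv(line)
  mismatch = (host != control_peer)
  PasvTarget.new(trust_pasv_ip ? host : control_peer, port, mismatch)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed exchange: the control connection is to 192.0.2.10, but the
  # server's PASV reply points at a different address and port.
  peer = "192.0.2.10"
  reply = "227 Entering Passive Mode (10,0,0,5,0,22)"
  t = pasv_data_target(peer, reply)
  puts "data connection -> #{t.host}:#{t.port} (advertised host differed: #{t.mismatch})"
end
```

A legitimate multi-homed or NAT-fronted server does sometimes advertise an address other than the one the client connected to, which is why the override exists; the safe default is to ignore the advertised address and log the disagreement, and that is the behaviour the fixed Net::FTP adopts by default.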

Affected Versions

o Ruby 2.6 series: 2.6.7 and earlier
o Ruby 2.7 series: 2.7.3 and earlier
o Ruby 3.0 series: 3.0.1 and earlier

Credits

Thanks to Alexandr Savca for reporting the issue.

History

o Originally published at 2021-07-07 09:00:00 UTC

--------------------------END INCLUDED TEXT--------

The post ESB-2021.2338 – [Win][UNIX/Linux] Ruby: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/08/esb-2021-2338-winunix-linux-ruby-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2338-winunix-linux-ruby-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...