News reader

NVD: all CVE · 17 April 2021

CVE-2021-3493

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
NVD: all CVE · 17 April 2021

CVE-2021-3492

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not correctly handle faults occurring during copy_from_user(). These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.
ECHO Network · 17 April 2021

NA - CVE-2021-29451 - Portofino is an open source web development...

Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release. Url : http://cve.mitre.org/cgi-bin/cvename.
ECHO Network · 17 April 2021

NA - CVE-2021-29452 - a12n-server is an npm package which aims to...

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change.
NVD: all CVE · 17 April 2021

CVE-2020-2509

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions:
QTS 4.5.2.1566 Build 20210202 and later
QTS 4.5.1.1495 Build 20201123 and later
QTS 4.3.6.1620 Build 20210322 and later
QTS 4.3.4.1632 Build 20210324 and later
QTS 4.3.3.1624 Build 20210416 and later
QTS 4.2.6 Build 20210327 and later
QuTS hero h4.5.1.1491 build 20201119 and later
NVD: all CVE · 17 April 2021

CVE-2020-36195

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on:
QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later
QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later
QTS 4.4.x and later: Multimedia Console 1.3.4 and later
We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively:
QTS 4.3.3.1624 Build 20210416 or later
QTS 4.3.6.1620 Build 20210322 or later
ECHO Network · 17 April 2021

Links 17/4/2021: GNOME 40 in Tumbleweed, Devuan 4.0 Alpha, Kate Editor Makes a Leap

In this tutorial, we will show you how to install Apache Subversion on CentOS 8. For those of you who didn’t know, Apache Subversion (SVN) is a free and open-source version control system used to manage and track changes in files and directories. Any time you change, add or delete a file or....
SANS · 17 April 2021

Querying Spamhaus for IP reputation, (Fri, Apr 16th)

Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that Python script has evolved somewhat, which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added to that script.

As most of you know, The Spamhaus Project has been at the forefront of the fight against spam for over 20 years. But did you know they provide a DNS-query-based API that can be used, for low-volume non-commercial use, to query all of the Spamhaus blocklists at once? The interface is zen.spamhaus.org. Because it is DNS-query based you can perform the query using nslookup or dig, and the returned IP address is the return code.

For example, say we want to test whether or not 196.16.11.222 is on a Spamhaus list. First, because the interface takes a DNS query, we need to reverse the IP address and then add .zen.spamhaus.org, i.e. the DNS query would look like 222.11.16.196.zen.spamhaus.org

$ nslookup 222.11.16.196.zen.spamhaus.org
Non-authoritative answer:
Name:    222.11.16.196.zen.spamhaus.org
Address: 127.0.0.2
Name:    222.11.16.196.zen.spamhaus.org
Address: 127.0.0.9

or with dig...

$ dig 222.11.16.196.zen.spamhaus.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4 <<>> 222.11.16.196.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64622
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.11.16.196.zen.spamhaus.org.	IN	A

;; ANSWER SECTION:
222.11.16.196.zen.spamhaus.org.	41	IN	A	127.0.0.2
222.11.16.196.zen.spamhaus.org.	41	IN	A	127.0.0.9

As you can see, in both cases the DNS response returned two results: 127.0.0.2 and 127.0.0.9. In practice, just the fact that you receive return codes tells you that this IP is on Spamhaus's lists and has recently been involved in naughty behavior. However, to know which Spamhaus lists in particular the return codes apply to:

Return Code   Zone   Description
127.0.0.2     SBL    Spamhaus SBL Data
127.0.0.3     SBL    Spamhaus SBL CSS Data
127.0.0.4     XBL    CBL Data
127.0.0.9     SBL    Spamhaus DROP/EDROP Data
127.0.0.10    PBL    ISP Maintained
127.0.0.11    PBL    Spamhaus Maintained

If you query an IP which is not on any Spamhaus list, the result will be Non-Existent Domain (NXDOMAIN):

$ nslookup 222.11.16.1.zen.spamhaus.org
** server can't find 222.11.16.1.zen.spamhaus.org: NXDOMAIN

I have created a Python script which performs this lookup and have integrated this code into my IP reputation script.

$ python3 queryspamhaus.py 196.16.11.222
196.16.11.222 127.0.0.2 ['SBL']
$ python3 queryspamhaus.py 1.16.11.222
1.16.11.222 0 ['Not Found']

The script does have a bug. The socket.gethostbyname() function only returns one result, so it returns an incomplete result for IPs which are on multiple Spamhaus lists. Since usually all I am looking for is whether the IP is on any list, I have never bothered to research how to fix this bug.

For those of you who are interested, the script is below. As usual, I only build these scripts for my own use/research, so a real Python programmer could very likely code something better.

#!/usr/bin/env python3
#
# queryspamhaus.py
import argparse
import socket


def check_spamhaus(ip):
    # Reverse the octets and append the zen zone, e.g. 1.2.3.4 -> 4.3.2.1.zen.spamhaus.org
    hostname = ".".join(ip.split(".")[::-1]) + ".zen.spamhaus.org"
    try:
        # gethostbyname() returns only the first A record (the limitation noted above)
        result = socket.gethostbyname(hostname)
    except socket.error:
        result = 0  # NXDOMAIN: not on any Spamhaus list
    rdict = {"127.0.0.2": ["SBL"],
             "127.0.0.3": ["SBL CSS"],
             "127.0.0.4": ["XBL"],
             "127.0.0.6": ["XBL"],
             "127.0.0.7": ["XBL"],
             "127.0.0.9": ["SBL"],
             "127.0.0.10": ["PBL"],
             "127.0.0.11": ["PBL"],
             0: ["Not Found"]}
    # .get() avoids a KeyError if Spamhaus returns a code not in the table
    return result, rdict.get(result, ["Unknown"])


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('IP', help="IP address")
    args = parser.parse_args()
    ip = args.IP
    result, tresult = check_spamhaus(ip)
    print('{} {} {}'.format(ip, result, tresult))


main()
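An added example (not the diary's script) that addresses the single-record limitation noted above by collecting every A record with socket.getaddrinfo(), so an IP on several lists is reported against each one. The resolver is passed in as a parameter so the mapping can be exercised with a constructed resolver offline; the list names are taken from the table above, and any code not in that table is reported as "unknown" rather than raising.

```python
#!/usr/bin/env python3
# Added example (not the diary's script): collect every zen.spamhaus.org
# return code for an IPv4 address instead of only the first A record.
import ipaddress
import socket

# Return codes from the Spamhaus table above, keyed to the list they denote.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL ISP",
    "127.0.0.11": "PBL Spamhaus",
}


def zen_query_name(ip):
    """Reverse the octets of a valid IPv4 address and append the zen zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".zen.spamhaus.org"


def resolve_all_a(hostname):
    """Return every A record for hostname, or [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN: the address is not on any Spamhaus list
    return sorted({info[4][0] for info in infos})


def check_spamhaus(ip, resolver=resolve_all_a):
    """Map each return code for ip to its list name; {} means not listed.

    resolver is injectable so the mapping can be tested without network
    access; a code missing from ZEN_CODES is reported as 'unknown'.
    """
    return {code: ZEN_CODES.get(code, "unknown")
            for code in resolver(zen_query_name(ip))}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        hits = check_spamhaus(target)
        print(target, "not listed" if not hits else hits)
```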

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ECHO Network · 17 April 2021

NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers

In its April slate of patches, Microsoft rolled out fixes for a total of 114 security flaws, including an actively exploited zero-day and four remote code execution bugs in Exchange Server. Chief among them is CVE-2021-28310, a privilege escalation vulnerability in Win32k that's said to be under....
ECHO Network · 17 April 2021

Keep ransomware at bay with Sophos Managed Threat Response

has been at the forefront of next-generation cybersecurity for many years, leveraging cloud-native solutions and artificial intelligence (AI)-powered solutions to secure endpoints and networks, protecting 400,000 organizations of all sizes in more than 150 countries from cyber threats.
ECHO Network · 17 April 2021

US takes sweeping action against Russia for years of hacking

In an executive order released Thursday morning, President Joe Biden cited Russian “efforts to undermine the conduct of free and fair democratic elections” as well as their “malicious cyber-enabled activities against the United States and its allies and partners.”
ECHO Network · 17 April 2021

Smugglers using Facebook to advertise trips to U.S., says report

By Kaylee Greenlee Daily Caller News Foundation. Human smugglers advertised illegal border crossing services to migrants looking to enter the U.S. on Facebook, the Tech Transparency Project reported Friday. Facebook’s algorithm has recommended pages linked to human smugglers despite community....
ECHO Network · 17 April 2021

Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs)

There are vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 8 that is used by Tivoli Netcool/OMNIbus. These were disclosed as part of the IBM Java SDK updates in October 2020 and January 2021. Affected product(s) and affected version(s): Apr 16, 2021....
ECHO Network · 17 April 2021

Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268)

The third party Dojo library could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
ECHO Network · 17 April 2021

Security Bulletin: Multiple vulnerabilities in Apache Tika affect Apache Solr shipped with IBM Operations Analytics – Log Analysis

There are different types of vulnerabilities in various versions of Apache Tika that affect Apache Solr. The vulnerabilities are listed in the Vulnerability Details section. Affected product(s) and affected version(s): IBM Product Security Vulnerabilities.
ECHO Network · 17 April 2021

What Are the Connections to Identified Hafnium Malicious IP Addresses?

Cyber attackers are very skilled at infiltration.
ECHO Network · 17 April 2021

Medium CVE-2021-31162: Rust-lang RUST

Description: In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
ECHO Network · 17 April 2021

Low CVE-2021-27989: Appspace Appspace

Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx.
ECHO Network · 17 April 2021

Low CVE-2020-21087: X2engine X2crm

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
ECHO Network · 17 April 2021

Medium CVE-2020-36120: Libsixel project Libsixel

Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).