CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Description: Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.
Source: Cisco Talos Blog
January 16th, 2025 (6 months ago)
Source: TheRegister
January 16th, 2025 (6 months ago)
Description: The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations
Source: TheHackerNews
January 16th, 2025 (6 months ago)
Description: The U.S. Treasury Department has sanctioned a network of individuals and front companies linked to North Korea's Ministry of National Defense that have generated revenue via illegal remote IT work schemes. [...]
Source: BleepingComputer
January 16th, 2025 (6 months ago)

CVE-2024-5138

Description: Impact: A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. Unprivileged users cannot normally trigger that behaviour by using snap run --shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested. An unprivileged user on a default installation of Ubuntu, where firefox is provided as a snap, may cause a denial of service by repeatedly mounting the hunspell database and eventually exhausting system memory. Other attacks, reliant on the same underlying mechanism (mount), are possible. In all cases the snap must be installed and granted permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior. Patches: Patch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14 Release: Available from Snapd 2.64. Workarounds: Users may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the host-hunspell plug, which is of type mount-control. The interface can be disconnected...
Source: Github Advisory Database (Go)
January 16th, 2025 (6 months ago)
Description: IntelBroker, zjj, and EnergyWeaponUser are Allegedly Selling the Data of Hewlett Packard Enterprise (HPE)
Source: DarkWebInformer
January 16th, 2025 (6 months ago)
Description: StoredXSS-LibreNMS-Display Name 2 Description: XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display of Librenms version 24.11.0 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created device by going to the "Device Settings" section. In the "Display Name" field, enter the following payload: "><img src onerror="alert(document.cookie)">. Save the changes. The XSS payload is triggered when navigating to the path /device/$DEVICE_ID/logs and hovering over a type containing a tag (such as Core 1 in the image). Impact: Execution of Malicious Code References https://github.com/librenms/librenms/security/advisories/GHSA-2f4w-6mc7-4w78 https://github.com/librenms/librenms/pull/16886 https://github.com/librenms/librenms/commit/c63c912d86098bcefd52a28328482b94632eadf8 https://github.com/advisories/GHSA-2f4w-6mc7-4w78
Source: Github Advisory Database (Composer)
January 16th, 2025 (6 months ago)
Description: XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display of Librenms versions 24.9.0, 24.10.0, and 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created device by going to the "Device Settings" section. In the "Display Name" field, enter the following payload: "><script>alert(1)</script>. Save the changes. The XSS payload triggers when accessing the "/apps" path (if an application was previously added). Additional PoC: In the "Display Name" field, enter the following payload: "><img src onerror="alert(1)">. The XSS vulnerability is triggered when accessing the "/ports" path, and the payload executes when hovering over the modified value in the "Port" field. on /device/$DEVICE_ID/ports/arp path: on /device/$DEVICE_ID/logs path: on /search/search=arp/ path: Impact: Execution of Malicious Code References https://github.com/librenms/librenms/security/advisories/GHSA-pm8j-3v64-92cq https://github.com/librenms/librenms/commit/afe92dbf4321f107012690d476685603d1ccb013 https://github.com/advisories/GHSA-pm8j-3v64-92cq
Source: Github Advisory Database (Composer)
January 16th, 2025 (6 months ago)
Description: StoredXSS-LibreNMS-Ports Description: Stored XSS on the parameter: /ajax_form.php -> param: descr Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1 of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created device and select the "ports" section. In the "Description" field, enter the following payload: "><img src onerror="alert(1)">. Save the changes. The XSS vulnerability is triggered when accessing the "ports" tab, and the payload is executed again when hovering over the modified value in the "Port" field. Payload: Executes: The script execution vulnerability in the description field, as shown in the image, occurs at Line 63 of functions.inc.php $overlib_content = '<div class=overlib><span class=overlib-text>' . $text . '</span><br />'; Impact: Execution of Malicious Code References https://github.com/librenms/librenms/security/advisories/GHSA-27vf-3g4f-6jp7 https://github.com/librenms/librenms/...
Source: Github Advisory Database (Composer)
January 16th, 2025 (6 months ago)
Description: StoredXSS-LibreNMS-MiscSection Description: Stored XSS on the parameter: ajax_form.php -> param: state Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. The vulnerability in the line: $attrib_val = get_dev_attrib($device, $name); within the dynamic_override_config function arises because the value of $attrib_val is retrieved from untrusted data without any sanitization or encoding (at Line 778). When dynamic_override_config is called, the unescaped $attrib_val is injected directly into the HTML (at misc.inc.php). Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created device and select the Misc section. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: "><img src onerror="alert(document.cookie)">. Save the changes. Observe that when the page loads, the XSS payload executes, triggering ...
Source: Github Advisory Database (Composer)
January 16th, 2025 (6 months ago)