By Waqas
Another day, another critical vulnerability hits Cisco!
This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers

**Cisco is aware of the active exploitation of this vulnerability, but there are no workarounds available.**

Cisco has warned customers of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software that is being actively exploited by attackers. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which could further allow them to gain full control of the device.

The vulnerability (CVE-2023-20198) affects Cisco IOS XE Software if the web UI feature is enabled, which is done by default. Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems to mitigate the risk of exploitation.

In its security advisory, Cisco said that the company is aware of the active exploitation of this vulnerability, and there are no workarounds available. Cisco is working on a software patch to address the vulnerability, but a release date has not yet been announced.

John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company commented on the advisory and warned that “The fact there isn’t a patch yet makes this issue all the more urgent and admins should take this opportunity to ensure their Cisco IOS devices either disable the Web UI or only have it accessible from private administrative LANs that are restricted to authorized users.”

Mayuresh Dani, Manager, Threat Research at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions stressed that Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable.”

Dani disclosed concerning statistics regarding Cisco devices with their web UI exposed to the internet. These findings indicate that more than 40,000 Cisco devices fall into this category, with the majority of them actively listening on port 80.

“Devices that have web UI and management services publicly exposed to the internet or to untrusted networks should be modified so that they are not exposed to untrusted networks by means of ACLs or other solutions. 2. Disable the web UI component on these devices,” Dani advised.

****Indicators of Compromise****

To determine whether a system may have been compromised, customers can check the system logs for the presence of the following log messages:

*   %SYS-5-CONFIG\_P: Configured programmatically by process SEP\_webui\_wsma\_http from console as user on line
*   %SEC\_LOGIN-5-WEBLOGIN\_SUCCESS: Login Success at 03:42:13 UTC Wed Oct 11 2023

Customers can also use the following command to check for the presence of the implant:

    curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
    

If the request returns a hexadecimal string, the implant is present.

****Recommendations****

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode.

Customers who cannot disable the HTTP Server feature should restrict access to those services to trusted networks.

Cisco is also working on a software patch to address the vulnerability, and customers are advised to apply the patch as soon as it is available.

****_RELATED ARTICLES_****

1.  Cisco’s new tool will detect malware in encrypted traffic
2.  New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
3.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
4.  Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
5.  Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks

New Cisco Web UI Vulnerability Exploited by Attackers

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Why Zero Trust Is the Cloud Security Imperative

**PRESS RELEASE**

**(Lehi, UT) Oct. 12, 2023 —** DigiCert, a leading global provider of digital trust, today announced its next generation Discovery, a set of key capabilities in DigiCert® Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats.

"The majority of organizations have not yet implemented a centralized crypto-management solution," said DigiCert Chief Product Officer Deepika Chauhan. "This is becoming critical now, as IT leaders consider how to transition their cryptographic algorithms and certificates to quantum-safe standards in order to protect their organizations against 'harvest now, decrypt later' strategies."

In a recent Gartner® report1, Senior Director Analyst Brian Lowans wrote, "All cryptographic technologies will need to evolve to cope with the future threat of quantum computing, which is increasing the need for innovative technologies such as crypto-agility, postquantum cryptography and quantum key distribution."

Trust Lifecycle Manager Discovery employs a broad set of methods for finding certificates within an organization, including integration with private CAs, such as AWS Private CA and Microsoft CA, integration with vulnerability management solutions such as Qualys and Tenable, integrations with web servers and load balancers, and port-based scanning. 

"The integration of Qualys Vulnerability Management, Discovery and Response (VMDR) and DigiCert products enables our customers to manage and automate the cryptographic assets that they discover in their vulnerability scans," said Pinkesh Shah, Chief Product Officer, Qualys. "This seamless integration enables companies to tightly couple their vulnerability management and cryptoagility strategies, improving their security posture and agility while reducing their cyber risk."

Learn more about Trust Lifecycle Manager Discovery here. 

1.  Gartner, Hype Cycle™ for Data Security, 2023, Brian Lowans, 14 July 2023

GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.

**About DigiCert, Inc.**  
DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

DigiCert Announces Comprehensive Discovery of Cryptographic Assets

**PRESS RELEASE**

**WATERLOO, ON, Oct. 10,2023 / PRNewswire/--** BlackBerry Limited (NYSE: BB; TSX: BB), the pioneer of enterprise mobility management, today announced two major new Unified Endpoint Management (UEM) innovations — BlackBerry UEM at the edge and BlackBerry UEM for the IoT.

BlackBerry® UEM software is used for managing, monitoring, and securing all of an organization's end-user devices. Taking BlackBerry UEM to the edge will enhance enterprise productivity and employee experience by placing workloads close to the end user and their device for ultra-low latency connectivity, while maintaining the highest security standards that customers rely on and trust BlackBerry to deliver – in testing users saw up to 87% decrease in latency. The solution brings the BlackBerry Network Operations Center (NOC), the company's unique secure connectivity infrastructure, to the edge and integrates with AWS Local Zones and Availability Zones to securely place compute, storage, and other services where data is being generated and consumed. BlackBerry UEM at the edge is compatible with BlackBerry UEM on-prem and cloud.

BlackBerry UEM for the Internet of Things (IoT) will expand unified endpoint management to IoT devices enabling organizations to realize the vast benefits of the IoT and reduce unknown risks in their environment. The solution integrates BlackBerry UEM with AWS IoT Greengrass, an open source edge runtime and cloud service used on millions of IoT endpoints across the connected world – in factories, vehicles, healthcare, enterprises – to provide IoT endpoint visibility and management and empower IT teams. Advancing the company's convergence vision, this new addition to BlackBerry UEM will enable organizations to seamlessly and securely inventory and manage their IT and IoT endpoints from a single console.

"BlackBerry founded and has been a leader in the enterprise mobility management market for over twenty years. We are once again revolutionizing the market, by leapfrogging the industry in endpoint management innovation and paving the way for convergence," said Neelam Sandhu, Chief Elite Customer Success Officer, BlackBerry. "It has been wonderful to collaborate with AWS to develop BlackBerry UEM at the edge and BlackBerry UEM for the IoT, to enable our customers to unlock new business value through digital technologies, which offer the potential to transform and advance every aspect of the connected world, spanning how we live and work." 

"IoT has advanced over the past years across different industries – automotive, enterprise, medical, manufacturing. The convergence of the IoT with security at the forefront of the conversation is now emerging as a must-have for the connected world. Bridging systems in the cloud provides scale, consistency, and flexibility to organizations to access data across the IoT and developers to innovate to deliver new value. AWS is delighted to collaborate with BlackBerry on UEM edge and IoT solutions to deliver unified and innovative endpoint management solution for the future of the connected world," said Dr. Sarah Cooper, General Manager for Industry Products at AWS.

The IoT is a foundational pillar of the future of digital transformation and unlocks new business opportunities for organizations by dramatically extending the reach of information technology. The value of enterprise IoT is largely untapped today due to the heavy compute requirements of the IoT and the complexity of the IoT network. Edge computing addresses the increasing demand for real-time data processing and analysis, and increased endpoint visibility provides valuable situational awareness and security benefits, enabling organizations to easily integrate IoT into their IT strategies. 

BlackBerry UEM holds the most security certifications in the industry and is the only UEM product to be named 2023 Customers Choice by Gartner® Peer Insights™.

AWS provides reliable, scalable, and inexpensive cloud computing services to organizations around the world. For more information on AWS products click here.

For more information on BlackBerry UEM at the edge or BlackBerry UEM for the IoT, including general availability dates, register for BlackBerry Summit, taking place on October 17, where speakers from industry, enterprise and BlackBerry will reveal the future of IoT, IT and Cybersecurity and showcase the latest BlackBerry innovations.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems. BlackBerry's vision is clear - to secure a connected future you can trust.

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services._

BlackBerry Unveils Next-Generation UEM Redefining the Endpoint Management Market

A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT.
The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today.
While

A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT.

The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today.

While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads.

The profile behind the package has published six other packages that have attracted no less than 2.1 million downloads cumulatively, four of which masquerade as libraries for various crypto services like Kraken, KuCoin, Solana, and Monero, but are also designed to deploy SeroXen RAT.

The attack chain is initiated during installation of the package by means of a tools/init.ps1 script that's designed to achieve code execution without triggering any warning, a behavior previously disclosed by JFrog in March 2023 as being exploited to retrieve next-stage malware.

"Although it is deprecated – the init.ps1 script is still honored by Visual Studio, and will run without any warning when installing a NuGet package," JFrog said at the time. "Inside the .ps1 file, an attacker can write arbitrary commands."

In the package analyzed by Phylum, the PowerShell script is used to download a file named x.bin from a remote server that, in reality, is a heavily-obfuscated Windows Batch script, which, in turn, is responsible for constructing and executing another PowerShell script to ultimately deploy the SeroXen RAT.

An off-the-shelf malware, SeroXen RAT is offered for sale for $60 for a lifetime bundle, making it easily accessible to cyber criminals. It's a fileless RAT that combines the functions of Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd.

"The discovery of SeroXen RAT in NuGet packages only underscores how attackers continue to exploit open-source ecosystems and the developers that use them," Phylum said.

The development comes as the company detected seven malicious packages on the Python Package Index (PyPI) repository that impersonate legitimate offerings from cloud service providers such as Aliyun, Amazon Web Services (AWS), and Tencent Cloud to surreptitiously transmit the credentials to an obfuscated remote URL.

The names of the packages are listed below -

*   tencent-cloud-python-sdk
*   python-alibabacloud-sdk-core
*   alibabacloud-oss2
*   python-alibabacloud-tea-openapi
*   aws-enumerate-iam
*   enumerate-iam-aws
*   alisdkcore

"In this campaign, the attacker is exploiting a developer's trust, taking an existing, well-established codebase and inserting a single bit of malicious code aimed at exfiltrating sensitive cloud credentials," Phylum noted.

"The subtlety lies in the attacker's strategy of preserving the original functionality of the packages, attempting to fly under the radar, so to speak. The attack is minimalistic and simple, yet effective."

Checkmarx, which also shared additional details of the same campaign, said it's also designed to target Telegram via a deceptive package named telethon2, which aims to mimic telethon, a Python library to interact with Telegram's API.

A majority of the downloads of the counterfeit libraries have originated from the U.S., followed by China, Singapore, Hong Kong, Russia, and France.

"Rather than performing automatic execution, the malicious code within these packages was strategically hidden within functions, designed to trigger only when these functions were called," the company said. "The attackers leveraged Typosquatting and StarJacking techniques to lure developers to their malicious packages."

Earlier this month, Checkmarx further exposed a relentless and progressively sophisticated campaign aimed at PyPI to seed the software supply chain with 271 malicious Python packages in order to steal sensitive data and cryptocurrency from Windows hosts.

The packages, which also came fitted with functions to dismantle system defenses, were collectively downloaded approximately 75,000 times before being taken down.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

Cryptocurrency apps were the most high risk for exposing sensitive information, a reverse-engineering study shows.

Encryption, authentication, and signing keys are often exposed in mobile fintech apps used across Africa, according to researchers at Approov, who found passwords, application programming interface (API) keys, and private keys for cryptography when the most commonly used apps were reverse-engineered.

**Risky Mobile Business**

Approov examined the top 10 apps based on revenue and downloads. The fintech apps included those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services.

Trevor Henry Chiboora, research associate at CyLab-Africa, which conducted the study along with Approov, says some of the apps surveyed are used exclusively within Africa, and some are geolocked to regions within Africa. He also confirmed all the apps were downloaded from the Google Play Store.

The crypto apps were determined to be the worst when it comes to security, with 33.3% of them rated as high risk and 53.3% as medium risk.

The high-risk category is considered extremely dangerous if exposed, as they disclose private keys, keys for payment or transfer services, and "authentication" or "attestation" keys. Researchers said the exposure of these secrets could potentially lead to unauthorized access, data breaches, and compromised user privacy.

The medium-risk category secrets include sensitive data that, if exposed, could potentially compromise the confidentiality of user data and application functionality. Although not as critical as the high-severity secrets, the compromise of these secrets could still have significant repercussions.

Chiboora says there is neglect across the board when it comes to the levels of security in the apps, but crypto apps have a larger user base and geographical coverage than most other categories.

Research found 22.2% of personal finance apps were rated as high risk and 66.7% as medium risk. Payment and transfer apps were next worst, with 19.1% rated as high risk and 76.6% as medium risk. Of the total of 224 applications examined, only 5.4% revealed no details.

**The Secret Key Is Exposed**

To do the analysis, the researchers collected each app's ID and, using an automated script to download the Android Application Packages, the apps were reverse-engineered and scanned for risky items.

Cryptographic API keys, private keys, and passwords are used to authenticate the application and authorize access to protected resources or services, as well as to ensure the integrity and security of data exchanges between the application and a server.

Typically an API serves a dual purpose: It identifies the app to the backend API, and it validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. This mechanism effectively prevents unauthorized or anonymous access attempts and provides a means to regulate the flow of data requests.

The researchers claimed that exposing API keys — especially those related to services like Google, AWS, and other cloud services — can result in unauthorized usage, which may incur unexpected costs or disrupt the functionality of integrated features.

"Keys are vital in the security and privacy of data as they authenticate and authorize access to services," Chiboora says, adding that most of the time these details are hidden from application users. "There are mobile cybersecurity methods that allow app developers to move these keys out of the app and into the cloud, which is a better approach and a recommendation for better security."

The researchers said this secret information is essential for verifying the identity of the application and protecting against unauthorized access, tampering, or data breaches. These secret keys are often present in the compiled source code of these applications and may also be inadvertently published to public repositories like GitHub.

Ted Miracco, CEO of Approov, said that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated. "Developers can no longer depend on 'official' app stores or on native client OS security and must ensure that end-to-end security is built into the app itself," he said.

Pan-African Financial Apps Leak Encryption, Authentication Keys

An issue in Thecosy IceCMS v.1.0.0 allows a remote attacker to gain privileges via the Id and key parameters in getCosSetting.

\[CVE ID\]

CVE-2023-40833

\[PRODUCT\]

icecms

\[VERSION\]

v1.0.0

\[Vulnerability TYPE\]

Insecure Permissions

\[Root Cause\]

The icecms allows anyone to browser getSetting api,like my local test environment http://localhost:8181/WebSitting/getSetting,

and official website url:https://www.macwk.cc/api/Sitting/getCosSetting.

The official website content is :

{

"id": 1,

"beian": "鲁ICP备19036164号",

"banquan": "Macwk.com © 2019. All rights reserved.",

"comment\_show": false,

"sitTitle": "CMS",

"sitLogo": "",

"imageFormat": false,

"cosIntage": "https://icewk-1305088812.cos.ap-nanjing.myqcloud.com",

"cosBucketName": "icewk-1305088812",

"cosSecretId": "AKIDjDRQDrRXcA7TfQNk9LO3EJchbFeneY4U",

"cosSecretKey": "blgxyuiIfnCLaZXH5i6FB4gmDPilY8zb",

"cosClientConfig": "ap-nanjing",

"isCos": false

}

Attacker can get "cosSecretId": "AKIDjDRQDrRXcA7TfQNk9LO3EJchbFeneY4U","cosSecretKey": "blgxyuiIfnCLaZXH5i6FB4gmDPilY8zb",

From content above (cosIntage) link, we can know official website using Elastic Compute Cloud ,Tencent Cloud platform (like AWS cloud platform).

We can use such tool (https://wiki.teamssix.com/cf/) taking over the official user's Tencent cloud platform console,getting all cloud services.

\[Impact\]

Taking over the official user's Tencent cloud platform console,can poweroff the server ,getting server's all things including source code.

CVE-2023-40833: CVE-2023-40833

It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of- bounds write vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

It was discovered that the IP-VLAN network driver for the Linux kernel  
did not properly initialize memory in some situations, leading to an  
out-of- bounds write vulnerability. An attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-3090)

It was discovered that the virtual terminal driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3567)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability.  
A local attacker could use this to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly handle table rules flush in certain circumstances. A  
local attacker could possibly use this to cause a denial of service  
(system crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a  
denial of service (system crash) or execute arbitrary code.  
(CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did  
not properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash) or execute arbitrary code.  
(CVE-2023-4004)

It was discovered that some network classifier implementations in the  
Linux kernel contained use-after-free vulnerabilities. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4128)

Ye Zhang and Nicolas Wu discovered that the io_uring subsystem in the  
Linux kernel did not properly handle locking for rings with IOPOLL,  
leading to a double-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-21400)

It was discovered that the bluetooth subsystem in the Linux kernel did  
not properly handle L2CAP socket release, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-40283)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    gke - 98.1  
    gkeop - 98.1  
    ibm - 98.1  
    lowlatency - 98.1

Ubuntu 18.04 LTS  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    generic - 98.2  
    lowlatency - 98.1  
    lowlatency - 98.2

Ubuntu 16.04 ESM  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    lowlatency - 98.1

Ubuntu 22.04 LTS  
    aws - 98.1  
    aws - 98.2  
    azure - 98.1  
    azure - 98.2  
    gcp - 98.1  
    gcp - 98.3  
    generic - 98.1  
    generic - 98.2  
    gke - 98.1  
    ibm - 98.1

Ubuntu 14.04 ESM  
    generic - 98.1  
    lowlatency - 98.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-3090  
-   CVE-2023-3567  
-   CVE-2023-3609  
-   CVE-2023-3776  
-   CVE-2023-3777  
-   CVE-2023-3995  
-   CVE-2023-4004  
-   CVE-2023-4128  
-   CVE-2023-21400  
-   CVE-2023-40283

Kernel Live Patch Security Notice LSN-0098-1

By Deeba Ahmed
Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day.
This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

The largest DDoS attack on the Internet has occurred, following the exploitation of a new zero-day vulnerability by hackers.

*   **Google, Cloudflare, and AWS have confirmed that unknown adversaries exploited a new zero-day vulnerability called HTTP/2 Rapid Reset to launch digital history’s largest-ever record DDoS attack.**

*   **The attack peaked at 398 million RPS, which is 7 times higher than the previous largest DDoS attack recorded by Google.**

*   **AWS and Cloudflare had previously recorded DDoS attacks peaking at 200 million RPS.**

*   **The zero-day flaw lets adversaries send specially designed HTTP/2 requests to a target server, triggering an extensive response, which is further amplified by sending it to vulnerable IoT devices or misconfigured servers.**

*   **This novel technique is based on stream multiplexing.**

*   **In this case, threat actors sent amplified traffic to diverse targets, including financial entities, gaming corporations, and government agencies, causing significant damage to several of them.**

Three of the world’s leading tech firms, Google, Amazon Web Services (AWS), and Cloudflare, have jointly disclosed a new 0-day flaw exploited by unknown threat actors to launch the largest Distributed Denial of Service attack (DDoS attack) recorded to date.

Dubbed HTTP/2 Rapid Reset, the vulnerability lets attacker send specially designed HTTP/2 requests to their target server and trigger a large-scale response. They can further amplify this response by sending the same request to as many vulnerable IoT devices and misconfigured servers as they want. The vulnerability is tracked as CVE-2023-44487 and has been assigned a CVSS score of 7.5 out of 10, rated High Severity.

The largest ever DDoS attack resulting from HTTP/2 Rapid Reset’s exploitation peaked at 398 million requests per second (RPS), seven times higher than the previous largest attack recorded by Google.

Cloudflare and AWS had previously recorded DDoS attacks peaking at slightly over 200 million RPS. Cloudflare claims to have mitigated over 1,100 other attacks, peaking at 10 million RPS until August 2023, and 184 of them were greater than the company’s previously reported DDoS record of 71 million RPS. These are still startling revelations compared to last year when the highest recorded DDoS attack peaked at 46 million RPS.

A wide range of targets have been identified, including financial institutions, government agencies, and gaming companies. The attack caused massive damage to many of these targets, but most were able to mitigate them through filtering, rate limiting, and other techniques.

In its blog post, Google noted that this is a ‘hyper volumetric novel attack that relies on stream multiplexing. The attack exploits a weakness in the HTTP2 protocol, which lets clients identify the server a previous stream has to cancel by sending an RST\_STREAM frame. It is worth noting that the protocol doesn’t require client-server coordination for this cancellation, and the client performs it unilaterally.

The attack is dubbed Rapid Reset because when the RST\_STREAM frame is sent from one endpoint right after sending a request frame, the other endpoint starts working and rapidly resets the request. The request gets cancelled later, but the HTTP/2 connection remains open.

HTTP/1.1 and HTTP/2 request and response pattern (Source: Google)

This is a concerning issue because HTTP/2 protocol is a critical element of around 0% of all web apps and facilitates interaction between a browser and a website. It is responsible for determining the quality and speed of how visitors interact with websites.

Exploitation of such a critical protocol indicates that DDoS attack remains a potent and growing threat. Organizations must take necessary steps such as promptly patching systems, upgrading their security mechanisms, and using rate limiting and filtering or at least having an incident response plan to deal with DDoS attacks.

1.  Cloudflare thwarts largest reported HTTP DDoS attack
2.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
3.  Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.

An Internet-wide security vulnerability is at the root of a zero-day attack dubbed "HTTP/2 Rapid Reset," which resulted in a distributed denial-of-service (DDoS) flood that was orders of magnitude larger than any previous attack ever recorded. It marks a new chapter in the evolution of DDoS threats, researchers noted.

Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack in question, which featured multiple waves of traffic that lasted for just minutes each. They targeted cloud and Internet infrastructure providers, and the attack took place over Aug. 28–29. Unknown perpetrators are behind the event, but it's clear that they exploited a bug in the HTTP/2 protocol, which is used in about 60% of all Web applications.

AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure vendors in a coordinated effort to minimize any real-world impact of the Rapid Reset attacks, mainly with load balancing and other edge strategies. But that doesn't mean the Internet is protected; plenty of organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.

The pioneering attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflare's technical lead over DDoS engineering.

"The threat of DDoS attacks is evolving quickly, and are far from a low-level annoyance that they used to be thought of as," he says. "This attack – the largest in the history of the Internet – shows just how critical it is to increasingly pay mind to and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc."  

**How the Rapid Reset DDoS Attacks Work**

The susceptibility to the attack within HTTP/2 is tracked as CVE-2023-44487, and it carries a high-severity CVSS score of 7.5 out of 10.

According to Cloudflare, HTTP/2 is "a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to 'request' to view things like images and text quickly, and all at once no matter how complex the website."

The attack technique involves making hundreds of thousands of HTTP/2 requests at once, then immediately canceling them, according to the company's analysis.

"By automating this 'request, cancel, request, cancel' pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline," according to Cloudflare's advisory on the Rapid Reset attacks, posted on Oct. 10.

During the peak of the August campaign, Cloudflare saw more than 201 million requests per second (rps), it said in a media statement provided to Dark Reading, "with some organizations witnessing even larger numbers due to the timing of their mitigations." That's triple the size of the previous record holder, a DDoS attack last year that peaked at 71 million rps.

Google, meanwhile, observed a peak of 398 million rps, seven and a half times larger than any previous attack against its resources; AWS detected a peak of more than 155 million rps targeted at the Amazon CloudFront service.

"For a sense of scale, this \[peak\] two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September," Google researchers pointed out in a post on Oct. 10.

"We can't predict the future of DDoS attacks, but this recent series of attacks moves the trend in observed attacks closer to the anticipated exponential growth of doubling every 18 months or so," a Google spokesperson tells Dark Reading. "Defending services from attacks like these requires consistent capacity planning, as well as the ability to monitor for attacks and respond quickly."

The power of the method is such that the August tsunami was launched using a modestly sized botnet — fewer than 20,000 nodes. This makes Rapid Reset not only a powerful weapon but a highly efficient one as well.

"Cloudflare regularly detects botnets that are orders of magnitude larger than this — comprising hundreds of thousands and even millions of machines," according to the company's analysis. "For a relatively small botnet to output such a large volume of requests, with the potential to incapacitate nearly any server or application supporting HTTP/2, underscores how menacing this vulnerability is for unprotected networks."  

**Rapid Reset Mitigation**

While the Rapid Reset attacks haven't had the critical impact that the cyberattackers behind them may have hoped, the fact that threat actors were able to pioneer the technique in the first place should put companies on notice, especially given that DDoS attacks continue to be an important tool in cyberattackers' arsenals.

"Cybersecurity is a race," Forster explains. "While attackers carry out increasingly sophisticated and more impactful attacks, defenders develop cutting-edge methods and technology to combat them...After today, threat actors will be largely aware of the HTTP/2 vulnerability. It will inevitably become trivial to exploit and kick off the race between defenders and attacks — first to patch vs. first to exploit. Organizations of all sizes should assume that systems will be tested, and take proactive measures to ensure protection."

And indeed, attackers are launching DDoS attempts on an ongoing basis using the bug, despite extensive mitigations being put into place by cloud providers and DDoS security vendors in the wake of the initial zero-day offensive in August.

"Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood," the cloud giant said in a post today.  

According to Google researchers, "any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable."

They added, "Organizations that are managing or operating their own HTTP/2-capable server (open source or commercial) should apply vendor patches for CVE-2023-44487 when available."

While the HTTP/2 Rapid Reset vulnerability may have been record-breaking in size, the broader takeaways are not novel, Forster adds: "Turn incident management, patching, and evolving your security protections into ongoing processes. Patches for each variant of a vulnerability reduce risk, but they never fully eliminate it."

Forster provided Dark Reading a list of actionable recommendations for shoring up defenses against Rapid Reset and other DDoS threats:

*   Understand your external and partner network’s external connectivity to remediate any Internet facing systems with the mitigations provided by vendors;
*   Understand your existing security protection and capabilities you have to protect, detect, and respond to an attack, and immediately remediate any issues you have in your network;
*   Ensure your DDoS protection resides outside of your data center, because if the traffic gets to your data center, it will be difficult to mitigate a DDoS attack;
*   Ensure you have DDoS protection for applications (Layer 7), and ensure you have Web Application Firewalls. Additionally as a best practice, ensure you have complete DDoS protection for DNS, network traffic (Layer 3), and API firewalls;
*   Ensure Web server and operating system patches are deployed across all Internet-facing Web servers. Also, ensure all automation like Terraform builds and images are fully patched, so older versions of Web servers are not deployed into production over the secure images by accident;
*   As a last resort, consider turning off HTTP/2 and HTTP/3 (potentially also vulnerable) to mitigate the threat. This is a last resort only, because there will be a significant performance issues if you downgrade to HTTP/1.1;
*   And, consider a secondary, cloud-based DDoS Layer 7 provider at perimeter for resilience.

Tag

#aws