From security em unicamp.br Wed Mar 16 15:20:20 2022
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 16 Mar 2022 15:20:20 -0300
Subject: [SECURITY-L] [Security-news] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

Project: Drupal core [1]
Date: 2022-March-16
Security risk: *Moderately critical* 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729

Description:

The Drupal project uses the CKEditor [3] library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal [4].

Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's security advisories:

* CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code [5]
* CVE-2022-24729: Regular expression Denial of Service in dialog plugin [6]

This advisory is not covered by Drupal Steward [7].

Solution:

Install the latest version:

* If you are using Drupal 9.3, update to Drupal 9.3.8 [8].
* If you are using Drupal 9.2, update to Drupal 9.2.15 [9].

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [10].

Instructions for Drupal 7 and contributed modules

Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins [11] previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core.
Users of the Webform module should ensure Webform's version of CKEditor 4 is also up-to-date after updating Drupal core and libraries for any affected contributed modules. If it is not, Webform users can try the following steps to update it:

1) If using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update
2) If using Drush without Composer, run drush webform:libraries:update.

Learn more about updating Webform libraries. [12]

Reported By:

* Jacek Bogdański [13]

Fixed By:

* Jess [14] of the Drupal Security Team
* Wim Leers [15]
* Lee Rowlands [16] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://github.com/ckeditor/ckeditor4
[4] https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/
[5] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
[6] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
[7] https://www.drupal.org/steward
[8] https://www.drupal.org/project/drupal/releases/9.3.8
[9] https://www.drupal.org/project/drupal/releases/9.2.15
[10] https://www.drupal.org/psa-2021-06-29
[11] https://www.drupal.org/psa-2011-002
[12] https://www.drupal.org/docs/contributed-modules/webform/webform-libraries
[13] https://www.drupal.org/user/3683355
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/99777
[16] https://www.drupal.org/user/395439

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830

-------------- next part --------------
An HTML attachment was scrubbed...
From security em unicamp.br Wed Mar 16 17:05:09 2022
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 16 Mar 2022 17:05:09 -0300
Subject: [SECURITY-L] [oss-security] Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667)

On March 16 2022, we (Internet Systems Consortium) disclosed four vulnerabilities affecting our BIND 9 software:

CVE-2021-25220: DNS forwarders - cache poisoning vulnerability
  https://kb.isc.org/docs/CVE-2021-25220

CVE-2022-0396: DoS from specifically crafted TCP packets
  https://kb.isc.org/docs/cve-2022-0396

CVE-2022-0635: DNAME insist with synth-from-dnssec enabled
  https://kb.isc.org/docs/cve-2022-0635

CVE-2022-0667: Assertion failure on delayed DS lookup
  https://kb.isc.org/docs/cve-2022-0667

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of the release directories for our three stable release branches (9.11, 9.16 and 9.18):

  https://downloads.isc.org/isc/bind9/9.11.37/patches/
  https://downloads.isc.org/isc/bind9/9.16.27/patches/
  https://downloads.isc.org/isc/bind9/9.18.1/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

-- 
Everett B. Fulton
ISC Support
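Both advisories above reduce to the same operator question: is the installed release on a supported branch, and is it at or past the fixed version for that branch? The following helper is an added illustration (not code from Drupal, ISC or the list) that answers it for Drupal core (9.3.8 / 9.2.15, older branches end-of-life) and BIND 9 (9.11.37 / 9.16.27 / 9.18.1); the inventory at the bottom is constructed.

```python
# First fixed release on each supported branch, taken from the two
# advisories above. A branch missing from a product's table has no
# security coverage (e.g. Drupal 9.1 and earlier, Drupal 8).
FIXED_RELEASES = {
    "drupal": {"9.3": "9.3.8", "9.2": "9.2.15"},
    "bind": {"9.11": "9.11.37", "9.16": "9.16.27", "9.18": "9.18.1"},
}


def parse_version(version):
    """'9.16.27-P1' -> (9, 16, 27): numeric components only, suffixes dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"cannot read a major.minor branch from {version!r}")
    return tuple(parts)


def triage(product, installed):
    """Classify an installed version against the advisory's fixed releases.

    Returns 'patched', 'vulnerable: update to <fix>' or
    'unsupported branch: <branch>' (no fix exists on that branch; migrate it).
    """
    parsed = parse_version(installed)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES[product].get(branch)
    if fixed is None:
        return f"unsupported branch: {branch}"
    if parsed >= parse_version(fixed):  # tuple comparison: (9, 3) < (9, 3, 8)
        return "patched"
    return f"vulnerable: update to {fixed}"


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = [
        ("drupal", "9.3.7"), ("drupal", "9.2.15"), ("drupal", "9.1.4"),
        ("bind", "9.16.26"), ("bind", "9.18.1"), ("bind", "9.11.36-P1"),
    ]
    for product, version in inventory:
        print(f"{product:7} {version:12} {triage(product, version)}")
```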
From security em unicamp.br Fri Mar 25 15:39:38 2022
From: security em unicamp.br (CSIRT Unicamp)
Date: Fri, 25 Mar 2022 15:39:38 -0300
Subject: [SECURITY-L] [RNP/CAIS Alert #0084] Vulnerabilities exploited by the Conti ransomware
In-Reply-To: <657503576.1062417.1648232097100.JavaMail.zimbra@rnp.br>
References: <657503576.1062417.1648232097100.JavaMail.zimbra@rnp.br>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CAIS Alert [25/03/2022]: Vulnerabilities exploited by the Conti ransomware

Dear all,

CAIS is issuing an alert on 32 vulnerabilities mentioned in conversations among operators of the Conti ransomware. The group's chats were leaked on the internet after an alleged falling-out among its members, allowing an analysis of the tactics discussed in those exchanges. The CVEs below were cited in this context.

Description

Most of the vulnerabilities are related to privilege escalation in Windows environments. Although the nature of the problem and the component involved differ in each case, the consequence is the same: an unprivileged user gains administrative or system-level (SYSTEM) access. A second, smaller group of vulnerabilities allows unauthorized access to the environment through code execution. Windows, the Exchange mail server, VMware vCenter and the Texcore chat library are on this list.

It is worth noting that this set is not necessarily exclusive to the Conti group. CVE-2021-26855, which affects Exchange, also appeared in an FBI alert on the AvosLocker ransomware [1]. This list should therefore be understood as an additional risk factor arising from evidence of real-world exploitation.

The vulnerabilities are not new, and updates already exist to fix all of them. No action is needed on systems that are within their support lifecycle and have the latest patches.

Since some of the listed vulnerabilities affect systems that no longer receive regular support (as is the case with Windows Vista and 7), it is recommended that those environments be migrated.

To better understand the leak of the Conti conversations and this ransomware group's operation, see the links under [More information].

Affected systems

Microsoft Windows
Microsoft Exchange
VMware vCenter
Texcore (library)

Affected versions

Microsoft Windows Vista / 7 / 8 / 10
Microsoft Windows Server 2008 / 2012 / 2016 / 2019
Microsoft Exchange 2010 / 2013 / 2016 / 2019
VMware vCenter 6.7 / 7.0
Texcore 0.1.9 to 0.1.11 / 0.2.0 to 0.2.12

Available fixes

Updates are available through the vendors' channels. Texcore must be updated via the Linux distribution or via the software that depends on the library.

CVE identifiers (http://cve.mitre.org)

[Microsoft Windows]
CVE-2015-2546 CVE-2016-3309 CVE-2017-0101 CVE-2018-8120 CVE-2019-0543
CVE-2019-0841 CVE-2019-1064 CVE-2019-1069 CVE-2019-1129 CVE-2019-1130
CVE-2019-1215 CVE-2019-1253 CVE-2019-1315 CVE-2019-1322 CVE-2019-1385
CVE-2019-1388 CVE-2019-1405 CVE-2019-1458 CVE-2020-0609 CVE-2020-0638
CVE-2020-0787 CVE-2020-0796 CVE-2020-1472 CVE-2021-1675 CVE-2021-1732
CVE-2021-34527

[Microsoft Exchange]
CVE-2020-0688 CVE-2021-26855

[VMware]
CVE-2021-21972 CVE-2021-21985 CVE-2021-22005

[Texcore]
CVE-2021-44847

More information

[1] https://www.ic3.gov/Media/News/2022/220318.pdf
https://socradar.io/an-overview-on-conti-ransomware-leaks-is-this-the-end-for-conti/
https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru

CAIS recommends that administrators keep their systems and applications up to date, in line with the latest versions and fixes offered by vendors.

CAIS alerts can also be followed on RNP's social networks. Follow us!
Twitter: @RedeRNP
Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP

################################################################
# SECURITY INCIDENT RESPONSE CENTER (CAIS)                     #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br     http://www.rnp.br/servicos/seguranca #
# Tel. 019-37873300  Fax. 019-37873301                         #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

_______________________________________________
RNP-Alerta
rnp-alerta em listas.rnp.br
https://listas.rnp.br/mailman/listinfo/rnp-alerta