
v1.5.40

github-actions released this 20 Jun 18:32
· 1293 commits to master since this release
c17c378

⚠️ Backwards incompatible changes ⚠️

This release fixes a vulnerability (CVE-2023-34758) in the Sliver Key Encapsulation Mechanism (KEM), where improper use of NaCl Box (libsodium) could allow a MitM attacker with a copy of the implant binary to recover the session key and arbitrarily encrypt/decrypt C2 messages. Note that the Sliver KEM is only used over insecure protocols such as HTTP and DNS; the vulnerability does not affect mTLS or WireGuard.

The issue was addressed by switching to a combination of age for the KEM and HMAC-SHA2-256 to verify the implant.

More details: GHSA-8jxm-xp43-qh3q

Special thanks to Ting-Wei Hsieh from CHT Security Co. Ltd. for reporting the vulnerability.