Categories: News
Tags: ChatGPT

Tags:  How Secure is Code Generated by ChatGPT?

Tags:  Raphaël Khoury

Tags:  Anderson Avila

Tags:  Jacob Brunelle

Tags:  Baba Mamadou Camara

Tags:  Université du Québec

Tags:  ChatGPT makes insecure code

Researchers have found that ChatGPT, OpenAI's popular chatbot, is prone to generating insecure code.



(Read more...)




The post ChatGPT writes insecure code appeared first on Malwarebytes Labs.

Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI's popular chatbot, is prone to generating insecure code.

"_How Secure is Code Generated by ChatGPT?_" is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn't robust, despite claiming awareness of its vulnerabilities. 

"The results were worrisome," the researchers say in the paper. "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts."

> "In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not. The chatbot, however, was able to provide a more secure version of the code in many cases if explicitly asked to do so."

In the experiment, the researchers assumed the role of a novice programmer who doesn't have security in mind. They asked ChatGPT to generate code, specifying in some cases that the code would be used in a "security-sensitive context." What they didn't do, however, was specifically ask the AI chatbot to create secure code or include certain security features.

ChatGPT generated 21 applications written in five programming languages: C, C++, HTML, Java, and Python. The programs are simple, with 97 lines of code at most.

In its first run, ChatGPT produced five secure applications out of 21. When prompted for changes, it made seven more secure applications from the remaining 16.

The authors note that ChatGPT can only create "secure" code when a user requests it. When tasked with creating a simple FTP server for file sharing, it generated code without applying input sanitization (where code is checked for harmful characters and removed where necessary). ChatGPT only added the security feature _after_ the authors prompted it to do so.

"Part of the problem seems to be that ChatGPT simply doesn't assume an adversarial model of execution," the authors say, explaining why the AI bot cannot create secure code by default. Despite this, the bot readily admits to errors in its code.

"If asked specifically on this topic, the chatbot will provide the user with a cogent explanation of why the code is potentially exploitable. However, any explanatory benefit would only be available to a user who 'asks the right questions'. i.e.; a security-conscious programmer who queries ChatGPT about security issues."

Additionally, the authors point to the chatbot's ethical inconsistency when it refuses to create attack code but _will_ create insecure code.

It might refuse to create attack code, but there are ways round it. Malwarebytes Security Evangelist Mark Stockley decided to try to create ransomware using ChatGPT. The AI bot refused to create malware code at first, but Stockley found his way around the initial safeguards and managed to get it to create (admittedly quite dubious) ransomware anyway.

In an interview with _The Register_, one of the Université du Québec researchers said he had concerns about ChatGPT. "We have actually already seen students use this, and programmers will use this in the wild," Khoury said. "So having a tool that generates insecure code is really dangerous. We need to make students aware that if code is generated with this type of tool, it very well might be insecure."

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ChatGPT writes insecure code

Red Hat Security Advisory 2023-1966-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pki-core:10.6 security update  
Advisory ID:       RHSA-2023:1966-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1966  
Issue date:        2023-04-25  
CVE Names:         CVE-2022-2414  
====================================================================  
1. Summary:

An update for the pki-core:10.6 module is now available for Red Hat  
Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages  
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: access to external entities when parsing XML can lead to XXE  
(CVE-2022-2414)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104676 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.src.rpm  
ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.src.rpm  
pki-core-10.10.5-6.module+el8.4.0+17580+3370c7a3.src.rpm  
tomcatjss-7.6.1-1.module+el8.4.0+8778+d07929ff.src.rpm

aarch64:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.aarch64.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.aarch64.rpm

noarch:  
ldapjdk-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm  
ldapjdk-javadoc-4.22.0-1.module+el8.3.0+6784+6e1e4c62.noarch.rpm  
pki-acme-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-base-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-base-java-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-ca-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-kra-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
pki-server-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
python3-pki-10.10.5-6.module+el8.4.0+17580+3370c7a3.noarch.rpm  
tomcatjss-7.6.1-1.module+el8.4.0+8778+d07929ff.noarch.rpm

ppc64le:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.ppc64le.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.ppc64le.rpm

s390x:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.s390x.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.s390x.rpm

x86_64:  
jss-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-debuginfo-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-debugsource-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
jss-javadoc-4.8.1-2.module+el8.4.0+10451+3e5b5448.x86_64.rpm  
pki-core-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-core-debugsource-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-symkey-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-symkey-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-tools-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm  
pki-tools-debuginfo-10.10.5-6.module+el8.4.0+17580+3370c7a3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2414  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/PNzjgjWX9erEAQg4CQ//RnrpSmI7T6BcHybiaeWTeQzwZb0BpQX8  
vEQCJ9LRyHuuFZSsGH0yTNg6/i9tHBms3CJUKsyf4BvdeUTEl1lRFbVC1yqRfbbh  
Fq6+AqFe28mjG6DeJAlH+zZcpRnDwsBLQxnMKi30JAzcZKSXVa5imBS3EFx64HnG  
uvHuRu9Tf7FJiJAwWJhmZN7Njrqs/GbKNBHvIOjkWgDlpBPpAEl4nW7MZSZiuQ5I  
q5MAf9gcRwToYPV1tgAUTbYPbEXFA+0SsIrhC++y8+SRCkcdYfJzJB32N4hQenPa  
ErKC5zZ31AmwVdg6yIuDokUHkVFl0TPOPWwJEIAdn184dTmEyohCnIyPwakikc2v  
QSZ/3pUtc5q3b2fCgUxCGG17jrlg8kxtNCjmXlmAPcdRMG40SMme7djNXJRPvAQO  
me9ezRvlFKpESEklYg0AznDeZmEnYh3Wir5Xqmuoe2xgS5T9ZWvVDWR7X6Y2Zb8R  
xi3DCZIFWI5TRaZlPqI82MMFwxeI9nl88KjCZZ+eig3Hs/OiL7qE1bSBLerviq8j  
tLdXqTPV3Dc9FNHZWTvEAOXcKplmCNbd1w+ipq0Koxz5/FPsj1V7XpYBOOZngzXI  
u6umMRmxF8i+yjhosOy2wBLHl7uwXLghhBc0u3Wz0HRI9T5RgmzV9DHT1B/rEarc  
jhTEpvPmreA=EN+k  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1966-01

Red Hat Security Advisory 2023-1907-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-openjdk security update  
Advisory ID:       RHSA-2023:1907-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1907  
Issue date:        2023-04-25  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938  
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967  
                   CVE-2023-21968  
====================================================================  
1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.372.b07-1.el8_4.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.372.b07-1.el8_4.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.4):

aarch64:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/PtzjgjWX9erEAQjNMA//bpp1jGrB3u5Q2khidQCghVv1Ggpr0Pzl  
n/9ujekG6aztyaTFSfJsX2CFZJmlCVT8v6UncZgSxeQ7KiOqNhESoTVQr+KyxVoZ  
YmpDr0HXWsa6y3KNERUBUdJ4vlbegky1jDvBPsQkzO9rijAl7/KRcP/cxntWupk0  
LyYrZWD9G8mBAalNDMozQD2C0DwFsi/R+GOQRFcP5GdIUUE+/676Xnloua+5W2wJ  
7MDi0LDQ2DpIm2DjYxpDOEgvxxMdy2OitDVJMs49xEvUkTKQtW0wNi3afMZhnvVJ  
SuWiqeavY7L9x6IAphIZXt2Ox9H3gCCflF1gk+00V0UI1OpKTTsTeZrHBN9QMy+F  
Bfq5No79e/tP5eK+NIcaWW7vHtTp3RIf08KBj4Vfh0tY4iSRx5NzQrJD94tQiZTj  
CnooNmgwOiZ6u5C9EoEpe6lkEsBXqzT3MdrxDr1m2gbGU6i4xWK9xmCYhMaoZ4XA  
mwJauSnF6z2WeET6U/qA7N816aRe2dDwTwUox8XQIdJDd2fFCi70OkbKMmyMzrGM  
GggQdCv0doE18/+g352FnsGgVVM2dsKY/Kmn5Ow+cyJLyvmu5D+3Z/8uzjJzgKr0  
1RBrVDjOL+VJv1NMi6PtjSWvuxD4JiXx4MW4yYksAoN9LGjbcgDxOc8vgGGmkqUG  
U/hqThgIrAE=jYFe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1907-01

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr5 at /nasm/nasm-parse.c.

CVE-2023-29583: stack-overflow yasm/modules/parsers/nasm/nasm-parse.c:1303 in parse_expr5 · Issue #218 · yasm/yasm

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr1 at /nasm/nasm-parse.c.

CVE-2023-29582: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the component yasm/yasm+0x43b466 in vsprintf.

**stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf****project address**

https://github.com/yasm/yasm

**info**

OS：Ubuntu20.04 TLS

Build: ./autogen.sh && make distclean && CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --prefix=$PWD/build --disable-shared && make -j && make install

**Poc**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/id:000055%2Csig:06%2Csrc:008089%2B007532%2Cop:splice%2Crep:128

**ASAN Info**

./yasm id:000055,sig:06,src:008089+007532,op:splice,rep:128

yasm: file name already has no extension: output will be in \`yasm.out'
\=================================================================
\==1107138==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb43ff890 at pc 0x00000043b467 bp 0x7fffb43ff760 sp 0x7fffb43feef8
WRITE of size 21 at 0x7fffb43ff890 thread T0
    #0 0x43b466 in vsprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466)
    #1 0x43c3f3 in sprintf (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43c3f3)
    #2 0x54e503 in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:169:17
    #3 0x539e14 in yasm\_object\_directive /home/z1r0/fuzzing/yasm/yasm/libyasm/section.c:377:5
    #4 0x57bfe2 in nasm\_parser\_directive /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:1569:10
    #5 0x579361 in parse\_line /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:377:17
    #6 0x579361 in nasm\_parser\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parse.c:231:18
    #7 0x577618 in nasm\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:66:5
    #8 0x577618 in nasm\_parser\_do\_parse /home/z1r0/fuzzing/yasm/yasm/modules/parsers/nasm/nasm-parser.c:83:5
    #9 0x4c6eae in do\_assemble /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:521:5
    #10 0x4c6eae in main /home/z1r0/fuzzing/yasm/yasm/frontends/yasm/yasm.c:753:12
    #11 0x7f833dc86082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41c47d in \_start (/home/z1r0/fuzzing/yasm/yasm/yasm+0x41c47d)
Address 0x7fffb43ff890 is located in stack of thread T0 at offset 48 in frame
    #0 0x54e38f in x86\_dir\_cpu /home/z1r0/fuzzing/yasm/yasm/modules/arch/x86/x86arch.c:153
  This frame has 1 object(s):
    \[32, 48) 'strcpu' (line 168) <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/z1r0/fuzzing/yasm/yasm/yasm+0x43b466) in vsprintf
Shadow bytes around the buggy address:
  0x100076877ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
\=>0x100076877f10: 00 00\[f3\]f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f30: f1 f1 f1 f1 f8 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100076877f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100076877f50: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f8 f8 f2 f2
  0x100076877f60: f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1107138==ABORTING

**Reference**

https://github.com/z1r00/fuzz\_vuln/blob/main/yasm/stack-buffer-overflow/yasm/readmd.md

CVE-2023-29579: stack-buffer-overflow yasm/yasm+0x43b466 in vsprintf · Issue #214 · yasm/yasm

Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp42aac component.

out-of-memory (/home/ubuntu/fuzz/asan\_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd) in operator new(unsigned long)

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    

    ./mp42aac poc4.mp4 /dev/null
    
    =================================================================
    ==1258592==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x800000010 bytes
        #0 0x4c44dd in operator new(unsigned long) (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd)
        #1 0x6054ee in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x6054ee in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x6054ee in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:150:9
        #4 0x604de2 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x53a0dd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x57718b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x5763de in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x5763de in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x53a8dc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x57718b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x5763de in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x5763de in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x53a8dc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x5390e1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x53890b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #18 0x4ceffe in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #19 0x4cf50a in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #20 0x4c7232 in main /home/ubuntu/fuzz/asan_bento4/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
        #21 0x7fb9e650c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    ==1258592==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/home/ubuntu/fuzz/asan_bento4/Bento4/cmakebuild/mp42aac+0x4c44dd) in operator new(unsigned long)
    ==1258592==ABORTING

CVE-2023-29575: fuzz_vuln/readme.md at main · z1r00/fuzz_vuln

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker **UNC4736**, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack."

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.

"The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. "Specifically it will target the Chrome, Edge, Brave, or Firefox browsers."

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that's capable of running additional commands and interacting with the victim's file system.

Mandiant's investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as "a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X\_TRADER."

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.

The initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two after which the first unauthorized access to its network took place via a VPN by taking advantage of the stolen credentials.

Besides identifying tactical similarities between the compromised X\_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.

"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges," Mandiant said. "The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."

POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control (C2) domain (journalide\[.\]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.

Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

What's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors.

"The site www.tradingtechnologies\[.\]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X\_TRADER software package," Mandiant explained.

Another link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.

The entire scale of the campaign remains unknown, and it's currently not clear if the compromised X\_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.

"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.
The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The findings are crucial, not least because it marks the first publicly documented example of the

The notorious North Korea-aligned state-sponsored actor known as the **Lazarus Group** has been attributed to a new campaign aimed at Linux users.

The attacks are part of a persistent and long-running activity tracked under the name **Operation Dream Job**, ESET said in a new report published today.

The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme.

Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.

While the exact method used to distribute the ZIP file is not known, it's suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.

Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

This also includes the command-and-control (C2) domain "journalide\[.\]org," which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.

Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.

The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrates the threat actor's continued success with staging supply chain attacks since 2020.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.

From: Wei Chen <harperchen1110@gmail.com>
To: socketcan@hartkopp.net, mkl@pengutronix.de,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-can@vger.kernel.org,
	linux-kernel@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
	syzkaller-bugs@googlegroups.com,
	syzbot <syzkaller@googlegroups.com>
Subject: BUG: unable to handle kernel paging request in can\_rcv\_filter
Date: Tue, 6 Dec 2022 23:25:36 +0800	\[thread overview\]
Message-ID: <CAO4mrfcV\_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com> (raw)

Dear Linux Developers,

Recently, when using our tool to fuzz kernel, the following crash was triggered.

HEAD commit: 147307c69ba
git tree: linux-next
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1\_c7TZ6WzCT-VLBimUP3xnkMpJPhjOAPY/view?usp=share\_link
kernel config: https://drive.google.com/file/d/1NAf4S43d9VOKD52xbrqw-PUP1Mbj8z-S/view?usp=share\_link

Unfortunately, I didn't have a reproducer for this crash.

I'm wondering if there is a data race between can\_receive and
sock\_close, which leads to the invalid null value of dev and
dev\_rcv\_lists. I hope the following report is helpful.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@gmail.com>

BUG: unable to handle page fault for address: 0000000000006020
#PF: supervisor read access in kernel mode
#PF: error\_code(0x0000) - not-present page
PGD 132110067 P4D 132110067 PUD 1320b6067 PMD 0
Oops: 0000 \[#1\] PREEMPT SMP
CPU: 0 PID: 13844 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:can\_rcv\_filter+0x44/0x4e0 net/can/af\_can.c:584
Code: 00 00 00 e8 3e 86 0f fd 49 8b 9e d8 00 00 00 48 89 df e8 af 81
0f fd 44 8b 23 48 8d bd 20 60 00 00 e8 a0 81 0f fd 48 89 2c 24 <8b> 9d
20 60 00 00 45 31 ed 31 ff 89 de e8 9a 1c fc fc 85 db 0f 84
RSP: 0018:ffffc90000003d50 EFLAGS: 00010246
RAX: ffff88813bc274d8 RBX: ffff8881310c5a10 RCX: ffffffff842b9940
RDX: 0000000000000522 RSI: 0000000000000000 RDI: 0000000000006020
RBP: 0000000000000000 R08: 0000000000006023 R09: 0000000000000000
R10: 0001ffffffffffff R11: 00018881310c5a04 R12: 0000000000000000
R13: ffff888106fb8880 R14: ffff8881308cba00 R15: 0000000000000000
FS:  00007fc9368b0700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000006020 CR3: 0000000132249000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000020000180 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 can\_receive+0x182/0x1f0 net/can/af\_can.c:664
 canfd\_rcv+0x9a/0x120 net/can/af\_can.c:703
 \_\_netif\_receive\_skb\_one\_core net/core/dev.c:5482 \[inline\]
 \_\_netif\_receive\_skb+0x8b/0x1b0 net/core/dev.c:5596
 process\_backlog+0x23f/0x3b0 net/core/dev.c:5924
 \_\_napi\_poll+0x65/0x420 net/core/dev.c:6485
 napi\_poll net/core/dev.c:6552 \[inline\]
 net\_rx\_action+0x37e/0x730 net/core/dev.c:6663
 \_\_do\_softirq+0xf2/0x2c9 kernel/softirq.c:571
 do\_softirq+0xb1/0xf0 kernel/softirq.c:472
 </IRQ>
 <TASK>
 \_\_local\_bh\_enable\_ip+0x6f/0x80 kernel/softirq.c:396
 local\_bh\_enable+0x1b/0x20 include/linux/bottom\_half.h:33
 netif\_rx+0x63/0x1c0 net/core/dev.c:5003
 can\_send+0x521/0x5b0 net/can/af\_can.c:286
 bcm\_can\_tx+0x2f0/0x3f0 net/can/bcm.c:302
 bcm\_tx\_setup net/can/bcm.c:1020 \[inline\]
 bcm\_sendmsg+0x1f78/0x2c50 net/can/bcm.c:1351
 sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
 sock\_sendmsg net/socket.c:734 \[inline\]
 \_\_\_\_sys\_sendmsg+0x38f/0x500 net/socket.c:2476
 \_\_\_sys\_sendmsg net/socket.c:2530 \[inline\]
 \_\_sys\_sendmsg+0x197/0x230 net/socket.c:2559
 \_\_do\_sys\_sendmsg net/socket.c:2568 \[inline\]
 \_\_se\_sys\_sendmsg net/socket.c:2566 \[inline\]
 \_\_x64\_sys\_sendmsg+0x42/0x50 net/socket.c:2566
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x4697f9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc9368afc48 EFLAGS: 00000246 ORIG\_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000006
RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffe26483e60
 </TASK>
Modules linked in:
CR2: 0000000000006020
---\[ end trace 0000000000000000 \]---
RIP: 0010:can\_rcv\_filter+0x44/0x4e0 net/can/af\_can.c:584
Code: 00 00 00 e8 3e 86 0f fd 49 8b 9e d8 00 00 00 48 89 df e8 af 81
0f fd 44 8b 23 48 8d bd 20 60 00 00 e8 a0 81 0f fd 48 89 2c 24 <8b> 9d
20 60 00 00 45 31 ed 31 ff 89 de e8 9a 1c fc fc 85 db 0f 84
RSP: 0018:ffffc90000003d50 EFLAGS: 00010246
RAX: ffff88813bc274d8 RBX: ffff8881310c5a10 RCX: ffffffff842b9940
RDX: 0000000000000522 RSI: 0000000000000000 RDI: 0000000000006020
RBP: 0000000000000000 R08: 0000000000006023 R09: 0000000000000000
R10: 0001ffffffffffff R11: 00018881310c5a04 R12: 0000000000000000
R13: ffff888106fb8880 R14: ffff8881308cba00 R15: 0000000000000000
FS:  00007fc9368b0700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000006020 CR3: 0000000132249000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000020000180 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0: 00 00                add    %al,(%rax)
   2: 00 e8                add    %ch,%al
   4: 3e 86 0f              xchg   %cl,%ds:(%rdi)
   7: fd                    std
   8: 49 8b 9e d8 00 00 00 mov    0xd8(%r14),%rbx
   f: 48 89 df              mov    %rbx,%rdi
  12: e8 af 81 0f fd        callq  0xfd0f81c6
  17: 44 8b 23              mov    (%rbx),%r12d
  1a: 48 8d bd 20 60 00 00 lea    0x6020(%rbp),%rdi
  21: e8 a0 81 0f fd        callq  0xfd0f81c6
  26: 48 89 2c 24          mov    %rbp,(%rsp)
\* 2a: 8b 9d 20 60 00 00    mov    0x6020(%rbp),%ebx <-- trapping instruction
  30: 45 31 ed              xor    %r13d,%r13d
  33: 31 ff                xor    %edi,%edi
  35: 89 de                mov    %ebx,%esi
  37: e8 9a 1c fc fc        callq  0xfcfc1cd6
  3c: 85 db                test   %ebx,%ebx
  3e: 0f                    .byte 0xf
  3f: 84                    .byte 0x84

Best,
Wei

next             reply	other threads:\[~2022-12-06 15:26 UTC|newest\]

**Thread overview:** 2+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-12-06 15:25 Wei Chen \[this message\]**
2022-12-06 16:35 \` BUG: unable to handle kernel paging request in can\_rcv\_filter Eric Dumazet

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=CAO4mrfcV\_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com \\
    --to=harperchen1110@gmail.com \\
    --cc=davem@davemloft.net \\
    --cc=edumazet@google.com \\
    --cc=kuba@kernel.org \\
    --cc=linux-can@vger.kernel.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=mkl@pengutronix.de \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=socketcan@hartkopp.net \\
    --cc=syzkaller-bugs@googlegroups.com \\
    --cc=syzkaller@googlegroups.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

Tag

#c++