Threat actors are increasingly placing malicious ads for Zoom within Google searches.

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

*   Case #1 is about a new loader which we have not seen mentioned publicly before called **_HiroshimaNukes_**. It drops an additional payload designed to steal user data.
*   Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called **_Hunting panel 1.40_**. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

**Advertiser profiles**

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

**Cloaking via new services**

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

*   aksdquwrqr\[.\]onelink\[.\]me
*   ntcrgfmmc3\[.\]onelink\[.\]me
*   169-zoona32\[.\]onelink\[.\]me
*   zoromonm\[.\]onelink\[.\]me
*   notetrest\[.\]onelink\[.\]me
*   putin-777\[.\]onelink\[.\]me
*   zoomus\[.\]onelink\[.\]me
*   mmozl\[.\]onelink\[.\]me
*   arnold\[.\]onelink\[.\]me
*   desktop-client\[.\]onelink\[.\]me
*   slovo-pacana\[.\]onelink\[.\]me
*   l\[.\]hyros\[.\]com/c8KqPHYKdt

Ad and redirection mechanism

**Case #1: HiroshimaNukes**

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

**Distribution**

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at _zoommaster\[.\]life_ that checks the IP address of the visitor and performs a redirect to _zoom.us_ (legitimate) site or _zoom-us\[.\]tech_ (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called _ZoomInstaller.zip_ which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _\_Zoom.exe_ file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

**DLL side-loading**

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _\_Zoom.exe_ side-loads _librcrypto-3-zm.dll_:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (_ffmpeg.dll_). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\\Projects\\General\\HiroshimaNukesDropper\\V2\\Dll\\x64\\Release\\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (_zoom\_crypted.exe_) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\\Local Storage\\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\\Local Storage\\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\\Local Storage\\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\\Local Storage\\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\\Client\\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

**Case #2: FakeBat and Hunting panel**

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

**Distribution**

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is **zoom.us** (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search

Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the _ms-appinstaller_ URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

**Malware payload**

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

**Panel and API**

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api\[.\]huntingpanel\[.\]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

**Protection**

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

**Acknowledgements**

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

**Indicators of Compromise**

**Case #1 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

zoom-us\[.\]tech

Download URL

zoom-us\[.\]tech/ZoomInstaller.zip

Fake Zoom archive (ZoomInstaller.zip)

fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762

Malicious DLL (libcrypto-3-zm.dll)

30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

Stealer payload

5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

Stealer C2

94.131.110\[.\]127

**Case #2 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

z00nn.one-platform-to-connect\[.\]group

Fake Zoom site

info-zoomapp\[.\]com

Fake Zoom site

zoomnewsonly\[.\]site

Fake Zoom site

zoonn\[.\]virtual-meetings\[.\]cn\[.\]com

Fake Zoom site

promoapp-zoom\[.\]com

Download URL

youstorys\[.\]com/fonts/Zoom-x64.msix

Download URL

windows-rars\[.\]shop/bootstrap/Zoom-x64.msix

Download URL

scheta\[.\]site/apps.store/ZoomInstaller.msix

Installer (Zoom-x64.msix)

dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893

Installer (Zoom-x64.msix)

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Installer (ZoomInstaller.msix)

462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c

Encrypted payload URL

winkos\[.\]net/ld/zm.tar.gpg

FakeBat C2

2311foreign\[.\]xyz

 Malvertisers zoom in on cryptocurrencies and initial access 

A hacker group calling itself Solntsepek—previously linked to Russia’s notorious Sandworm hackers—says it carried out a disruptive breach of Kyivstar, a major Ukrainian mobile and internet provider.

Over nearly a decade, the hacker group within Russia's GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine's power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine's largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar's CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged \[Kyivstar's\] infrastructure \[and\] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy's access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn't yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia's GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group's Telegram account. The message also includes screenshots that appear to show access to Kyivstar's network, though this could not be verified. “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as government agencies and law enforcement agencies of Ukraine. The rest of the offices helping the Armed Forces of Ukraine, get ready!”

Solntsepek has previously been used as a front for the hacker group Sandworm, the Moscow-based Unit 74455 of Russia's GRU, says John Hultquist, the head of threat intelligence at Google-owned cybersecurity firm Mandiant and a longtime tracker of the group. He declined, however, to say which of Solntsepek’s network intrusions have been linked to Sandworm in the past, suggesting that some of those intrusions may not yet be public. “It's a group that has claimed credit for incidents we know were carried out by Sandworm,” Hultquist says, adding that Solntsepek's Telegram post bolsters his previous suspicions that Sandworm was responsible. "Given their consistent focus on this type of activity, it's hard to be surprised that another major disruption is linked to them.”

If Solntsepek is a front for Sandworm, it would be far from the first. Over its years of targeting Ukrainian infrastructure, the GRU unit has used a wide variety of covers, hiding behind false flags such as independent hacktivist groups and cybercriminal ransomware gangs. It even attempted to frame North Korea for its attack on the 2018 Winter Olympics.

Today, Kyivstar countered some of Solntsepek's claims in a post on X, writing that “we assure you that the rumors about the destruction of our ‘computers and servers’ are simply fake.” The company had also written on the platform that it hoped to restore its network's operations by Wednesday, adding that it's working with the Ukrainian government and law enforcement agencies to investigate the attack. Kyivstar's parent company, Veon, headquartered in Amsterdam, didn't respond to WIRED's request for more information.

While the fog of war continues to obscure the exact scale of the Kyivstar incident, it already appears to be one of the most disruptive cyberattacks to have hit Ukraine since Russia's full-scale invasion began in February 2022. In the year that followed, Russia launched more data-destroying wiper attacks on Ukrainian networks than have been seen anywhere else in the world in the history of computing, though most have had far smaller effects than the Kyivstar intrusion. Other major Russian cyberattacks to hit Ukraine over the past 20 months include a cyberattack that crippled thousands of Viasat satellite modems across the country and other parts of Europe, now believed to have been carried out by the GRU. Another incident of cybersabotage, which Mandiant attributes to Sandworm specifically, caused a blackout in a Ukrainian city just as it was being hit by missile strikes, potentially hampering defensive efforts.

It's not yet clear if the Kyivstar attack—if it was indeed carried out by a Russian state-sponsored hacker group—was merely intended to sow chaos and confusion among the company's customers, or if it had a more specific tactical intention, such as disguising intelligence-gathering within Kyivstar's network, hampering Ukrainian military communications, or silencing its alerts to civilians about air raids.

“Telecoms offer intelligence opportunities, but they're also very effective targets for disruption," says Mandiant's Hultquist. “You can cause significant disruption to people's lives. And you can even have military impacts.”

Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Kyivstar

PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: PDF24 Creator (geek Software GmbH)  
  vulnerable version: <=11.15.1  
       fixed version: 11.15.2  
          CVE number: CVE-2023-49147  
              impact: High  
            homepage: https://tools.pdf24.org/en/creator/  
               found: 2023-10-16  
                  by: Lukas Donaubauer (Office Munich)  
                      Mario Keck (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,  
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for  
many PDF problems, online and as software for download. Solutions include the  
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
The configuration of the PDF24 Creator MSI installer file was found to  
produce a visible cmd.exe window running as the SYSTEM user when using  
the repair function of msiexec.exe. This allows a local attacker to use  
a chain of actions, to open a fully functional cmd.exe with the privileges  
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set to the default browser.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.  
Afterwards, any low-privileged user can run the following command to start the  
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets  
called with SYSTEM privileges and performs a write action on the file  
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply  
setting an oplock on the file as soon as it gets read. To do that, one can use the  
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe  
is executed doesn't close. The attacker can then perform the following actions to  
spawn a SYSTEM shell:  
- right click on the top bar of the cmd window  
- click on properties  
- under options click on the "Legacyconsolemode" link  
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)  
- in the opened browser window press the key combination CTRL+o  
- type cmd.exe in the top bar and press Enter

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)  
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is  
also affected by the vulnerability.

The tests were conducted on an up to date Windows 10 system.

Vendor contact timeline:  
------------------------  
2023-10-20: Contacting vendor through team@pdf24.org; no response.  
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org  
             No response.  
2023-11-17: Requesting CVE number  
2023-11-23: Received CVE number  
2023-11-27: Sending vendor CVE number and setting preliminary deadline for  
             advisory release (11th December)  
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.  
2023-11-28: Vendor response, seems our emails ended up in spam.  
             Sending advisory unencrypted upon vendor request.  
2023-12-04: Asking for a status update. Further questions from vendor.  
             Providing more details, clarification regarding Windows 11, browser  
             usage and recommendation for fix.  
2023-12-08: Vendor releases fixed version 11.15.2.  
2023-12-11: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version 11.15.2 which can be downloaded from the  
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:  
https://creator.pdf24.org/changelog/en.html

Workaround:  
-----------  
Use the available EXE installer.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023

PDF24 Creator 11.15.1 Local Privilege Escalation

Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-8 watchOS 10.2

watchOS 10.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214041.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

ExtensionKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3quQACgkQX+5d1TXa  
IvoPPhAAgReQjt/dYzFqQbyMQQPLK1iDWh9s0M+PbHz5x+eS6vSX/OpkLNFy6MC1  
kHQI1EaV37/3sRqko8eX+f/deKqPi59tSV3BALedLV2v8F+4ioXIzsyGWsSYzor4  
U1l4h7fNA64060MR35dlvYnB2FsNnyVI6hlhEyfEEZXVMX4cX0KX5l5a7m/wKmQK  
tpDOak7WVEIj5aLk/e0IQBjpOJW8c2Moa8PTtERr1jJsp+PVrXNu9zZfHWhsCn02  
KPa26RRDtiru7KpXlRy2vzOQeCgJmRZH1CKVWKSiLEjTZnKWM1IF1LTYBJalDGbS  
nOvV6BcVD4rdbbi4cYlPic+Z65YKw+ctW0bNAgnim8RyOF28VNQX8DOcYKZnyqPS  
jYLG5rAq0oKtJztwDkIKc2nc0FrxZzV3f4QwTaFWbVzN0koYJJpVKDs5GgGQ/2MG  
4MtuxRuK2j5eibLInW33K58XCVpAidhiU5YaeIG5dbzf0YKXsUmKImmXap5SKnSe  
fwf6kEFR7keGiu8tlEOnBonDIOhFyWeiK785WhxdwrWMJNHQUegTTYItNrtrzaZr  
Q/lDfMQ9/1L38Jj/OuR1WSdBpDKmT9jepE2mLZb4fQasALJlGh9g1uFTaTl883QG  
uADzZx+TIGO2RIlMGPxwwr4+I2kpi1x/amwRjzCzvwr9+nQDyyk=  
=MttV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-8

Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-7 tvOS 17.2

tvOS 17.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214040.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AVEVideoEncoder  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qngACgkQX+5d1TXa  
Ivrv3RAAuQY01CVjPIhf1IVMNryEZAW+NEm29U419ldBlHWNENHiXD7dF5cPNcDd  
fVlyxJ4zXCjIMflrS5oOGjqtsJvMfL99QaF9of5elxBjF8wA3d3bslESVveUw4/n  
OflBE44Ghbg2nNd/wQiiLCDWCbKyVk9R5Vm1c2L5+afg4dyppaNME4oxq7itnyjr  
UmNv7Sb2pxjjew0L9YAV15DaZmH30By6jRIKynS0+P1Eys/Vx3JVwC6QOOba6ixF  
OxO/Ki4vFAuwxnC9hGbYon6QTpMAuI0nzQAD/RYtpQMtkPkZ3dPPeA7DBs8TIxIo  
8QKfABYt5QY+VKFaTbNclzMu0/l/l3AcaZsbKTsyM1rEH8hACZKlkVQxQ3GhVXbe  
Hmc6JqOA+fpVJya7RUNCyo3Kq4jKf8Rgj+rDJyHSqZ8vEHr/qrLmgvEsHfhAPq46  
tUZMuVrHtcREKzxLh2Os4hCs68kcEG3w9Q2n5a5UHskLBYimhFTsp5ajClNC1l1w  
KiVW8SmDL7zt5ApNWRNa1Pc3ZxvAUousVbuMWt6VP40mz9AHKs8VsoscMwQkzscs  
OMkrHUJdQfki+GLsd4Zk54/VjQR1CFtr1xBPZkKPW4WCinjAiw73fuOCzTz4f+rZ  
Dwvd0BGIGPWaRewZhcxPXrSHDj91bbBLRkOPn5JVDkbP3eXRbAU=  
=IKXm  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-7

One Identity Password Manager versions prior to 5.13.1 suffer from a kiosk escape privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20231206-0 >  
=======================================================================  
               title: Kiosk Escape Privilege Escalation  
             product: One Identity Password Manager Secure Password Extension  
  vulnerable version: <5.13.1  
       fixed version: 5.13.1  
          CVE number: CVE-2023-48654  
              impact: critical  
            homepage: https://www.oneidentity.com/products/password-manager/  
               found: 2023-10-09  
                  by: Stefan Schweighofer (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"One Identity delivers solutions that help customers strengthen operational  
efficiency, reduce risk surface, control costs and enhance their  
cybersecurity. Our Unified Identity Platform brings together best-in-class  
software to enable organizations to shift from a fragmented identity strategy  
to a holistic approach."

Source: https://www.oneidentity.com/company/

Business recommendation:  
------------------------  
The vendor provides a patch version 5.13.1 which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
The Password Manager Application by One Identity enables users to reset  
their Active Directory passwords on the login screen of a Windows client, with  
the Secure Password Extension. The Secure Password Manager Extension launches a  
Chromium based browser in Kiosk mode to provide the reset functionality.

Due to application-specific functionalities the Password Manager Extension  
suffers from two exploitable Kiosk Escape vulnerabilities which allow a local,  
pre-authenticated attacker to escalate the privileges to SYSTEM.

1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
The Password Manager Extension uses Google ReCAPTCHA, which enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.  
This is possible due to the fact that Google ReCAPTCHA links to external  
websites, which open in a new browser window and enable an attacker to  
navigate to other external websites.

2) Password Manager Kiosk Escape after Session Timeout  
The Password Manager application provides a link to a help page of  
One Identity. This link references an external site and is therefore hidden  
in the Kiosk Mode browser of the Password Manager Extension. If the Password  
Manager Extension website is loaded after an active session expires the  
link to the external One Identity websites gets shown. This enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.

Proof of concept:  
-----------------  
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
An attacker requires access to a locked machine, where the Password Manger  
Extension is installed, either via physical (pre-auth) or remote (RDP) access.  
 From the login screen the Password Manger Extension Kiosk mode browser can  
be launched.

Since Google ReCAPTCHA is used on the Password Manger website the Google  
ReCAPTCHA icon is also shown on the website and provides a link to an  
external website via the "Privacy" button of the Google ReCAPTCHA field.

2) Password Manager Kiosk Escape after Session Timeout  
An attacker requires access to a username to login to either the Password Manager  
website or a logged in user, which leaves the session open until the session  
expires. Since the Password Manager uses Active Directory credentials, the  
username from the Windows login screen can be used to log into the website.  
For this attack the session of a logged-in user has to expire.

After the session expiration the Password Manager website gets reloaded and displays  
a help icon that is usually hidden. The help icon links to the external  
One Identity website., from witch it is possible to navigate to the Google Search  
website using the Sign In option of the One Identity website. The Sign In page  
has the option to login with a Facebook account and information about cookies  
is displayed on this page, which links to a Google Chrome website.

For both vulnerability 1 and 2, an attacker can use the Google Search website and  
trigger the "search by image" feature. This "search by image" feature can be used  
to trigger an upload, which then opens a file explorer window for file selection.

The file explorer window makes it possible to input "cmd" in the path field  
of the file explorer to open a command prompt. The created command prompt  
is executed with highest "nt authority\system" permissions.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 5.13

It is assumed that all previous versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-11-06: Contacting vendor through vendor security contact form  
             https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability  
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with  
             product team needed.  
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities  
             and will release an update soon. Asking for CVE numbers.  
2023-11-15: Vendor will not assign CVE numbers, we are going to request them.  
             Patch release scheduled for 17th or the week after.  
2023-11-17: Receiving one CVE number from MITRE, asking about the second one;  
             No response.  
2023-11-20: Asking for status update as no patch was released on 17th.  
2023-11-21: Patch was postponed to 1st December, setting our release date to  
             6th December.  
2023-12-01: Vendor releases fixed version v5.13.1.  
2023-12-06: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch which can be downloaded from  
https://support.oneidentity.com/password-manager/5.13.1

The release notes of the vendor can be found here:  
https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023

One Identity Password Manager Kiosk Escape Privilege Escalation

Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

macOS Sonoma 14.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214036.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Sonoma  
Impact: Secure text fields may be displayed via the Accessibility  
Keyboard when using a physical keyboard  
Description: This issue was addressed with improved state management.  
CVE-2023-42874: Don Clarke

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: Multiple memory corruption issues were addressed with  
improved input validation.  
CVE-2023-42901: Ivan Fratric of Google Project Zero  
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael  
DePlante (@izobashi) of Trend Micro Zero Day Initiative  
CVE-2023-42912: Ivan Fratric of Google Project Zero  
CVE-2023-42903: Ivan Fratric of Google Project Zero  
CVE-2023-42904: Ivan Fratric of Google Project Zero  
CVE-2023-42905: Ivan Fratric of Google Project Zero  
CVE-2023-42906: Ivan Fratric of Google Project Zero  
CVE-2023-42907: Ivan Fratric of Google Project Zero  
CVE-2023-42908: Ivan Fratric of Google Project Zero  
CVE-2023-42909: Ivan Fratric of Google Project Zero  
CVE-2023-42910: Ivan Fratric of Google Project Zero  
CVE-2023-42911: Ivan Fratric of Google Project Zero  
CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42882: Ivan Fratric of Google Project Zero

Archive Utility  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

Bluetooth  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to  
inject keystrokes by spoofing a keyboard  
Description: The issue was addressed with improved checks.  
CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices  
Available for: macOS Sonoma  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

ExtensionKit  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Sonoma  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

TCC  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Sonoma  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

Additional recognition

Memoji  
We would like to acknowledge Jerry Tenenbaum for their assistance.

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

macOS Sonoma 14.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qdUACgkQX+5d1TXa  
Ivp5JQ/9FhhIgATXMT6vd3gK4Bqn3JRODRK+rBcNBjb0zMKWh42fXqZA81K86Ksv  
FB6/OxqYmdo9NI2g7VMj0I7vS8cQf2ZE0sjSYObkuZ32As5y7Ov+xvNnrCjLuwV3  
vrDlBFRRS7KWNskNEV4ciT+ECHUYU6Jkrpt/TqpmR/B/fFxNfjE2Ibeuy56CSlGi  
FYCasHeyI5pC4kfetYG6Jo7RwcK1nCbNWHB3+zKQItvkkwV3nVBF+QjJGD/aEzz3  
X8Jp/hf3taYesK45lr6HWGcuuAGLAAYkjfxz8lLYDQ4AoQ5Xi9WCTjEX9shdKgoF  
oo1JQDCEuhLXK+1vOxoYEmUAKMRQMMlRMtZgft8hPh6Pce8gYcI0Rez3RT5+m2+U  
C7d0+97gnpssZkq2JRdyjogl5ACNHGD81jBHg33PppnjTptKNn8JSyXIZLBM3zK/  
jQRLmEAlJkl6MgnWKiy+pyzPxCsoFJnOJG481sLTEfQbiQONFIUV3YTesxbIv2a0  
8yAM0cFf5cqF6frS81zn8vYfdPJU6HJ3OQGmumLQ4UJAbWY7zg9XbyyZTFw2woGj  
0IvoSEBuP4e25JznB1/nchP7W4MJ9VfAzMe/MyBqOibHgomkY1UQqdvWz7olK3Bb  
5NkKt5PVTVjAH+R5wVnnXPlWq7Rgfg2m0Y9g3FwTm4WPrIUT5Us=  
=c6Yv  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-4

Ubuntu Security Notice 6549-2 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-2  
December 12, 2023

linux-gkeop, linux-gkeop-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems  
- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1034-gkeop   5.15.0-1034.40  
   linux-image-gkeop               5.15.0.1034.33  
   linux-image-gkeop-5.15          5.15.0.1034.33

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1034-gkeop   5.15.0-1034.40~20.04.1  
   linux-image-gkeop-5.15          5.15.0.1034.40~20.04.30

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-2  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1034.40  
   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1034.40~20.04.1

Ubuntu Security Notice USN-6549-2

Apple Security Advisory 12-11-2023-3 - iOS 16.7.3 and iPadOS 16.7.3 addresses code execution and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-3 iOS 16.7.3 and iPadOS 16.7.3iOS 16.7.3 and iPadOS 16.7.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214034.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherFind MyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code execution.Apple is aware of a report that this issue may have been exploitedagainst versions of iOS before iOS 16.7.1.Description: A memory corruption vulnerability was addressed withimproved locking.WebKit Bugzilla: 265067CVE-2023-42917: Clément Lecigne of Google's Threat Analysis GroupWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive information. Appleis aware of a report that this issue may have been exploited againstversions of iOS before iOS 16.7.1.Description: An out-of-bounds read was addressed with improved inputvalidation.WebKit Bugzilla: 265041CVE-2023-42916: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.3 and iPadOS 16.7.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qXoACgkQX+5d1TXaIvoPShAAjPSR538Ul0j+LcQE0x90MRfNyylza/kJygxDUojXji7lvnUB0s7Ft3CfPAIOPSqfyR1wAVhBPjeAPut+xp5553BBg0lUqSFldKWbP0y68zFAhc7DRIxLhqEs2N3/Dy5UYu834IQ1CaIlkAgwR4lh7Eni1he5thOyXjPzCoGo6ucGXHCoZO7JrsR5zkUFXVfdbE+k8fZVxlROFX7nBw/j9k8bDvrLPqcx4wupvTWsJI8FctUHeYQebK+77G0gJwBfwkdrYbOOCnI4RcRNranAhrr3h+oVgxVgZu+lJOLeooMfwlN/fujjEvKVPfNO/7UAP3m6Qtv8ZogHedN3pKKgvN0xn/FG9gKf2Y+EwgUOnjvWr15IIAku5M4jESTagyfYz8y+Q4qbrSgV1lC3DSgDoJQPp2civp6bqcsNXajGF00F95iQysx0wHaaKMIJazVnoN0bjZ4yk1xiTjPkft3Jn+kfPd1cjWprGlGKn92XPYLDbwXcxvnCkagVa4eJ6GY7DQ8HJJLClawx4OQE1K+VULTPLDOoJnwI5BA2RdU9LRm1h+YOM31jc47zupr+YHdebroeLerLX/KNNT5GUtfs0p794FwVyoQzwsKOiQXHMxzug3lCGdkGdg5ErMHcIGwZXq+Ko2sUn59Gub+7MGetPjU7OlAwU2h3nFOf3JEt8ww==khhF-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-3

The threat actors behind the BazaCall call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.
The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.
BazaCall (aka BazarCall), which was first

Cyber Threat / Phishing Attack

The threat actors behind the **BazaCall** call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.

The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.

BazaCall (aka BazarCall), which was first observed in 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 to $500.

By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access capabilities using remote desktop software and ultimately establish persistence on the host under the guise of offering help to cancel the supposed subscription.

Some of the popular services that are impersonated include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

In the latest attack variant detected by Abnormal Security, a form created using Google Forms is used as a conduit to share details of the purported subscription.

It's worth noting that the form has its response receipts enabled, which sends a copy of the response to the form respondent by email, so that the attacker can send an invitation to complete the form themselves and receive the responses.

"Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software," security researcher Mike Britton said.

The use of Google Forms is also clever in that the responses are sent from the address "forms-receipts-noreply@google\[.\]com," which is a trusted domain and, therefore, have a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign uncovered by Cisco Talos last month.

"Additionally, Google Forms often use dynamically generated URLs," Britton explained. "The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats."

**Threat Actor Targets Recruiters With More\_eggs Backdoor**

The disclosure arrives as Proofpoint revealed a new phishing campaign that's targeting recruiters with direct emails that ultimately lead to a JavaScript backdoor known as More\_eggs.

The enterprise security firm attributed the attack wave to a "skilled, financially motivated threat actor" it tracks as TA4557, which has a track record of abusing legitimate messaging services and offering fake jobs via email to ultimately deliver the More\_eggs backdoor.

"Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume," Proofpoint said.

"Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website."

More\_eggs is offered as malware-as-a-service, and is used by other prominent cybercriminal groups like Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6. Earlier this year, eSentire linked the malware to two operators from Montreal and Bucharest.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google