Powered by Cribl, a CrowdStrike Falcon Fund partner, and available to CrowdStrike Falcon platform customers.

**AUSTIN, Texas and RSA Conference 2023, SAN FRANCISCO, April 24, 2023** – CrowdStrike (Nasdaq: CRWD) today introduced CrowdStream, powered by open observability company Cribl, which transforms how customers can get any data, from any security or IT source, directly into the CrowdStrike Falcon platform to solve XDR, log management and AI-based analytics challenges in a rapid, cost effective way.

Organizations struggle to get the complete visibility across the security and IT data sources needed to effectively stop increasingly sophisticated adversaries as they move across attack surfaces to breach organizations. Collecting and routing this siloed data is creating a heavy burden of complexity and cost, especially as data volumes continue to exponentially grow across ever-multiplying data sources.

CrowdStream is a new native platform capability that directly connects any data source into the CrowdStrike Falcon platform using Cribl’s observability pipeline technology. By sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to get data into the CrowdStrike Falcon platform to greatly accelerate the adoption of XDR and log management, as well as aggregating the required data to train advanced AI/ML models.

CrowdStream transforms an organization’s ability to unify siloed security and IT data by:

• **Easily connect and rout****e** data from any source into the CrowdStrike Falcon platform, accelerating the adoption of XDR and log management by minimizing the complexity and cost of onoboarding data sources.

• **Unify data within the CrowdStrike Falcon platform for insights** and near-instant search at petabyte scale to provide the rich visibility and aggregated telemetry needed to eliminate threats, run deep analytics and hunt for adversaries.

• **Cut log management costs** by sending the right data (and only the right data) to a modern log management solution such as CrowdStrike Falcon LogScale. Recently, a large financial institution switched to CrowdStrike Falcon LogScale and saved at least $5 million dollars over three years in infrastructure and licensing costs.

• **Consolidate** point products by centralizing and normalizing data within the CrowdStrike Falcon platform to continuously address new security and IT use cases with fully integrated capabilities built on a unified data model.

“Cybersecurity is ultimately a data problem. Today’s adversary techniques are growing more sophisticated including the use of initial access, lateral movement, privilege escalation, defense evasion and data extortion. However, organizations are still struggling to effectively and efficiently collect the right data from a variety of security and IT point products they deploy to root out and shut down threats from adversaries,” said Michael Sentonas, president at CrowdStrike. “For organizations to stay ahead of these threats, it is imperative they have real-time visibility and data at their fingertips. We see the CrowdStream technology as a game-changer that significantly improves our customer’s ability to get the right data, from any source, directly into the CrowdStrike Falcon platform to solve the hardest security and IT challenges in an elegant, cost-effective way.”

“Cribl is a proud CrowdStrike Falcon Fund partner, as we were one of CrowdStrike’s first investments. We see this expanded strategic partnership with CrowdStrike as another step to solving the massive data problem that cybersecurity teams face today,” said Clint Sharp, co-founder and CEO, Cribl. “By making the process of data collection for the CrowdStrike Falcon platform easier, CrowdStream will revolutionize the way that organizations quickly gain value from XDR and log management.”

**Additional Resources**

• For more information on CrowdStream, please visit the CrowdStrike blog and Cribl website.

**About Cribl**

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

CrowdStrike Introduces CrowdStream to Accelerate and Simplify XDR Adoption

Categories: Podcast
This week on Lock and Code, we speak with Courtney Brown about a mental health nonprofit's use of AI to speak to people suffering emotional distress. 



(Read more...)




The post Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09 appeared first on Malwarebytes Labs.

In January, a mental health nonprofit admitted that it had used Artificial Intelligence to help talk to people in distress. 

Prompted first by a user's longing for personal improvement—and the difficulties involved in that journey—the AI tool generated a reply, which, with human intervention, could be sent verbatim in a chat box, or edited and fine-tuned to better fit the situation. The AI said:

“I hear you. You’re trying to become a better person and it’s not easy. It’s hard to make changes in our lives, especially when we’re trying to do it alone. But you’re not alone. There are people here who care about you and want to help you. I’m proud of you for making the decision to try to improve your life. It takes a lot of courage and strength. I send you love and support as you go through this journey.”

This was experimental work from Koko, a mental health nonprofit that integrated the GPT-3 large language model into its product for a short period of time that is now over. In a video demonstration posted on Twitter earlier this year, Koko co-founder Rob Morris revealed that the nonprofit had used AI to provide "mental health support to about 4,000 people" across "about 30,000 messages." Though Koko pulled GPT-3 from its system after a reportedly short period of time, Morris said on Twitter that there are several questions left from the experience. 

"The implications here are poorly understood," Morris said. "Would people eventually seek emotional support from machines, rather than friends and family?"

Today, on the Lock and Code podcast with host David Ruiz, we speak with Courtney Brown, a social services administrator with a history in research and suicidology, to dig into the ethics, feasibility, and potential consequences of relying increasingly on AI tools to help people in distress. For Brown, the immediate implications draw up several concerns. 

> "It disturbed me to see AI using 'I care about you,' or 'I'm concerned,' or 'I'm proud of you.' That made me feel sick to my stomach. And I think it was partially because these are the things that I say, and it's partially because I think that they're going to lose power as a form of connecting to another human."

But, importantly, Brown is not the only voice in today's podcast with experience in crisis support. For six years and across 1,000 hours, Ruiz volunteered on his local suicide prevention hotline. He, too, has a background to share. 

Tune in today as Ruiz and Brown explore the boundaries for deploying AI on people suffering from emotional distress, whether the "support" offered by any AI will be as helpful and genuine as that of a human, and, importantly, whether they are simply afraid of having AI encroach on the most human experiences. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09

Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.
"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01

Threat Intel / Cyber Attack

Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.

"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added.

The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw (CVE-2023-27350, CVSS score - 9.8) to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera and Syncro for persistent access and code execution on the infected hosts.

Additional infrastructure analysis has revealed the domain hosting the tools – windowservicecemter\[.\]com – was registered on April 12, 2023, also hosting malware like TrueBot, although the company said it did not directly detect the deployment of the downloader.

TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.

"While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning," Huntress researchers said.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment."

Users are recommended to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is "available to external or internal connections," to mitigate potential risks.

Customers who are unable to upgrade to a security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IPs and limiting IP addresses to only those belonging to verified site servers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers

Repetier Server through 1.4.10 does not have CSRF protection.

Here you can download the free version of Repetier-Server. To get the Pro version with all features, you just have to enter your Repetier-Server Pro license code you can get here. Repetier-Server Monitor is always free.

** Repetier-Server 1.4.10**

**After installing Repetier-Server you can activate a completely free test period of 14 days to test out all Pro features. If you are satisfied, we are happy if you decide for a Pro version and support this project.**

**Download Older Versions**

**Show Changelog**

**Which version is the right?**

For the linux versions we currently only have Debian installer which work with all newer Debian like distributions like Ubuntu as long as your libc version is greater equal the used version. See table below:

*   **Linux 32 bit Intel (intel32):** libc 2.19 like used in Ubuntu 14.04LTS
*   **Linux 64 bit Intel (amd64):** libc 2.13 like used in Debian Wheezy
*   **Linux 32 bit ARM (armhf):** libc 2.16 like used in Debian Jessie. Use armel if you have a older libc.
*   **Linux 64 bit ARM (armhf 64 bit):** libc 2.23 like used in Ubuntu 16.04
*   **Linux 32 bit ARM (armel):** libc 2.13 like on Raspberry-Pi Raspian
*   **Windows: Vista, 7, 10 and 11**
*   **Mac: OS X 10.13 or later**

For the arm boards we have two versions depending on the arm architecture. The widespread Raspberry-PI uses the armel version. Boards with better hardware like Beagle bon black should use the faster armhf version.

For update informations, please check out our changelog.

** Repetier-Server Monitor 1.4.5**

Free desktop app to connect multiple Repetier-Server PRO or OEM instances at once with additional functions like easy g-code upload from any slicer, Repetier-Server backup, …  
Read more …

**Show Changelog**

**System requirements**

*   Windows 7 and higher (64 bit), Mac OS X 10.10 and higher and Linux (64 bit)
*   200 MB disc storage
*   The current version of Repetier-Server
*   If under linux the screen is empty add –disable-gpu as parameter. Happens especially under virtual machines.

**Troubleshooting:**

If you have any problems with our software, here you will find help:

*   Manual including installation instructions and other documentations
*   Frequently askes questions
*   Our forum for answers and questions not covered in the above sources

**Notice for Raspberry Pi users**

The Pi is very power sensitive. If it does not receive stable 5V, you may experience stability issues like bad connections or temperature errors. Use a solid 3A power supply, best with 5.1 V output. Also a cheap usb cable with thin wires can cause voltage loss. We recommend an AWG20 USB cable.

More information

CVE-2023-31061: Download - Repetier-Server

Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?

Hackers—particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit—are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world's most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.

So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?

Why, when I interview different cybersecurity firms about a particular unit of Russian military intelligence hackers, do I have to internally translate that this company refers to Fancy Bear as Pawn Storm, while this one calls them Iron Twilight? Why, when I wrote a news piece earlier this week about a North Korea–linked hacking team that has spied on their South Korean neighbors, stolen millions in cryptocurrency to fund the totalitarian regime of Kim Jong-un, and corrupted the software distributed by multiple companies to spread malicious code worldwide, did I find myself referring to them as "the hacker group known as Kimsuky, Emerald Sleet, or Velvet Chollima"? It is all, frankly, a little embarrassing—and to the average reader, lends reporting about cyber conflict about as much gravity as the play-by-play of a Pokémon card game.

A few days ago, Microsoft's cybersecurity division announced it was changing the entire taxonomy of names it uses for the hundreds of hacker groups that it tracks. Instead of its previous system, which gave those organizations the names of elements—a fairly neutral, scientific-sounding system as these things go—it will now give hacker groups two-word names, including in their description a weather-based term indicating what country the hackers are believed to work on behalf of, as well as whether they're state-sponsored or criminal.

That means Phosphorous, an Iranian group that Microsoft reported this week has been targeting US critical infrastructure like seaports, energy companies, and transit systems, now has the less-than-fearsome name Mint Sandstorm. Iridium, Russia's most aggressive and dangerous cyberwar-focused military hacker unit more commonly known as Sandworm—responsible for multiple blackouts in Ukraine and the most destructive malware in history—now has the whimsical title of Seashell Blizzard. Barium, a team of Chinese hackers that's carried out more software-supply-chain attacks than perhaps any group worldwide, is now Brass Typhoon—a phrase that, I confess, I have a hard time separating from flatulence.

Many of the new names sounded so absurd that I actually double-checked Microsoft hadn't published the new labeling system on April 1. Periwinkle Tempest. Pumpkin Sandstorm. Spandex Tempest. Gingham Typhoon. “These names are just really silly,” says Rob Lee, the founder and CEO of industrial-control-system cybersecurity firm Dragos. “I mean, talk about not being taken seriously as a profession.”

Goofiness aside, the new system is counterproductive for actual cybersecurity analysis, Lee argues. Given that Microsoft's threat intelligence is some of the best in the world, analysts and customers across the industry will have to actually revise their databases—and even some of their products—to match Microsoft's new naming scheme, he says. And the revised system now locks in educated guesses about the national loyalties of hackers with no indication of the analysts' degree of confidence in those assessments, Lee adds.f

What if a hacker group thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)

When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft's new names are more distinct, memorable, and searchable. In contrast to Lee's point about choosing neutral names, the Microsoft team _wanted_ to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)

Microsoft's team was also just running out of elements—there are, after all, only 118 of them. “We liked weather because it's a pervasive force, it's disruptive, and there's a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That's cybersecurity defenders' world, too.” As for the adjectives preceding those meteorological terms—often the real source of the names' inadvertent comedy—they're chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they're random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”

There's a certain, stubborn logic behind the cybersecurity industry's ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, they can't be sure they're seeing the same group that another company has already spotted and labeled, even if they do see familiar malware, victims, and command-and-control infrastructure between the two groups. If your competitor isn't sharing everything they see, it's better to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—_sigh_—Seashell Blizzard, as every company's analysts get a different glimpse of the group's anatomy.

But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft's rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they're an exotic flavor of air freshener? (The older name given to them by Crowdstrike, Charming Kitten, is certainly not any better.) Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to governments targeting journalists and human rights activists, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin’ beverage, and one that's already taken by a strain of cannabis?

Kevin Mandia, one of the original hacker hunters and the founder and CEO of the cybersecurity firm Mandiant, captured this problem in a speech at the Cybersecurity Threat Intelligence Summit in 2018. “I’ve always wondered, how do you get into a boardroom and say, ‘Sir, I know you’re breached. You’re in the headlines. And you were hacked by Fluffy Snuggle Duck,’” Mandia said. “It just doesn’t work.”

Mandia concedes today that in the five years since his Fluffy Snuggle Duck comment, he's become more inured to the silly hacker group names. “I don't care what they're called, I just want to make sure we have the catalog right. Do we have the fingerprints for them, do we have defenses for them?” he says.

In our interview, though, he still seemed to be genuinely tripped up by the labeling scheme of his competitor Crowdstrike, which names hackers after different animals based on their nationality. “Bear is Russia … or is it?” Mandia pondered out loud. “Panda is China. But that’s a bear. I’m confused already.”

Mandia and Lee both dream of a day when a government body—say, the US National Institute of Standards and Technology—comes up with a hacker group naming convention that can be adopted across the industry. But they both also say that companies would never stick to it. Marketing aside, the fog of war in cybersecurity research means analysts at different companies will never be sure they're looking at the same entities—unless they all agree to openly share every scrap of their closely guarded intelligence.

Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched crippling ransomware attacks across the entire nation of Costa Rica, leading the country's government to declare a national emergency. Periwinkle Tempest are some of the most dangerous hackers in the world. Periwinkle Tempest. Seriously.

Hacker Group Names Are Now Absurdly Out of Control

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The three vulnerabilities are as follows -

CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability 
CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control

Patch Management / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The three vulnerabilities are as follows -

*   **CVE-2023-28432** (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability
*   **CVE-2023-27350** (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control Vulnerability
*   **CVE-2023-2136** (CVSS score - TBD) - Google Chrome Skia Integer Overflow Vulnerability

"In a cluster deployment, MinIO returns all environment variables, including MINIO\_SECRET\_KEY and MINIO\_ROOT\_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023.

Data gathered by GreyNoise shows that as many as 18 unique malicious IP addresses from the U.S., the Netherlands, France, Japan, and Finland have attempted to exploit the flaw over the past 30 days.

The threat intelligence company, in an alert published late last month, also noted how a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT relied on an older version of MinIO that's vulnerable to CVE-2023-28432.

"While the new feature released by OpenAI is a valuable tool for developers who want to access live data from various providers in their ChatGPT integration, security should remain a core design principle," GreyNoise said.

Also added to the KEV catalog is a critical remote code execution bug affecting PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code.

The vulnerability has been addressed by the vendor as of March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. Zero Day Initiative, which reported the issue on January 10, 2023, is expected to release additional technical details on May 10, 2023.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

According to an update shared by the Melbourne-based company earlier this week, evidence of active exploitation of unpatched servers emerged in the wild around April 18, 2023.

Cybersecurity firm Arctic Wolf said it "has observed intrusion activity associated with a vulnerable PaperCut Server where the RMM tool Synchro MSP was loaded onto a victim system."

Lastly added to the list of actively exploited flaws is a Google Chrome vulnerability affecting the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.

Federal Civilian Executive Branch (FCEB) agencies in the U.S. are recommended to remediate identified vulnerabilities by May 12, 2023, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized user can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42286

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0200

NVIDIA DGX-2 contains a vulnerability in OFBD where a user with high privileges and a pre-conditioned heap can cause an access beyond a buffers end, which may lead to code execution, escalation of privileges, denial of service, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0201

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, where a user with high privileges can cause a write beyond the bounds of an indexable resource, which may lead to code execution, denial of service, compromised integrity, and information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0202

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the GenericSio and LegacySmmSredir SMM APIs. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0206

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the NVME SMM API. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0207

NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

**Firmware Container**

CVE‑2022‑42274  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42287  
CVE‑2023‑0200  
CVE‑2023‑0201

DGX-2

DGX-2

All BMC versions prior to 1.08.00

01.08.00

23.3.1

CVE‑2022‑42286  
CVE‑2022‑42289  
CVE‑2022‑42290  
CVE‑2023‑0207

DGX-2

DGX-2

All SBIOS versions prior to 0.33

0.33

23.3.1

CVE‑2023‑0202  
CVE‑2023‑0206

DGX A100

DGX A100

All SBIOS versions prior to 1.18

1.18

22.12.1

**AMI Security Advisory CVEs Addressed**

CVE‑2022‑40259  
CVE‑2022‑40242  
CVE‑2022‑2827

DGX Station A100

DGX Station A100

All BMC versions prior to 2.01.00

2.01.00

23.3.1

**Additional Information****Security Vulnerabilities Reported by AMI**

The following table lists potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that have been reported by AMI. These vulnerabilities may allow user enumeration, unauthorized access, or arbitrary code execution.

**CVE ID**

**Severity**

**Summary**

CVE‑2022‑40259

Critical

AMI MegaRAC Redfish Arbitrary Code Execution

CVE‑2022‑40242

High

MegaRAC Default Credentials Vulnerability

CVE‑2022‑2827

High

AMI MegaRAC User Enumeration Vulnerability

The following table lists the status of the NVIDIA response to these vulnerabilities for each NVIDIA DGX system.

**System**

**Status**

DGX-1

Not vulnerable - no response required

DGX-2

Not vulnerable - no response required

DGX A100

To be addressed in May 2023 as stated in NVIDIA DGX A100 Server and DGX Station A100 - December 2022

DGX Station

Not vulnerable - no response required

DGX Station A100

Addressed in this update

**Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel Processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-2 SBIOS release version 0.33.

**CVE ID**

**Severity**

**Summary**

CVE‑2020‑12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2021‑0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2020‑12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Acknowledgements**

CVE‑2022‑42274, CVE‑2022‑42280, CVE‑2022‑42282, CVE‑2022‑42283, CVE‑2022‑42286, CVE‑2022‑42287, CVE‑2022‑42289, CVE‑2022‑42290: The NVIDIA Offensive Security Research (OSR) team reported these issues.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

March 23, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-0207: NVIDIA Support

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑0209

NVIDIA DGX-1 SBIOS contains a vulnerability in the Uncore PEI module, where authentication of the code executed by SSA is missing, which may lead to arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass.

8.2

AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25505

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler of the AMI MegaRAC BMC, where an attacker with the appropriate level of authorization can cause a buffer overflow, which may lead to denial of service, information disclosure, or arbitrary code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25506

NVIDIA DGX-1 contains a vulnerability in Ofbd in AMI SBIOS, where a preconditioned heap can allow a user with elevated privileges to cause an access beyond the end of a buffer, which may lead to code execution, escalation of privileges, denial of service and information disclosure. The scope of the impact of this vulnerability can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25507

NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25508

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler, where an attacker with the appropriate level of authorization can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25509

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA server products affected, firmware versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25505  
CVE‑2023‑25508  
CVE‑2023‑25507

NVIDIA DGX-1 Servers

DGX-1

All BMC versions prior to 3.39.3

3.39.30

CVE‑2023‑0209  
CVE‑2023‑25506  
CVE‑2023‑25509

NVIDIA DGX-1 Servers

DGX-1

All SBIOS prior to S2W\_3A13

S2W\_3A13

**Notes**

*   Upgrade the NVIDIA DGX-1 firmware container to version 23.04.01 to get the updated firmware and SBIOS version listed in the table above. Firmware updates are available through the NVIDIA Enterprise Support Portal.

**Additional Information: Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-1 SBIOSS2W\_3A13.

**CVE ID**

**Severity**

**Summary**

CVE-2020-12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2021-0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2020-12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.1

April 19, 2023

Modified CVE-2023-0209 description.

1.0

April 19, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25509: NVIDIA Support

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

Attackers have their methods timed to the second, and they know they have to get in, do their damage, and get out quickly. CISOs today must detect and block in even less time.

It may not be fair to say that incident response (IR) is the essence of an enterprise's cybersecurity strategy, but it is what everything else is building toward. However, the biggest opponent of IR is not as much attackers as it is time.

The bad guys, often aided by machine learning (especially in state-actor attacks), are ultrafocused. Cyberattackers today have a precise attack plan. Typically, they will be prepared to steal what they are looking for — or to damage systems — in a few minutes and then quickly exit the system.

Although some attackers prefer a stealthy means that installs malware and watches network activity for potentially months, many of the nastiest criminals today use a hit-and-run approach. That means an IR plan must identify what is going on, lock down ultrasensitive systems, and trap the attacker in moments. Speed may not be everything, but it's close.

Complicating the current IR environment is the fact that enterprise threat landscapes have gotten exponentially more complex in recent years, especially in terms of being porous as well as giving bad guys far more places to hide. Beyond the WAN and company systems, there are the shrinking — but still relevant — on-premises systems, a large number of cloud environments (both known and unknown), IoT/IIoT, partners with far greater access, home offices with insecure LANs, vehicle fleets with their own data retention and IP addresses, mobile devices with full credentials (often owned by employees, raising more security concerns), and SaaS apps that are hosted in systems with unknown holes of their own.

With all of that happening, the security operations center (SOC) may have mere minutes to identify and deal with a breach.

The biggest CISO problem with IR is a lack of preparation, and the biggest IR enterprise weakness today is foundational. The best processes for IR begin with readiness via building a solid organizational threat model and reconciling the threat library of things that could adversely affect the company with an alignment to what preventative, detective, and reactive controls are present against the attack surface of that threat model. Employing automation via security orchestration, automation, and response (SOAR) technologies has become highly useful in reducing response times and being able to leverage playbooks that get triggered upon certain defined conditions being met in the technical environment.

**Check the Map**

One of the most critical foundational elements is working from a current, accurate, and comprehensive data map. The problem is that today's environments make having a truly complete data map impossible.

Consider the mobile factor alone. Employees and contractors are constantly creating new intellectual property (a series of emails or texts, for example, between a sales rep and a customer or prospect) via mobile devices and then not syncing that information with centralized systems controlled by IT.

Because it's impossible to protect that which you don't know exists, generating as accurate a data map as possible is critical. It wouldn't hurt to also increase the visibility of all tools, platforms, hardware/devices (especially IoT), and anything else that an attacker could subvert.

Continuous attack surface management (CASM) has been an evolving area of security activities that companies need to mature to ensure that edge devices, particularly those that are IoT devices that may have direct access to the edge gateway, are adequately protected with detective controls.

You need to start with traditional asset management strategies, identifying all components and tracing all assets, regardless of whether they're in a rack somewhere or in a colocation. For too many enterprises, there is no comprehensiveness, no proper governance. They need to match assets and data with each line of business to plot out sustainability for that LOB. They need to figure out everything from IoT devices to third-party vendor software. There are so many things that often exist below the radar. What is the ecosystem for each and every product line?

**The Vertical Dimension**

Beyond that one enterprise, attack surface and the threat landscape must be identified for any verticals where the machine operates and often it has to drill into any and all subindustries. That forces a strict evaluation of what threat intelligence is being used.

For industry/vertical data, that means integrating information sharing and analysis centers (ISACs) along with open source alerts, vendor notifications, the Cybersecurity and Infrastructure Security Agency (CISA) and the (National Vulnerability Database (NVD) and many others, song with internal SIEM data.

But all of that threat intel is powerful before an incident. Once an attack begins and the SOC staff is actively defending itself, threat intel can sometimes prove more of a distraction than a help. It's great before as well as after the attack, but not during.

Companies often undermine their IR speed and effectiveness by not giving the SOC team sufficient access as well as information. For example, audit logs often include the IP addresses of affected devices, but some logs only display an internal NAT address and SOC staff couldn't easily and quickly map public IP addresses to NAT IP addresses. That forced the SOC team — during an emergency — to reach out to the network infrastructure team.

Does the SOC team have access to all cloud environments? Are they listed as contacts for all colocation and cloud support staff?

It is common for security people to use military analogies — especially war references — when describing incident response strategies. Sadly, those analogies are more apt than I'd wish. Attackers today are using top-end machine learning systems and are sometimes financially backed by nation-states. Their systems are often more robust and modern than what enterprises use for defense. That means that today's IR strategies must use the ML tools to keep up. The attackers have their methods timed to the second, and they know they have to get in, do their damage, exfiltrate their files, and get out quickly. CISOs today must detect and block in even less time.

Tag

#intel