In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem.

Flowmon

**Visualize Network Traffic, Identify Issues & Prevent Cyber Incidents****Reduce risk and improve your resilience across your on-prem, hybrid and cloud with intelligent network visibility and security monitoring.**

Discover entire solution

**Protect your business from  
modern threats**

**Detection**

Uncover ransomware attacks, unknown threats and early incident of compromise before they can impact your business.

**Threat Hunting**

Analyze malicious activity and investigate the root cause with a state-of-the-art solution based on AI & ML.

**Response**

Leverage response in autonomous way to enhance containment and eradication of cyber threats.

**Forensic Analysis**

Collect, store and retrieve all network security data to deep analysis for better cybersecurity resilience.

Explore security solution

**Control your network with full  
visibility & decisive Intelligence**

**Complete Insight**

Gain comprehensive visibility into your entire hybrid & cloud environment. Get a holistic overview of your network with detailed insights.

**Performance Indicators**

See performance degradation and distinguish between delays caused by the network itself and delays caused by applications and services.

**Troubleshooting & Analysis**

Quickly find the root cause of any network & security failures with deep data granularity and suggestions for remedial action.

**Indispensable Anomaly Detection**

Automated analysis of user and network behaviour for recognition of advanced threats and operational issues.

Explore NPMD Solution

**Flowmon Named Technology Leader in Network Detection and Response**

Released in 2022, the SPARK MatrixTM report conducted by Quadrant Knowledge Solutions provides market insights, competitive evaluation, and vendor rankings to better understand the capabilities of different solutions in the network detection and response (NDR) market. In Customer Impact and Technology Excellence they awarded Flowmon's NDR the highest ranking of Technology Leader.

Get the report

**Results first**

> “The installation of Flowmon is very simple and intuitive. Thanks to Flowmon, we are provided with network visibility that we previously lacked. As a consequence we can identify the causes of network issues easier than ever before. The solution also allows us to design the proper capacity of our network. We plan to enforce network monitoring solution deployment across all 11 group offices and 20 facilities.”

Masahiro Sato  
Operations Network Engineer at SEGA

**Technology trusted by your peers**

 Rated 4.9/5

“Nowadays keeping eye on internet browsing history and analysing the data flow is very difficult. The Flowmon solution made thus task easier. We can analyse the network flow and also, we can identify the security threats in the network. The complete dashboard for this is really useful.”

Demo

**See live product demo**

Explore a fully interactive product demo and see what issues it can tackle for you.

Launch demo

Trial

**Request free trial**

Get no-obligation 30-day trial of Flowmon in your network.

Get your trial today

CVE-2023-26101: Flowmon - Trusted solution for network and security operations | Flowmon

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker **UNC4736**, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack."

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.

"The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. "Specifically it will target the Chrome, Edge, Brave, or Firefox browsers."

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that's capable of running additional commands and interacting with the victim's file system.

Mandiant's investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as "a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X\_TRADER."

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.

The initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two after which the first unauthorized access to its network took place via a VPN by taking advantage of the stolen credentials.

Besides identifying tactical similarities between the compromised X\_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.

"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges," Mandiant said. "The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."

POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control (C2) domain (journalide\[.\]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.

Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

What's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors.

"The site www.tradingtechnologies\[.\]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X\_TRADER software package," Mandiant explained.

Another link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.

The entire scale of the campaign remains unknown, and it's currently not clear if the compromised X\_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.

"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider **3CX.** The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on **LinkedIn** to lure people into opening malware disguised as a job offer; malware targeting **Mac** and **Linux** users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both **Windows** and **macOS** were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm **Mandiant**, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for **X\_TRADER**, a software package provided by **Trading Technologies**.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on **GitHub**. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm **ESET** today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a recent series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by **ClearSky Security**, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

**Microsoft Corp.**, which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like **Sumatra PDF** and the SSH client **Putty**.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “**ZINC**“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “**Diamond Sleet**.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise **Linux** operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers **Peter Kalnai** and **Marc-Etienne M.Leveille**. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.

**Kim Zetter**, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X\_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X\_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X\_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.

3CX Breach Was a Double Supply Chain Compromise

**SANTA CLARA, Calif.****,** **April 20, 2023** **/PRNewswire/ --** Infoblox Inc. the company that delivers a simplified, cloud- enabled networking and security platform for improved performance and protection, today published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.

Coined "Decoy Dog," Infoblox's Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox's findings is here.

"Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy," said Renée Burton, Senior Director of Threat Intelligence for Infoblox. "Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business." 

As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is "intent to compromise'' and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox's Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.

**Threat Discovery, Anatomy & Mitigation:** 

*   Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
*   The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
*   The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox's BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
*   C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.
*   Organizations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.
*   In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox's anti-malware feed.
*   Infoblox continues to urge organizations to block the following domains:

*   claudfront.net
*   allowlisted.net
*   atlas-upd.com
*   ads-tm-glb.click
*   cbox4.ignorelist.com
*   hsdps.cc

"While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it's rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control," added Burton.

The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.

For the full threat summary titled **"Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic"** click here.

**About Infoblox's Threat Intelligence Group:**

The Threat Intelligence Group at Infoblox is dedicated to creating high fidelity "block-and-forget" domain name service (DNS) intelligence data for use in BloxOne Threat Defense. Core to Infoblox's protection strategy is the identification of suspicious domains. Infoblox's Threat Intelligence Group uses a patented machine learning algorithm to minimize the risk of enterprise outages while enabling maximum coverage of threats. Infoblox identifies suspicious domains through several **custom-built algorithms and DNS based threat hunting**.

The organization focuses on DNS and infrastructure actors. The team can identify suspicious behavior before its impact is known by the adjacent areas of the industry (endpoint, netflow vendors), and can track persistent actors to block their DNS infrastructure before it becomes a problem for our customers. Threat actors often register domains well in advance of using them for attacks, typically 14-120 days in advance, but we have seen domains held dormant for upwards of two years - like this case in point.

**About Infoblox** 

Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organization runs faster and stops threats earlier. Visit infoblox.com**, or follow-us on** LinkedIn or Twitter.

Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains

The new Security Legal Research Fund and Hacking Policy Council are aimed at protecting "good faith" security researchers from legal threats and giving them a voice in policy discussions.

Security researchers who report vulnerabilities run the risk of either being slapped with legal sanctions to suppress disclosure or getting caught up in a legal battle punishing them for finding the flaws in the first place.

Even though the US Department of Justice announced last year that it won't prosecute cybersecurity researchers engaged in "good faith" vulnerability research and disclosure for violating the Computer Fraud and Abuse Act (CFAA), researchers still risk criminal and civil actions from states, foreign governments, and corporations. The nonprofit Center for Cybersecurity Policy & Law is pushing back with two coordinated initiatives – the Hacking Policy Council and the Security Legal Research Fund – to protect individuals who discover vulnerabilities that could potentially harm users if exploited.

The formation of the Hacking Policy Council and Security Legal Defense Fund underscores how critical it is to identify and disclose vulnerabilities to prevent malicious actors from gaining access to software, infrastructure, and data, says Futurum Research senior analyst Krista Macomber.

"The intention is to create a climate that encourages collaboration and information sharing and protects folks working diligently to expose potential threats," Macomber says.

The Hacking Policy Council plans to advocate and lobby for better vulnerability disclosure regulations and removing outdated laws. Founding member organizations include Google, Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security. The Security Legal Research Fund, as of now, will provide only funding.

"The defense fund does not plan to provide direct legal representation to researchers at this time," said Harley Geiger, an attorney with Venable and coordinator of the two new groups, during the press conference announcing the two initiatives. "Instead, it will help provide funding to individuals who are facing legal threats due to good faith security research and vulnerability disclosure."

**Plight of Ethical Hackers**

James Dempsey, one of the Security Legal Research Fund's board members and a lecturer at the University of California at Berkeley Law and Stanford University, noted that independent researchers have long faced legal jeopardy for their efforts. For example, Dempsey pointed to a well-known case in 2008 when a judge issued an injunction that prevented a team of MIT students from presenting at the DEF CON security conference about vulnerabilities they discovered in Massachusetts Bay Transit Authority's fare card system.

Dempsey pointed to a more recent case in 2021 when Missouri Governor Mike Parson threatened to prosecute reporters at the St. Louis Post-Dispatch after the newspaper published an article exposing vulnerabilities on a state agency's website. But Missouri prosecutors ultimately declined to file charges.

"To get that letter on the letterhead threatening legal action can be very intimidating, and that's what we want to help people overcome," Dempsey said.

"This issue has so much impact that I think it really merits a group that is tightly focused on this issue and can bring that expertise to policymakers to help them make more informed policy," said Charley Snyder, Google's head of security policy.

The Hacking Policy Council will initially work to lobby for changes in laws and regulations in the US and, ultimately, worldwide. Luta Security founder and CEO Katie Moussouris emphasized that many regulations are outdated.

"Right now we have a lot of regulations that were, frankly, written in a different era when there was not a nuanced understanding of the hand-in-hand relationship between vulnerability discovery and malicious hacking prevention," she said.

Complicating matters is the global disparity in regulations and policies, which sometimes require disclosure to a government, either in tandem or before notifying affected users and the public, Moussouris noted. A provision in the Cyber Resilience Act, proposed by the European Commission, would require anyone in the EU discovering a vulnerability to disclose it within 24 hours.

"As written, it will be as effective for security as GDPR was for privacy; it will have that much of an impact," Venable's Geiger said.

Adding to the complexity, Geiger noted that the current definition doesn't distinguish between good faith security research and malicious criminals.

"There is currently no provision for making sure that the vulnerability, before it is disclosed, is patched," he said. "Part of the concern with the CRA is that you then end up EU-wide with a rolling list of software and vulnerabilities that may not yet be mitigated, shared with perhaps dozens of EU government agencies."

**Legal Aid for Security Researchers**

The Security Legal Research Fund will help good faith security researchers and penetration testers facing cease-and-desist letters, lawsuits, fines, and prosecution for disclosing vulnerabilities, said Tim Willis, head of Google's Project Zero team, during the media briefing.

"My hope in the long term for this fund is that the chilling effect that is currently felt by security researchers is reversed over time. One thing that all these parties can agree on is that users lose when things don't get fixed quickly," Willis said.

Geiger emphasized that the effort would focus on protecting ethical hackers who only use their research to protect users.

"The fund is not looking at helping good faith security researchers who are sued for something like extortion if they, in fact, committed extortion," Geiger said. "It will be for the act of good faith security research or the act of vulnerability disclosure connected with that good faith security research."

Amie Stepanovich, VP of US policy at the Future of Privacy Forum and a Security Research Legal Defense Fund board member, said each request will be considered based on the scope and merit of the case and the applicant's financial resources.

"We are going to be targeting funds to where they're needed most," Stepanovich said. "We want to be able to help as many people as possible in as dire need as possible, and so we will be making decisions about amounts based on the case and the need and what the actual factual circumstances are."

Google is seeding the Security Legal Research Fund with an undisclosed amount, but the fund would be operated by the Center for Cybersecurity Policy & Law to ensure no one company has influence or receives favor over how the funds are used. Willis urged other companies to also contribute to the fund.

Omdia analyst Curtis Franklin believes the fund and counsel further validate and support independent researchers' role in finding vulnerabilities.

"Independent researchers are a necessary part of our security infrastructure right now, and I think it's good that this is being recognized and that these companies want to take the steps of having more formal legal recognition of that," Franklin says. "Our systems are now sufficiently complex that no one company can find all of the vulnerabilities that exist and all of the interactions that exist in their systems, either before or after they're released."

New Policy Group Wants to Improve Cybersecurity Disclosure, Support Researchers

The Open Source Security Foundation's SLSA v1.0 release is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.

The Open Source Security Foundation (OpenSSF) has released v1.0 of Supply-chain Levels for Software Artifacts (SLSA) with specific provisions for the software supply chain.

Modern application development teams regularly reuse code from other applications and pull code components and developer tools from myriad sources. Research from Snyk and the Linux Foundation last year found that 41% of organizations didn't have high confidence in open source software security. With supply chain attacks posing an ever-present and ever-evolving threat, both software development teams and security teams now recognize that open source components and frameworks need to be secured.

SLSA is a community-driven supply chain security standards project backed by major technology companies, such as Google, Intel, Microsoft, VMware, and IBM. SLSA focuses on increasing security rigor within the software development process. Developers can follow SLSA's guidelines to make their software supply chain more secure, and enterprises can use SLSA to make decisions about whether to trust a software package, according to the Open Source Security Foundation.

SLSA provides a common vocabulary to talk about software supply chain security; a way for developers to assess upstream dependencies by evaluating the trustworthiness of source code, builds, and container images used in the application; an actionable security checklist; and a way to measure compliance with the forthcoming Secure Software Development Framework (SSDF).

The SLSA v1.0 release divides SLSA’s level requirements into multiple tracks, each one measuring a particular aspect of software supply chain security. The new tracks will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, the OpenSSF says. SLSA v1.0 also provides more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format.

The Build Track Levels 1-3, which roughly correspond to Levels 1-3 in earlier SLSA versions, describes levels of protection against tampering during or after software build. The Build Track requirements reflect the tasks required: producing artifacts, verifying build systems, and verifying artifacts. Future versions of the framework will build on requirements to address other aspects of the software delivery life cycle.

Build L1 indicates provenance, showing how the package was built; Build L2 indicates signed provenance, generated by a hosted build service; and Build L3 indicates the build service has been hardened.

The higher the level, the higher the confidence that a package can be traced back to its source and has not been tampered with, OpenSSF said.

Software supply chain security is a key component of the Biden administration's US National Cybersecurity Strategy, as it pushes software providers to assume greater responsibility for the security of their products. And recently, 10 government agencies from seven countries (Australia, Canada, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States) released new guidelines, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," to urge software developers to take necessary steps to ensure they are shipping products that are both secure by design and by default. That means removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

As part of securing the software supply chain, security teams should be engaging with developers to educate them about secure coding practices and tailoring security awareness training to include the risks surrounding the software development life cycle.

OpenSSF Adds Software Supply Chain Tracks to SLSA Framework

**DENVER****,** **April 20, 2023** **/PRNewswire/ --** Red Canary, a leader in managed detection and response, launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. Now any company can improve their incident response preparedness by empowering their security teams to practice and validate the skills, processes, and playbooks required to quickly respond to cyber and business continuity threats.

The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that combines training, tabletops, and atomic tests in one experience. With Readiness Exercises available today, cybersecurity professionals get on-demand content and expert training at their fingertips, making it easy for companies to skill up employees, no matter where they are.

**Enterprises must maintain a skilled and ready workforce to face today's top cybersecurity threats**

Adversaries are becoming faster and more efficient at distributing and scaling cyberattacks. Rather than infrequent and one-size-fits-all training, continuous learning is critical to keep pace with the evolving threat landscape.

Readiness scenarios are ripped from the headlines and informed by Red Canary's leading threat intelligence and adversary research from its Managed Detection and Response (MDR) solution, which conducts millions of investigations per year. This expertise is mapped to industry-standard frameworks, such as NIST and MITRE ATT&CK®, to ensure teams are practicing the most critical scenarios. Training can be self-guided or facilitated, ranging from 20 minutes to 2 hours, and prepares teams to face incidents involving business email compromise, ransomware, and other threats including Qbot and Raspberry Robin.

"We have previously invested in cybersecurity training but have had mixed results. The exercises don't always relate to the threats that matter most to us, and the lessons are infrequent and don't always stick," said Michael Strong, Chief Security Officer, GCI. "This is why we are so excited about Readiness Exercises. Now our team can continuously train and benchmark our progress, learning from the Red Canary team who respond to real-world threats daily. It gives me confidence knowing that we're better prepared for the next threat that comes our way."

"Just having an incident response plan and a set of playbooks is no longer enough. That plan and those playbooks must be put to the test regularly and refined to keep up with evolving threats," wrote Jess Burn, Sr. Analyst, Forrester in an April 2022 blog post.

Readiness Exercises foster continuous learning, which drives both employee and business success through:

*   **Continuously improving your readiness:** Benchmark current skill levels against industry standards through frequent feedback and scoring. Onboard new team members and establish a culture of consistent skill improvement.
*   **Training for real-world threats:** Continuously practice and validate team preparedness against realistic scenarios based on trending adversary groups, tools, and MITRE ATT&CK® techniques.
*   **Get training, tabletops, and atomic tests in one experience:** Bring together disparate learning tools and run them in your environment to maximize their relevance and impact.

"We're excited to announce the launch of Readiness Exercises, a comprehensive solution that combines tabletop exercises, cybersecurity training, and atomic testing into a seamless, continuous learning experience," said Brian Beyer, CEO of Red Canary. "With this innovative product, we're reinventing the way organizations approach cybersecurity training and prepare for real-world threats."

**Learn more**

*   Learn more about Readiness
*   Watch the Readiness Exercises video
*   Register for the Readiness webinar

**Availability** 

Red Canary Readiness launched today, with Red Canary Readiness Exercises generally available now.

**About Red Canary**

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers' cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.

SOURCE Red Canary

Red Canary Announces Readiness

Heading to San Francisco next week? Here are all the Talos and Cisco Secure talks and events you won't want to miss.

Thursday, April 20, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

We’re firing up the conference circuit again for 2023, kicking things off next week with the RSA Conference in San Francisco. Cisco has a ton of exciting announcements, keynotes and talks lined up for the week, but there are also plenty of Talos-focused events to take in.

We’ll be at our own booth giving “flash talks” throughout the conference and will generally be around to answer questions about Talos, provide service demos and talk about the latest security offerings from Cisco. In case you’re having a hard time finding the Cisco booth, use RSA’s map here. The main Talos team will be at North Expo N-5845 and Cisco Talos Incident Response will be at South Expo S-1027.

Here are some of the other major events at RSA that we’re taking part in.

*   Brad Garnett, the head of Cisco Talos Incident Response, is joining the Cisco Secure Security Stories podcast for a live recording on Tuesday the 25th at 11 a.m. PT inside the Customer Lounge at the Marriott Marquis. Head up to the fifth floor and look for the Sierra K room! Brad will be discussing the latest trends and attacker TTPs his team is seeing in the field.
*   Cisco has a special sponsored talk on Wednesday the 26th from 9:40 – 10:30 a.m. PT with Nick Biasini, the head of Talos Outreach, and AJ Shipley, Cisco Secure’s vice president of product management for threat, detection and response. This session will analyze why industry partnerships are a must for security to win. Come meet A.J. and Nick in the Moscone South building, or if you can’t make it, a recording will be available for RSA attendees.
*   There will be two live Beers with Talos episodes on the 26th at 2 p.m. PT and the 27th at 9 a.m. PT. Join the BWT gang for gameshows, security hot takes and general debauchery. Both recording sessions will be in the Customer Lounge.
*   If you want a chance to meet the BWT hosts and some other special Talos guest, join us in the Customer Lounge on Wednesday at 4 p.m. PT for a meet-and-greet and networking session. This is an open session with Talos experts, Beers with Talos and members of the Cisco CISO Advisory panel.
*   The latest episode of ThreatWise TV from (now Talos’ own!) Hazel Burton also has a rundown of everything you can expect from Cisco and Talos at RSA. You can also read Cisco’s preview blog post here.

**The one big thing**

The UK’s National Cyber Security Center (NCSC) released a report this week on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco published a patch for in 2017. This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.

**Why do I care?**

In short, there are extremely sophisticated actors who are increasingly targeting network infrastructure devices from a variety of manufacturers. Talos and Cisco are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.

**So now what?**

Relying on out-of-date gear or utilizing out-of-date protocols and technologies will eventually cost your organization. Work with your vendor to give yourself the best chance of defending your environment. Talos’ blog also has a series of recommendations for defending and updating aging network infrastructure. For the specific Jaguar Tooth campaign, users who haven’t already should patch affected devices immediately.

**Top security headlines of the week**

**A 21-year-old was arrested for allegedly leaking sensitive Pentagon and Department of Defense documents and images on a Discord server.** The images eventually made their way onto other popular social media platforms in the public eye. The U.S. military is increasingly relying on Discord and other emerging social platforms for recruitment but has become a popular place for leakers to share secrets and other sensitive information. One of the other users on the Discord server where the most recent slate of images was leaked said the alleged leaker wanted to make sure “we know what’s going on with our tax dollars,” though the user who spoke to CNN was only 17 years old.  A 2021 report from the U.S. House of Representatives found that user moderation on platforms like Discord is not enough to prevent leaks, saying “the risks of relying too much on user moderation when the userbase may not have an interest in reporting problematic content.” (Washington Post, Slate, CNN)

The U.S. Cybersecurity and Infrastructure Security Agency **released new guidance for software manufacturers to adopt secure-by-design principles** and make the software more secure from the start of its lifecycle rather than being tacked on as later patches. Some of the major recommendations include having companies take ownership of the security implications of their products, embracing “radical transparency” toward security issues and ensuring there is support from company leadership to prioritize product security.  Other federal agencies from Australia, Canada, the United Kingdom, Germany, Netherlands and New Zealand published similar guidelines. (FedScoop, CISA)

**Montana is set to be the first U.S. state to ban downloads of the popular social media app TikTok,** citing security and data privacy concerns related to the app’s Chinese owners. The bill, which is set to be signed into law soon, is likely to spark a Constitutional debate around First Amendment freedom of speech protections and national digital privacy law. The state is likely to also face technical challenges around restricting downloads, and access to, the app. Company representatives from TikTok called the bill an "attempt to censor American voices” and “egregious government overreach.” A similar ban is being considered in U.S. Congress but faces a more uphill battle than in Montana’s Republican-controlled legislature. (Wired, Buzzfeed)

**Can’t get enough Talos?**

*   Talos Takes Ep. #134: How to best prepare for, and respond to, supply chain attacks
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 7 – 14
*   Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 20, 2023) — Preview of Cisco and Talos at RSA

Today's LLMs pose too many trust and security risks.

_The Berryville Institute of Machine Learning (BIML) recently attended_ _Calypso AI’s Accelerate AI 2023_ _conference in Washington, DC. The meeting included practitioners from both government and industry, regulators, and academics. I participated in a very timely panel entitled "Emerging Risks and Opportunities of LLMs in the NATSEC and Beyond." That panel spurred this article._

_None of the content in this column was created by an LLM._

Large language models (LLMs) are a kind of machine learning system that has taken the world by storm. ChaptGPT (aka GPT-3.5), an LLM produced and fielded by OpenAI, is one of the most pervasive and popular of the many generative AI models for text. Other generative models include the image generators Dall-E, Midjourney, and Stable Diffusion, and the code generator Copilot.

LLMs and other generative tools present incredible opportunities for applications, and the rush to field such systems is in full gallop. LLMs have the potential to be lots of fun, solve hard problems in science, help with the thorny problems of knowledge management, create interesting content, and most importantly in my view, move the world a little closer to artificial general intelligence (AGI) and a theory of representation that produces massive cognitive science breakthroughs.

But using today's nascent LLMs — and any generative AI tools — comes with real risks.

**Of Parrots and Pollution**

LLMs are trained on massive corpuses of information (300 billion words, mostly scraped from the Internet) and use auto-association to predict the next word in a sentence. As such, most scientists agree that LLMs do not really "understand" anything or do any real thinking. Rather, they are "stochastic parrots," as some researchers call them. LLMs still do generate impressive streams of text, in context, and in an often useful and deeply surprising manner.

Feedback loops are an important class of problem in all kinds of ML models (and one that BIML introduced several years ago as “\[raw:8:looping\]”). Here is what we said at the time:

_Model confounded by subtle feedback loops. If data output from the model are later used as input back into the same model, what happens? Note that this is rumored to have happened to Google translate in the early days when translations of pages made by the machine were used to train the machine itself. Hilarity ensued. To this day, Google restricts some translated search results through its own policies_.

Imagine what will happen when a majority of what can be easily scraped from the Internet is generated by AI models of dubious quality, and then these LLMs start to eat their own tails. Talk about information pollution.

Some AI researchers and information security professionals are already deeply worried about information pollution today, but an infinite spewing information pollution pipeline sounds bad.

**Mansplaining-as-a-Service**

LLMs are very good B.S. artists. These models regularly express incorrect opinions and alternative facts with great confidence, and often make up information to justify their answers in a conversation (including pretend scientific references). Imagine what happens when average knowledge as scraped from the Internet — which includes lots of wrong things — is used to create new content.

The ultimate "reply guy" is not who we need writing news stories for us in the future. Facts actually do matter.

**Mirroring Broken Security**

LLMs are often trained on data that is biased in many ways. Sexist, racist, xenophobic, and misogynistic systems can and will be modeled from data sets originally collected when society was less progressive. Bias is a serious issue in LLMs, and one that operational Band-Aids are unlikely to fix.

**Trusting Deepfakes**

Deepfakes are a side effect of generative AI that has been discussed for some time. Fakes or spoofing are always a risk in security, but the capacity to make higher-quality fakes that are easy to believe is here. There are some obvious worst-case scenarios: moving markets, causing wars, inflaming cultural divides, and so on. Careful where that video came from.

**Automating Everything**

Generative models like LLMs have the capacity to replace lots of jobs, including low-level white collar jobs. Millions of people get plenty of satisfaction out of their jobs, but what if all of those jobs are willy-nilly replaced by ML systems that are cheaper to operate? We already see this with some writing content-creation jobs in local sports stories and marketing copy, for example. Should LLMs be writing our articles? Should they be practicing law? How about doing medical diagnosis?

**Using a Tool for Evil**

Generative AI can create some fun stuff. If you haven’t played with ChapGPT, you should give it a shot. I haven’t had this much fun with new technology since I got my first Apple \]\[+ in 1981, or since Java applets came out in 1995.

But the power of generative AI can be used for evil as well. For example, what if we put ML to the task of designing a novel virus with the propagation capability of COVID and the delayed onset parameters of rabies? Or how about the task of creating a plant with pollen that is also a neurotoxin. If I can think up these dastardly things in my kitchen, what happens when a real evil person starts brainstorming with ML?

Tools have no intrinsic morality or ethics. And for the record, the idea of "protecting prompts" is a pretend solution akin to protecting supercomputer access with command-line filtering.

**Holding Information in a Broken Cup**

Data moats are a thing now. That’s because if an ML model (with the help of humans) can get to your data and learn how to profitably parrot what you do by training on your data, it will. This leads to multiple risks best solved by carefully protecting your data sets instead of cramming them unto an ML model and fielding the model to the general public. In the gold rush world of ML, the gold is data.

Protecting data is harder than it sounds. Think how the government's current information classification system can't always protect classified information. Clearly, protecting sensitive and confidential information is already a huge challenge, so imagine what happens when we intentionally train up our ML systems on confidential information and set them out into the world.

Extraction and transfer attacks exist today, so be careful what you pour in your ML cup.

**What Should We Do About LLM Risk?**

So should we put some kind of magic moratorium on ML research for a few months as some technologists have self-servingly suggested? No, that's just silly. What we need to do is recognize these risks and face them directly.

The good news is that an entire industry is being built around securing ML systems, which I call machine learning security or MLsec. Check out what these new hot startups are building to control ML risk — but do so with a skeptical and well-informed eye.

Expert Insight: Dangers of Using Large Language Models Before They Are Baked

A heap-based buffer overflow vulnerability exists in the TriangleMesh clone functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially-crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the TriangleMesh clone functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially-crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Slic3r libslic3r 1.3.0  
Slic3r libslic3r Master Commit b1a5500

**PRODUCT URLS**

libslic3r - http://slic3r.org

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-130 - Improper Handling of Length Parameter Inconsistency

**DETAILS**

Slic3r is an open-source 3D printing toolbox, mainly utilized for translating 3D printing model file types into machine code for any printer. Slic3r uses libslic3er to do most of the non-GUI-based heavy lifting: reading various file formats, converting formats, and outputting appropriate gcode for the 3D printer’s given settings.

The libslic3r library, for parsing an STL file, will eventually execute the following function:

    bool
    STL::read(std::string input_file, TriangleMesh* mesh)
    {
        try {
            mesh->ReadSTLFile(input_file);
            mesh->check_topology();
        } catch (...) {
            throw std::runtime_error("Error while reading STL file");
        }
        return true;
    }
    

libslic3r heavily relies on ADMesh for several things, including STL manipulation. Indeed the ReadSTLFile function will eventually call ADMesh’s stl_open for parsing the STL file:

    stl_open(stl_file *stl, const ADMESH_CHAR *file) {
      stl_initialize(stl);
      stl_count_facets(stl, file);
      stl_allocate(stl);
      stl_read(stl, 0, 1);
      if (!stl->error) fclose(stl->fp);
    }
    

The function stl_count_facets will count how many triangles are present in the STL object provided. Then the stl_allocate will use that number to allocate the required number of facets:

    void
    stl_allocate(stl_file *stl) {
      [...]
      stl->facet_start = (stl_facet*)calloc(stl->stats.number_of_facets,
                                            sizeof(stl_facet));
      if(stl->facet_start == NULL) perror("stl_initialize");
      stl->stats.facets_malloced = stl->stats.number_of_facets;                                             [1]
    [...]
    }
    

The stl->stats.number_of_facets will be used to represent how many valid facets are in the stl->facet_start array. At [1], the number_of_facets is used to initialize the stl->stats.facets_malloced parameter. This parameter represents the actual number of elements allocated for the stl->facet_start array. At this point stl->stats.facets_malloced and stl->stats.number_of_facets coincide. Allegedly stl->stats.facets_malloced will always coincide with the actual allocated space for stl->facet_start.

The check_topology function eventually will remove the degenerate facets, the ones that do not form a valid triangle (for example, if two of the three vertices of any provided triangles are the same, they are removed).

libslic3r, during the read STL phase, will eventually reach the copy constructor for TriangleMesh:

    TriangleMesh::TriangleMesh(const TriangleMesh &other)
        : stl(other.stl), repaired(other.repaired)
    {
        this->clone(other);
    }
    

This copy constructor will essentially copy 1-to-1 many parameters, including the stl->stats.facets_malloced parameter, and then call the clone function:

    void TriangleMesh::clone(const TriangleMesh& other) {
        [..]
        if (other.stl.facet_start != NULL) {
            this->stl.facet_start = 
                      (stl_facet*)calloc(other.stl.stats.number_of_facets, sizeof(stl_facet));              [2]
            std::copy(
                      other.stl.facet_start, 
                      other.stl.facet_start + other.stl.stats.number_of_facets,
                      this->stl.facet_start);                                                               [3]
        }
        [..]
    }
    

This function will manage the pointers of the new objects, creating new arrays and copying the contents from the other argument. For instance, at [2], the this->stl.facet_start, array that contains the actual facets, is allocated, and then, at [3] is populated with the original object contents.

After the whole copy constructor procedure stl->stats.facets_malloced could not coincide anymore with the actual allocated space for stl->facet_start . Indeed, stats.facets_malloced is copied as it is, but the stats.number_of_facets can be less than the allocated spaces (for instance, for the removed degenerate facets). After the copy constructor, the object could have a stl.facet_start that is allocated with a smaller number than stats.facets_malloced. Because these variable are used in the ADMesh’s functions to understand if it is required to allocate more space for the stl.facet_start array, this problem can lead to a heap buffer overflow.

For example, the function used to add a facet is ADMesh’s stl_add_facet:

    void
    stl_add_facet(stl_file *stl, stl_facet *new_facet) {
      if (stl->error) return;
    
      stl->stats.facets_added += 1;
      if(stl->stats.facets_malloced < stl->stats.number_of_facets + 1) {                                    [4]
        [... Allocate more space ...]
      }
      stl->facet_start[stl->stats.number_of_facets] = *new_facet;                                           [5]
    
      [...]
    }
    

We can analyze at [4] the stl object, loading a specific STL, to realize that a buffer overflow could occur:

    (gdb) p *stl
    $5 = {
      [..]
      facet_start = 0x9b5c70,
      [...]
      stats = {
    
        number_of_facets = 0x3,
        [..]
        facets_malloced = 0x4,
        [...]
      },
    [...]
    }
    

Above it is shown that the stl object has stats.number_of_facets=3 and stats.facets_malloced=4.

    (gdb) heap chunk stl->facet_start
    Chunk(addr=0x9b5c70, size=0xb0, flags=PREV_INUSE)
    Chunk size: 176 (0xb0)
    Usable size: 168 (0xa8)
    [...]
    

The facet_start has size 0xa8. So, the number of elements in the array is:

    (gdb) p 0xa8/sizeof(stl_facet)
    $15 = 0x3
    

With the example provided, at [4], the branch will not be taken and so no reallocation will take place. This will cause a heap buffer overflow at [5].

**Crash Information**

    ==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000133c at pc 0x556e0e8d47c6 bp 0x7ffc72e7a6a0 sp 0x7ffc72e7a698
    WRITE of size 52 at 0x60e00000133c thread T0
        #0 0x556e0e8d47c5 in stl_add_facet /app/Slic3r/xs/src/admesh/connect.c:977
        #1 0x556e0e8d3fd3 in stl_fill_holes /app/Slic3r/xs/src/admesh/connect.c:935
        #2 0x556e0e8eb2a9 in stl_repair /app/Slic3r/xs/src/admesh/util.c:589
        #3 0x556e0e621c63 in Slic3r::TriangleMesh::repair() /app/Slic3r/xs/src/libslic3r/TriangleMesh.cpp:186
        #4 0x556e0e59229e in Slic3r::ModelObject::repair() /app/Slic3r/xs/src/libslic3r/Model.cpp:602
        #5 0x556e0e58b522 in Slic3r::Model::repair() /app/Slic3r/xs/src/libslic3r/Model.cpp:211
        #6 0x556e0e505745 in main /app/Slic3r/src/slic3r.cpp:20
        #7 0x7f6f0cbee81c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2381c)
        #8 0x556e0e5054f9 in _start (/app/Slic3r/build/slic3r+0x6f4f9)
    
    0x60e00000133c is located 0 bytes to the right of 156-byte region [0x60e0000012a0,0x60e00000133c)
    allocated by thread T0 here:
        #0 0x7f6f0d1f0987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
        #1 0x556e0e621339 in Slic3r::TriangleMesh::clone(Slic3r::TriangleMesh const&) /app/Slic3r/xs/src/libslic3r/TriangleMesh.cpp:103
        #2 0x556e0e621035 in Slic3r::TriangleMesh::TriangleMesh(Slic3r::TriangleMesh const&) /app/Slic3r/xs/src/libslic3r/TriangleMesh.cpp:85
        #3 0x556e0e59ae10 in Slic3r::ModelVolume::ModelVolume(Slic3r::ModelObject*, Slic3r::TriangleMesh const&) /app/Slic3r/xs/src/libslic3r/Model.cpp:1054
        #4 0x556e0e590ce5 in Slic3r::ModelObject::add_volume(Slic3r::TriangleMesh const&) /app/Slic3r/xs/src/libslic3r/Model.cpp:499
        #5 0x556e0e524c80 in Slic3r::IO::STL::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, Slic3r::Model*) /app/Slic3r/xs/src/libslic3r/IO.cpp:59
        #6 0x556e0e5056ef in main /app/Slic3r/src/slic3r.cpp:19
        #7 0x7f6f0cbee81c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2381c)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /app/Slic3r/xs/src/admesh/connect.c:977 in stl_add_facet
    Shadow bytes around the buggy address:
      0x0c1c7fff8210: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8230: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c1c7fff8250: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8260: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
      0x0c1c7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==8==ABORTING
    

**TIMELINE**

2022-09-01 - Vendor Disclosure  
2023-04-03 - Last Contact Date  
2023-04-20 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#intel