In last year's edition of the Security Navigator we noted that the Manufacturing Industry appeared to be totally over-represented in our dataset of Cyber Extortion victims. Neither the number of businesses nor their average revenue particularly stood out to explain this.
Manufacturing was also the most represented Industry in our CyberSOC dataset – contributing more Incidents than any other

In last year's edition of the Security Navigator we noted that the Manufacturing Industry appeared to be totally over-represented in our dataset of Cyber Extortion victims. Neither the number of businesses nor their average revenue particularly stood out to explain this.

Manufacturing was also the most represented Industry in our CyberSOC dataset – contributing more Incidents than any other sector.

We found this trend confirmed in 2023 – so much in fact that we decided to take a closer look. So let's examine some possible explanations.

And debunk them.

****Hunting for possible explanations****

Manufacturing is still the most impacted industry in our Cyber Extortion dataset in 2023, as tracked by monitoring double-extortion leak sites. Indeed, this sector now represents more than 20% of all victims since we started observing the leak sites in the beginning of 2020.

Approximately 28% of all our clients are from Manufacturing, contributing with an overall share of 31% of all potential incidents we investigated.

We note that 58% of the Incidents this industry deals with are internally caused, 32% were externally caused, 1% was classified as "Partner" or 3rd parties. When external threat actors had caused the security incident, we observed the top 3 threat actions were Web Attacks, Port Scanning and Phishing.

On the other hand, Manufacturing has the lowest apparent number of confirmed security vulnerabilities per IT Asset in our Vulnerability scanning dataset. Our pentesting teams on the other hand report 4.81 CVSS findings per day, which is quite a bit above the average of 3.61 across all other industries.

**Several questions present themselves, which we will attempt to examine here:**

1.  What part does Operation Technology play?
2.  Are businesses in Manufacturing more vulnerable?
3.  Is the Manufacturing sector being deliberately targeted more?
4.  Do our Manufacturing clients experience more incidents?

****What part does OT play?****

A tempting assumption to make is that businesses in the Manufacturing sector are compromised more often via notoriously insecure Operational Technology (OT) or Internet of Things (IoT) systems. Plants and factories can often not afford to be disrupted or shut down and that Manufacturing is therefore a soft target for extortionists.

It sure sounds plausible. The catch is: we don't see these theories supported in our data.

The attack against US Energy giant Colonial Pipeline was probably the most notable recent example of a successful attack against an industrial facility.

Discover the latest in cybersecurity with comprehensive "**Security Navigator 2023**" report. This research-driven report is based on 100% first-hand information from 17 global SOCs and 13 CyberSOCs of Orange Cyberdefense, the CERT, Epidemiology Labs and World Watch and provides a wealth of valuable information and insights into the current and future threat landscape.

In July this year US intelligence agencies even warned of a hacking toolset dubbed 'Pipedream' that is designed target specific Industrial Control Systems. But it is not clear to us if or when these tools have ever been encountered in the wild. Apart from the infamous Stuxnet attack from 2010, one struggles to recall a single cyber security incident where the entry point was an OT system.

At Colonial Pipeline the backend 'conventional' administrative systems were compromised first. Looking more closely, this is the case for almost all reported incidents at industrial facilities.

****Are businesses in the Manufacturing sector more vulnerable to attacks?****

To answer this questions we examined a set of 3 million vulnerability scan findings, and a sample of 1,400 Ethical Hacking reports.

We derived three metrics that facilitate somewhat normalized comparisons across the industries in our client base:

****VOC scanning findings per asset, time to patch, Pentest findings per day of testing.****

If we rank industries for their performance on each of those metrics and sort from worst to best, then our clients in the Manufacturing sector arrives in 5th place out of 12 comparable industries.

The chart below shows the overall \*ranking\* of our Manufacturing clients out of comparable industries.

****VOC unique findings/asset****

On this metric there were seven other industries that performed better than Manufacturing.

While we have a comparatively high number of assets from Manufacturing clients in our scanning dataset, we report far fewer Findings per Asset than the average across all industries. Almost 10 times fewer, in fact.

****Time to patch****

On this metric 6 other industries ranked better than Manufacturing. The average age of all findings for this industry is 419 days, which is a concerning number and worse than recorded for eight other industries in this dataset.

****Pentesting findings****

We observe that the average CVSS Per Day was 4.81, compared to 3.61 on average for clients in all other sectors in the dataset – 33% higher.

****Is the Manufacturing sector being targeted more by extortionists?****

We use the North American Industry Classification System – NAICS - classification system when categorizing our clients.

A consideration of double-extortion victim counts per industry reveals a very interesting pattern: Of the 10 industries with the most recorded victims in the dataset, 7 are also counted amongst the biggest industries by entity count.

Manufacturing however, is a clear trend-breaker.

Another factor raises questions: if businesses in the Manufacturing sector were more willing to pay ransom that would make them more attractive as victims. But then we would expect to see such businesses featuring on the 'name and shame' leak site less often, not more.

****Do our Manufacturing clients experience more incidents?****

The Manufacturing industry once again generated the highest number of Incidents as a percentage of the total in our CyberSOC dataset. 31% of all Incidents are generated for the 28% of our clients that are from this sector.

The Incident data lacks context, however. To establish a baseline for comparison, we assign customers a 'Coverage Score' between 0 and 5 in 8 different 'domains' of Threat Detection, accounting for a maximum total detection score of 40.

We use the coverage score to normalize the incident count. Put simply, the lower a client's assessed coverage score is, the more this adjustment will 'boost' the number of Incidents in this comparison. The logic is that a low amount of coverage will just not show us a lot of incidents, though they very likely occurr.

If we adjust the True Positive and False Positive Incidents as described above, we still see more than seven times as many Incidents per clients from Manufacturing than the average for all industries.

In a similar comparison, limited only to Perimeter Security, and only Medium Sized business, Manufacturing ranks 1st with the most Incidents per Customer out of 7 comparable Industries.

****Conclusion****

We ruled out a massive impact of OT security vulnerabilities, and therefore focus on regular IT systems. Our scanning teams assessed a large number of targets but reported relatively few vulnerabilities per asset. Overall, we rank the Manufacturing sector as 5th or 6th weakest of all industries from a vulnerability point of view.

The question of why we consistently record such a high proportion of victims from the Manufacturing industry is not readily answered with the data we have. We believe that in the end it still comes down to the level of vulnerability, best reflected in our Penetration Testing, and Findings Age data.

All of our data points to the fact that attackers are mostly opportunistic. Rather than deliberately singling industries out, they simply compromise businesses that are vulnerable.

The customers represented in our datasets have engaged with us for Vulnerability Assessment or Managed Detection, and therefore represent relatively 'mature' examples of that industry. We can deduce that average businesses in this sector would benchmark worse in terms of vulnerabilities. Whether the high number of victims we observe on attacker leak-sites is a direct reflection of the high number of overall victims in this sector, or the skewed reflection of an industry that refuses to concede to initial ransom demands, is not entirely clear.

What does appear likely, however, is that vulnerability is the primary factor that determines which businesses get compromised and extorted – in this sector as much as any other.

This is just an excerpt of the analysis. More details on how different Industries performed in comparison to others, as well as more CyberSOC, Pentesting and VOC data (along with plenty of other interesting research topics) can be found in the Security Navigator. It's free of charge, so have a look. It's worth it!

_**Note:** This article has been written and contributed by Charl van der Walt, Head of Security Research at Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

What's Wrong with Manufacturing?

Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.

In early March, a customer called in Fortinet's incident response team when multiple FortiGate security appliances stopped working, entering an error mode after the firmware failed an integrity self test.

It was a cyberattack, which led to the discovery of the latest vulnerability in Fortinet devices, a medium severity but highly exploitable bug (CVE-2022-41328) that allows a privileged attacker to read and write files. The threat group, which Fortinet labeled as an "advanced actor," appeared to be targeting government agencies or government-related organizations, the company stated in a recent analysis of the attack.

Yet the incident also shows that attackers are giving Fortinet devices significant attention. And the attack surface is wide: So far this year, 60 vulnerabilities in Fortinet products have been assigned CVEs and published in the National Vulnerability Database, double the rate at which flaws were disclosed in Fortinet devices in the previous peak year, 2021. Plenty are critical, too: Earlier this month, Fortinet revealed that a critical buffer underwrite vulnerability in FortiOS and FortiProxy (CVE-2023-25610) could allow a remote unauthenticated attacker to run any code on a variety of appliances.

Interest is high, as well. In November, for example, one security firm warned that a cybercriminal group was selling access to compromise FortiOS devices on a Russian Dark Web forum. But whether the vulnerabilities have spurred attention, or vice versa, is moot, says David Maynor, senior director of threat intelligence at Cybrary, a security training firm.

"Attackers smell blood in the water," he says. "The number and frequency of remotely exploitable vulnerabilities over the last two years has increased at a breakneck speed. If there is a nation-state group that isn't integrating Fortinet exploits, they are slouching on the job."

Like other network security appliances, Fortinet devices inhabit the critical point between the Internet and internal networks or applications, making them a valuable target to compromise for attackers looking for a foothold into corporate networks, the research team from threat intelligence firm GreyNoise Research said in an email interview with Dark Reading.

"A large majority of Fortinet devices are edge devices, and as a result are commonly Internet facing," the team said. "This is true of all edge devices. If an attacker is going to go through the effort of an exploitation campaign the volume of edge devices make\[s\] for a valuable target."

The researchers also warned that Fortinet is not likely alone in the crosshairs of attackers.

"All edge devices from any vendors will have vulnerabilities sooner or later," GreyNoise Research said.

**Fortinet Attack Detailed**

Fortinet described the attack on its customers' devices in some detail in its advisory. The attackers had used the vulnerability to modify the device firmware and add a new firmware file. The attackers gained access to the FortiGate devices via the FortiManager software and modified the devices' start-up script to maintain persistence.

The malicious firmware could have allowed for data exfiltration, the reading and writing of files, or given the attacker a remote shell, depending on the command the software received from the command-and-control (C2) server, Fortinet stated. More than a half dozen other files were modified as well.

The incident analysis, however, lacked several critical pieces of information, such as how the attackers gained privileged access to the FortiManager software and the date of the attack, among other details. 

When contacted, the company issued a statement in response to an interview request: "We published a PSIRT advisory (FG-IR-22-369) on March 7 that details recommended next steps regarding CVE-2022-41328," the company said. "As part of our ongoing commitment to the security of our customers, Fortinet shared additional detail and analysis in the March 9 blog post and continue to advise customers to follow the guidance provided."

Overall, by finding and disclosing the vulnerability, and publishing an analysis of their incident response, Fortinet is doing the right things, the GreyNoise Research team told Dark Reading.

"They published a detailed analysis two days later including an executive summary, as well as a massive \[number\] of accurate details about the nature of the vulnerability and the activity of the attacker, providing defenders \[with\] actionable intelligence," the team stated. "Fortinet chose to clearly, timely, and accurately communicate about this vulnerability."

Cyberattackers Continue Assault Against Fortinet Devices

Evgenii Serebriakov now runs the most aggressive hacking team of Russia’s GRU military spy agency. To Western intelligence, he’s a familiar face.

For years, the hacking unit within Russia's GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history—blackouts, fake ransomware, data-destroying worms—from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments, perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.

The passport Evgenii Serebriakov used to enter the Netherlands in 2018.

Photograph: Department of Justice

The commander of Sandworm, the notorious division of the agency's hacking forces responsible for many of the GRU's most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

In that foiled operation, Dutch law enforcement didn't just identify and arrest Serebriakov and his team, who were part of a different GRU unit generally known as Fancy Bear or APT28. They also seized Serebriakov’s backpack full of technical equipment, as well as his laptop and other hacking devices in his team’s rental car. As a result, Dutch and US investigators were able to piece together Serebriakov's travels and past operations stretching back years and, given his newer role, now know in unusual detail the career history of a rising GRU official.

According to the intelligence service sources, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead Russia-focused investigator for open source intelligence outlet Bellingcat, has also noted Serebriakov's rise: Around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency's strict hierarchy, only speak to higher-level officials. Grozev, who says he bought the phone data from a Russian black market source, says he also saw the GRU agent's number appear in the phone records of another powerful military unit focused on counterintelligence. "I realized he must be in a command position," says Grozev. "He can't just be a regular hacker anymore."

The fact that Serebriakov appears to have attained that position despite having been previously identified and indicted in the failed Netherlands operation suggests that he must have significant value to the GRU—that he's “apparently too good to dump,” Grozev adds.

Serebriakov's new position leading Sandworm—officially GRU Unit 74455 but also known by the nicknames Voodoo Bear and Iridium—puts him in charge of a group of hackers who are perhaps the world's most prolific practitioners of cyberwar. (They've also dabbled in espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government's unprecedented campaign of cyberattacks on Ukraine: It penetrated electric utilities in western Ukraine and Kyiv to cause the first- and second-ever blackouts triggered by hackers and targeted Ukrainian government agencies, banks, and media with countless data-destructive malware operations. In 2017, Sandworm released NotPetya, a piece of self-replicating code that spread to networks worldwide and inflicted a record $10 billion in damage. Sandworm then went on to sabotage the 2018 Winter Olympics in Korea and attack TV broadcasters in the nation of Georgia in 2019, a shocking record of reckless hacking.

With Russia's full-scale invasion of Ukraine a year ago, the GRU's most aggressive hacking unit, now under Serebriakov's leadership, has refocused its efforts on that country. From its headquarters in a tower in the Moscow suburb of Khimki, it has launched new volleys of data-destroying malware, attempted to cause a third blackout—which the Ukrainian government says it prevented—and bombarded Ukrainian and Polish organizations with a fake ransomware campaign known as Prestige.

Serebriakov's pre-Sandworm hacking career was no less brazen. When he was captured along with the six other GRU agents in the Netherlands in 2018, US prosecutors say, he had in his backpack a Wi-Fi Pineapple, a book-sized device designed to spoof Wi-Fi networks and trick victims into connecting to it instead of the intended Wi-Fi hot spot, then carry out man-in-the-middle attacks that intercept or alter the victim's traffic. Serebriakov's team had also parked a rented car outside the Organization for the Prohibition of Chemical Weapons building with an antenna for Wi-Fi hacking hidden in the trunk. The team was likely targeting staffers of the OPCW who were investigating Russia's use of the Novichok nerve agent in the GRU's attempted assassination of defector Sergei Skripal.

Serebriakov posing with a Russian athlete at the Summer Olympics in Rio de Janeiro in 2016.

Photograph: Department of Justice

When investigators examined that confiscated Wi-Fi hacking equipment, they found evidence of a long list of Wi-Fi networks it had connected to previously, essentially mapping out the travels of Serebriakov and his colleagues to carry out previous hacking operations. The hackers, it seemed, had targeted officials at the 2016 Summer Olympics in Rio de Janeiro, from which more than 100 Russian athletes had been banned for performance-enhancing drug use, as well as attendees of a conference in Lausanne, Switzerland, focused on anti-doping efforts in athletics.

Exactly why Dutch authorities released Serebriakov and his fellow spies rather than criminally charge them—or extradite them to the US, where they face an indictment for hacking crimes—has never been explained, and the Dutch MIVD defense intelligence service didn't respond to WIRED's questions about it at the time.

That the figure at the helm of Sandworm today is someone previously identified in that very publicly blown Netherlands operation may demonstrate Serebriakov's value to the GRU: According to the intelligence service sources, he's regarded as having good connections to the security research community and strong technical skills. As for the fiasco of the GRU's Netherlands mission, the intelligence sources say that was blamed on the agents escorting him and his APT28 colleagues, not the hackers themselves. And in some cases, for the GRU, an indictment only bolsters an agent's reputation for boldness and risk-taking. “For the Kremlin, it may be ‘great, you’ve made a splash, built the myth, bolstered our reputation as these techno-raiders, good on you,’” says Gavin Wilde, a former official at the US National Security Agency and the White House National Security Council who now serves as a fellow at the Carnegie Endowment for International Peace.

But Serebriakov's reappearance also indicates that relatively few people serve as key players in high-profile state-sponsored hacking operations, says John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant. Hultquist was part of the group of researchers who initially discovered and named Sandworm, and he has closely tracked the unit for years. “This is someone from a notorious close-access operation, and then he shows up as the leader of another organization we know very well,” says Hultquist, using the term _close-access_ to refer to Serebriakov's short-range Wi-Fi hacking tactics in the Netherlands. “To a certain extent, it demonstrates how small this world is that we’re trying to keep tabs on.”

“The same individuals show up again and again—and I mean the people with the actual hands on the keyboard,” Hultquist adds. “It speaks to the limited number of people in the field. We're still living in a world where talent is apparently limited to the point where we know the adversaries intimately.”

This Is the New Leader of Russia's Infamous Sandworm Hacking Unit

Two gang members are being charged for allegedly threatening to release personal information and impersonating law enforcement in an effort to dox victims.

Two individuals, belonging to a crime group known as "Vile," are being charged with wire fraud and conspiracy to commit computer intrusions after allegedly breaching a law enforcement database and using stolen data to blackmail their victims. Members of the group threatened to release their personal information on public websites.

According to a press release published on March 14 from the US Attorney's Office in the Eastern District of New York, Sagar Steven Singh (19) and Nicholas Ceraolo (25) used the stolen password of a police officer to gain access into a database containing records of narcotics, currency seizures, and intelligence reports. It took the perpetrators only one day to begin extorting the subjects of the reports, threatening to harm their family members if they weren't provided with the victim's personal information, such as their Social Security numbers and home addresses, or payment to keep the information off of websites, an effort known as doxxing.

In addition to this, Singh used a foreign law enforcement officer's email address to contact social media companies for information on their users, purporting to need it for police investigations. Known as emergency requests, these are requests that governments can make to social media companies for user information; there are thousands made to companies every year. In fact, 75% of the time it was asked, Meta, formerly known as Facebook, gave up the requested information.

"As alleged, the defendants shamed, intimidated, and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens," stated United States Attorney Breon Peace in the press release. Both defendants face up to five years in prison, and Ceraolo faces up to 20 years.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Vile' Gang Duo Breaches Police Database, Impersonates Officers in Extortion Gambit

Protection laws are always evolving. Here's how you can streamline your compliance efforts     .

In the coming months, data protection laws will continue to evolve and strengthen, requiring organizations to refine their data protection policies and demonstrate how they safeguard customers' information. As part of the changing mandates, cybersecurity frameworks will also refine customer data retention regulations.

Understanding the ongoing changes to data privacy regulations is challenging enough for chief information security officers (CISOs) and their teams. Implementing the needed changes as they occur only adds complexity and confusion. This article explores changes to consumer privacy regulations and describes ways companies can streamline their compliance efforts.

This year, the US Department of Defense is expected to enhance its national cybersecurity standard for all contractors working with the federal supply chain and handling controlled unclassified information (CUI), and mandate Cybersecurity Maturity Model Certification (CMMC) program requirements. While this mandate does not directly affect many enterprises, the ruling will certainly affect other organizations that conduct indirect business with the federal supply chain, as well as those in the private market, requiring them to meet changing data protection laws that are pivotal to businesses' daily operations.

Additionally, the California Consumer Privacy Act (CCPA), one of the country’s more stringent consumer privacy laws, will introduce enhanced rights for individuals wishing to change their personal data or opt out of marketing and third-party communications — an important consideration given the many recent third-party data breaches. Businesses must therefore establish more rigorous policies and processes to protect their systems and the critical data stored on them, and ensure those processes are well-understood and enforced.

Prescriptive cyber regulations around data protection can be an asset to businesses. They help strengthen their brand reputation, given their focus on protecting user data and keeping the company safe from attacks. But because increasing regulation further stresses already constrained security, risk, and IT resources and steepens the learning curve, the negative aspects of these changes often can overshadow the benefits they offer.

**Proactive vs. Reactive Measures: Which Approach Is More Effective?**

As the frameworks accompanying cybersecurity mandates and compliance guidelines are also refined, many now encourage (and sometimes mandate) that businesses transition to a proactive, risk-based approach that establishes their liability based on the type of data they collect and how it's used. At the same time, many data-centric cybersecurity frameworks are pushing the industry toward proactive prioritization and risk-ranking gap analysis to enable an accurate measure of system risk while reducing required resources and time for compliance. This collision of data privacy concerns and the associated cybersecurity framework regulations are overwhelming for companies trying to strengthen their security and compliance posture.

Proactive risk prioritization based on comprehensive, contextual, and historical threat intelligence coupled with active control over the enterprise can alleviate many of the compliance headaches CISOs face. To achieve this, I recommend that CISOs and their teams take the following steps:

**1\. Understand how your enterprise is using data.** The growing volume of data that companies collect brings a greater need for asset-aligned contextual cyber intelligence that reveals what data is needed for day-to-day operations and how that data is used. Technology solutions are available that facilitate comprehension, but gaining an accurate understanding requires an audit approach. CISOs and other leaders must consider and define the company's BAU (business as usual) processes to understand what data is needed for standard day-to-day operations. By doing this, companies can set a solid policy around what and how they use certain data types.

**2\. Conduct a thorough risk assessment.** A full-scale cybersecurity risk assessment weighs risks both within the organization and across the supply chain against the effectiveness of core security controls that protect data. This step is critical given the high-profile software supply chain vulnerabilities in recent years. Incidents like the notorious SolarWinds breach, and many others like it, provide evidence of the importance of paying close attention to third-party risks to secure an organization's systems, networks, and data.

**3\. Quantify cyber-risks.** Typical enterprise risk assessments prioritize risks with generic "high," "medium," or "low" ratings, pointing to the likelihood of that risk becoming an attack and the resulting impact. However, more is needed to quantify a company's risk. For example, where does the company have a presence online? How widespread are its vulnerabilities? What assets are at risk? Also, how resilient is the organization in maintaining business as usual if an attack occurs? How much would an attack cost the enterprise?

A quality threat intelligence solution identifies and enriches measurement of an enterprise's vulnerabilities and helps entities safely prioritize which gaps to address. \[Note: The author's company is one of many that offer threat intelligence services.\] Such threat intelligence can help security teams understand which business sectors are more at risk and the organization’s posture, and whether cybercriminals are targeting a particular business or software, including their own. Any area of a business or its suppliers can be a target, such as a retailer's point-of-sale systems. Threat intelligence can reveal hundreds of posts on Dark Web forums about plans to target these critical systems, for example, and alert the retailer to tighten security and prevent attackers from gaining access to business systems or customer data well before an active attack begins.

**4\. Define a measurable, consumable security awareness policy.** Measuring the effectiveness of a security awareness program requires knowing if employees, business partners, third-party suppliers, and others fully understand and follow the company's security policies. Keeping track of cyber incidents and how they are handled can reveal how well the company communicates, trains, and enforces these policies to people on the front line, a company’s greatest vulnerability. Additionally, a robust security awareness policy requires the organization and its vendors’ cooperation, which should be clearly articulated as part of any formalized agreement.

As the amount of data companies consume and process continues to grow and malicious actors find more sophisticated ways to access that data, tightening data privacy regulations makes perfect sense. Yet the added burden of continually meeting ever-changing compliance requirements can seem near impossible to over-stretched teams.

By following these steps and putting proactive intelligence and analysis in place, companies and their employees, partners, and customers all come out ahead — which is good for business and good for society.

Meet Data Privacy Mandates With Cybersecurity Frameworks

Ubuntu Security Notice 5951-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NVMe driver in the Linux kernel did not properly handle reset events in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5951-1  
March 14, 2023

linux-ibm, linux-ibm-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-ibm-5.4: Linux kernel for IBM cloud systems

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the NVMe driver in the Linux kernel did not properly  
handle reset events in some situations. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2022-3169)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Gwangun Jung discovered a race condition in the IPv4 implementation in the  
Linux kernel when deleting multipath routes, resulting in an out-of-bounds  
read. An attacker could use this to cause a denial of service (system  
crash) or possibly expose sensitive information (kernel memory).  
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection  
Multiplexor (KCM) socket implementation in the Linux kernel when releasing  
sockets in certain situations. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3545)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the Intel i915 graphics driver in the Linux kernel  
did not perform a GPU TLB flush in some situations. A local attacker could  
use this to cause a denial of service or possibly execute arbitrary code.  
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend  
driver in the Linux kernel when handling dropped packets in certain  
circumstances. An attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate offsets, leading to an out-of-bounds read  
vulnerability. An attacker could use this to cause a denial of service  
(system crash). (CVE-2022-47520)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation  
in the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1045-ibm      5.4.0-1045.50  
   linux-image-ibm                 5.4.0.1045.71  
   linux-image-ibm-lts-20.04       5.4.0.1045.71

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1045-ibm      5.4.0-1045.50~18.04.1  
   linux-image-ibm                 5.4.0.1045.56

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5951-1  
   CVE-2022-3169, CVE-2022-3424, CVE-2022-3435, CVE-2022-3521,  
   CVE-2022-3545, CVE-2022-3623, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-4139, CVE-2022-42328, CVE-2022-42329, CVE-2022-47520,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-0461, CVE-2023-20938, CVE-2023-23454, CVE-2023-23455

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1045.50  
   https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1045.50~18.04.1

Ubuntu Security Notice USN-5951-1

WordPress Profile Builder plugin versions 3.9.0 and below suffer from a missing authorization vulnerability in wppb_toolbox_usermeta_handler().

    Description: Profile Builder – User Profile & User Registration Forms <= 3.9.0 – Sensitive Information Disclosure via Shortcode Affected Plugin: Profile Builder – User Profile & User Registration FormsPlugin Slug: profile-builderAffected Versions: <= 3.9.0CVE ID: CVE-2023-0814CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NResearcher/s: Lana Codes Fully Patched Version: 3.9.1Vulnerability AnalysisThe vulnerability, assigned CVE-2023-0814, exists due to missing authorization within the wppb_toolbox_usermeta_handler() function. The affected function is defined as a callback function to the ‘user_meta’ shortcode, which is registered via the WordPress add_shortcode() function in usermeta.php.As with all shortcode callback functions, wppb_toolbox_usermeta_handler() takes an array of attributes. In particular, the ‘user_id’ attribute is used to create a new user object. Then, the ‘key’ attribute is used in a call to ‘$user->get()’. Finally, the function returns the value of the retrieved ‘key’ for the given ‘user_id’. During this process, capability checks are not properly implemented to ensure that the user executing the function is authorized to retrieve the given ‘key’ value.Profile Builder wppb_toolbox_usermeta_handler function The wppb_toolbox_usermeta_handler() function creates a user object and performs a $user->get() with threat actor-supplied values.PrerequisitesVulnerable instances of Profile Builder need the ‘Enable Usermeta shortcode’ setting enabled within the ‘Shortcodes’ section of the ‘Advanced Settings’ tab of the plugin’s ‘Settings’ page.Profile Builder Advanced Settings Page ‘Enable Usermeta shortcode’ setting activatedExploitationInformation DisclosureAny authenticated user, with subscriber-level permissions or greater, can send a specially-crafted HTTP POST request to the ‘wp-admin/admin-ajax.php’ endpoint with the ‘action’ parameter set to ‘parse-media-shortcode’ and the ‘shortcode’ parameter containing the ‘user_meta’ shortcode with the ‘user_id’ and ‘key’ attributes set.Profile Builder POST to admin-ajax.php to retrieve the username of the user with a user ID of 1 POST to admin-ajax.php to retrieve the username of the user with a user ID of 1As explained earlier, the value of the ‘key’ attribute is passed to a $user->get() call. Since the get() method of the WP_User class is designed to retrieve user information, any column of the ‘wp_users’ table can be passed via this attribute, including:- ID- user_login- user_pass- user_nicename- user_email- user_url- user_registered- user_activation_key- user_status- display_namePassword Reset to Privilege EscalationThe Profile Builder plugin provides the shortcode ‘[wppb-recover-password]’ to embed a password recovery form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key. When generated, this key is stored in the ‘user_activation_key’ column in the ‘wp_users’ table of the WordPress database. Using CVE-2023-0814, this key can be retrieved for any user.First, the threat actor must generate the user activation key by entering the username or email address of the targeted user in the password recovery form and clicking the ‘Get New Password’ button.Profile Builder password recovery form Next, the threat actor will make a similar POST request to our previous user enumeration proof-of-concept, but this time ensuring the ‘user_id’ is set to the user ID of the username or email address entered into the password recovery form and setting the ‘key’ attribute to ‘user_activation_key’.POST to admin-ajax.php to retrieve the user activation key for the admin accountOnce the threat actor has retrieved the user activation key, they can navigate back to the password recovery form page, but this time with the ‘key’ query parameter set to the retrieved user activation key.Password Recovery page with ‘key’ query parameter set to retrieved valueAt this point, the threat actor simply needs to enter a new password and click the ‘Reset Password’ button. The threat actor will then be able to login using the targeted username and new password.TimelineFebruary 7th, 2023 – Lana Codes responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program.February 13th, 2023 – The vendor releases a patch in version 3.9.1 and Wordfence releases a firewall rule to address the vulnerability. Wordfence Premium, Care, and Response users receive this rule.February 14th, 2023 – Wordfence releases an additional firewall rule to provide extended protection against exploitation. Wordfence Premium, Care, and Response users receive this rule.March 14th, 2023 – Wordfence free users receive the first firewall rule.March 15th, 2023 – Wordfence free users receive the second firewall rule.ConclusionIn today’s post, we covered an Information Disclosure vulnerability that could lead to the takeover of an administrative account in Cozmolabs Profile Builder, a plugin used by over 60,000 WordPress installations. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the vulnerability on February 13th and 14th, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care, and Wordfence Response users since that date, while those still using our free version will receive this rule on March 14 and March 15, 2023.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Profile Builder as soon as possible.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard .

WordPress Profile Builder 3.9.0 Missing Authorization

Ubuntu Security Notice 5950-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5950-1  
March 14, 2023

linux-kvm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-kvm: Linux kernel for cloud environments

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel  
did not properly handle VLAN headers in some situations. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-0179)

It was discovered that the NVMe driver in the Linux kernel did not properly  
handle reset events in some situations. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2022-3169)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)  
implementation for AMD processors in the Linux kernel did not properly  
handle nested shutdown execution. An attacker in a guest vm could use this  
to cause a denial of service (host kernel crash) (CVE-2022-3344)

Gwangun Jung discovered a race condition in the IPv4 implementation in the  
Linux kernel when deleting multipath routes, resulting in an out-of-bounds  
read. An attacker could use this to cause a denial of service (system  
crash) or possibly expose sensitive information (kernel memory).  
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection  
Multiplexor (KCM) socket implementation in the Linux kernel when releasing  
sockets in certain situations. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3545)

It was discovered that the Intel i915 graphics driver in the Linux kernel  
did not perform a GPU TLB flush in some situations. A local attacker could  
use this to cause a denial of service or possibly execute arbitrary code.  
(CVE-2022-4139)

It was discovered that the NFSD implementation in the Linux kernel  
contained a use-after-free vulnerability. A remote attacker could possibly  
use this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2022-4379)

It was discovered that a race condition existed in the x86 KVM subsystem  
implementation in the Linux kernel when nested virtualization and the TDP  
MMU are enabled. An attacker in a guest vm could use this to cause a denial  
of service (host OS crash). (CVE-2022-45869)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate the number of channels, leading to an out-of-bounds  
write vulnerability. An attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code. (CVE-2022-47518)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate specific attributes, leading to an out-of-bounds  
write vulnerability. An attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code. (CVE-2022-47519)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate offsets, leading to an out-of-bounds read  
vulnerability. An attacker could use this to cause a denial of service  
(system crash). (CVE-2022-47520)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate specific attributes, leading to a heap-based buffer  
overflow. An attacker could use this to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2022-47521)

It was discovered that the file system writeback functionality in the Linux  
kernel contained a user-after-free vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2023-26605)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1019-kvm     5.19.0-1019.20  
   linux-image-kvm                 5.19.0.1019.16

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5950-1  
   CVE-2022-3169, CVE-2022-3344, CVE-2022-3435, CVE-2022-3521,  
   CVE-2022-3545, CVE-2022-4139, CVE-2022-4379, CVE-2022-45869,  
   CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521,  
   CVE-2023-0179, CVE-2023-0461, CVE-2023-26605

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1019.20

Ubuntu Security Notice USN-5950-1

Red Hat Security Advisory 2023-1202-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:1202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1202  
Issue date:        2023-03-14  
CVE Names:         CVE-2022-3564 CVE-2022-4269 CVE-2022-4378   
                   CVE-2022-4379 CVE-2023-0179 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading  
to remote Denial of Service attack (CVE-2022-4379)

* kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
(CVE-2023-0179)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RHEL9:[P10] With Guest Secure Boot and lockdown enabled, DLPAR operations  
can't be done (Rainier) (BZ#2107480)

* [RHEL 9.0] LTP Test failure and crash at fork14 on Sapphire Rapids  
Platinum 8280+ (BZ#2133084)

* RHEL9.0 - boot: Add secure boot trailer (BZ#2151529)

* 'date' command shows wrong time in nested KVM s390x guest (BZ#2158816)

* Kernel FIPS-140-3 requirements - part 3 - AES-XTS (BZ#2160176)

* RHEL 9.0.0 soft quota cannot exceed more the 5 warns which breaks timer  
functionality (BZ#2164263)

* In FIPS mode, the kernel should reject SHA-224, SHA-384, SHA-512-224, and  
SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after  
2023-05-16 (BZ#2165131)

* [RHEL 9] FIPS: deadlock between PID 1 and "modprobe  
crypto-jitterentropy_rng" at boot, preventing system to boot. (BZ#2167762)

Enhancement(s):

* [Intel 9.2 FEAT] [SPR] CPU: AMX: Improve the init_fpstate setup code  
(BZ#2168383)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
2152807 - CVE-2022-4379 kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack  
2161713 - CVE-2023-0179 kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.49.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.49.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.49.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.49.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.49.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-4379  
https://access.redhat.com/security/cve/CVE-2023-0179  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBCPddzjgjWX9erEAQiUYA//eHB1lFUQOziIVT+e7Eveh/CxB+oBYKQd  
qahqIC8RGCNzfhKszn/E76Pp9nCmuajBUWStb6f07R+vwQaGe/cQ2SS8Zfhj7Fo0  
MS5bW3udIWqqSIoSD6zHKQn8rouFzsJ2PuP1nomV3w7C+/nWk8G2y7ulWvuRIQxw  
anWwsA2FI3m/ymDkqDhwF/zF4cfosOvd/XARC6PL0+uyJHigp4egLr6XBqlY9Gh6  
P36zjfZdTyZ8MfqgFj7K4wEOr41HLaIPEeelPSmsOj+rx4IsXm+T5wu20oFoSVwr  
E9RX72wKxAblHUvVlCMBIGLeATbfO2XmqU1392+WUFysTjGTPib836+STh2PPK+p  
c6NA/rr90g59PFyTpdHCR54GZLjTrOPYNDiinvXDFiyTbkwWIZq5Qm1LoVOSUuUi  
DA+NpnB09Kglx1taqnknbt0o1G+0nkcblajZhC0LnqcqMBUfI1rQvedT7JOGlJhy  
a7W9JgIaFc5qTh1MR2dhBEbxAwbxVJaaFUmD3HASCfxJviED915IOdOM+SjkLKS1  
RPW2SmxZ8lWk46GyQLN/xHIsAL4ucntjP9SMLhwM+KDTjDRYgEjqiVUvgMgYNn7o  
miFyM1PT3sALFo2EGb+AyqXHlW8MyI0dJtEv5EV2PMegCDCf54ISQiUlMY4EKcFJ  
IwHZx9iW7VY=  
=yYLi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1202-01

Organizations are coming under pressure to protect their data, but does all data need the same security? To secure it, you first need to know what and where it is.

Let's start by examining those two broad-brush data categories: structured and unstructured.

Structured data refers to the data resident within relational databases, often presented via customer relationship management (CRM) systems and corporate applications. Tables and rows of related information in limited formats, structured and only accessible to users with suitable authorization.

Unstructured data is much less easy to ring-fence, being comprised of all the different, unrelated files present on end-user devices. The data is stored in a wide array of locations locally, across the network and in cloud-based services. When considering all these formats and types on local and network-based devices, it is easy to see how vital it is to include all this data into the overall data security equation. Omdia estimates that as much as 80% of an organization's data is resident in this unstructured category.

Now let's consider how all the data needs to be protected.

Due to the general level of sensitivity of structured data (personally identifiable information, payroll, financials, legal, etc.) security strategies will often focus on this tier. Organizations typically separate and secure the various types of data here. However, even these measures are potentially far from sufficient to protect against a determined hacker. Can any organization really say with confidence that it is adequately protected when the next attack could be from an entirely unknown quarter?

Questions of security robustness aside, for structured data, organizations do tend to treat data differently, considering the actual content (and risk to the business if it were lost) and thus appropriate controls are reasonably applied.

Given the sheer volumes, can it be said that unstructured data receives proportional (or even anything like) the same consideration structured data receives? The answer is most likely "no."

First, let's ask a more fundamental question. Can an organization, hand on heart, say it even knows where all its unstructured data is? Most organizations may struggle here. File authors may have difficulty remembering a specific file or what they did with it, or even may have left the business altogether.

This then presents this challenge: "If the organization doesn't know where a file is or what it contains, how can it be protected?"

**Discovery Solutions**

Data discovery solutions can make retrospective retrieval more palatable, but it's better to be able to classify documents at time of creation and then store them clearly and appropriately according to their value (or risk) to the business.

Omdia argues that the authors of these documents are best placed to apply a suitable mark, but artificial intelligence (AI) tools can also be employed. Today, organizational culture tends to determine if the preference is for a user or AI-centric approach. Either way, a visual and a similar embedded mark classifying the document, working in tandem with a data loss prevention (DLP) tool, will not only indicate the sensitivity of the document and with it how it should be handled, the labels will also dictate how the document can be distributed. This is the foundation to protecting unstructured data.

A consideration here. Adopting a one-size-does-not-fit-all approach does get granular quite quickly when considering all the different types and levels of data sensitivity circulating within a business. This is a necessary part of the planning process, however, and clarity and time taken to construct a hierarchical data framework at this stage will bear dividends later. Thorough and well-defined data type definition and a prioritization strategy mapped across all the various data types will not only deliver enhanced security, but also ensure that if, or when, an attack occurs, the regulators can be subsequently assured that every possible measure was in place to preserve the security of an organization's data, and, moreover, that all data was being handled in the right way. It is also worth considering at this point that highly restricted, legally sensitive data one day can become public information the next.

In terms of working with end users, views about this group and security of any type are highly polarized. Omdia firmly believes in thorough cybersecurity training for the workforce. It is vital to include users in an organization's security posture, employing them as a resilient part of the data security defensive fortification rather than sideline them as a part of the problem. Cybersecurity training is vital, but it should be ongoing and frequent to create a "security culture" within the organization.

No organization can claim to be 100% secure against the ever-evolving threat landscape. By working to understand data and accordingly implementing appropriate security controls across the varying types and sensitivities, together with proactive involvement of the end users, both the impact of unauthorized or malicious data loss can be mitigated and expensive costs associated with a blanket data security approach can be avoided.

Tag

#intel