An access control issue in the component /api/plugin/uninstall Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Ryze-T opened this issue

Jun 15, 2022

· 2 comments

**Comments**

**DataEase 版本**  
最新版

**运行方式(安装包运行 or 源码运行 ?)**  
安装包运行

**浏览器版本**  
任意

**Bug 描述**  
普通权限越权卸载插件

**Bug 重现步骤(有截图更好)**  
普通用户无法对插件进行处理，但是通过调用接口可对插件进行卸载：

    POST /api/plugin/uninstall/1 HTTP/1.1
    Host: xxx
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN
    Accept-Encoding: gzip, deflate
    Authorization: xxx
    LINK-PWD-TOKEN: null
    Connection: close
    Content-Length: 0
    

Authorization为鉴权标准，低权限依然可以调用api/plugin/uninstall接口进行插件卸载：  
  
包发送后显示成功：  
  
管理员查看插件被卸载，漏洞利用成功：

CVE-2022-34112: [Bug]普通权限越权卸载插件 · Issue #2429 · dataease/dataease

PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.

Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites. For details, please read the entire article.

**What’s happening**

The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.

While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

**How the attack works**

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

1.  The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2.  After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3.  The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

**What to do to keep your shop safe**

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

    if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
        include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
        $smarty->caching_type = 'mysql';
    }
    

**How to tell if you have been affected**

Consider looking at your server’s access log for the attack pattern explained above. This is an example shared by a community member:

    - [14/Jul/2022:16:20:56 +0200] "POST /modules/XXX/XXX.php HTTP/1.1" 200 82772 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
     
    - [14/Jul/2022:16:20:57 +0200] "GET / HTTP/1.1" 200 63011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
     
    - [14/Jul/2022:16:20:58 +0200] "POST /blm.php HTTP/1.1" 200 82696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
    

(Note: the vulnerable module’s path has been modified for security reasons)

Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.

Consider contacting a specialist to perform a full audit of your site and make sure that no file has been modified nor any malicious code has been added.

**Additional information**

A patch version is currently being tested, and should be released soon.

We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.

CVE-2022-36408: Major Security Vulnerability on PrestaShop Websites

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Apple Security Advisory Safari - Safari 15.6 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

Safari 15.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213341.

Safari Extensions  
Available for: macOS Big Sur and macOS Catalina  
Impact: Visiting a maliciously crafted website may leak sensitive  
data  
Description: The issue was addressed with improved UI handling.  
CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National  
University

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Safari 15.6 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhh3QA//cN/O9LcDr67uACD/222GDWGZnm80emLeEmJaczyRYZNswciqGhAc7EPd  
qfyVvzq2DHAvFm64gGSGX6rzOzZbY9QRvkQ4TodqugeBoAIO0VM2moLTO/KR74fE  
SwWeWHTrPYD9k6/zCL7o3XdrwTcqvlbYD9AXSIJ1lI4BmmbDIjjLFjH5NfrsBixy  
vthQmj99twepLofgo1Wfjg1AfwUMrr6BVnZcpxEyBBjrjpBD5FVEZWJ+RB4nUaKP  
6aM4CPpXqPbou0w3bgMt0K8x2qpudolxOFfStu2FsSFVnw2B5khgcCL0C2qIO9Hb  
5n5NDb1FuPI7sDNcREIbBGjHqcjpQv5wkF7lz1EK6UQk3D4Rp8RJXFKYDWgwKNVA  
GcMEBXW8XmI3UrfpRJi/B8o/rMA9y75hVnPujl+KN9jX/6Ey7p09OK3hJavaFDuY  
heZyqdlfAa81Gwf+VBoF8bkYKZj2GCGOOL+zsuPLrtyEL8y28P5ZIBc5ALSzDgK5  
Fv4VnaE4adu8NIqU3DimQeD44G4IpZAhhS4BMiTVosZ+KUjtnX3hmFR+wI8bV2I1  
oBYtwRZOUyMHAfRSLtJFriqy5N5XK4NRD4Xb9q5auOOeyhWcgGY0K+9kSTNdDP6o  
hR93N6uOYQt7htOmiXF7ztUDMikh2i7A9NScLyX/k3y9uvtWMmw=  
=bU24  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-7

Apple Security Advisory 2022-07-20-4 - Security Update 2022-005 Catalina addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-4 Security Update 2022-005 Catalina

Security Update 2022-005 Catalina addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213343.

APFS  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Catalina  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Catalina  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Catalina  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Catalina  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Catalina  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Catalina  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Catalina  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Catalina  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2021-4136  
CVE-2021-4166  
CVE-2021-4173  
CVE-2021-4187  
CVE-2021-4192  
CVE-2021-4193  
CVE-2021-46059  
CVE-2022-0128

Wi-Fi  
Available for: macOS Catalina  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Security Update 2022-005 Catalina may be obtained from the Mac App  
Store or Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuQACgkQeC9qKD1p  
rhiuNw//V3lvbuk3ZcN4l2+dumbidEYnYD+qrrm+V332BNA9zqn9Uyoy1l9mXY32  
qA/UfHpnuZj5F2qjBNinkpV9VlwMZUIZmWfLBrVz3+cF1wrF6RZVFmz05sVsWTCC  
zB7H9eCPQr/afrTgjf2evIsaCZaqveOP7ZVFV3dOEOpzp/hMUYFWF69mEbYfl2Z1  
PlB3bkZPys4fZ3nCq70egWotGl7V4M/9aqGBDQZzAwmcsepeppBaCP1MnDiDiWqA  
6m2jVNDDTP/CasfPt1k3jR3aKf7f+ySZozQLyUyMhRpTLnZ1fpEtD5jjwK/hprKW  
g00gdTOBl7aGAxbKL3xlsxXRGzhzy9n2RVN4duhRKEbDKDShCfRFmCxXGxAGJB7J  
96TqA/wy1s7gnlxNzUfJewJMopr3AU4ffhdyOgKV1Is7eRwAhKYlh3K5T6C28Uuj  
8TXAqY2qwMqs+jIqe3dGEuPBj83tQMD0xukIhzGtuxwoziiPyzSfrgUHvSK8vBYN  
NGGfLdHn8ailAYpnFeRxhImxclr59QddI8uzS/G6O9CLJY0jUh3tjCNC3fjIjS6F  
lD3+P/J/Hf5HFvpvNyw6aJVVYIcGFOQi+RmhVGysMHuGIz4aqc9rTdvbAKdeKpyK  
8p0C6S1/sV+pu7morGBm9aSm/rRyDZSVWSA2l/3fRA9mJmrL8Ao=  
=fcrb  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-4

Apple Security Advisory 2022-07-20-3 - macOS Big Sur 11.6.8 addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-3 macOS Big Sur 11.6.8

macOS Big Sur 11.6.8 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213344.

APFS  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Big Sur  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Big Sur  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Big Sur  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

Software Update  
Available for: macOS Big Sur  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Big Sur  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Big Sur  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2022-0156  
CVE-2022-0158

Wi-Fi  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Big Sur  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

macOS Big Sur 11.6.8 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYf6sACgkQeC9qKD1p  
rhgOJBAAtzyKOqdTnnBbwbFoG/HoZIbCVSVOtI5VIGH1weMQ72R3X2tXB5yTlpto  
3l/eoMe0/covxipiZ+CvTh9tM5ZfV3IxN4bpsbxew1R/s81YE2K55dFp5+4zzqgh  
YyWrx8SntngP9PywAdKa+GRZrW7R95oNp2UTwifcQvFPs40F/OPrNQm23Xkmqsx0  
zNNvMmqPaeCU8mgIOadO/uv626LjnkyKdwHKM3VBxGmklNEddQDjjoWcYugH7QYj  
e28EpKINEYfGVP/5n4uSeP6+kXmJj9nLzdKzfBD78gyBu5NX3Ai5Wh1BbsFMoFYE  
wcqlgEjMk3440babLb9kSRm81NX+EPgJLtjVPNRIrqs8pTh95CcDTRsotDUDl03R  
BrP6XGyXiS+3XyhdbamJDG9pCthJdo455XaYOlmzgIfgTJMkX3kdxiMAgGvbkPVl  
3IesUuChRvi6pZwTWXN4k5Rn9epZSV+9HaYplnFPScJpYeLzUKThz1P2KbMTd0CT  
fiBU+fxwQqfzGRX3gyzRz0DMqiGdk0PnO9pfWND+9lQDyht7s73XnZrVOnPZHGYC  
tiNdrEHm+4WKaEwl/5invCZ8vPaiJ9cTH/aSbeRkeqR8ilDQMIhm2xooSP8Sd00E  
gTOoTOANfxrOqkFWhj0HQEq5OmCeALkE8BqiLuOVVIrN4e2LgPg=  
=6wU+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-3

Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-2 macOS Monterey 12.5

macOS Monterey 12.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213345.

APFS  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32852: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Automation  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Calendar  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

CoreMedia  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

CoreText  
Available for: macOS Monterey  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

iCloud Photo Library  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

ICU  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575  
ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Kernel  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32829: an anonymous researcher

Liblouis  
Available for: macOS Monterey  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Monterey  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

subversion  
Available for: macOS Monterey  
Impact: Multiple issues in subversion  
Description: Multiple issues were addressed by updating subversion.  
CVE-2021-28544: Evgeny Kotkov, visualsvn.com  
CVE-2022-24070: Evgeny Kotkov, visualsvn.com  
CVE-2022-29046: Evgeny Kotkov, visualsvn.com  
CVE-2022-29048: Evgeny Kotkov, visualsvn.com

TCC  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

WebKit  
Available for: macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Wi-Fi  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32837: Wang Yu of Cyberserval

Wi-Fi  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Monterey  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

Additional recognition

802.1X  
We would like to acknowledge Shin Sun of National Taiwan University  
for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Calendar  
We would like to acknowledge Joshua Jones for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

DiskArbitration  
We would like to acknowledge Mike Cush for their assistance.

macOS Monterey 12.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYiL4ACgkQeC9qKD1p  
rhhjpQ//TQX1ihtXRIjFpPOViMy6IxuLE1CsKFxq5MweXelbPB/UdeUl/zL5G54b  
/Lx2XYKoWj6u27FCO0BHxBqtYbAd6sfx70VLCk5W6gyk/yCi0n3zh7BvRvWB/Ugh  
6NuHB39a1kbbjLLoQPbW0L6egdrCfqP/+ZujqjKl7xI58nda9jMHJC1ns87KQoDn  
Er5SAGf7M2ErGNzOFqvXjpJYvGsrKJyfqNxp99H/sPlzu7URX9Gq3f3n1o55IUUa  
mcxlBPDfUmDQPjdSqw/BprQkDOvp0fzmTy+phB0fkgmvVJ8EmEJAoilL4SyH4uW9  
V1GD9rtjUKh7G/gSFAo7y0HBDQoM+E9hA+4PPlH2o1nUOAl6BRWUka6jf4yaqrpr  
pfo1K2hPQj1g4MMZFCDWkJ+7V1+1GTQ9WlagL5gB3QaKefiSG4cTnL06Y8zn38TD  
TY3JrdqUI7Pzugu+FuHs7P168yNIGXTscb1ptrVlaVBaVuyICmEcKX4HS+I5o30q  
WqCOaRoaa6WRqBwNEy7zVAExjSPt7t8ZWt85avWSt+rLxNGiVkPrpHu4fE+V2IAV  
fz1VA4S/w69h9uJHXdcG+QfvNxX+zj/vljF6DK3dyQ957Mqfyr2y9ojSbdf6vo4n  
DJFXNxbEk35loy/kDDidC1C1sFKY+JeQF7ZBi0/QOyuSdSdJrSg=  
=ibIr  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-2

Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-1 iOS 15.6 and iPadOS 15.6iOS 15.6 and iPadOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213346.APFSAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause kernel code executionDescription: A buffer overflow was addressed with improved boundschecking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroApple Neural EngineAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-32845: Mohamed Ghannam (@_simo36)Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32840: Mohamed Ghannam (@_simo36)CVE-2022-32829: an anonymous researcherApple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32810: Mohamed Ghannam (@_simo36)AudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)HomeAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user may be able to view restricted content from the lockscreenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32855: an anonymous researcheriCloud Photo LibraryAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing an image may lead to a denial-of-serviceDescription: A null pointer dereference was addressed with improvedvalidation.CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)IOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improved statehandling.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)PluginKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to read arbitrary filesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32838: Mickey Jin (@patch1t) of Trend MicroSafari ExtensionsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a maliciously crafted website may leak sensitivedataDescription: The issue was addressed with improved UI handling.CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul NationalUniversitySoftware UpdateAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 242339CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence teamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6 and iPadOS 15.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuMACgkQeC9qKD1prhhc5hAA2emrXEYGmfH1M/gji0MOPflW+wrr0y8buntNyeJYFQbf1xgGkr9hmHlMDkROvVCXDzuMyH9QDOPNFGPqBTAe/5cL+auNq497f/vGVjEOZ09Y4vC/FVBBklgokQND7CoWBhk99PgNxVdJyzkeKhBEs9JrNaIyGVqg8tChTWWghRzyyyQfHpSQfwj1M9042Kj8w9hi4SrY9R8Oe+QrcCYw/lYo3yO6WIUfajzIs/urT175BFedXS+9l4cK6srMpa/n67w3XZU9psQBVddlkVDymx1c5Lzuo84haM7TYNddOYDVluP+676Uq0vj5E24vTuGLS+vdDlJri6WMJv2d7NZ8dtJAVhPioP3ThGGsAXdpT/PmNbkc5R0RbiVTKs/2CDK4+raGHlOz6leuEfUJtUD1rHLI5n21XBQY1HOvwB9CDqGc5l7FpRoMdajDY/8yaIbWKVu1iycA2NAsxfyc9u1QTwwluGmzelpo9XdAWIZ17j6Dkalta9scCQbakHz3M1PSAYw4ljfGuYYiHElAKuZn/daeAUKZ0zMJOVdHtecliJbV3VlqMzaOKqmgXWNoBOwCow8Tj80F2dFNTvlQe91L8r7NeQAo7KCzEXbVSQqfemojtrREl5BvmWS9s7+QxqDWAHSUr+WakmKTESMA3DTlZBhBbUXE+uNRrEwboUQKeI==Nnrk-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-1

Open source security expert warns there is still a ‘long road’ ahead to prepare for the next attack wave

Open source security expert warns there is still a ‘long road’ ahead to prepare for the next attack wave

INTERVIEW The security of the software supply chain has rocketed up the infosec agenda since The Daily Swig last spoke to Brian Fox, co-founder and CTO at DevSecOps vendor Sonatype.

The landmark Log4j bug and SolarWinds supply chain attack in particular have prompted the White House to act with a clarity, swiftness, and even bipartisan support that has proved elusive in other policy areas.

Fox, who has sounded the alarm on supply chain security for many years, has welcomed the government’s belated recognition of the threat, but warns that the cybersecurity industry is still failing to sufficiently prioritize the issue.

Two years on from our last interview, the recently appointed OpenSSF governance board member also considers the legacy of ‘Log4Shell’, rebuffs criticism of the volunteer-driven open source model, and foresees attack techniques mutating when defenders finally ‘vaccinate’ themselves against current methods.

Daily Swig: Sonatype has been supporting White House efforts to bolster the software supply chain – how is that progressing?

Brian Fox: In the wake of the Log4j incident there was an initial \[open source security\] summit in January, testimony before the Senate and inquiries in the Senate and House, then the White House convened some meetings.

A follow-up summit in May with many participants across the ecosystem \[resulted in a\] 10-point mobilization plan that includes everything from better educating developers around secure practices, to better tooling, to funding, to audits of popular open source projects, to prioritizing the most used projects, driving better tooling around software bills of materials, \[and\] digital signatures...

DON’T MISS ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

A number of companies have made monetary pledges – \[totalling\] about $30 million – to help this effort, which is a lot, but estimates \[of the sum needed\] to drive all 10 streams were more like $150 million \[over two years\].

There’s some other tentative talks trying to get other governments involved, because this is not just a US-centric problem; it’s a global problem.

DS: So do you feel reassured that the US government is tackling the problem in broadly the right way?

BF: Generally, yes. The executive order a little over a year ago set in motion requirements for anybody selling software to the US government to have a reproducible software bill of materials \[SBOM\] to disclose all components – think food labels.

However, there was a \[similar\] bill before Congress in 2013 that didn’t get any airtime. So it’s nice to see it happening now but it would’ve been better to see it happening almost a decade ago.

I think there will be a trickle-down effect. Even software companies that don’t directly sell to the US government, if their consumers are selling to the US government, they’re going to have to provide a bill of materials all the way down, right?

DS: Are you still as frustrated as you were in 2020, when you lamented that “many companies still don’t have inventories of their open source components”?

BF: It’s improving, but I’m impatient. In the wake of Log4j, as of May 2022, 33% of Log4j downloads from the central repository in the last 24 hours were known vulnerable versions.

Six-plus months on \[from the Log4j bug surfacing\], was this acceptable? Everybody had a collective freakout, everybody was writing about it – there’s zero reason why you wouldn’t know about it.

Oftentimes companies with really good physical parts practices have terrible digital goods practices – that blows my mind. I don’t understand why I have to educate them.

PREVIOUS INTERVIEW Sonatype’s Brian Fox on open source security and ‘drama-free’ DevSecOps

The mobilization plan largely focuses on improving the open source projects. That needs to be done, but it largely misses the point that organizations have a responsibility to understand what components they’re using.

Take the Takata airbag incident. Let’s say all the \[automotive\] manufacturers were like, “we’re going to give Takata more money to make better airbags, so we no longer need to track which parts go into our cars” – we would laugh at them. But that’s kind of what’s happening right now \[in the software supply chain\].

Log4j was fixed and patched over Thanksgiving \[within a day of the proof of concept surfacing\] – but that doesn’t solve this problem \[of users not updating their systems\].

DS: What do you make of criticisms of the open source ecosystem’s volunteer-driven model?

BF: I don’t think throwing money at maintainers solves the problem. In fact, it can often complicate things, because then you have new people motivated only by money.

Most problems are not so simple as \[maintainers\] doing a terrible job. Take Log4j – it wasn’t even really a bug in the code. It was a weird interaction between a feature in Log4j and a feature in Java runtime that executed the JNDI code.

The kneejerk reaction is, “They’re volunteers, therefore they must be amateurs” – and that’s just not true. Most people working on these projects are in fact very good software developers working for big companies during the day. Oftentimes companies pay them to work on these projects.

DS: Can you summarize the current open source threat landscape and how Sonatype is helping developers protect the ecosystem?

BF: There’s a theoretical attack where a malicious committer shows up to a popular project and puts something malicious into a real package. So far that’s not happening.

Because consumers aren’t paying enough attention, it’s really easy to confuse them by creating a fake component with malware in it that sounds similar to the real component.

We’re trying to detect when components are malicious, or are anomalous, and stop consumers from accessing them via our firewall product. The \[attack\] targets are the developers and development infrastructure, and the bad behavior – the backdoor – is triggered as soon as you download it. They’re not trying to slip code into your software so that it gets distributed to your end user or to production.

Catch up with the latest software supply chain attack news

So the only way to prevent that is to know, in real time, when that component hits the public repo, that there’s something wrong about it, and be able to stop it.

Timeliness is super important. Finding it six weeks later does no good because during that \[time\] everybody who touched it got tainted.

We use an MLAI \[machine learning, artificial intelligence\] technique, so we can train on new attacks and the model gets better and better. As of last month, we’ve reported more than 88,000 malicious packages using this technique, so it’s hundreds of orders of magnitude more \[productive\] than zero-day research.

DS: Are we likely to see attackers innovate in the way you envisaged – poisoning projects directly rather than duping developers – any time soon?

BF: They’re continuing to exploit the target vector I was talking about with sometimes more advanced attacks, but many just look like copycats.

We’ve seen this pattern before. It’s a bit like Covid – if everybody gets the vaccine then a mutation finds a way to work around it and that’s the one that survives.

But not enough people are immunized to the current round of attacks so we’re not seeing a ton of innovation.

That’s why we're finding and reporting dozens of these every, single day. It’s ridiculous.

But what happens when we get really good at \[defense\]? For over a decade and a half, I was afraid that the attackers would start focusing on the supply chain. That didn’t start happening until 2019.

So if we get good at blocking these easy-ish-to-detect things, then you’ll see them move into the projects with more insidious and difficult-to-detect attacks.

The \[White House\] mobilization plan will help open source projects become more inherently secure, but it’s a long road so I worry that we’re not gonna get there fast enough.

DS: How receptive has the industry been to your message about protecting the supply chain?

BF: Much of the industry is still fighting the last decade’s battle, which is doing static analysis, prioritizing vulnerabilities, and scanning products before they go into production or get distributed downstream.

Back in the 1990s browsers had vulnerabilities all over the place and, little did you know, you could get hacked just by loading a nefarious website.

That’s kind of what’s happening with these malicious attacks. The developers grab the wrong component, which isn’t trying to compile – it’s literally just a payload to deliver a backdoor or do whatever it does. So the developer’s build fails, and they realize it’s not the component they wanted \[but not only that\] they potentially got hacked.

If you only check what developers have committed or are building for release, you are blind to these 88,000-plus \[monthly\] attacks on developers’ machines.

We’ve been really leaning hard on that messaging and a lot of people are finally latching onto it.

RECOMMENDED PyPI repo to distribute 4,000 security keys to maintainers of ‘critical projects’ in 2FA drive

‘We’re still fighting last decade’s battle’ – Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

As new details about the scope of the sabotage emerge, the perpetrators—and the reason for their vandalism—remain unknown.

At present, there’s little information about who may have been behind the attacks. No groups or individuals have claimed responsibility for the damage, and French police have not announced any arrests linked to the cuts. Neither the Paris Public Prosecutor’s Office nor Anssi, the French cybersecurity agency, responded to WIRED’s requests for comment.

In June, CyberScoop reported claims that “radical ecologists” who oppose digitalization may be behind the attacks. However, multiple experts speaking to WIRED were skeptical of the suggestion. “It’s quite unlikely,” Combot says. Instead, in many potential sabotage instances he has seen, those who attack telecom infrastructure aim to target cell phone towers where damage is obvious and claim responsibility for their actions.

In France—and more widely around the world—there’s been an increase in attacks against telecom towers in recent years, including cutting cables, setting fire to cell phone towers, and attacking engineers. When the Covid-19 pandemic started in early 2020, there was an uptick in attacks against 5G equipment as conspiracy theorists falsely believed the network standard could be dangerous to people’s health.

While some caution against assuming environmentalist groups were behind the April attacks, there is a precedent for such actions in France: A December 2021 investigation by environmental news outlet _Reporterre_, as noted by CyberScoop, documented more than 140 attacks against 5G equipment and telecom infrastructure. The attacks were said to show a pattern based on “refusal of a digitized society.”

In one of the other biggest attacks against French networks, more than 100,000 people found themselves struggling to get online in May 2020 after several cables were cut. During the past three months, there have been an estimated 75 attacks against telecom networks in France. The total number of attacks has declined since 2020, however.

Combot says the April attack was one of the “biggest incidents” targeting telecom infrastructure in recent years. It also highlights the fragility of local internet cables. “Breaking the internet is not a good thing for those who have the idea to do so, because the internet is locally vulnerable but globally resilient,” Guillaume says.

While cutting cables and setting fire to cell phone towers can cause temporary internet outages or slowdowns, internet traffic can usually be rerouted relatively quickly. In short: It’s very hard to take the internet offline at scale. The internet can largely withstand human sabotage, damage from natural events, and Canadian beavers chomping through cables.

This doesn’t mean threats to connectivity can’t cause widespread disruption. “I fear that these attacks, in France and elsewhere in the world, will happen again,” Combot says. “There are vulnerable points everywhere in the world,” he adds, highlighting Egypt, where subsea cables pass between Europe and Asia. In June the EU published an in-depth review of subsea internet cables that says more should be done to protect them.

DE-CIX’s King says that most incidents around cables are usually accidents, such as damage from roadworks or earthquakes. “The solution is to introduce redundancy in the design of connectivity,” King says. This means having more connections in the internet’s backbone and systems to replace others in case of potential failures or attacks. Every system should have a backup.

Political and technical measures could decrease the chances of attacks on network connections. “The best way to fight against these attacks is to have a better threat intelligence,” says Oxford’s Laudrain. The French Telecoms Federation says it is working more closely with law enforcement to try to stop those who would attack cables. “Some companies publish confidential network information on their websites,” Lumen’s Modlin says. “They should seriously consider removing exact location data, given its sensitive nature.” (She did not name the companies.)

Meanwhile, Guillame says simple physical security measures can be taken, such as ensuring that areas where cables are accessible through the ground are covered by security cameras. Others suggest adding movement sensors to these locations. Preventing internet cables and equipment from damage and destruction is crucial, Guillame says. “Behind the digital economy, there are small businesses, artisans, schools, emergency services hard hit when they can no longer connect their service. It’s not acceptable.”

Tag

#intel