TA569 has modified the JavaScript of a legitimate content and advertising engine used by news affiliates, in order to spread the FakeUpdates initial access framework.

The cyber-threat threat actor known as TA569, or SocGholish, has compromised JavaScript code used by a media content provider in order to spread the FakeUpdates malware to major media outlets across the US.

According to a series of tweets from the Proofpoint Threat Research Team posted late Wednesday, the attackers have tampered with the codebase of an application that the unnamed company uses to serve video and advertising to national and regional newspaper websites. The supply chain attack is being used to spread TA569's custom malware, which is typically employed to establish an initial access network for follow-on attacks and ransomware delivery.

Detection might be tricky, the researchers warned: "TA569 historically removed and reinstated these malicious JS injects on a rotating basis," according to one of the tweets. "Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive."

More than 250 regional and national newspaper sites have accessed the malicious JavaScript, with impacted media organizations serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, DC, according to Proofpoint. However, only the impacted media content company knows the full range of the attack and its impact on affiliate sites, the researchers said.

The tweets cited Proofpoint threat detection analyst Dusty Miller, senior security researcher Kyle Eaton, and senior threat researcher Andrew Northern for the discovery and investigation of the attack.

**Historical Links to Evil Corp**

FakeUpdates is an initial access malware and attack framework in use since at least 2020 (but potentially earlier), that in the past has used drive-by downloads masquerading as software updates to propagate. It previously has been linked to activity by the suspected Russian cybercrime group Evil Corp, which has been formally sanctioned by the US government.

The operators typically host a malicious website that executes a drive-by download mechanism — such as JavaScript code injections or URL redirections — which in turn triggers the download of an archive file that contains malware.

Symantec researchers previously observed Evil Corp using the malware as part of an attack sequence to download WastedLocker, then a new ransomware strain, on target networks back in July 2020.

A surge of drive-by download attacks that used the framework followed toward the end of that year, with the attackers hosting malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate site.

More recently, researchers tied a threat campaign distributing FakeUpdates through existing infections of the Raspberry Robin USB-based worm, a move that signified a link between the Russian cybercriminal group and the worm, which acts as a loader for other malware.

**How to Approach the Supply Chain Threat**

The campaign discovered by Proofpoint is yet another example of attackers using the software supply chain to infect code that's shared across multiple platforms, to broaden the impact of malicious attack without having to work any harder.

Indeed, there already have been numerous examples of the ripple effect these attacks can have, with the now infamous SolarWinds and Log4J scenarios being among the most prominent.

The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year, with multiple attacks across various organizations. The latter saga unfolded in early December 2021, with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool. That spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Supply chain attacks have become so prevalent that security administrators are looking for guidance about how to prevent and mitigate them, which both the public and private sector have been happy to offer.

Following an executive order issued by President Biden last year directing government agencies to improve the security and integrity of the software supply chain, the National Institute for Standards and Technology (NIST) earlier this year updated its cybersecurity guidance for addressing software supply chain risk. The publication includes tailored sets of suggested security controls for various stakeholders, such as cybersecurity specialists, risk managers, systems engineers, and procurement officials.

Security professionals also have offered organizations advice on how to better secure the supply chain, recommending that they take a zero-trust approach to security, monitor third-party partners more than any other entity in an environment, and choose one supplier for software needs that offers frequent code updates.

Supply Chain Attack Pushes Out Malware to More than 250 Media Websites

With Microsoft’s announcement on Nov. 2 of its support for Azure AD Certificate-based authentication (CBA) for both iOS and Android devices, Yubico is excited to share that the YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile.

Yubico worked closely with Microsoft to ensure CBA on mobile became a reality.

Microsoft’s new support provides users with the same convenient smart card authentication method on mobile devices that they have on their desktops. CBA has been a staple of governments and high security environments for decades, long before the invention of FIDO U2F and FIDO2, mostly due to its reliability and effectiveness in physical environments. With Executive Order 14028 on Improving the Nation's Cybersecurity, the adoption of CBA and other phishing-resistant multi-factor authentication methods are mandated for civilian federal agencies in the US.

CBA is widely deployed across many industries, and remains a favorite amongst security experts. For some organizations, it is the logical choice from the available Azure offerings. With this announcement, customers can now use CBA on their mobile devices using native Azure AD CBA. When using native Azure AD CBA, organizations can reduce their existing infrastructure and move it into the cloud. Azure AD CBA capabilities can also be combined with Conditional Access policies so admins can enforce phishing-resistant sign-in methods.

CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt.

“Yubico has been a driving force in working with our teams to build this solution that allows Microsoft customers to securely log into their Microsoft accounts on their iPhone or Android mobile device. This is a big win for us, Yubico, and most importantly our federal government customers,” said Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS. The PIV credential must be set up independently from the Azure solution. Your existing YubiKey PIV/smart card issuance process does not need to change.

Also, with the new Conditional Access authentication strength policies, you can enforce CBA as the required sign-in mechanism.

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards.

**Learn more**

Microsoft's mobile certificate-based solution coupled with the YubiKey is a simple, convenient, FIPS certified phishing-resistant MFA methods for organizations, and we’re excited to share additional details and best practices during our upcoming webinar, _New solutions to prevent phishing with Azure AD and YubiKeys_ on November 3rd at 9 am PT, register here to attend.

Certificate-Based Authentication With YubiKeys for Microsoft, Third-Party, and Web Applications Now Available on iOS and Android

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

We can bridge that gap by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

Cybercrime seems to be in the headlines every day, as ransomware demands escalate and distributed denial-of-service (DDoS) attacks and other assaults paralyze and damage enterprises of all types and sizes. In 2021, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) received 847,376 reports of cyberattacks, up 7% from 2020, with a growing focus on critical infrastructure and the supply chain. The costs of cybercrime are astronomical, approaching $7 billion, according to FBI statistics.

Hoping to remediate, or preferably prevent, such attacks, companies work daily to bolster their cybersecurity measures. The federal Cybersecurity and Infrastructure Security Agency launched its Shields Up campaign this year to encourage proactive defenses against potential cyberattacks prompted by US sanctions placed on Russia. Insurance companies, meanwhile, are raising premiums and limiting coverage for organizations with inadequate cyber protection.

As willing as employers may be to comply, one of the biggest challenges is finding the staff to implement stronger defenses. In the US alone, there are currently more than 700,000 openings in cybersecurity, a 43% increase over last year, according to CyberSeek. Demand isn't confined to the tech industry; it's growing in sectors such as finance, as well. Employers are struggling to fill these critical posts now but can't find enough applicants, never mind being able to meet future demand.

**Misconceptions and Missed Potential**

One of the major reasons for the severe shortage is the common misconception that it's necessary to have a STEM or security-related degree to work in cybersecurity. This is not the case. Self-motivated individuals with some level of technical skill and problem-solving experience are great candidates. The challenge is to communicate the opportunity and actual requirements so we can begin tapping this potential pool of talent.

Obviously, some familiarity with technology is a must, as it would be difficult to bring in someone with no technical background at all. But that background does not need to be specific to cybersecurity, because many job skills are readily transferable. For example, IT system admins accustomed to patching systems and investigating suspicious or unusual events will find their experience useful in cybersecurity. When I was a systems admin, I was often in meetings with the security team. I learned about vulnerabilities, and it was my responsibility to patch them. That kind of experience is invaluable for anyone considering a cybersecurity career.

We need to search out people with the innate ability to recognize what's normal and investigate deviations from that norm. If they've been involved in troubleshooting, that's a plus. Even seemingly unrelated backgrounds can come in handy. For instance, self-taught techies who love to tinker and have figured out how to build their own systems and solve problems in the process could have a future in the cybersecurity field.

**Resources for the Resourceful**

Let's make it clear that a college degree, specifically in cybersecurity, isn't the only way into this field. There are many training resources available for potential candidates who want to improve their qualifications. Self-learners can take free or low-cost online courses in cybersecurity and networking. Completing this type of training will strengthen a candidate's resume and open up more opportunities.

CyberSeek is a terrific organization dedicated to closing the cybersecurity talent gap. It offers information and resources for students, job seekers, employers, educators, and more. Among its offerings is a list of cybersecurity training available at little or no cost.

(ISC)2 is an excellent resource for experienced IT professionals as well as those just starting out in the field. It offers a range of certifications for everyone from students and entry-level candidates without a technical background to those with years of experience who want to expand or update their knowledge. Its high-level certified information systems security professional (CISSP) certification takes commitment but is considered one of the best in the industry.

There are other less demanding options that might be a good starting point, including Pluralsight's boot camps for coding. Security BSides (often called just BSides) is a nonprofit organization that hosts conferences to share knowledge on information security and provide networking opportunities. TryHackMe bills itself as "a fun way" to learn about cybersecurity through interactive, real-world scenarios suitable for all skill levels. Additionally, Amazon, IBM, and Microsoft each have a variety of free courses that prepare candidates for a career in the field.

**Talk About Rewards**

There's ample reason to hope the public will respond to our compelling message. A CISSP earns $131,030 a year, according to (ISC)2. Yet there are benefits beyond a healthy salary and job availability — protecting against cyber threats can be fulfilling in so many more ways.

For example, those with a military or law enforcement background might find cybersecurity particularly rewarding because it gives them the chance to continue performing meaningful work that protects society at large.

It's clear we must do all we can to attract desperately needed talent into the security industry. We can do that by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

How to Narrow the Talent Gap in Cybersecurity

Red Hat Security Advisory 2022-7201-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.12. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.12 security update  
Advisory ID:       RHSA-2022:7201-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7201  
Issue date:        2022-11-02  
CVE Names:         CVE-2020-35525 CVE-2020-35527 CVE-2022-0494  
                   CVE-2022-1353 CVE-2022-2509 CVE-2022-2588  
                   CVE-2022-3515 CVE-2022-23816 CVE-2022-23825  
                   CVE-2022-26945 CVE-2022-29900 CVE-2022-29901  
                   CVE-2022-30321 CVE-2022-30322 CVE-2022-30323  
                   CVE-2022-32742 CVE-2022-37434 CVE-2022-40674  
                   CVE-2022-41974  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.12 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.12. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:7200

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* go-getter: command injection vulnerability (CVE-2022-26945)  
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)  
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)  
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.12-x86_64

The image digest is  
sha256:0ca14e0f692391970fc23f88188f2a21f35a5ba24fe2f3cb908fd79fa46458e6

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.12-s390x

The image digest is  
sha256:7b9b21e35286e67473a0c4c28c84e3d806eb30364682a6b072b79109c2d22c6b

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.12-ppc64le

The image digest is  
sha256:c61315b1257695b5f86d2782a70909227e004cd7cd30236c6f94a9e4ecf24ecb

(For aarch64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.11.12-aarch64

The image digest is  
sha256:c70dc68aef64280d3cba9a056af29438943b30c260a7156893e1bae5c6c5ce3f

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2042826 - [SNO] the replicas of ingresscontroller/default is 2 on new installed SNO private cluster  
2092839 - Downward API (annotations) is missing PCI information when using the tuning metaPlugin on SR-IOV Networks  
2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)  
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)  
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)  
2092928 - CVE-2022-26945 go-getter: command injection vulnerability  
2099800 - Bump to kubernetes 1.24.6  
2109487 - machine-controller is case sensitive which can lead to false/positive errors

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1099 - Missing  $SEARCH domain in /etc/resolve.conf for OCP v4.9.31 cluster  
OCPBUGS-1346 - OpenStack UPI scripts do not create server group for Computes  
OCPBUGS-1658 - Whereabouts should allow non default interfaces to Pod IP list [backport 4.11]  
OCPBUGS-1713 - Kuryr-Controller Restarting on KuryrPort with missing pod  
OCPBUGS-1955 - [4.11] Dual stack cluster fails on installation when multi-path routing entries exist  
OCPBUGS-1972 - [IPI on Baremetal] ipv6 support issue in metal3-httpd  
OCPBUGS-1984 - Install Helm chart form doesn't allow the user select a specific version  
OCPBUGS-2011 - [4.11] ironic clear_job_queue and reset_idrac pending issues  
OCPBUGS-2014 - CI: Backend unit tests fails because devfile registry was updated (mock response)  
OCPBUGS-2042 - [2102088] 4.11 CatalogSourcesUnhealthy error in subscription When upgrading ptp-operator  
OCPBUGS-2046 - Remove policy/v1beta1 in 4.11 and later  
OCPBUGS-2050 - [release-4.11] DNS operator does not reconcile the openshift-dns namespace  
OCPBUGS-2092 - Use floating tags in golang imagestream  
OCPBUGS-2112 - [release-4.11] Address e2e failures due to pod security  
OCPBUGS-2113 - [4.11] etcd and kube-apiserver pods get restarted due to failed liveness probes while deleting/re-creating pods on SNO  
OCPBUGS-2140 - member loses rights after some other user login in openid / group sync  
OCPBUGS-2293 - CVO skips reconciling the installed optional resources in the 4.11 to 4.12 upgrade  
OCPBUGS-2320 - [release-4.11] Remove namespace and name from gathered DVO metrics  
OCPBUGS-2451 - e2e tests: Installs Red Hat Integration - 3scale operator test is failing due to change of Operator name  
OCPBUGS-2528 - dns-default pod missing "target.workload.openshift.io/management:" annotation  
OCPBUGS-2606 - [release-4.11] go.mod should beworking with golang-1.17 and golang-1.18  
OCPBUGS-2616 - e2e-gcp-builds is permafailing  
OCPBUGS-2626 - Worker creation fails within provider networks (as primary and secondary)  
OCPBUGS-2640 - prometheus-k8s-0 ends in CrashLoopBackOff with evel=error err="opening storage failed: /prometheus/chunks_head/000002: invalid magic number 0" on SNO after hard reboot tests  
OCPBUGS-2658 - [4.11] VPA E2Es fail due to CSV name mismatch  
OCPBUGS-2766 - 'oc login' should be robust in the face of gather failures  
OCPBUGS-2780 - Import: Advanced option sentence is splited into two parts and headlines has no padding  
OCPBUGS-449 - KubeDaemonSetRolloutStuck alert using incorrect metric in 4.9 and 4.10  
OCPBUGS-526 - Prerelease report bug link should be updated to JIRA instead of Bugzilla  
OCPBUGS-668 - Prefer local dns does not work expectedly on OCPv4.11  
OCPBUGS-673 - crio occasionally fails to start during deployment  
OCPBUGS-689 - [2112237] [ Cluster storage Operator 4.x(10/11) ] DefaultStorageClassController report fake message "No default StorageClass for this platform" on Alicloud, IBM  
OCPBUGS-744 - [4.11] Spoke BMH stuck ?provisioning? after changing a BIOS attribute via the converged workflow  
OCPBUGS-947 - [4.11] Rebase openshift/etcd 4.11 onto 3.5.5  
OCPBUGS-955 - [2087981] PowerOnVM_Task is deprecated use PowerOnMultiVM_Task for DRS ClusterRecommendation

6. References:

https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2022-0494  
https://access.redhat.com/security/cve/CVE-2022-1353  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26945  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-30321  
https://access.redhat.com/security/cve/CVE-2022-30322  
https://access.redhat.com/security/cve/CVE-2022-30323  
https://access.redhat.com/security/cve/CVE-2022-32742  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2JozNzjgjWX9erEAQhHwxAAidAR052/ozo/ov6l13JeYEuIF/01JhB9  
P3L3rcLhNk76PR8A7gPu4UR/Ws5Jx3htFMMxWwtWGr13zpmI0KN3aFiJo5HMT07o  
Ug8TuPI66U4d5VVGhd9ihecdoYGPnRMlGVLLhIczRpnPHC960VaS9+6wUHs8Wu/S  
Du9QcuPRI8SD1sFsWZ2XPy0X6OJDkflDL1aDHQnaM6E3uajNR1lqBafZplToyPzz  
x5yB79lxz28E2/7qMFaarp9hvrel8mlXHZ3jh1K6yeLLJ/o/rxnbgyJNY2WEAnsM  
/ygqoZ+MAHAdkID38gc5vFzT75JDWfuouMrmhw6j58eb/SN4pLo1/iL9OQdKFuWs  
rQwJ4NsopoTnI1VV1awYIblPvYjK9/3MtL/denrMVgLONTvOLMSROuLtGNVeUSTZ  
VIxTV70wtT7Dn6rAfQYb35y9mfzDrQVoR01kRqlhPULUx0qPvaU+tVmXTwUShDCL  
/98LZUalebsbdwETs/vzEFMZDspBdrI0gEgbtWN1v3n2LrYaLuC+6+5THOB2zsgh  
c+vY5iR4rIh6bPRR8b79MkKWpibO2aJjuY/V/cthtVF5ZixYO4fXtmlFR010uzfV  
5Lcbt74wOOJGrcLtqtwjBLqPDzye2lkB92ukLGOKDIiJ/GyLy1trhJGjsC/xjrCx  
92G318cSZhU=qJeD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7201-01

Red Hat Security Advisory 2022-7280-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:7280-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7280  
Issue date:        2022-11-01  
CVE Names:         CVE-2022-2588 CVE-2022-21123 CVE-2022-21125  
                   CVE-2022-21166  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.2  
Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time TUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux Real Time for NFV TUS (v. 8.2) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* A use-after-free in cls_route filter implementation may lead to privilege  
escalation (CVE-2022-2588)

* Incomplete cleanup of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
(CVE-2022-21125)

* Incomplete cleanup in specific special register write operations (aka  
DRPW) (CVE-2022-21166)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Update RT source tree to the latest RHEL-8.2.z21 Batch (BZ#2100575)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090237 - CVE-2022-21123 hw: cpu: Incomplete cleanup of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: Incomplete cleanup in specific special register write operations (aka DRPW)  
2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux Real Time for NFV TUS (v. 8.2):

Source:  
kernel-rt-4.18.0-193.93.1.rt13.143.el8_2.src.rpm

x86_64:  
kernel-rt-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-core-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-core-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-devel-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-kvm-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-modules-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm

Red Hat Enterprise Linux Real Time TUS (v. 8.2):

Source:  
kernel-rt-4.18.0-193.93.1.rt13.143.el8_2.src.rpm

x86_64:  
kernel-rt-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-core-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-core-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-devel-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-modules-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-193.93.1.rt13.143.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2FrpdzjgjWX9erEAQiUKRAAn2+wAHJN7JCGJnyrxle0O5lJG082lRys  
YadFY+KfafjmmFf3OmF8RWH5H3hURYnD8dy3l+pg9tadu1DVDQcHw4F3sa14wqka  
ozHadtjnTpdPuioSRa0nS4W1lB+KxlD0X6jcGeCd7wie5RFl589nfMJJ/uJjNJSA  
2ngUYYACAj4KW+M2nAq54l3t1TSg25Obn/C3QUxWf+p2GSutzQozkOCVTyuHQFVM  
sbjmzmzm8OkvV8FCNJaq9nCzYA4atd53NVsZ0OtvWPD2a3OC4hIpQCxlbhOzC4/6  
gEjUPf7qBt6xYNwHyIZrWU7NklEKA/cBxeCnEjrSY2EkSVABboAKSGPyTZVsHB/A  
+AeTpYEsWPbR1Tq6GOuesszkvHqLWPQHw0l02mCc4u02oJpy46zjEfyXEXmcTIps  
AwX/+gU9SS12fQQivDOsy6YTEfsUscLHvdmFyQsSXiN6CzD0zcIQE1FKe+SSqU5O  
PQksp90Hd1QvzqIww6M/TQ/gfSpvfJNdEFKeEaLXxaTOIQ/ByAKb2CRohSipOy/9  
hy78V96iAy22BQNyC1MUfXUP0pf/s7/Dhr3ZYyPHjq2Nv6NjibXLf+kO3W1uOU3s  
tA9/fOQrHEIjbuzJkDaVGq8rIstx3W2lbxOvJ8ciL+1vQhfj/xT9Sh6KPbECcBEw  
9Ag402aFhko=+/FL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7280-01

Multiple vulnerabilities have been disclosed in Checkmk IT Infrastructure monitoring software that could be chained together by an unauthenticated, remote attacker to fully take over affected servers. 
"These vulnerabilities can be chained together by an unauthenticated, remote attacker to gain code execution on the server running Checkmk version 2.1.0p10 and lower," SonarSource researcher

Multiple vulnerabilities have been disclosed in Checkmk IT Infrastructure monitoring software that could be chained together by an unauthenticated, remote attacker to fully take over affected servers.

"These vulnerabilities can be chained together by an unauthenticated, remote attacker to gain code execution on the server running Checkmk version 2.1.0p10 and lower," SonarSource researcher Stefan Schiller said in a technical analysis.

Checkmk's open source edition of the monitoring tool is based on Nagios Core and offers integrations with NagVis for the visualization and generation of topological maps of infrastructures, servers, ports, and processes.

According to its Munich-based developer tribe29 GmbH, its Enterprise and Raw editions are used by over 2,000 customers, including Airbus, Adobe, NASA, Siemens, Vodafone, and others.

The four vulnerabilities, which consist of two Critical and two Medium severity bugs, are as follows -

*   A code injection flaw in watolib's auth.php (CVSS score: 9.1)
*   An arbitrary file read flaw in NagVis (CVSS score: 9.1)
*   A command injection flaw Checkmk's Livestatus wrapper and Python API (CVSS score: 6.8), and
*   A server-side request forgery (SSRF) flaw in the host registration API (CVSS score: 5.0)

While these shortcomings on their own have a limited impact, an adversary can chain the issues, starting with the SSRF flaw to access an endpoint only reachable from localhost, using it to bypass authentication and read a configuration file, ultimately gaining access to the Checkmk GUI.

"This access can further be turned into remote code execution by exploiting a Code Injection vulnerability in a Checkmk GUI subcomponent called watolib, which generates a file named auth.php required for the NagVis integration," Schiller explained.

Following responsible disclosure on August 22, 2022, the four vulnerabilities have been patched in Checkmk version 2.1.0p12 released on September 15, 2022.

The findings follow the discovery of multiple flaws in other monitoring solutions like Zabbix and Icinga since the start of the year, which could have been exploited to compromise the servers by running arbitrary code.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Multiple Vulnerabilities Reported in Checkmk IT Infrastructure Monitoring Software

An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API.

** PSIRT Advisories**

**FortiOS -- Read-Only users able to modify the Interface fields using the API**

**Summary**

An improper access control \[CWE-284\] vulnerability in FortiOS may allow a remote authenticated read-only user to modify the interface settings via the API.

**Affected Products**

FortiOS version 7.2.0  
FortiOS version 7.0.0 through 7.0.7

**Acknowledgement**

Fortinet is pleased to thank Alexis La Goutte for reporting this vulnerability under responsible disclosure

CVE-2022-38380: Fortiguard

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.

** PSIRT Advisories**

**AV Engine - evasion by manipulating MIME attachment**

**Summary**

An insufficient verification of data authenticity vulnerability \[CWE-345\] in FortiClient, FortiMail and FortiOS AV engines may allow   
an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.

**Affected Products**

FortiOS running AV engine version 6.2.168 and below.  
FortiOS running AV engine version 6.4.274 and below.  
FortiMail running AV engine version 6.2.168 and below.  
FortiMail running AV engine version 6.4.274 and below.  
FortiClient running AV engine version 6.2.168 and below.  
FortiClient running AV engine version 6.4.274 and below.

**Solutions**

Please upgrade AV engine to version 6.2.169 or above.  
Please upgrade AV engine to version 6.4.275 or above.  
Please upgrade to FortiMail version 7.2.0 or above  
Please upgrade to FortiMail version 7.0.3 or above  
Please upgrade to FortiMail version 6.4.7 or above  
Please upgrade to FortiOS version 7.0.8 or above.  
Please upgrade to FortiOS version 7.2.2 or above.

CVE-2022-26122: Fortiguard

An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] in FortiOS SSL-VPN versions 7.2.0, versions 7.0.0 through 7.0.6 and versions 6.4.0 through 6.4.9 may allow a remote unauthenticated attacker to gain information about LDAP and SAML settings configured in FortiOS.

** PSIRT Advisories**

**FortiOS -- Telnet on the SSL-VPN interface results in information leak**

**Summary**

An exposure of sensitive information to an unauthorized actor vulnerabiltiy \[CWE-200\] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to gain information about LDAP and SAML settings configured in FortiOS.

**Affected Products**

FortiOS version 7.2.0  
FortiOS version 7.0.0 through 7.0.6  
FortiOS version 6.4.0 through 6.4.9

**Solutions**

Please upgrade to FortiOS version 7.2.2 or above  
Please upgrade to FortiOS version 7.0.7 or above  
Please upgrade to FortiOS version 6.4.10 or above

**References**

*   Reboot FortiOS or kill the SSL-VPN process or disable DTLS settings \[if enabled\]

Tag

#ios