Red Hat Security Advisory 2022-4691-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a spoofing vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:4691-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4691  
Issue date:        2022-05-18  
CVE Names:         CVE-2018-25032 CVE-2021-3634 CVE-2021-3737  
                   CVE-2021-4189 CVE-2021-41617 CVE-2022-24904  
                   CVE-2022-24905 CVE-2022-29165  
====================================================================  
1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3 in  
openshift-gitops-argocd container.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: ArgoCD will blindly trust JWT claims if anonymous access is  
enabled (CVE-2022-29165)

* argocd: Symlink following allows leaking out-of-bound manifests and JSON  
files from Argo CD repo-server (CVE-2022-24904)

* argocd: Login screen allows message spoofing if SSO is enabled  
(CVE-2022-24905)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2081686 - CVE-2022-29165 argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled  
2081689 - CVE-2022-24905 argocd: Login screen allows message spoofing if SSO is enabled  
2081691 - CVE-2022-24904 argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-3737  
https://access.redhat.com/security/cve/CVE-2021-4189  
https://access.redhat.com/security/cve/CVE-2021-41617  
https://access.redhat.com/security/cve/CVE-2022-24904  
https://access.redhat.com/security/cve/CVE-2022-24905  
https://access.redhat.com/security/cve/CVE-2022-29165  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYoW2xtzjgjWX9erEAQg+Dw//Sz7EYdBs7gg3YPbXIEYK189PeBAgGVHm  
x2r4lCqZyWthN/nXDjEaOi6WQLP9SjOQm4QGp28/JTkkaHdXFNrIaNUUfweW+HvM  
3hTPs6cdheB9/Vt+57Az+z5Jw2xUotyA23tLVPW/Gi7gWP54wPZG8KpdE8aVhA1w  
EWpNH27WbzPDxI02a2d1upU7UeclGJvNofWTGiSwPO6DbSULbVin/owgjwMbDJVH  
CVI8oxrL7S0WVFHfsTqWh9yRgtMqaBYlFS5L3cTH6b+05zb9Zi6+8fox+a/QQbDt  
oNcii89Jiosi/yt387cUmeAK3sgK7HcHhpY9D/eGJU7OjWaz2xpkOpBOC6a3enpB  
OWhOCknLKVL73LSFAnG2GuFpGdiTjYYq3Vk7Wot3k7qeDeVSQqgTcJKFGZAhSCjb  
PjKnHPftVB1+sK9QRQh1GwN/V74Y3tjTJYEs/ulRnG5n4lwyvy94QUa+rDBEVhnN  
q07pIy8or0j5WLVKo3SGp55ayowuy/opvzEEReDf4gWMdtCL6wIJ/J08ckna3HsK  
H1EJJe361ytg2APxp0BJIE65o4Siyp26QBHX9ySGdRjUbRC/PW+bKr/VXDxSbURX  
xGi19UMLT183Gq4lYfo1CgAFpJ3iMTQkKERVy9FAi5rm/XYGJgvz1ypAqxvUYMRW  
LpTZZZKm6P4=qP77  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4691-01

Researchers have found there's a theoretical possibility that malware could run, even when an iPhone is off.
The post How iPhones can run malware even when they’re off appeared first on Malwarebytes Labs.

Most people think that turning off their iPhone – or letting the battery die – means that the phone is, well, _off_. The thing is, this isn’t quite true. In reality, most of the phone’s functionality has ended, but there are components that mindlessly continue a zombie-like existence, for the most part unbeknownst to the user.

Even when the battery dies in your iPhone, it’s not truly dead. The phone will shut itself down to conserve the last little bits of power, and will enter a low power mode that is very different from the Low Power Mode that is offered when the battery drops to 20%, and that is found in the battery settings. These last trickles of power are used to keep certain limited functionality active for some time. The same is true of turning the phone off, except that this functionality can stay active much longer with a battery closer to full.

What is this functionality? Most notably, Express Cards – payment cards used with public transit systems – can continue to work in such a state. So can things like digital home or car keys, which seems logical. After all, you don’t want to get locked out just because your iPhone battery died!

More surprising is that the iPhone’s Find My capabilities continue to function. This means that the phone’s location can still be tracked, in a manner similar to how AirTags work, even after it has been turned off.

**Is this a problem or not a problem?**

Much ado has been made in the past of the use of things like Express Cards, which can be used without authentication. Someone could potentially jostle you in a public place and scan your phone with a fake public transit payment terminal, thus skimming money off the card you have set as an Express Card. That’s 100% possible, but not really all that likely.

Not to mention that there’s a simpler scenario. Someone could pull the same trick with a normal payment terminal, rather than one pretending to be a public transit terminal, and the tap-to-pay cards in your wallet. That’s a much simpler scenario with a much higher probability of success.

Similarly, digital keys could be used to access your car or your home, if someone stole your phone. Of course, that’s assuming they could figure out where your car or your home are from a locked phone, which is a pretty big “if” unless the thief had some prior knowledge.

In this regard, your phone doesn’t really pose much more of a risk than other things you’d have on your person. Of course, this is highly dependent on circumstances. For example, stealing a phone left on a table while the owner’s not paying attention would be a lot easier than stealing a wallet and keys from someone’s pocket. On the other hand, if a thief snatches someone’s purse or backpack, they may get phone, keys, and wallet, and the phone could easily be the least useful of the three.

Find My, on the other hand, is a bigger problem.

**What’s the problem with Find My?**

The major use cases for Find My are for you to find a lost device, or for someone you’ve shared your location with to find you. So what’s the problem? I mean, these are situations where you fully intend for your phone to be trackable, right? Unfortunately, there are scenarios that are not so beneficial.

Consider stalking or abuse scenarios where the stalker knows your Apple ID credentials, or has been given – through stealth or bullying – the ability to see your location. This is often the case with intimate partner abuse, for example. If you are in such an abusive situation, you may be under the false impression that turning your phone off will temporarily stop the tracking. Alas, that is not the case, and this could be a painful lesson to learn… both literally and figuratively.

However, there’s a possibility of still worse problems, like malware.

**Wait… what?! Did you say malware?**

Indeed. German researchers recently found that the Bluetooth firmware, responsible for managing the Bluetooth Low Energy (BLE) communication upon which Find My relies, is not cryptographically signed. Since the firmware is not signed, that means that modifications to the firmware cannot be detected without comparing the firmware to a known-good copy of the firmware.

Since BLE communication continues when the phone is off, the researchers found that there is a theoretical possibility that malware on the device could modify the Bluetooth firmware, thus installing malicious code that could continue to run even when the phone appears to be off. The most likely use case for such malware would be to use the BLE tracking capabilities to monitor the phone’s location.

Now, before you go chucking your phone in the garbage or smashing it with a hammer, let’s keep in mind that this is all theoretical at the moment. Compromising the firmware would require a jailbreak, which is not an easy thing to accomplish remotely. Physical access lowers the difficulty level, but it’s still not likely that this technique could be used by most adversaries.

**How can I protect myself?**

If you’re in a situation where an abuser is monitoring your location, you should be aware that turning off your phone will not stop the tracking. For those in such situations, we advise seeking help, as disabling the tracking could have bad consequences. If you need to not be tracked for a while, leave your phone in a location where it’s reasonable to expect you might spend some time.

When it comes to malware, there’s not much to worry about at present. There’s no known malware using BLE firmware compromise to remain persistent when the phone is “off.” Further, unless you are likely to be targeted by a nation-state adversary – for example, if you are a human rights advocate or journalist critical of an oppressive regime – you’re not likely to ever run into this kind of problem. (If that ever changes, you can be sure we’ll cover that here!)

If you actually are a potential target for a nation-state adversary, don’t trust that your phone is ever truly off. In such a case, a Faraday bag, or a low-tech flip phone, might be a good investment!

How iPhones can run malware even when they’re off

A joint multi-national cybersecurity advisory has revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organisation networks.
The post 10 ways attackers gain access to networks appeared first on Malwarebytes Labs.

A joint multi-national cybersecurity advisory has revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organisation networks, as well as the techniques they use to gain access.

The advisory cites five techniques used to gain leverage:

1.  **Public facing applications**. Anything internet-facing can be a threat if not properly patched and updated. Whether a glitch, bug, or design, a poorly secured website or database can be the launchpad for an exploit.
2.  **External remote services**. Theft of valid accounts is often combined with remote corporate services like VPNs or other access mechanisms. This allows attackers to infiltrate and persist on a network.
3.  **Phishing**. A mainstay of business-centric attacks, everything from spear phishing to CEO fraud and Business Email Compromise (BEC) lies in wait for unwary admins.
4.  **Trusted relationships**. Attackers will map out relationships between organisations. Third-party trusted access from one organisation to the target will itself become a target, used to gain access to otherwise unreachable internal networks.
5.  **Valid accounts**. These may be obtained by phishing, social engineering, insider threats, or carelessly handed data.

There’s some degree of overlap between most of these techniques, with some following on naturally from another. The advisory lists ten different areas for concern, which you can see below. If you recognise some as potential weak points, or your organisation has no policy on the issues raised, it may be time to take this bull by the horns.

**10 ways attackers gain access to networks****1\. Multifactor authentication (MFA) is not enforced**

MFA is especially useful when bad actors have such a heavy focus on techniques like phishing, trusted relationships, and valid accounts. Any of these approaches could have serious long-term impacts on an affected organisation. It’s not just how they get in, but what they get up to afterwards.

A company struck down with ransomware and data exfiltration may have experienced several stages of attack to reach this point. Imagine if all of them had never taken place because the initial point of entry, a phished password, had been protected with MFA. An absolutely invaluable tool for all users, and especially for administrators or people with elevated privileges.

**2\. Incorrectly applied privileges or permissions and errors within access control lists**

Users should only be able to access resources necessary for any given purpose. Someone accidentally granted admin level controls on a corporate website may cause chaos if their account is compromised, or they leave the business and nobody revokes access. On a similar note, Access Control Lists (ACLs) used to filter network traffic and/or grant certain users file access can go bad quickly if users are granted the wrong access permissions.

**3\. Software is not up to date**

Asset and patch management will help keep operating systems and other key software up to date. Vulnerability scans are valuable for assessing which software is unsupported, in an end-of-life state, or another category which means continuous updating may be difficult. Outdated software ripe for attack via exploits is one of the most common bad practices leading to network compromise.

**4\. Use of vendor-supplied default configurations or default usernames and passwords**

Off the shelf hardware using default setups are a no go for business. There’s a very good chance default username/passwords are easily available online, on everything from access dumps to generic questions on help sites. Not changing defaults on both hardware and software is going to be one of the number one ways an organisation is breached without knowing about it.

Depending on where you live, default passwords may be a major point of concern not just in a business sense but in a very legal one too. Default configurations are now running the risk of bans and fines.

**5\. Remote services—such as a virtual private network (VPN)—lack sufficient controls to prevent unauthorized access**

Additional security and privacy tools require care to be taken with regard setup and configuration. A poorly-designed workplace VPN may be easily accessed by an attacker, and could also help mask exploration and exploitation of the network. MFA is useful here, as is monitoring connection times for abnormal use patterns such as suddenly connecting to the VPN outside of work time.

**6\. Strong password policies are not implemented**

Insufficient and weak passwords are a key way to gain a foothold on the network. Poor Remote Desktop Protocol (RDP) setups are hit particularly hard by bad password practices. It’s a common way ransomware attacks begin life on a corporate network.

Password guessing tools will keep trying until they guess a weak password and enable entry into the target organisation. One way to combat this is limit the amount of login attempts via RDP before locking the user out.

**7\. Cloud services are unprotected**

Unprotected cloud services are a permanent feature of security breach stories. Default passwords, and in some cases no passwords, allows for easy access to both corporate and client data. Aside from the actual harm of people’s data left lying around, the reputational damage for those responsible can be immense. It’s much better to not end up in this scenario in the first place.

**8\. Open ports and misconfigured services are exposed to the Internet**

Criminals use scanning tools to discover open ports and leverage them as attack vectors. Compromising a host in this way can give rise to the possibility of multiple attacks after gaining initial access. RDP, NetBios, and Telnet are all potentially high-risk for an insecure network.

**9\. Failure to detect or block phishing attempts**

Malicious macros in Word documents or Excel files are a key feature of business-centric phishing attacks. They may be a little closer to being ushered through the exit, thanks to recent permission changes in Office products which makes it harder to run them.

Even without the threat of bogus attachments, phishing is still a huge problem for administrators. No scanning of mails coming into the network, or checking message content from internal senders for signs of compromised accounts, will add to this issue. This internal threat is another area where MFA will help greatly. A policy for swift disabling and deletion of accounts for departed employees should also be considered.

**10\. Poor endpoint detection and response**

Cybercriminals frequently make it as hard as possible to identify the attacks they use. Malware is packed in certain ways to avoid detection and identification. Malicious scripts uploaded to websites are obfuscated so it’s difficult to figure out exactly what they’re doing.

Is your website playing host to a card skimmer or SEO poisoning and spam redirection? Without the right tools and analysis, it may take much longer to figure out and your business will suffer for the duration.

**Best practices to protect your systems**

The advisory includes a helpful list of ways to combat some of these issues:

*   **Control access**: Rigorously policing who can access what, when, and how is important. Allow local logins only for administrators, barring them from RDP unless absolutely necessary. Consider dedicated admin workstations if feasible. Everyone should only have access to what is required to do their job effectively, with a proper business flow required to authorise requested additional permissions. If employees change roles or leave the organisation, revoke their access immediately.
*   **Harden Credentials**: MFA across all areas of the organisation is again key here. Consider physical hardware tokens for those with access to business critical services. If MFA is not available for certain employees, make use of other security techniques to minimise unauthorised logins. A rigorous password policy combined with checking devices used, time of day, location data, and user history can help piece together a picture of what could reasonably be described as a legitimate employee.
*   **Establish centralized log management:** Log generation and retention are essential tools for many aspects of security. Data from intrusion detection tools help shape a picture of potentially malicious activity, where it comes from, which time of day, and so on. Determine which logs you require. Do you need a full picture of cloud activity? Is system logging important? Are you able to capture activity on the network? Decide on a retention period. Too short a timeframe and you may have to refer back to logs which no longer exist. Too long, and there may be privacy issues around what what you’ve captured and retained. Safe storage is also important, as you don’t want attackers tampering with the data you’ve collected.
*   **Use antivirus solutions**: Workstations require security solutions capable of dealing with exploits that require no user interaction and attacks reliant on social engineering. Desktop hijacks, malvertising, and bogus attachments are just some of the threats to consider. Routine monitoring of scan results will assist with figuring out weak spots in your security perimeter.
*   **Employ detection tools**: An Intrusion Detection System (IDS) helps sniff out malicious network activity and protects from dubious activity. Penetration testing can expose misconfigurations with services listed above such as cloud, VPNs, and more. Cloud service provider tools will aid in pinpointing overshared storage and irregular or abnormal access.

Stay safe out there!

10 ways attackers gain access to networks

A new research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such is submitted and without prior consent.
The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to

A new research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such is submitted and without prior consent.

The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission in the European Union, a number that jumped to 2,950 when the same set of websites are visited from the U.S.

"Emails (or their hashes) were sent to 174 distinct domains (eTLD+1) in the U.S. crawl, and 157 distinct domains in the EU crawl," the researchers said. Furthermore, 52 websites were determined to be collecting passwords in the same manner, an issue that has since been addressed following responsible disclosure.

LiveRamp, Taboola, Adobe, Verizon, Yandex, Meta, TikTok, Salesforce, Listrak, and Oracle are some of the top third-party trackers that have been spotted logging email addresses, while Yandex, Mixpanel, and LogRocket lead the list in the password-grabbing category.

Email addresses pose a number of advantages. Not only are they unique, enabling third-parties to track users across devices, it can also be employed to match their online and offline activities, say, in scenarios where they make an in-store purchase that requires them to share their email address or sign up for a loyalty card.

The idea behind harvesting email addresses entered in online forms, even in cases where the users do not submit any form, has also been fueled by ongoing attempts by browser vendors to drop support for third-party cookies, forcing marketers to look for alternative static identifiers to track users.

This is not the first time such a concern has been raised. In June 2017, Gizmodo discovered that a third party called NaviStone was collecting personal information from mortgage calculator forms prior to their submission, with very few websites explicitly disclosing this practice in their privacy policy.

Fast forward five years later, not much has changed, the researchers said, what with websites related to fashion/beauty, online shopping, and general news emerging as the top categories with the most "leaky forms."

"Despite filling email fields on hundreds of websites categorized as pornography, we have not a single email leak," the findings show, noting how it lines up with previous studies that have shown that adult websites have relatively fewer third-party trackers when compared to general sites with comparable popularity.

What's more, such a practice may be in violation of at least three different General Data Protection Regulation (GDPR) requirements in the E.U., contravening principles of transparency, purpose limitation, and user consent.

"Users should assume that the personal information they enter into web forms may be collected by trackers—even if the form is never submitted," the researchers concluded, calling on a further investigation from browser vendors, privacy tool developers, and data protection agencies.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Web Trackers Caught Intercepting Online Forms Even Before Users Hit Submit

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

@@ -468,7 +468,7 @@ a),DRAWIO\_GITLAB\_URL=a);a=urlParams\["gitlab-id"\];null!=a&&(DRAWIO\_GITLAB\_ID=a);w if("1"==urlParams.offline||"1"==urlParams.demo||"1"==urlParams.stealth||"1"==urlParams.local||"1"==urlParams.lockdown)urlParams.picker="0",urlParams.gapi="0",urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0"; "se.diagrams.net"==window.location.hostname&&(urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0",urlParams.plugins="0",urlParams.mode="google",urlParams.lockdown="1",window.DRAWIO\_GOOGLE\_APP\_ID=window.DRAWIO\_GOOGLE\_APP\_ID||"184079235871",window.DRAWIO\_GOOGLE\_CLIENT\_ID=window.DRAWIO\_GOOGLE\_CLIENT\_ID||"184079235871-pjf5nn0lff27lk8qf0770gmffiv9gt61.apps.googleusercontent.com");"trello"==urlParams.mode&&(urlParams.tr="1"); "embed.diagrams.net"==window.location.hostname&&(urlParams.embed="1");(null==window.location.hash||1>=window.location.hash.length)&&null!=urlParams.open&&(window.location.hash=urlParams.open);window.urlParams=window.urlParams||{};window.MAX\_REQUEST\_SIZE=window.MAX\_REQUEST\_SIZE||10485760;window.MAX\_AREA=window.MAX\_AREA||225E6;window.EXPORT\_URL=window.EXPORT\_URL||"/export";window.SAVE\_URL=window.SAVE\_URL||"/save";window.OPEN\_URL=window.OPEN\_URL||"/open";window.RESOURCES\_PATH=window.RESOURCES\_PATH||"resources";window.RESOURCE\_BASE=window.RESOURCE\_BASE||window.RESOURCES\_PATH+"/grapheditor";window.STENCIL\_PATH=window.STENCIL\_PATH||"stencils";window.IMAGE\_PATH=window.IMAGE\_PATH||"images"; window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.6",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.7",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), IS\_OP:null!=navigator.userAgent&&(0<=navigator.userAgent.indexOf("Opera/")||0<=navigator.userAgent.indexOf("OPR/")),IS\_OT:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Presto/")&&0>navigator.userAgent.indexOf("Presto/2.4.")&&0>navigator.userAgent.indexOf("Presto/2.3.")&&0>navigator.userAgent.indexOf("Presto/2.2.")&&0>navigator.userAgent.indexOf("Presto/2.1.")&&0>navigator.userAgent.indexOf("Presto/2.0.")&&0>navigator.userAgent.indexOf("Presto/1."),IS\_SF:/Apple Computer, Inc/.test(navigator.vendor), IS\_ANDROID:0<=navigator.appVersion.indexOf("Android"),IS\_IOS:/iP(hone|od|ad)/.test(navigator.platform)||navigator.userAgent.match(/Mac/)&&navigator.maxTouchPoints&&2<navigator.maxTouchPoints,IS\_WEBVIEW:/((iPhone|iPod|iPad).\*AppleWebKit(?!.\*Version)|; wv)/i.test(navigator.userAgent),IS\_GC:/Google Inc/.test(navigator.vendor),IS\_CHROMEAPP:null!=window.chrome&&null!=chrome.app&&null!=chrome.app.runtime,IS\_FF:"undefined"!==typeof InstallTrigger,IS\_MT:0<=navigator.userAgent.indexOf("Firefox/")&&0>navigator.userAgent.indexOf("Firefox/1.")&& 0>navigator.userAgent.indexOf("Firefox/2.")||0<=navigator.userAgent.indexOf("Iceweasel/")&&0>navigator.userAgent.indexOf("Iceweasel/1.")&&0>navigator.userAgent.indexOf("Iceweasel/2.")||0<=navigator.userAgent.indexOf("SeaMonkey/")&&0>navigator.userAgent.indexOf("SeaMonkey/1.")||0<=navigator.userAgent.indexOf("Iceape/")&&0>navigator.userAgent.indexOf("Iceape/1."),IS\_SVG:"MICROSOFT INTERNET EXPLORER"!=navigator.appName.toUpperCase(),NO\_FO:!document.createElementNS||"\[object SVGForeignObjectElement\]"!== @@ -11694,7 +11694,7 @@ D.appendChild(R);Q.appendChild(D);this.container=Q};var W=ChangePageSetup.protot this.format);null!=this.mathEnabled&&(this.page.viewState.mathEnabled=this.mathEnabled);null!=this.shadowVisible&&(this.page.viewState.shadowVisible=this.shadowVisible)}}else W.apply(this,arguments),null!=this.mathEnabled&&this.mathEnabled!=this.ui.isMathEnabled()&&(this.ui.setMathEnabled(this.mathEnabled),this.mathEnabled=!this.mathEnabled),null!=this.shadowVisible&&this.shadowVisible!=this.ui.editor.graph.shadowVisible&&(this.ui.editor.graph.setShadowVisible(this.shadowVisible),this.shadowVisible= !this.shadowVisible)};Editor.prototype.useCanvasForExport=!1;try{var U=document.createElement("canvas"),X=new Image;X.onload=function(){try{U.getContext("2d").drawImage(X,0,0);var u=U.toDataURL("image/png");Editor.prototype.useCanvasForExport=null!=u&&6<u.length}catch(D){}};X.src="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1px" height="1px" version="1.1"><foreignObject pointer-events="all" width="1" height="1"><div xmlns="http://www.w3.org/1999/xhtml"></div></foreignObject></svg>')))}catch(u){}})(); (function(){var b=new mxObjectCodec(new ChangePageSetup,\["ui","previousColor","previousImage","previousFormat"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};b.afterDecode=function(e,f,c){c.previousColor=c.color;c.previousImage=c.image;c.previousFormat=c.format;null!=c.foldingEnabled&&(c.foldingEnabled=!c.foldingEnabled);null!=c.mathEnabled&&(c.mathEnabled=!c.mathEnabled);null!=c.shadowVisible&&(c.shadowVisible=!c.shadowVisible);return c};mxCodecRegistry.register(b)})(); (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.6";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.7";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= null;EditorUi.ignoredAnonymizedChars="\\n\\t\`~!@#$%^&\*()\_+{}|:\\"<>?-=\[\];'./,\\n\\t";EditorUi.templateFile=TEMPLATE\_PATH+"/index.xml";EditorUi.cacheUrl=window.REALTIME\_URL;null==EditorUi.cacheUrl&&"undefined"!==typeof DrawioFile&&(DrawioFile.SYNC="none");Editor.cacheTimeout=1E4;EditorUi.enablePlantUml=EditorUi.enableLogging;EditorUi.isElectronApp=null!=window&&null!=window.process&&null!=window.process.versions&&null!=window.process.versions.electron;EditorUi.nativeFileSupport=!mxClient.IS\_OP&&!EditorUi.isElectronApp&& "1"!=urlParams.extAuth&&"showSaveFilePicker"in window&&"showOpenFilePicker"in window;EditorUi.enableDrafts=!mxClient.IS\_CHROMEAPP&&isLocalStorage&&"0"!=urlParams.drafts;EditorUi.scratchpadHelpLink="https://www.diagrams.net/doc/faq/scratchpad";EditorUi.enableHtmlEditOption=!0;EditorUi.defaultMermaidConfig={theme:"neutral",arrowMarkerAbsolute:!1,flowchart:{htmlLabels:!1},sequence:{diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35, mirrorActors:!0,bottomMarginAdj:1,useMaxWidth:!0,rightAngles:!1,showSequenceNumbers:!1},gantt:{titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,leftPadding:75,gridLineStartPadding:35,fontSize:11,fontFamily:'"Open-Sans", "sans-serif"',numberSectionStyles:4,axisFormat:"%Y-%m-%d"}};EditorUi.logError=function(d,g,k,l,p,q,x){q=null!=q?q:0<=d.indexOf("NetworkError")||0<=d.indexOf("SecurityError")||0<=d.indexOf("NS\_ERROR\_FAILURE")||0<=d.indexOf("out of memory")?"CONFIG":"SEVERE";if(EditorUi.enableLogging&&

CVE-2022-1767: 18.0.7 release · jgraph/drawio@c63f3a0

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

CVE-2022-30976: gpac/gpac.1 at 105d67985ff3c3f4b98a98f312e3d84ae77a4463 · gpac/gpac

If you're an Apple user, make sure you patch for CVE-2022-22675, a zero-day flaw actively exported in the wild.
The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPad 15.4.1. The flaw for these was patched in March.

This latest batch of updates has improved bounds checking for additional Apple products running specific operating systems, particularly macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These OSs are installed in Apple Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However,if you’re using any or all of the above Apple products we mentioned, it is still wise to apply updates as soon as you can.

Stay safe!

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high overview of some of the ways an attack can work.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

They added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

The findings have limited real-world value, since infections required first jailbreaking an iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries.

It may also be possible to infect the chips in the event hackers discover security flaws that are susceptible to over-the-air exploits similar to this one that worked against Android devices.

Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And, of course, firmware infections are extremely difficult to detect since it requires significant expertise and expensive equipment.

The researchers said Apple engineers reviewed their paper before it was published, but company representatives never provided any feedback on its contents. Apple representatives didn’t respond to an email seeking comment for this story.

Ultimately, Find My and other features enabled by LPM help provide added security, because they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But the research exposes a double-edged sword that, until now, has gone largely unnoticed.

“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”

_This story originally appeared on_ _Ars Technica__._

Tag

#ios