**In what scenarios can the security feature be bypassed?**

On machines with slow or older USB controller hardware, the Group policy might have (silently) failed to apply. On such machines, the attacker can trivially exploit this enforcement failure by attaching a USB storage device to the affected machine.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20211216**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20211216)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-22023: Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

It is possible to perform single-click account hijacking by abusing the OAuth process flow, a security researcher has found.

OAuth, also known as Open Authentication, is a framework for managing identities and securing online areas across third-party services. Rather than leverage an account username and password combination, for example, service providers can utilize OAuth to provide temporary and secure access tokens.

However, in some scenarios, attackers can abuse OAuth implementations to steal these tokens and perform one-click account hijacking.

**Dirty dancing**

On July 6, Frans Rosén, Security Advisor at Detectify, walked us through several potential attack vectors and how organizations can mitigate the risk of compromise.

Rosén describes these scenarios as “dirty dancing”. Attackers can abuse OAuth ‘dances’ – their authentication processes and how they manage communication between a browser and service provider – by combining response-type switching, invalid states, and redirect URI programming “quirks” to steal user information such as authorization codes or tokens.

**RECOMMENDED** Node.js fixes multiple bugs that could lead to RCE, HTTP request smuggling

Browser developers, including Google and Mozilla, have worked hard in recent years to destroy any potential pathways to cross-origin referer leaks and cross-site scripting (XSS) attacks.

However, as highlighted in MITRE’s latest 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, made public at the end of June, these attacks are still common and a threat to users worldwide.

**Abusing the sign-in flow**

The solutions implemented by browsers to reduce the risk of these attacks includes Content Security Policy (CSP) and Trusted Types, which allow the software to reject data values that could lead to DOM XSS and credential hijacking.

However, the researcher says that OAuth’s sign-in flow, used by companies including Slack, Facebook, and Twitter, can potentially be ‘broken’ for the same impact.

**RELATED** CWE Top 25: These are the most dangerous software weaknesses of 2022

It should be kept in mind these types of attacks aren’t easy to perform and, as Rosén says, involve a ‘grind’ involving an examination of source code and a knowledge of how OAuth’s dances work.

**Breaking the chain**

To steal tokens, an attacker must first break the chain between the system issuing tokens and a service provider consuming them.

This can be achieved by changing the state-value in use through a specially crafted link, sent to a potential victim as a sign-in page, but which uses the valid state of the attacker.

Once a victim has signed in and is redirected back to a website, the ‘dance’ is interrupted, as there is no valid state for the user. The user will then be shown an error message, and if the attacker is able to leak data and URLs from the error page, the researcher says that the threat actor “can now sign in with their own state and the code leaked from the victim”.

Read more of the latest hacking news

It can also be possible that response-type, response-mode switching, and redirect-uri path abuse could be used to intercept connections and cause unexpected behavior, although changing these pathways is difficult.

“In a proper OAuth-dance using code, in the last step to acquire the access token from the service provider, the must also be provided for validation to the service provider,” Rosén explains.

“If the that was used in the dance is mismatching the value that the website sends to the provider, no access token will be issued.”

**One-click hijack**

The researcher tested out different attack methods and achieved one-click hijacking. One exploit involving Apple OAuth sign-in was reported on May 12.

There are other quirks that attackers can also exploit to compromise OAuth and grab leaked URLs. These include performing an XSS attack on the third-party domain that receives URL data during authentication and abusing APIs intended for fetching URLs. Domains without sufficient origin checks, for example, may be at risk of exploitation.

“Due to the fact that each OAuth provider allows so many different response types and modes, it becomes quite tricky for a website to cover all different cases,” Rosén says.

To mitigate the risk of attack, the researcher recommends reviewing the OAuth 2.0 Security Best Current Practice guide, making sure that pages rendered for OAuth’s authorization response do not contain third-party resources or links, and users should also consider only allowing limited OAuth response-types and modes.

“You might not use any vulnerable third-party scripts today, but if anyone in your organization introduces anything new through Google Tag Manager or similar, or if the third-party scripts change, you can prevent any future potential token leakage,” Rosén commented.

**DEEP DIVES** Decentralized Identifiers: Everything you need to know about the next-gen web ID tech

‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking

Plus: A duplicitous bug bounty scheme, the iPhone's new “lockdown mode,” and more of the week's top security news.

As states grapple with the far-reaching implications of the United States Supreme Court's June decision to reverse the constitutional right to abortion, WIRED examined the privacy risks posed by widely deployed automated license plate readers as the risks of being prosecuted for seeking an abortion ramp up around the country. And researchers underscored the digital self-defense value of end-to-end encryption anywhere in the world, as civil rights protections and law enforcement powers evolve.

Apple announced a new protection this week known as “Lockdown Mode” for iOS 16 that will let users elect to run their phone in a more limited, but more secure mode if they are at risk of being targeted with invasive spyware. And researchers say that new encryption algorithms announced by the National Institute of Standards and Technology that are designed to be resistant to quantum computers will be difficult to test in any practical sense for years to come. 

We examined how users can protect themselves against the worst Instagram scams and took a look back at the worst hacks and data breaches of 2022 so far, with many more inevitably still to come.

But that's not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

In one of the most expansive and impactful breaches of personal data of all time, attackers grabbed data of almost 1 billion Chinese citizens from a Shanghai police database and attempted to extort the department for about $200,000. The trove of data contains names, phone numbers, government ID numbers, and police reports. Researchers found that the database itself was secure, but that a management dashboard was publicly accessible from the open internet, allowing anyone with basic technical skills to grab the information without needing a password. The scale of the breach is immense and it is the first of this size to hit the Chinese government, which is notorious for hoarding massive amounts of data, not only about its own citizens, but about people all over the world. China was memorably responsible for the United States Office of Personnel Management breach and Equifax credit bureau breach, among many others worldwide.

FBI director Christopher Wray and the chief of the UK's security agency MI5, Ken McCallum, issued a joint warning this week that China is, as Wray put it, the "biggest long-term threat to our economic and national security." The pair noted that China has conducted extensive espionage around the world and interfered in elections and other political proceedings. Wray noted that if China moves to seize Taiwan it would "represent one of the most horrific business disruptions the world has ever seen." McCallum said that since 2019, MI5 has more than doubled its focus on China and now conducts seven times as many Chinese Community Party-related investigations as it did in 2018. China Foreign Ministry spokesman Zhao Lijian described British officials as attempting to "hype up the China threat theory." He added that MI5 should "cast away imagined demons."

The bug bounty program HackerOne, which manages vulnerability submission and reward programs for companies, fired an employee this week for stealing vulnerability disclosures submitted through the platform and submitting them to affected companies to recover the reward for personal gain. HackerOne uncovered the scheme when one customer company flagged a vulnerability disclosure that was suspiciously similar to one it had received in June from a different researcher. The rogue employee, who was new to the company, had access to HackerOne's platform from April 4 until June 23 and made seven vulnerability disclosures using stolen research. “This is a clear violation of our values, our culture, our policies, and our employment contracts,” HackerOne wrote in an incident report. “We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”

The United States Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Treasury Department said in a joint alert this week that North Korean hackers have been targeting the healthcare and public health sectors with the little known Maui ransomware strain. They warned that paying such ransoms could violate US sanctions. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the alert warns. “In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”

Chinese Police Exposed 1B People's Data in Unprecedented Leak

By Deeba Ahmed
Apple has announced adding a new feature to iOS devices dubbed the Lockdown Mode. This feature aims to…
This is a post from HackRead.com Read the original post: Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying

Apple has announced adding a new feature to iOS devices dubbed the Lockdown Mode. This feature aims to protect Apple users from “highly targeted mercenary spyware,” revealed Apple’s official blog post on the announcement.

**What is Lockdown Mode?**

The newly introduced security capability will act as additional, specialized protection for the Apple device to prevent targeted cyberattacks or spying campaigns, particularly from state-sponsored spies/hackers.

Though a small fraction of users may be at the risk of targeted spying, it is still a welcome addition for iOS users. Users who may become targets of threat actors because of who they are or what they do, especially users targeted by the NSO Group or private hackers, would benefit the most from this feature. These include human rights activities, political nonconformists, protestors, journalists, etc.

The Lockdown Mode will automatically lock down all hijackable system functionalities so that even the most advanced hackers cannot compromise the device.

Apple’s head of security engineering and architecture, Ivan Krstić, called it a “groundbreaking capability” reflecting Apple’s “unwavering commitment to protecting users from even the rarest, most sophisticated attacks.”

**Lockdown Mode Capabilities**

According to Apple’s blog post, after Lockdown Mode is formally available on iOS devices, it will perform the following functions to protect the device.

*   Blocking/disabling link previews and attachments in messages.
*   Blocking wired connection with any computer, device, or accessory if the iPhone is locked.
*   Disabling just-in-time JavaScript compilation except if the user has excluded some website from blocking.
*   Blocking incoming service requests, invitations, and FaceTime calls from unknown users, allowing calls/requests from senders the device user has previously contacted.
*   Blocking configuration profiles installation and enrollment of the device in MDM (mobile device management).

**Lockdown Mode Official Launching**

The Lockdown Mode will be rolled out in late September 2022. It will be introduced on iOS 16, macOS Ventura, and iPadOS 16. Initially, it will be offered as a test version for researchers to help the company detect security flaws and bugs.

It is worth noting that Apple offered a $10 million reward to cybersecurity researchers working on improving Lockdown Mode defenses and a $2 million bug bounty to those who detect security flaws.

The introduction of Lockdown Mode highlights that not even the world’s most valuable company can protect its products from state-backed intrusion or commercial spyware. 

**More Apple Security News**

1.  Google hackers found malicious websites hacking iPhones
2.  Zero-Click exploit allowed attackers to hack any targeted iPhone
3.  15-year-old Unpatched Root Access Bug found in Apple’s macOS
4.  55 Apple vulnerabilities risked iCloud account takeover, data theft
5.  Apple Bug bounty: Earn big backs for hacking iPhone & other products

Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying

Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue.


**v2.2.7 Release Notes - July 1, 2022****Fixes**

**orderer - Handle malformed consensus request**

If a consensus client sends a malformed consensus request to an orderer it may crash the orderer node.  
This fix checks for the malformed consensus request and returns an error to the consensus client.

**Dependencies**

Fabric v2.2.7 has been tested with the following dependencies:

*   Go 1.18.2
*   CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

**Deprecations (existing)**

**FAB-15754: The 'Solo' consensus type is deprecated.**

The 'Solo' consensus type has always been marked non-production and should be in  
use only in test environments, however for compatibility it is still available,  
but may be removed entirely in a future release.

**FAB-16408: The 'Kafka' consensus type is deprecated.**

The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred  
production consensus type. There is a documented and tested migration path from  
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.  
For compatibility with existing deployments, Kafka is still supported,  
but may be removed entirely in a future release.  
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

**Fabric CouchDB image is deprecated**

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.  
If prior versions are utilized, a Warning will appear in peer log.  
Note that CouchDB 3.1.0 requires that an admin username and password be set,  
while this was optional in CouchDB v2.x. See the  
Fabric CouchDB documentation  
for configuration details.  
Also note that CouchDB 3.1.0 default max\_document\_size is reduced to 8MB. Set a higher value if needed in your environment.  
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.  
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

**FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.**

Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead.  
Configuring orderer endpoints at the organization level accommodates  
scenarios where orderers are run by different organizations. Using  
this configuration ensures that only the TLS CA certificates of that organization  
are used for orderer communications, in contrast to the global channel level endpoints which  
would cause an aggregation of all orderer TLS CA certificates across  
all orderer organizations to be used for orderer communications.

**FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.**

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had  
limitations (for instance, it only works the first time anchor peers are updated).  
Instead, anchor peer updates should be performed through the normal config update flow.

**FAB-15406: The fabric-tools docker image is deprecated**

The fabric-tools docker image will not be published in future Fabric releases.  
Instead of using the fabric-tools docker image, users should utilize the  
published Fabric binaries. The Fabric binaries can be used to make client calls  
to Fabric runtime components, regardless of where the Fabric components are running.

**FAB-15317: Block dissemination via gossip is deprecated**

Block dissemination via gossip is deprecated and may be removed in a future release.  
Fabric peers can be configured to receive blocks directly from an ordering service  
node by using the following configuration:

    peer.gossip.orgLeader: true
    peer.gossip.useLeaderElection: false
    peer.gossip.state.enabled: false
    peer.deliveryclient.blockGossipEnabled: false
    

**FAB-15061: Legacy chaincode lifecycle is deprecated**

The legacy chaincode lifecycle from v1.x is deprecated and will be removed  
in a future release. To prepare for the eventual removal, utilize the v2.x  
chaincode lifecycle instead, by enabling V2\_0 application capability on all  
channels, and redeploying all chaincodes using the v2.x lifecycle. The new  
chaincode lifecycle provides a more flexible and robust governance model  
for chaincodes. For more details see the  
documentation for enabling the new lifecycle.

**Changes:**

*   7f22e99 Release commit for v2.2.7 (#3504)
*   80bcc18 Check if inner consensus message is missing
*   e7dc57d Release commit for v2.2.6 (#3488)
*   862ab4d Add logging for identity, policy, and signature troubleshooting (release-2.2) (#3483) \[ #3006 \]
*   b7aaeb8 Fix gossip unit test flake (#3215)
*   2dc7d5c Bump Alpine to 3.16 (release-2.2) (#3473)
*   2d286f1 Fixed Found Typos
*   b24f2c0 Add -buildvcs=false for building binaries
*   dd3e96e Update 'Using Private Data in Fabric' tutorial (Backport #1875)
*   61561dd bump Go to 1.18.2 (release-2.2)

**See More**

*   b17d01a bump golang.org/x/crypto and golang.org/x/tools (release-2.2) (#3436)
*   21e522b bump go-dockerclient (release-2.2) (#3435) \[ #2338 \]
*   df783d6 Remove duplicated line
*   eabe68b Fix some errors in the tutorial
*   4f61890 Bump CouchDB to 3.2.2 (release-2.2)
*   8be2067 Fix mistake change 'curl' to 'git'
*   2deacba Fix doc to handle $PWD containing whitepaces
*   6a1071e Update README build badge link
*   fa43e61 Update links for Jira to GitHub issue transition in README
*   4b1bfbf Update boostrap.sh for test network
*   e728001 Update documentation to include Go SDK
*   449ef0a Fix link to security bug reporting process (#2160)
*   2f4eb7f Update "master" branch references to "main".
*   09393f6 Update chaincode language parameter name
*   ed67dbe Fix hyperlink
*   61d5840 Fix warning log printing
*   578a648 Properly handle concurrent building of chaincode packages
*   cfbb980 Documentation: Update network (Key Concepts) page
*   0d79dd2 certs mgmt guide (#3307)
*   0132f2a Additional TLS troubleshooting information (#3346)
*   4ab9059 Ignore channel double creation during replication. \[ #2931 \]
*   e2f05e6 Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3255)
*   68b6b90 Fix FAB-18528: remove panic in ifConfig func (#2828)
*   f7318ff Release commit for v2.2.5
*   c04cd7d Bump Go to 1.17.5 (release-2.2) (#3186)
*   4996e82 - Fix failure to generate all possible combinations (backport #3132) (#3150)
*   162f867 Add Information about AWS HSM
*   fcdc0b5 Backport setEvent information to 2.2 \[ #2958 \]
*   acf88a0 \[Backport\] #2936 to release-2.2 (#2953)
*   eddb470 Unit test flake when rpc server stream not closed (backport #2935) (#2942)
*   19a137b Fix broken links for international workgroups (#2920)
*   2088b5f Update docs for Jira to GitHub issue transition
*   263ca9e Release commit for v2.2.4 (#2901)
*   029e6ed Fixed a typo in private\_data\_tutorial
*   1eedcff Update Go to v1.16.7 and alpine to 3.14 (release-2.2)
*   851f838 Fix process termination waits in health tests (#2889)
*   e6a6a61 platform/golang: loosen assertion for Go 1.16.2 (release-2.2)
*   ba2a9f1 deps: bump testify (release-2.2) (#2886) \[ #2336 \]
*   50064c8 Update x509.CertPool equality checks (#2880)
*   f441ba2 Change name of test network docker network in 2.2
*   859c7d5 Clean up Go modules (release-2.2) (#2876)
*   07ac9f5 Stop spamming for wait channel acquirement in orderer integration test
*   b076bd7 Options for GRPC message size configurable
*   c91b546 Change name of comm msg size default consts
*   da9e1bd Refactor max message sizes in comm client config
*   fbf7b93 FAB18529 added nil check in channel header parsing
*   9a6b351 Additional documentation for implicit private data collections
*   8fd2ad8 \[FAB-18509\] Stop panic of collection index path is wrong (#2726) (#2744)
*   62c68d1 Updated enrollUser function in write\_first\_app Doc (#2713)
*   a0dcb5c Update docs to clarify that an implicit collection can not have an index
*   2f7fd17 Fixed grammatical errors
*   f36fe03 \[Doc-Update\] + What is a commercial paper section
*   8b1d355 Fix a typo in CouchDB tutorial
*   4c77749 Fix typo
*   f3f170f Fix peerchaincode.md as well
*   30a0931 Add explanation of --ctor JSON string
*   b926247 Clarify orderers seeing the transaction data
*   f4feedb Cherry pick deploy CC fixes into release-2.2
*   68bc522 Clarify "identity expired" error messages (#2685) (#2688)
*   3a69034 Fix spelling mistakes in the Github Contributions page
*   ccecf10 \[FAB-18484\] Return transaction forwarding result back to the client synchronously
*   7e61944 \[FAB-18487\] Update broken link in 2.2 branch
*   186d9bf Typo fix in peer deployment guide in main (#2660)
*   31e41ce Update private\_data\_tutorial.rst
*   4cb453e Fix jq commands in create channel tutorial (#2662)
*   8851da3 Back port 2023 - skip empty ledge and 2635 - RetrieveBlockByNumber (#2648) \[ #2023, #2635 \]
*   cc50451 Clarify doc for readset validations (#2647) (#2655)
*   3548215 Update secured\_private\_asset\_transfer\_tutorial.md
*   56b3689 \[FAB-18479\] Log error if orderer can't forward SubmitRequest to Raft leader
*   dd7e921 fix duplicate entry in code snippet
*   7871c26 Optionally disable gossip block forwarding (#2606)
*   bce75cf Update docs/source/upgrade\_to\_newest\_version.md
*   678523b Govendor added to documentation
*   26b45ca Deploy a chaincode to new channel command issue
*   3f2158a Improve error message for invalid consenter cert (#2587)
*   94ace65 v2.2.3 release commit
*   d272122 Cherry pick removing duplicate word (#2523)
*   222fbc8 Add Security Model topic to docs
*   8116872 Fix link in international_languages.md
*   496c5f5 integration: PKCS#11 SKI to CKA\_ID mapping test
*   d2d031e pkcs11: Add SKI to CKA\_ID mapping for BCCSP \[ #11 \]
*   7214be7 Prevent race that occurs after test timeout
*   6adcbce integration: backport chaincode\_server\_test
*   8843223 Back-fill tests for externalbuilder.Duration
*   796f760 This commit upgrades goleveldb. This upgraded version includes a fix for \[ #2463 \]
*   fae13c3 Report correct reason of stream abort in orderer cluster
*   2b2e154 Log stream total lifetime
*   100a7e7 corrected organization labels
*   6320aed corrected Org1 text in Org2 box to Org2
*   8d0645b Update build to use Go 1.15
*   6cb530b Change string cast of int value to rune cast
*   d539244 Directives are in comment text instead of groups
*   a1b4d2d Implement legacy name constraints verification
*   4321503 Add test to assert on name constraint behavior
*   880914c Re-encode ECDSA CRL signature during MSP setup
*   8883d71 Add test to exercise signature validation change
*   cb3c87b deps: bump github.com/pkg/errors
*   f635afd Adjust etcdraft error assertions for go 1.15
*   5f19a00 Replace test cert fixtures with generated certs
*   aa7ad4f Set SKI, support multi hosts, add Signer to CA
*   684e255 Fix typos in a "Developing Applications" doc
*   358cba7 Update AZP Service Connection Name
*   913d2ab Prepare for next release v2.2.3 (#2347)
*   eb2b1ea Add peer log message for failure to invoke chaincode (#2339)
*   0583c22 Add test newtork download instructions to create a channel tutorial
*   bebb75f v2.2.2 release commit
*   a80c772 Add release notes for v2.2.2 (#2232)
*   1de0825 Fix the issue of Nil/Zero-length-byte-array value (#2310)
*   e5ecdef Remove system channel from Test Network tutorial
*   c25eb86 \[FAB-15648\] document update: Non-TLS orderer with etcdraft usage (#1678)
*   a861c00 cherry pick test network doc chaincode deployment fix
*   10c7839 Remove unreachable and unnecessary code in gossip membership (#2295)
*   6805515 Orderer deployment tutorial update
*   fba5d90 \[doc\] fix broken link
*   48bad48 \[FAB-18170\] Endorsement policy page discusses NodeSDK
*   ee8fcfc \[FAB-18392\] Clarify scope and limitations of test network
*   90326b8 \[FAB-18252\] Documentation should reference Java chaincode support
*   813be7f Remove anchor peers from configtx.yaml tutorial (#2257)
*   11526cf Cherry pick org3 edits to release-2.2 branch (#2256)
*   5953056 Split command in "add an org to network" tutorial
*   91d9621 Add more details to logging specification examples
*   7b1dbf1 Update image filter used by integration tests
*   2a8d96c Remove Short Names and Replace With Full Path in Fabric
*   b2a5aec Check correct error
*   73b39dc \[FAB-18378\] Log warning when peer is lagging behind and cannot catch up
*   d5d9965 \[FAB-17039\] Skip retrieving pvtdata from transient store when txid is missing (#2183) (#2201)
*   3496dfc \[FAB-17954\] Document CouchDB JSON determinism (#2187)
*   26cbec6 \[FAB-18323\] CherryPick: remove ephemeral from BCCSP SW options (#1553)
*   db9a56f Fixes Hardened to Hardware
*   a381654 remove repeated the
*   bbaa5b8 update private-data sample instruction for Asset owner string
*   82b4566 Remove reference to first-network
*   0a1fc23 \[FAB-17727\] Log warning if system channel has no consortium members (#2149)
*   935a5c2 Deploy production ordering service doc
*   c928359 Add release note for RSA CA changes
*   50ca5d4 Add integration test for MSPs with RSA CA certs
*   b3646e5 Restore RSA support for x509 public key import
*   4026413 Add check for invalid key before hitting couchdb (#2133) (#2135)
*   b8a095f Add persistent volume note to peer deploy guide
*   bf2ebb6 \[FAB-18298\] Default cluster cert and key (#2119)
*   cae9a63 Update Go to 1.14.12
*   b247ed4 Revert "Allow BCCSP config to be set using env var (#1900)"
*   d1b4524 Update Jira instructions in contributing guide
*   d1730da Cherry pick \[FAB-18290\] Add channel name to pvtdata reconciler log msgs (#2091)
*   99c2d12 Deduplicate orderer server TLS root CAs
*   1e15b64 Log TLS handshake duration
*   9c5b283 FAB-18244 single node catches up with snapshot (#1964) (#2021)
*   09234c0 Remove common name from private data doc
*   5a37306 Fixed TLS certs validation for consenters (release-2.2) (#2005) \[ #1888 \]
*   6f3ad12 \[FAB-18270\] Disable debug of CouchDB response body
*   4d40d65 Peer deployment guide
*   70c41c1 Update help text in test net tutorial
*   8930c8c Fix Node OU error message
*   ab7104a Update release docs
*   4a63642 Cherry pick private data tutorial rebase
*   e36ca29 Add Troubleshooting topic to Test Network for Docker Desktop setting
*   e05c443 Allow tick interval override via orderer.yaml
*   32cb396 Fix chaincode lifecycle tutorial invoke
*   ceb23df Always Finalize the PKCS11 FindObject Operation
*   2d59f18 Corrected to capitalized function names.
*   6a370f7 Fix table width issue
*   f2e9e6e Allow BCCSP config to be set using env var (#1900)
*   6bd0699 Exercise a full end-to-end flow with PKCS11 (#1717)
*   0b3b95f removed unused variable
*   bf0b300 \[FAB-17129\] Configure peer and orderer to use PKCS#11 as BCCSP in integration test
*   8407bc8 Prepare for next release v2.2.2
*   74ac27c Add two and three digit publishing
*   344fda6 Release commit for v2.2.1
*   bebb5d8 Cherry pick secured asset transfer tutorial to 2.2
*   ba9eaff \[FAB-18041\] Add Node.js to CC as external service
*   107a867 Remove No Longer Relevant Release Note
*   99a01b2 Update release notes with FAB-18250
*   7b7ad6b Fix missing word
*   f9f3caf Add change in documentation to explain how to add collaborators in translation
*   61c05b8 \[FAB-18250\] Check Error Before Returning Session to Pool (#1937)
*   765bb73 Remove escc and vscc from list of system chaincodes
*   9906643 Update v2.2.1 release notes with latest fixes
*   c5cf627 Fix empty address in peer CLI ClientWait log
*   75046cf Remove GetSessionInfo Call
*   2e4527b Bug Fix: Saving big payloads by cache CouchDB (#1909)
*   fe684f8 Fix flakey raft/cft integration test
*   e2fa653 Add release notes for v2.2.1
*   6b1ac6f \[FAB-18237\] always update stateInfo message upon chaincode update
*   f32cb81 Bugfix in collection config history mgr (#1904)
*   3ee47a7 fix function name typo in store private data command
*   ffcbf25 Clarify tlsHandshakeTimeShift CLI help text (#1894)
*   673c364 Correct the explanation for signcerts in Membership section
*   68d13ed Update write\_first\_app.rst
*   dc8660b Regenerate peer CLI docs
*   6c9abf9 Peer CLI communicate with orderers with expired TLS certs (#1863)
*   6f76408 Bump fabric-config dep to 0.0.7
*   c5c1105 address review comments (#1890) (#1893)
*   a5a6acd pass unreconciled missing pvtdata to pvtdata store (backport to release-2.2) (#1886)
*   ee2bc1b pass unreconciled missing data info to ledger from reconciler (#1797)
*   bc00758 construct unreconciled missing pvtdata (#1699)
*   e500de9 deprioritize unreconcilable missingPvtData (#1721)
*   10cb4ea mv oldpvtdata commit to separate file
*   7eaead1 refactor pvtdatastore
*   659fe39 Adding notes for the usage of script during samples install
*   2d895c4 \[FAB-18208\] Do not sign gossip message if membership is empty
*   42da963 Convert Azure Pipeline To Stages (#1874)
*   6a02559 Fix data race in gossip/discovery test
*   7dcd9fd Minor doc fix to clear Sphinx local build error
*   09764d8 fix missing err check in the block commit path (#1543)
*   cc6dc99 minor cleanup of pvtdatastore
*   20f0697 reset leveldb batch after the commit
*   bebe131 Use directly leveldb batch (#1507)
*   99332da \[FAB-18194\] Fix service discovery for legacy installed chaincodes
*   0bd0ab2 Update RTD Placeholder
*   ef2632e \[FAB-18191\] Remove contents of leveldb dir instead of the dir itself when dropping dbs (#1828)
*   8dae484 \[FAB-18120\] Adding DevMode integration test for new lifecycle.
*   9da753a \[FAB-18169\] Add DevMode support in ChaincodeEndorsementInfoSource
*   8bbedb8 Revert "\[FAB-18183\] Bump sphinx in requirements.txt to v1.8.5"
*   bf8f6fc \[FAB-18188\] Log orderer and peer cert expiration date upon startup (#1804)
*   0e52fff \[FAB-18171\] Disregard certificate validity period in intra-orderer communication
*   445b997 \[FAB-18183\] Bump sphinx in requirements.txt to v1.8.5
*   2fc575c Cache bccsp keys generated from getECKey
*   7b8de81 Add object handle cache to PKCS#11 bccsp provider
*   bf2f3fc Make ecPoint a method on impl
*   2a22160 Make findKeyPairFromSKI a method on impl
*   86a5c64 Replace loadLib with initialize method
*   8a63732 Merge pkcs11/impl.go and pkcs11/pkcs11.go
*   f47ac7d Drain session pool before creating new sessions
*   4fd232e Add instructions for how to use @Mergifyio backport command
*   2d522b5 Update Add an Org to a Channel tutorial
*   2813aba Updates to CouchDB doc tutorial
*   4919fa7 Updated Using CouchDB to use asset transfer ledger queries smart contract
*   64c7600 Update Channel Update (Adding an Org) tutorial
*   7d6bb0f Update docs to replace fabcar references with basic asset transfer
*   1450e3c Add links for Go and Java sample applications
*   b8b7af7 Refactor tutorial to 'Writing Your First Chaincode'
*   14ad1d7 \[FAB-18109\] Update peer chaincode invoke
*   e042657 Fix code snippet display (#1759)
*   9783edb Write Your First App tutorial updates (#1757)
*   9563518 Update "Deploying a smart contract" tutorial. (#1756)
*   417bcd4 Update "Using the Fabric Test network" tutorial (#1755)
*   0b598c4 Update Write Your First Application Tutorial (#1754)
*   c4e310d Remove Use of Manifest Tool
*   5f16da8 Update RTD to Target Correct GH Release Branch
*   6491f6a Fix and improve discovery TLS authentication comments in document

This list of changes was auto generated.

CVE-2022-31121: Release v2.2.7 · hyperledger/fabric

Latest feature will protect against targeted attacks

Jessica Haworth 07 July 2022 at 15:30 UTC

Latest feature will protect against targeted attacks

  

Apple has launched a security bug bounty for its new Lockdown Mode feature, which aims to give users heightened protection against spyware attacks.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

The feature is designed to thwart against targeted attacks from the growing number of private companies developing mercenary spyware for nation-states around the world.

Announcing the news last night (July 6), Apple said it will be available to users this fall.

**Bug bounty offerings**

Apple also revealed it has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.

Bounties are doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million — one of the highest maximum bug bounty payouts in the industry.

Some of the optional protections on offer through Lockdown Mode include blocking attachments other than images and disabling link previews in messages.

It’s also possible to disable web technologies such as just-in-time (JIT) JavaScript compilation for untrusted websites, along with blocking communication requests, including FaceTime calls, if the user has not previously sent the initiator a call or request.

Read more of the latest news about spyware

Wired connections with a computer or accessory are also blocked when iPhone is locked, configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM) while Lockdown Mode is turned on.

“Lockdown Mode is a groundbreaking capability that reflects our unwavering commitment to protecting users from even the rarest, most sophisticated attacks,” said Ivan Krstić, Apple’s head of security engineering and architecture.

“While the vast majority of users will never be the victims of highly targeted cyber-attacks, we will work tirelessly to protect the small number of users who are. That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks.”

YOU MAY ALSO LIKE ‘Does anybody like CAPTCHAs?’ – Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

Lockdown Mode: Apple offers $2m bug bounty for vulnerabilities in new anti-spyware tech

Apple has announced a new feature called Lockdown Mode, designed to provide a safer environment on iOS for people at high risk of what Apple refers to as "mercenary spyware."
The post Apple Lockdown Mode helps protect users from spyware appeared first on Malwarebytes Labs.

Apple has announced a new feature of iOS 16 called Lockdown Mode. This new feature is designed to provide a safer environment on iOS for people at high risk of what Apple refers to as “mercenary spyware.” This includes people like journalists and human rights advocates, who are often targeted by oppressive regimes using malware like NSO Groups’ Pegasus spyware.

NSO is an Israeli software firm known for developing the Pegasus spyware. Pegasus has been in the spotlight frequently in recent years, and although NSO claims to limit who is allowed to have access to its spyware, each new finding shows it is used by authoritarian nations bent on monitoring and controlling critics. In one of the more infamous cases, and a classic example of how Pegasus has been used, journalist Jamal Khashoggi’s murder has been traced to the use of Pegasus by the United Arab Emirates.

**How is this possible? iPhones don’t get viruses!**

Contrary to popular belief, it is, in fact, possible for an iPhone to become infected with malware. However, this usually involves a fair bit of effort, usually the use of one or more vulnerabilities in iOS, the operating system for the iPhone. Such vulnerabilities have been known to sell for prices in the million dollar range, which puts such malware out of the reach of common criminals.

However, companies like NSO can purchase – or pay expert iOS reverse engineers to find – these vulnerabilities and incorporate them into a deployment system for their malware. They then sell access to this malware to make money.

Deploying the malware typically happens via something like a malicious text message, phone call, website, etc. For example, NSO has been known to use one-click vulnerabilities in Apple’s Messages app to infect a phone if a user taps a link. It’s also used more powerful zero-click vulnerabilities, capable of infecting a phone just by sending it a text. Because of this, Apple made changes in iOS 14 to harden Messages.

Messages is not the only possible avenue of attack, however, and it’s impossible to build a wall for the “walled garden” that doesn’t have some holes in it. Every bug is a potential avenue of attack, and all software has bugs. Thus, Apple has taken things to a new level by providing Lockdown Mode to high-risk individuals.

**What is Lockdown Mode?**

Lockdown Mode puts the iPhone into a state where it is more difficult to attack. This is done by limiting what is allowed in certain aspects of usage of the phone, to block potential avenues of attack. The improvements, per Apple’s press release, include:

*   Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
*   Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
*   Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
*   Wired connections with a computer or accessory are blocked when iPhone is locked.
*   Configuration profiles cannot be installed, and the device cannot enrol into mobile device management (MDM), while Lockdown Mode is turned on.

Source: Apple

Although Apple refers to Lockdown Mode as “an extreme, optional protection,” the limitations don’t actually sound particularly difficult to live with. Most users probably won’t turn this on, but these restrictions sound like something that the average user could adapt to fairly easily.

**Backing it up with big bucks**

To further bolster the security of Lockdown Mode, Apple is offering an unprecedented $2 million bug bounty to anyone who can find a qualifying vulnerability that can be exploited while an iPhone is in Lockdown Mode. Vulnerability hunters everywhere will be pounding on Lockdown Mode, looking for a bug that will score them the big payout. However, this bounty will also help to ensure that the vulnerability gets disclosed to Apple rather than being sold to a company like NSO. It’s easy to do the right thing when it also earns you $2 million!

**Should I use Lockdown Mode?**

If you’re a journalist and you cover topics that may put a target on your back, absolutely! If you’re a defender of human rights and a critic of countries that trample on those rights, don’t think twice.

Average people, though, will have little chance of ever encountering “mercenary spyware.” However, the extra security definitely wouldn’t hurt, and it looks like it won’t cost you a lot in terms of lost functionality.

Apple Lockdown Mode helps protect users from spyware

Four high, six medium, and one low severity issue fixed

Four high, six medium, and one low severity issue fixed

Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products.

The California-headquartered cybersecurity giant, which accounts for more than a third of all firewall and unified threat management shipments worldwide, released a huge number of firmware and software updates on Tuesday (July 5).

A quartet of high severity flaws includes multiple relative path traversal bugs in the management interface of FortiDeceptor, which spins up virtual machines that serve as honeypots for network intruders (CVE-2022-30302).

RECOMMENDED High severity OpenSSL bug could lead to remote code execution

Abuse of these “may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests”, according to the corresponding Fortinet advisory.

Similarly, attackers could achieve privilege escalation in Windows versions of endpoint protection and VPN product FortiClient via path traversal in the named pipe responsible for the FortiESNAC service (CVE-2021-41031).

The FortiNAC network access control solution, meanwhile, suffered from an “empty password in configuration file vulnerability” through which an authenticated attacker could access the MySQL databases via the command line interface (CLI) (CVE-2022-26117).

**Additional bugs**

The other high severity issue, which applies to security event analysis appliance FortiAnalyzer, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, “may allow a privileged attacker to execute arbitrary code or command via crafted CLI ‘execute restore image’ and ‘execute certificate remote’ operations with the TFTP protocol” (CVE-2021-43072).

Medium severity issues in the patch batch include SQL injection vulnerabilities in the FortiADC application delivery controller (CVE-2022-26120) and an OS command injection vulnerability in CLI in FortiAnalyzer and FortiManager (CVE-2022-27483).

Catch up with the latest enterprise security news

Meanwhile, cross-site scripting (XSS) issues in the FortiEDR endpoint security solution (CVE-2022-29057); a privilege escalation bug in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands affecting FortiOS and FortiProxy (CVE-2021-44170).

The sixth and final medium severity issue is an integer overflow in dhcpd daemon impacting FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system, (CVE-2021-42755).

Last and least, in threat terms, is a low severity XSS vulnerability affecting FortiOS (CVE-2022-23438).

YOU MIGHT ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Fortinet patch batch remedies multiple path traversal vulnerabilities

Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks.
The issues, tracked as CVE-2022-20812 and CVE-2022-20813, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite

Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks.

The issues, tracked as **CVE-2022-20812 and CVE-2022-20813**, affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device," the company said in an advisory.

CVE-2022-20812 (CVSS score: 9.0), which concerns a case of arbitrary file overwrite in the cluster database API, requires the authenticated, remote attacker to have Administrator read-write privileges on the application so as to be able to mount path traversal attacks as a root user.

"This vulnerability is due to insufficient input validation of user-supplied command arguments," the company said. "An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

Successful exploitation of the flaw could enable the adversary to overwrite arbitrary files on the underlying operating system.

CVE-2022-20813 (CVSS score: 7.4), on the other hand, has been described as a null byte poisoning flaw arising due to improper certificate validation, which could be weaponized by an attacker to stage a man-in-the-middle (MitM) attack and gain unauthorized access to sensitive data.

Also patched by Cisco is a high-severity flaw in its Smart Software Manager On-Prem (CVE-2022-20808, CVSS score: 7.7) that could be abused by an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

**Fortinet issues fixes for several products**

In a related development, Fortinet addressed multiple high-severity vulnerabilities affecting FortiAnalyzer, FortiClient, FortiDeceptor, and FortiNAC -

*   **CVE-2021-43072** (CVSS score: 7.4) - Stack-based buffer overflow via crafted CLI execute command in FortiAnalyzer, FortiManager, FortiOS and FortiProxy
*   **CVE-2021-41031** (CVSS score: 7.8) - Privilege Escalation via directory traversal attack in FortiClient for Windows
*   **CVE-2022-30302** (CVSS score: 7.9) - Multiple path traversal vulnerabilities in FortiDeceptor management interface, and
*   **CVE-2022-26117** (CVSS score: 8.0) - Unprotected MySQL root account in FortiNAC

Should the flaws be successfully exploited, it may allow an authenticated attacker to execute arbitrary code, retrieve and delete files, and access MySQL databases, or even permit a local unprivileged actor to escalate to SYSTEM permissions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios