Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

**\[FIXED\] Authenticated RCE vulnerability - ManageEngine ADManager Plus**

**Vulnerability details**

**Severity**

Medium

**CVE ID**

CVE-2022-42904

**Affected software versions**

Build 7151 and older

**Fixed version**

Build 7160

**Fixed on**

September 26, 2022

**Details**

ADManager Plus builds 7151 and older were reported to have an authenticated remote code execution vulnerability. This has been fixed in the build 7160; its release notes can be found here.

**Impact**

An authenticated user can remotely execute codes on the machine where ADManager Plus is installed.

**Steps to update**

Update your ADManager Plus instance to its latest build by installing the service pack.

**Acknowledgement**

This issue was reported by George Koumettou via the Zoho Bug Bounty Program.

**Request Support**

Need further assistance? Fill this form, and we'll contact you rightaway.

Select a language to translate the contents of this web page:

CVE-2022-42904: Mitigate authenticated RCE vulnerability in ADManager Plus

A secure-by-design culture is needed to develop a comprehensive offboarding and identity management strategy that limits potential for broader compromise in case of unauthorized access.

Increased turnover is putting a strain on existing offboarding processes — especially manual ones — for departing employees and contractors. Recent high-profile layoffs at major tech companies have put the spotlight on this issue.

Meanwhile, efforts to limit access to sensitive company information are growing more complex as data access points multiply.

The rise of distributed workforces, cloud computing, work from home, and shadow IT suggest a comprehensive offboarding policy is required, aided by automation.

A recent survey from Oomnitza found, however, that nearly half of IT leaders have doubts about their company's onboarding and offboarding automation capabilities.

The study found a third of enterprises lose more than 10% of their technology assets when offboarding workers, and more than four in 10 (42%) said they experienced unauthorized access to SaaS applications and cloud resources.

**Deploying ETM to Fortify Endpoints and Applications**

Ramin Ettehad, co-founder of Oomnitza, explains that enterprise technology management (ETM) solutions, with built-in integrations, rich analytics, and simplified workflows, allow organizations to define and continuously improve onboarding and offboarding processes.

"They can fortify onboarding user experience by ensuring the right endpoints, accessories, applications, and cloud resources are available at the start so that the new hire can be productive on day one," he says.

These solutions can also enable secure offboarding by ensuring endpoints and their data are secured, software licenses are reclaimed, and access to systems, SaaS, and cloud resources are deprovisioned.

Furthermore, departing workers' email, applications, and workplaces can be reassigned automatically to ensure business continuity.

"All of this is done with true process automation across teams and systems, and is not driven by tickets and requests, which rely on manual workloads and are prone to delays and errors," Ettehad adds.

Cyberhaven CEO Howard Ting explains that most organizations today have a single sign-on product that can turn off an employee's access to all apps with one click and device software that can lock and remotely wipe a laptop.

"While many companies today turn off access as soon as, or even before, they notify employees they're being let go, people can sense what's coming and they preemptively collect customer lists, design files, and source code in anticipation of losing access," he adds.

When an employee voluntarily quits, companies have even fewer tools to prevent data exfiltration because the employee knows they're going to depart before their employer.

While many organizations more closely monitor employees from when they give notice to quit until their last day, a Cyberhaven survey found employees are 83% more likely to take sensitive data in the two weeks before they give notice when they're under less scrutiny.

**Coordinating Offboarding Programs**

Ting says the best employee offboarding programs are coordinated across HR, IT, IT security, and physical security teams working together to protect company data and assets.

The HR team finalizes departures and notifies employees, IT ensures access to apps and company laptops is shut off in a timely manner, the physical security team disables access to company facilities, and the IT security team monitors for unusual behavior.

"These teams perform specific tasks in sequence the day an employee or group of employees is let go," he says.

Ting adds he's also seeing more companies monitor for employees putting company data on personal devices or applications. When offboarding, they make the employee's severance agreement contingent on returning or destroying that company data.

Ettehad adds managing and enabling a remote workforce today requires executives to break down silos and automate key technology business processes.

"They must connect their key systems and orchestrate rules, policies, and workflows across the technology and employee lifecycle with conditional rule-based automation of all tasks across teams and systems," he says.

**The Need for 'Controlled Urgency'**

Tom McAndrew, CEO at Coalfire, calls for "controlled urgency" to tackle the secure offboarding challenge.

"When we look at identity management more broadly, it can often be a complex problem, spanning many applications, internal, external, SaaS, on-prem, and so on," he says. "The identity strategy is the central point. The fewer sources of identity and access control there are to manage, the more automation can support these operations at scale."

He argues that when HR and information security are not operating as a team, it's easy to see platforms spinning to solve point solutions rather than looking at the "what-if" scenarios.

"Every system that is not integrated with a core identity platform becomes one more manual task or another tool that needs to be invested in to solve a problem that could have been avoided with sensible planning," he says.

McAndrew adds that a rogue employee with authorized access to critical, sensitive information is a significant threat.

"When you look at the potential risk from a disgruntled staff member, combined with an HR team struggling to manage a substantial scale of departures, it's easy for mistakes to be made and for frustrated or disaffected staff to take matters into their own hands," he says.

He warns that this can also trigger legal complications, often requiring further professional forensic support, making a poor business decision even more costly.

**Unauthorized Access to SaaS, Cloud Apps a Major Challenge**

Corey O'Connor, director of products at DoControl, a provider of automated SaaS security, points out that unauthorized access to SaaS applications and cloud resources is an identity security problem for both human and machine identities.

"However, preventative controls and detective mechanisms could help mitigate the risk of unauthorized access," he explains.

This means having full visibility and a complete inventory (i.e., users, assets, applications, groups, and domains) will enable security and IT teams to put in place the appropriate preventative controls.

"From there, implementing detective mechanisms that identify high-risk or anomalous activity" is the next step, he says.

Application-to-application connectivity, including machine identity, needs to be secure as well; otherwise the organization increases the risk of supply chain based attacks.

"Machine identities can be over privileged, unsanctioned, and not within the security team's visibility," he says. "When they become compromised, they can provide unauthorized access to sensitive data within the application that it's connected to."

That means both human user and machine identities need preventative controls and detective mechanisms to reduce risk.

**Detecting Exfiltration, Managing Applications**

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, says that post-pandemic, many organizations increased their utilization of various cloud and SaaS platforms.

"Because different departments use different applications, and some individuals integrate with interim solutions, IT departments found themselves drowning in the white noise of XaaS, with no standard way of managing it," he says.

While IT admins generally lock down the corporate email account during offboarding, ex-employees may still have access to unknown services that contain sensitive data.

"Putting the idea of an insider threat aside, if one of those unknown services is hacked and needs the password changed, no one may know to take action," he warns.

McCarthy says network defenders need to determine where sensitive data is stored and develop ways to detect exfiltration.

"Deploying an egress filtering solution limits how a threat can exfiltrate data, while also providing the needed visibility to verify it has not occurred," he says. "The impact of stolen data varies from industry to industry, but most data breaches result in monetary fines and loss of customer confidence."

He adds that if IT security teams are bogged down with managing all the SaaS applications an organization uses, having too many of their own tools is also a burden.

"Deploying scalable, multi-cloud management tools that consolidate visibility and policy enforcement reduces their operational overhead," McCarthy says.

Secure Offboarding in the Spotlight as Tech Layoffs Mount

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for November 11 to 18

The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta.
"The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday.
Aside from being dropped

The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta.

"The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday.

Aside from being dropped alongside other malware families, LodaRAT has also been observed being delivered through a previously unknown variant of another commodity trojan called Venom RAT, which has been codenamed S500.

An AutoIT-based malware, LodaRAT (aka Nymeria) is attributed to a group called Kasablanca and is capable of harvesting sensitive information from compromised machines.

In February 2021, an Android version of the malware sprang forth as a way for the threat actors to expand their attack surface. Then in September 2022, Zscaler ThreatLabz uncovered a new delivery mechanism that involved the use of an information stealer dubbed Prynt Stealer.

The latest findings from Cisco Talos documents the altered variants of LodaRAT that have been detected in the wild with updated functionality, chiefly enabling it to proliferate to every attached removable storage device and detect running antivirus processes.

The revamped implementation is also considered ineffective in that it searches for an explicit list of 30 different process names associated with different cybersecurity vendors, meaning a solution that's not included in the search criteria will not be detected.

Also included in this list are discontinued security software such as Prevx, ByteHero, and Norman Virus Control, suggesting that this may be an attempt on the part of the threat actor to flag systems or virtual machines running older versions of Windows.

An analysis of the captured artifacts further reveals the removal of non-functional code and the use of string obfuscation using a more efficient method.

The bundling of LodaRAT alongside Neshta and RedLine Stealer has also been something of a puzzle, although it's being suspected that "LodaRAT is preferred by the attacker for performing a particular function."

"Over the course of LodaRAT's lifetime, the implant has gone through numerous changes and continues to evolve," the researchers said. "While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities

Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things,… Read More »

Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “**Zeppelin**” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.”

Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — **Lance James**. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed.

This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code.

“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James said.

But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B’s referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists.

In a blog post published today to coincide with a Black Hat Dubai talk on their discoveries, James and co-author **Joel Lathrop** said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofit and charity organizations.

“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the two wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t \[REDACTED\] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an \*\*\*hole.”

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.

“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the \[public key\] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”

Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant **Digital Ocean** that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.

A typical Zeppelin ransomware note.

Jon is another grateful Zeppelin ransomware victim who was aided by Unit 221B’s decryption efforts. Like Peter, Jon asked that his last name and that of his employer be omitted from the story, but he’s in charge of IT for a mid-sized managed service provider that got hit with Zeppelin in July 2020.

The attackers that savaged Jon’s company managed to phish credentials and a multi-factor authentication token for some tools the company used to support customers, and in short order they’d seized control over the servers and backups for a healthcare provider customer.

Jon said his company was reluctant to pay a ransom in part because it wasn’t clear from the hackers’ demands whether the ransom amount they demanded would provide a key to unlock all systems, and that it would do so safely.

“They want you to unlock your data with their software, but you can’t trust that,” Jon said. “You want to use your own software or someone else who’s trusted to do it.”

In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”

The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The FBI and CISA say the Zeppelin actors gain access to victim networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups, the alert notes.

Jon said he felt so lucky after connecting with James and hearing about their decryption work, that he toyed with the idea of buying a lottery ticket that day.

“This just doesn’t usually happen,” Jon said. “It’s 100 percent like winning the lottery.”

By the time Jon’s company got around to decrypting their data, they were forced by regulators to prove that no patient data had been exfiltrated from their systems. All told, it took his employer two months to fully recover from the attack.

“I definitely feel like I was ill-prepared for this attack,” Jon said. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”

A more technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is available here.

Researchers Quietly Cracked Zeppelin Ransomware Keys

By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages

A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file.

**Describe the bug**  
A bad macho file which can lead LIEF::MachO::Parser::parse() to a heap-buffer-overflow(read) issue.  
Poc here :  
poc1.zip

**To Reproduce**

1.  Build the whole project with **ASAN**
2.  Drive program (compile it with **ASAN** too):

// read\_mecho.c
#include <LIEF/LIEF.hpp\>

int main(int argc, char\*\* argv){
	
	if(argc != 2) return 0;

	try {
	    std::unique\_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv\[1\]);
	} catch (const LIEF::exception& err) {
	    std::cerr << err.what() << std::endl;
	}

	return 0;
}

3.  Run Poc:

$ ./read\_macho ./poc1.bin

**Expected behavior**  
The code snippet where the issue happened should avoid the out-bounds read operation.

**Environment (please complete the following information):**

*   System and Version : Ubuntu 20.04 + gcc 9.4.0
*   Target format : **Mach-O**
*   LIEF commit version: ad81191

**Additional context**  
ASAN says:

    ubuntu@ubuntu:~/test/LIEF/fuzz$ ./read_macho poc1.bin
    nlist[0].str_idx seems corrupted (0xaf000000)
    nlist[1].str_idx seems corrupted (0xaf000000)
    ......
    nlist[355].str_idx seems corrupted (0x3d000001)
    Indirect symbol index is out of range (1493172225 vs max sym: 356)
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    =================================================================
    ==502744==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000420 at pc 0x55b43d8d9b42 bp 0x7ffe61a9cf10 sp 0x7ffe61a9cf00
    READ of size 8 at 0x603000000420 thread T0
        #0 0x55b43d8d9b41 in std::enable_if<std::is_pointer<LIEF::MachO::SegmentCommand*>::value, LIEF::MachO::SegmentCommand&>::type LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*<LIEF::MachO::SegmentCommand*>() const /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:233
        #1 0x55b43d8bf315 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*() /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:226
        #2 0x55b43d892a91 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator[](unsigned long) const /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:146
        #3 0x55b43d858628 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator[](unsigned long) /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:133
        #4 0x55b43d8644a2 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1629
        #5 0x55b43d831a79 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_binds<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1357
        #6 0x55b43d801735 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:113
        #7 0x55b43d7f2348 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:145
        #8 0x55b43d7f1ab0 in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:125
        #9 0x55b43d07bc01 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:174
        #10 0x55b43d078995 in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:64
        #11 0x55b43cee3923 in main /home/ubuntu/test/LIEF/fuzz/read_macho.c:8
        #12 0x7f2be6489082 in __libc_start_main ../csu/libc-start.c:308
        #13 0x55b43cee355d in _start (/home/ubuntu/test/LIEF/fuzz/read_macho+0x33055d)
    
    0x603000000420 is located 0 bytes to the right of 32-byte region [0x603000000400,0x603000000420)
    allocated by thread T0 here:
        #0 0x7f2be6ab2587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55b43d7d7c50 in __gnu_cxx::new_allocator<LIEF::MachO::SegmentCommand*>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
        #2 0xfffcc353843  (<unknown module>)
        #3 0x7ffe61a9deef  ([stack]+0x1deef)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:233 in std::enable_if<std::is_pointer<LIEF::MachO::SegmentCommand*>::value, LIEF::MachO::SegmentCommand&>::type LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*<LIEF::MachO::SegmentCommand*>() const
    Shadow bytes around the buggy address:
      0x0c067fff8030: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa fd fd
      0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa 00 00 01 fa fa fa
      0x0c067fff8050: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff8060: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff8070: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
    =>0x0c067fff8080: 00 00 00 00[fa]fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff8090: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff80a0: 01 fa fa fa 00 00 01 fa fa fa fd fd fd fd fa fa
      0x0c067fff80b0: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff80c0: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff80d0: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==502744==ABORTING

CVE-2022-43171: Heap-buffer-overflow in LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind at MachO/BinaryParser.tcc:1629 · Issue #782 · lief-project/LIEF

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

DGW Application 48.5.2718

*   Summary
*   Security changes

**Summary**

ID

Synopsis

DGW-14973

SIP: Support additional DHE ciphers

DGW-15007

User passwords are now securely hashed

DGW-15338

OWASP: Disable access to internal UART

DGW-15442

CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

**Security changes  
**

**DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate**

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

**DGW-15338 - OWASP: Disable access to internal UART**

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

**DGW-15007 - User passwords are now securely hashed**

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

**DGW-14973 - SIP: Support additional DHE ciphers**

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

*   TLS\_DHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384

**Copyright Notice**

Copyright 2022 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com

CVE-2022-43096: DGW Security Improvement Notes v48.5.2718 - Mediatrix

mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could be using the valid and legitimate executable to load malicious files.

**Information**

During an analysis of a targeted cyber-attack we found a malware utilizing a DLL Side-Loading (Binary Planting) vulnerability in Audinate’s Dante Discvoery.

During the incident, the malicious actor downloaded to the infected machines two files and place them under the same arbitrary directory:

1.  **mDNSResponder.exe**  
    This is an executable that is signed and shipped by Zoom as part of its product installation. The file’s signature is valid. We confirmed the file appears on the latest version of Zoom Rooms installation as downloaded from Zoom’s website.
    
2.  **dal\_keepalives.dll**  
    A malicious DLL written by the malicious actors behind the attack.
    

When executing the legit and original **mDNSResponder.exe**, the executable will load the malicious DLL “**dal\_keepalives.dll**”. This is because **mDNSResponder.exe** is vulnerable to DLL Sideloading attack. , that the executable is improperly specify how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker is using the valid and legitimate executable to load malicious files.

**References:**  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23748

Tag

#mac