Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

All Vulnerability Reports

**CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client**  
**Severity**

High

**Vendor**

Spring by VMware

**Description**

Spring Security, versions **5.7** prior to **5.7.5**, and **5.6** prior to **5.6.9**, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

This vulnerability exposes applications that meet all of the following requirements:

*   Act in the role of a Login Client (e.g. http.oauth2Login())
*   Use one or more authorization rules with authorities mapped from authorized scopes (e.g. anyRequest().hasAuthority("SCOPE_message.write")) in the client application
*   Register an authorization server that responds with empty scopes list (per RFC 6749, Section 5.1)

This vulnerability **does not** expose applications that:

*   Act in the role of a Resource Server only (e.g. http.oauth2ResourceServer())
*   Use authorization rules with authorities not mapped from authorized scopes (e.g. anyRequest().hasAuthority("ROLE_USER")) in the client application

**Affected VMware Products and Versions**

Severity is high unless otherwise noted.

*   Spring Security
    *   5.7 to 5.7.4
    *   5.6 to 5.6.8
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should apply the following mitigation: Spring Security 5.7 to 5.7.5, Spring Security 5.6 to 5.6.9. Older versions should upgrade to a supported branch. There are no other mitigation steps required. Releases that have fixed this issue include:

*   Spring Security
    *   5.7.5
    *   5.6.9

**Credit**

This issue was identified and responsibly reported by Tobias Soloschenko (@klopfdreh) from Apache Software Foundation.

**References**

*   https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html
*   https://docs.spring.io/spring-security/reference/reactive/oauth2/login/index.html
*   https://github.com/spring-projects/spring-security-samples/blob/4638e1e428ee2ddab234199eb3b67b9c94dfa08b/servlet/spring-boot/java/oauth2/webclient/src/main/java/example/SecurityConfiguration.java#L48
*   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1

**History**

2022-10-31: Initial vulnerability report published.

CVE-2022-31690: CVE-2022-31690 | Security

Categories: News
Categories: Ransomware
Tags: Raspberry Robin

Tags:  FakeUpdates

Tags:  LockBit

Tags:  Clop

Tags:  ransomware

Microsoft warns that the Raspberry Robin worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days and is used to introduce ransomware.



(Read more...)




The post Raspberry Robin worm used as ransomware prelude appeared first on Malwarebytes Labs.

Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive. First spotted in September 2021, it was typically introduced into a network through infected removable drives, often USB devices.

Now the worm has been found to be the foothold for more serious threats like ransomware as laid out in this Microsoft Security blog. Microsoft warns that the worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days.

**Primary infection**

Initially, the Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device. The name of the lnk file was _recovery.lnk_ which later changed to filenames associated with the brand of the USB device. Raspberry Robin uses both autoruns to launch and social engineering to encourage users to click the LNK file.

Raspberry Robin’s LNK file points to _cmd.exe_ to launch the Windows Installer service _msiexec.exe_ and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

**Infrastructure**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the internet. There are several vulnerabilities in QNAP devices for which patches are available, but unfortunately many of them remain unpatched due to unawareness.

**Backdoor**

To be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.

By using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.

**Guests**

As an established access provider in the current malware-as-a-service landscape you can make money by selling the access to affected networks to other malware operators like ransomware groups. Microsoft found that Raspberry Robin has been used to facilitate FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, TrueBot, LockBit, and human-operated intrusions.

Fauppod is heavily obfuscated malweare that is also used to spread FakeUpdates, and writes Raspberry Robin to USB drives. TrueBot Trojans are used in targeted attacks for reconnaissance purposes.

An example of the human-operated intrusions was the deployment of Cobalt Strike to deliver the Clop ransomware.

**Stop the worm**

In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes, according to Microsoft. If you enabled it, this is a policy worth re-thinking.

Owners of QNAP devices should be aware of the fact that they are not only putting their own files at risk by not applying the patches, but they are providing malware authors with a free-to-use infrastructure to victimize others.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Raspberry Robin worm used as ransomware prelude

xfig 3.2.7 is vulnerable to Buffer Overflow.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>:  
Bug#992395; Package xfig. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
New Bug report received and forwarded. Copy sent to subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: xfig
Version: xfig
Severity: important

Dear Maintainer,

It seems that there exists a potential Buffer Overflow.
(src/w\_help.c:55)
sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));

the length of getenv("LANG") may become very long and cause Buffer Overflow while executing sprintf(...).


-System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages xfig depends on:
pn  fig2dev | transfig  <none>
ii  libc6               2.31-13
ii  libjpeg62-turbo     1:1.5.2-2+deb10u1
ii  libpng16-16         1.6.36-6
ii  libx11-6            2:1.6.7-1+deb10u2
ii  libxi6              2:1.7.9-1
pn  libxpm4             <none>
ii  libxt6              1:1.1.5-1+b3
ii  sensible-utils      0.0.14
pn  xaw3dg              <none>

Versions of packages xfig recommends:
pn  xfig-libs  <none>

Versions of packages xfig suggests:
pn  cups-client | lpr  <none>
pn  ghostscript        <none>
pn  gimp               <none>
pn  gsfonts-x11        <none>
pn  netpbm             <none>
pn  spell              <none>
pn  xfig-doc           <none>

**Reply sent** to Roland Rosenfeld <roland@debian.org>:  
You have taken responsibility. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

**Notification sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
Bug acknowledged by developer. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

Message #12 received at 992395-close@bugs.debian.org (full text, mbox, reply):

Source: xfig
Source-Version: 1:3.2.8a-1
Done: Roland Rosenfeld <roland@debian.org>

We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated xfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Aug 2021 13:26:32 +0200
Source: xfig
Architecture: source
Version: 1:3.2.8a-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 992395
Changes:
 xfig (1:3.2.8a-1) unstable; urgency=medium
 .
   \* New upstream release 3.2.8a.
   \* 07\_missing-config.h, 08\_fig-format-doc, 09\_repair-table-doc are now
     incorporated upstream.
   \* Adapt file preservation to new upstream version.
   \* Update debian/copyright.
   \* Move xfig binary to /usr/libexec/xfig/xfig.
   \* Package test binaries and use them in autopkgtest.
   \* Update to Standards-Version 4.6.0 (no changes).
   \* 07\_LANG\_overflow: Avoid buffer overflow in LANG (Closes: #992395).
Checksums-Sha1:
 3c61e420b37da903f6a7e246fb0bacdab13c5ab8 2268 xfig\_3.2.8a-1.dsc
 0ac17ad33fdc8d570c187641e3d62ca9cd8faa2e 5380896 xfig\_3.2.8a.orig.tar.xz
 cd9de585ba1cf9f60cb888db8e6c23aedac8db8a 31736 xfig\_3.2.8a-1.debian.tar.xz
 7ec24ede8ad6c45982f1d6daecdf8eb2bbeb78db 8802 xfig\_3.2.8a-1\_source.buildinfo
Checksums-Sha256:
 5ccff8d437f6cca74c999902606c5288bc2faa3d4e369fbf5e9e41f06f528b83 2268 xfig\_3.2.8a-1.dsc
 ba43c0ea85b230d3efa5a951a3239e206d0b033d044c590a56208f875f888578 5380896 xfig\_3.2.8a.orig.tar.xz
 5bce4925951b4da43606ea0fdbc58e6d5bd586db5d3288f1b6abd2f69bc7dbe8 31736 xfig\_3.2.8a-1.debian.tar.xz
 8b72190e5c937543ef4692e84125a5bc816e234e68982b38f2c2d9f63e48f407 8802 xfig\_3.2.8a-1\_source.buildinfo
Files:
 47505378c399e92bd8320c9e7c3cfa26 2268 graphics optional xfig\_3.2.8a-1.dsc
 58dd2b6f9f17d7006c78156ce2da0073 5380896 graphics optional xfig\_3.2.8a.orig.tar.xz
 21becafff522811fd703ad707848b2c8 31736 graphics optional xfig\_3.2.8a-1.debian.tar.xz
 1ad72572a407e7d1ee3be3d287bbf4f4 8802 graphics optional xfig\_3.2.8a-1\_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErC+9sQSUPYpEoCEdAnE7z8pUELIFAmEfkesACgkQAnE7z8pU
ELK3ihAAjb2QzTyLRtUVTT50trBehzl8WJvfo7txeYBvJZup+j0hd0T46EFlpZ7M
gTFTN2zxWf7w8WUYQyfSqM7anzl3otEEaLSQ3kE3vzo+ZH9T0J98m2F/OQbEqF1u
QLbZxQF4f8M98s3TY3qBrE8Q+jN9CxcAaHMD4raoUw5LVz6FJ8c/l/xg8AQN2ekK
YWwwhZnxRWJjM3mu6hK7Cj9ihOsrs6f9q10t08q6sKVnuWLTUuvl5mGB3cDd/zHk
YNJ724pBwqUNPU1sDfGl6/DWiuWjmJwaQ1H/MnPEnV/7Utu3adfvF7AAodmxuV91
Jvx5Tb9VqnY84eRdCi2zFFyMKk4Kv6VXNLcOtFbpg7chFcWApIm+NY4Ql5s21yZg
JJZgrVHEo1rjqGbNQ9dnQHN8qZCANeKbJ44eGDgFnYPrUr963TWHhbDOOcwgU4sS
/HQf6aeq6OtXU5gSpLW2yfex2PAPustTmedREnSLuI3V5yiQxNa3Z8fQe3I36AKR
f0M4PU0c8JFEucA4ocwnzKflGsEqwGd/0OOSiPLShCdE+iaBrbz7FaOnQBO81Oyx
KUEXbL19EgBvSiz1oXIuVxgoObcEx2PK+W8uw1RkWq7Y2yjfx2N+kuDvTsJAEDzA
xYOtje3y6/VKKGWBVlDz8rFJSBA0hSY68XS+xQTzFPnNIU5wFPw=
=/r76
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2021 07:29:13 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Oct 31 16:35:27 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-40241: #992395 - xfig: Potential Buffer Overflow vulnerability in src/w_help.c

CTO recognized as cybersecurity influencer for his research and thought leadership.

**SAN FRANCISCO, Oct. 31, 2022 /PRNewswire/** — Normalyze, a data-first cloud security platform, today announced that Ravi Ithal, chief technology officer and co-founder, has been named to the Enterprise Security Tech Cyber Influencer Top 10 List. The Enterprise Security Tech Cyber Influencer Top 10 list recognizes the top cybersecurity influencers providing immense value to the industry with groundbreaking research, visionary thought leadership, and consistent leadership and culture-building accolades.

The rise of cloud computing has increased the complexity of the enterprise attack surface. A recent survey from IDC found that 98% of organizations queried reported at least one cloud data breach in the past 18 months. As a result, security teams don't know where their data resides or its value, leading to difficulty avoiding data breaches. Normalyze's secret sauce is its ability to gather all security stakeholders, from the CISO to the security engineer, to DevOps, in one user interface to discover data, classify it, and prioritize discovery of attack paths that can lead to sensitive information.

"I've been fortunate enough to be part of some industry- and category-defining cybersecurity companies for a couple of decades now and I can tell you that cybersecurity has never been more important for economic and national security as it is now. It's incredibly humbling to be recognized for the accomplishment that led to assembling the smart team at Normalyze," said Ithal. "Cloud data is adding so much complexity right now and I really believe in the work we're doing at Normalyze to share best practices and let people trust their data in the cloud again."

"We need leaders in the cybersecurity industry now more than ever," said Jack Campbell, Managing Editor, Enterprise Security Tech. "The industry is bogged down by the daily cat-and-mouse game with cyber criminals, so we need industry leaders that are forward-looking and have a vision for how we can move the industry forward and solve macro security problems instead of simply firefighting. We're honored to be able to recognize these leaders for the value that they are bringing to the market and their dedication to moving the cybersecurity industry forward."

For more information about the Enterprise Security Tech Cyber Influencer Top 10 List, please visit this page.

**About Enterprise Security Tech**

Enterprise Security Tech is a specialized cyber media company with a global presence. The Enterprise Security Tech blog is a cybersecurity blog written for CISOs, CIOs, and security-minded CEOs that brings together critical news, expert insights, and product information to help security leaders make informed business decisions. Enterprise Security Tech is also home to The Cyber Jack Podcast, which brings listeners the latest cybersecurity insights via security experts from around the industry. For more information about Enterprise Security Tech, visit our website.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze agentless and machine-learning scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans Ravi Ithal and Amer Deeba and has several customers, including Corelight, Netskope, and Orkes. The company is funded by Lightspeed Venture Partners and Battery Ventures. For more information, please visit normalyze.ai.

**SOURCE:** Normalyze

Normalyze Co-Founder and CTO, Ravi Ithal, Named to the Enterprise Security Tech Cyber Influencer Top 10 List

Gentoo Linux Security Advisory 202210-33 - A vulnerability has been discovered in Libtirpc which could result in denial of service. Versions less than 1.3.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-33  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Libtirpc: Denial of Service  
     Date: October 31, 2022  
     Bugs: #859634  
       ID: 202210-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Libtirpc which could result in  
denial of service.

Background  
==========

Libtirpc is a port of Sun's Transport-Independent RPC library to Linux.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-libs/libtirpc          < 1.3.2                      >= 1.3.2

Description  
===========

Currently svc_run does not handle poll timeout and rendezvous_request  
does not handle EMFILE error returned from accept(2 as it used to.  
These two missing functionality were removed by commit b2c9430f46c4.

The effect of not handling poll timeout allows idle TCP conections  
to remain ESTABLISHED indefinitely. When the number of connections  
reaches the limit of the open file descriptors (ulimit -n) then  
accept(2) fails with EMFILE. Since there is no handling of EMFILE  
error this causes svc_run() to get in a tight loop calling accept(2).  
This resulting in the RPC service of svc_run is being down, it's  
no longer able to service any requests.

Due to a lack of handling of certain error cases, connections to  
Libtirpc could remain ESTABLISHED indefinitely.

Impact  
======

Denial of service can be achieved via establishing enough connections to  
Libtirpc to reach the limit of open file descriptors for the process.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Libtirpc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libtirpc-1.3.2"

References  
==========

[ 1 ] CVE-2021-46828  
      https://nvd.nist.gov/vuln/detail/CVE-2021-46828

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-33

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-33

The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.

    Qualys Security AdvisoryLeeloo Multipath: Authorization bypass and symlink attack in multipathd(CVE-2022-41974 and CVE-2022-41973)========================================================================Contents========================================================================SummaryCVE-2022-41974: Authorization bypassCVE-2022-41973: Symlink attackAcknowledgmentsTimeline========================================================================Summary========================================================================We discovered two local vulnerabilities (an authorization bypass and asymlink attack) in multipathd, a daemon that is running as root in thedefault installation of (for example) Ubuntu Server:https://ubuntu.com/server/docs/device-mapper-multipathing-introductionhttps://github.com/opensvc/multipath-toolsWe combined these two vulnerabilities with a third vulnerability, inanother package that is also installed by default on Ubuntu Server, andobtained full root privileges on Ubuntu Server 22.04; other releases areprobably also exploitable. We will publish this third vulnerability, andthe complete details of this local privilege escalation, in an upcomingadvisory.The authorization bypass (CVE-2022-41974) was introduced in February2017 (version 0.7.0) by commit 9acda0c ("Perform socket client uid checkon IPC commands"), but earlier versions perform no authorization checksat all: any unprivileged local user can issue any privileged command tomultipathd.The symlink attack (CVE-2022-41973) was introduced in May 2018 (version0.7.7) by commit 65d0a63 ("functions to indicate mapping failure in/dev/shm"); the vulnerable code was hardened significantly in May 2020(version 0.8.5) by commit 40ee3ea ("simplify failed wwid code"), but itremains exploitable nonetheless.========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep 'multipath[d]'root         377       1  0 13:55 ?        00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep 'multipathd'u_str LISTEN 0      4096        @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, "list" is 1 (1<<0), "add" is 2 (1<<1), and "path" (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163         r += add_key(keys, "list", LIST, 0);164         r += add_key(keys, "show", LIST, 0);165         r += add_key(keys, "add", ADD, 0);...183         r += add_key(keys, "path", PATH, 1);------------------------------------------------------------------------ 53 #define LIST            (1ULL << __LIST) 54 #define ADD             (1ULL << __ADD) .. 69 #define PATH            (1ULL << __PATH)------------------------------------------------------------------------  6 enum {  7         __LIST,                 /*  0 */  8         __ADD, .. 23         __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command "list path PARAM" is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command "add path PARAM"is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527         set_handler_callback(LIST+PATH, cli_list_path);....1549         set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325         uint64_t fp = 0;...331         vector_foreach_slot(vec, kw, i)332                 fp += kw->code;333 334         return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95         vector_foreach_slot (handlers, h, i) 96                 if (h->fingerprint == fp) 97                         return h; 98  99         return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485         case CLT_PARSE:486                 c->error = parse_cmd(c);487                 if (!c->error) {...491                         if (!c->is_root && kw->code != LIST) {492                                 c->error = -EPERM;...495                         }496                 }497                 if (c->error)...501                 else502                         set_client_state(c, CLT_WORK);...522         case CLT_WORK:523                 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client's UID (obtained from SO_PEERCRED) is 0  (i.e., if is_root is true), then the client is privileged; otherwise,  it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute  any commands; otherwise, only unprivileged LIST commands are allowed  (i.e., commands whose first keyword is either "list" or "show").Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is "list")but whose fingerprint matches a privileged command (by repeating the"list" keyword): we can exploit this flaw to bypass multipathd'sauthorization check.For example, we are not allowed to execute "add path PARAM" (whosefingerprint is 2+65536=65538) because the first keyword is not "list",but we are allowed to execute the equivalent "list list path PARAM"(whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is "list" (the multipathd daemon below replies"blacklisted" because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.========================================================================CVE-2022-41973: Symlink attack========================================================================multipathd operates insecurely, as root, in /dev/shm (a sticky,world-writable directory similar to /tmp). The vulnerable code (inmark_failed_wwid()) may be executed during the normal lifetime ofmultipathd, but a local attacker can force its execution by exploitingthe authorization bypass CVE-2022-41974; for example, by adding a"whitelisted, unmonitored" device to multipathd:------------------------------------------------------------------------$ multipathd list devices | grep 'whitelisted, unmonitored'    sda1 devnode whitelisted, unmonitored    ...$ multipathd list list path sda1fail------------------------------------------------------------------------This command, which is equivalent to "add path sda1", results in thefollowing system-call trace (strace) of the multipathd daemon:------------------------------------------------------------------------386 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)387 mkdir("/dev", 0700)                     = -1 EEXIST (File exists)388 mkdir("/dev/shm", 0700)                 = -1 EEXIST (File exists)389 mkdir("/dev/shm/multipath", 0700)       = 0390 mkdir("/dev/shm/multipath/failed_wwids", 0700) = 0391 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = 12392 getpid()                                = 375393 openat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", O_RDONLY|O_CREAT|O_EXCL, 0400) = 13394 close(13)                               = 0395 linkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 12, "VBOX_HARDDISK_VB60265ca5-df119cb6", 0) = 0396 unlinkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 0) = 0397 close(12)                               = 0------------------------------------------------------------------------- at line 389, the directory "/dev/shm/multipath" is created, if it does  not exist already;- at line 390, the directory "/dev/shm/multipath/failed_wwids" is  created, if it does not exist already;- at lines 391-397, the empty file  "/dev/shm/multipath/failed_wwids/VBOX_HARDDISK_VB60265ca5-df119cb6" is  created, if it does not exist already (its name is the "World Wide ID"  of the added device).multipathd is therefore vulnerable to two different symlink attacks:1/ if we (attackers) create an arbitrary symlink "/dev/shm/multipath",then we can create a directory named "failed_wwids" (user root, grouproot, mode 0700) anywhere in the filesystem;2/ if we create an arbitrary symlink "/dev/shm/multipath/failed_wwids",then we can create a file named "VBOX_HARDDISK_VB60265ca5-df119cb6"(user root, group root, mode 0400, size 0) anywhere in the filesystem.These two symlink attacks are very weak, because we do not control thename, user, group, mode, or contents of the directory or file that wecreate; only its location. Despite these limitations, we were able tocombine multipathd's vulnerabilities (authorization bypass and symlinkattack) with a third vulnerability (in another package), and obtainedfull root privileges on Ubuntu Server 22.04; we will publish this thirdvulnerability in an upcoming advisory.Side note: initially, we thought that the symlink attack 1/ would fail,because /dev/shm is a sticky world-writable directory, and the kernel'sfs.protected_symlinks is 1 by default; to our great surprise, however,it succeeded. Eventually, we understood that only the final component ofa path is protected, not its intermediate components; for example, if/tmp/foo is a symlink, then an access to /tmp/foo itself is protected,but an access to /tmp/foo/bar is not. Interestingly, this weakness wasalready pointed out in 2017 by Solar Designer, and the originalOpenwall, grsecurity, and Yama protections are not affected:https://www.openwall.com/lists/kernel-hardening/2017/06/06/74========================================================================Acknowledgments========================================================================We thank Martin Wilck and Benjamin Marzinski for their hard work on thisrelease, and the SUSE Security Team for their help with this disclosure.We also thank the members of linux-distros@openwall.========================================================================Timeline========================================================================2022-08-24: Advisory sent to security@suse.2022-10-10: Advisory and patches sent to linux-distros@openwall.2022-10-24: Coordinated Release Date (15:00 UTC).

Leeloo Multipath Authorization Bypass / Symlink Attack

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Apple Security Advisory 2022-10-27-15 - Safari 16.1 addresses code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-15 Additional information for APPLE-SA-2022-10-24-7 Safari 16.1

Safari 16.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213495.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a malicious website may lead to user interface  
spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243693  
CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun)

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 245058  
CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser  
Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University,  
Dohyun Lee (@l33d0hyun) of DNSLab at Korea University

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
internal states of the app  
Description: A correctness issue in the JIT was addressed with  
improved checks.  
WebKit Bugzilla: 242964  
CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab  
Entry added October 27, 2022

WebKit PDF  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 242781  
CVE-2022-32922: Yonghwi Jin (@jinmo123) at Theori working with Trend  
Micro Zero Day Initiative

Additional recognition

WebKit  
We would like to acknowledge Maddie Stone of Google Project Zero,  
Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an  
anonymous researcher for their assistance.

Safari 16.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlhOg/+I94LgMI7No4xw6dub1rdzNTbMV6A0R14HXwA7PoMzXgXJotYFyAfGUY4  
zd2fE9ixEuXqt+OsVrQ0/ZU4HcLEJLQk2ZkULoDfNeGiuJpi6k9VhPp6995XtLNb  
zGZgMu5dOPBkYsSaM5XaVwLQPtsIbac3u/Uoo6l2TyyN1B2clsI1dS2IXS8DEHkr  
2fCImTAcFfqIW7TZ6xqAdYOL5QLoJ8qXTcjSMaWtPpPzkfpZCTTwV8ifauK5rTQd  
JsFf49RFWMNdZ3qHNRaENsFMh1Y+bMRIW6Xt41WKXhSPdNXonv93N472YGhMtt7Z  
k+IuibGRVlwzc5Ri4AnQspBjhint6vo4vbJ39h1FoSzqTm3PruH+HGrhlfMTGR8/  
0s/QDBLQbA+UlM5r6uinQ5pI771rRyHTCWOxLUVVopDOV9ImV36Y+INakc3pTXL1  
420Wg31lCMO3cwwXyVYq/zDbCpJ2gDptSWTqlubli+omxMG7LRs0Vn9P4NTosVzk  
jN49FHJE2moD8O0D+sia6+lhyVhcP8UIA3WtcXegVngrwL6sAoFa5SCp49wmbb/O  
Ye1eysxuMR2xu7piVbUpGh0wRY50MbwwSWX0vRt0CwxcoiQK90lQFbqy2RFX4eN8  
k/jjh3nPUl20WxgOfQfLfiY/9aPcQSzvcOzba2bSovdgyk8xH+o=  
=3IzG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-10-27-15

Gentoo Linux Security Advisory 202210-31 - Multiple vulnerabilities have been discovered in OpenEXR, the worst of which could result in arbitrary code execution. Versions less than 3.1.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-31  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenEXR: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #838079, #830384, #817431, #810541, #801373, #787452  
       ID: 202210-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenEXR, the worst of  
which could result in arbitrary code execution.

Background  
==========

OpenEXR is a high dynamic-range (HDR) image file format developed by  
Industrial Light & Magic for use in computer imaging applications.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/openexr         < 3.1.5                      >= 3.1.5

Description  
===========

Multiple vulnerabilities have been discovered in OpenEXR. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenEXR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/openexr-3.1.5"

References  
==========

[ 1 ] CVE-2021-3598  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3598  
[ 2 ] CVE-2021-3605  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3605  
[ 3 ] CVE-2021-3933  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3933  
[ 4 ] CVE-2021-3941  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3941  
[ 5 ] CVE-2021-20304  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20304  
[ 6 ] CVE-2021-23169  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23169  
[ 7 ] CVE-2021-45942  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45942

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-31

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-31

Apple Security Advisory 2022-10-27-14 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-10-27-14 Additional information for APPLE-SA-2022-09-12-5 Safari 16

Safari 16 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213442.

Safari Extensions  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track users through Safari web  
extensions  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617 and an anonymous researcher  
Entry updated October 27, 2022

WebKit Sandboxing  
Available for: macOS Big Sur and macOS Monterey  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with improvements to the  
sandbox.  
WebKit Bugzilla: 243181  
CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity's WeBin lab  
Entry added October 27, 2022

Safari 16 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKowACgkQ4RjMIDke  
NxlCEg/+KnbktSos4M/gMt7rkcCymB4Ul4mMw0XW6eJVBL34H3XiOM9i8OoRGbg2  
F3Ft4mxRWFlzA9SgNVuvMBVHREkOdeOJ37PDtfZp9bITGAtOww8K8Ng56VxhpPem  
gs5q+veUTu95cVXDfGebwQNYtXc76+Zg/+Ju9VmhFJg0XXrjC2mzAEC8Mz2yy91b  
9otf+UeDmdBUF3eLrygVAwtXE0/swZVaRMeDu2EYFuJWl/afN+ICOrHYLxtLa9dB  
1uvw+RbOhwFRdKB010tcUUhf+M06Tp6pHPvtWHdS+Xy3RxA1d4rMzdon4TmsdEdr  
dBpOiu0EOFLMXekVosIkkvKLXAWwH5C1Ogap7IchXnc8c+rEm6Hl1QuoH4QL0krD  
P+sGYV4457e+VASkaUDEr6yxXJj+8MILm4x+7akD767qhoKvzpIfrFKY2gMnWkvK  
JNUMzPXCYLkht39KWGEJk/b/HMvlwniBmXKGDVaTG/oNcMVFyRvx81qxrNlELxcw  
lYSfP5tICA0CBWyVXYvUy1JRe15QrelLmCwpcAvAz1Edqu90sAAsPybvrPJHcZxD  
2O+parML2rVJ6zOVBg1cOddohgnJEbT3PzDW48HRV8Ub5I8WzvIKqnS+R7VWkh66  
Av8d8ElI37WY2sfIsFwXvhsIYFLZL86nel5HVEflmog2K0g/Kd0=  
=lLIK  
-----END PGP SIGNATURE-----

Tag

#mac