ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

After the Raccoon Stealer Trojan disappeared, the RIG Exploit Kit seamlessly adopted Dridex for credential theft.

The cybercriminals behind the RIG Exploit Kit earlier this year traded out the credential-stealer Trojan Raccoon Stealer after its lead developer was killed in the Russian invasion of Ukraine.

According to analysts with Bitdefender, the cybercrime group behind the RIG Exploit Kit was able to quickly substitute in the tried-and-true financial Trojan Dridex, which has a range of functions, including keylogging and the ability to steal screenshots. 

"The move to Dridex was a strategic decision to save the operation," Bogdan Botezatu, director, Threat Research and Reporting at Bitdefender, tells Dark Reading. "Cybercriminals running this campaign had to move to a different option or lose the money they had already invested in renting out access to the RIG EK panel. Dridex is a powerful information-stealer that, to some extent, provides similar functionality to Raccoon. Unlike Raccoon, it is still operational and can offer 'business continuity' to the cybercriminals behind this campaign."

The RIG Exploit Kit lets cybercriminals quickly swap out payloads to avoid detection or in case of compromise, according to researchers at Bitdefender, making adaptability part of its product. 

"This once again demonstrates that threat actors are agile and quick to adapt to change," the analysts wrote in their report on the malware campaign. 

"In order to be prepared, defenders should patch the known vulnerabilities in software used across the organization and monitor for the indicators of compromise (IOCs), Botezatu counsels. "A security solution with machine-learning capabilities can detect and block the payload at various execution stages as well."

It's also worth noting that Racoon is likely to make a reappearance, Botezatu notes.

"The Raccoon group has hit a temporary stop with the death of one of its operators, but we believe the team will regroup," he says. "Usually, such groups suspend their operations when teams get arrested or when they voluntarily decide to shift to a more lucrative business. Loss of a team member is a temporary road block and we presume that they will get back online as soon as they manage to recruit a replacement."

RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex

Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

The Power and Pitfalls of AI for US Intelligence

Ubuntu Security Notice 5489-1 - Alexander Bulekov discovered that QEMU incorrectly handled floppy disk emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak sensitive information. It was discovered that QEMU incorrectly handled NVME controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5489-1  
June 21, 2022

qemu vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:  
- qemu: Machine emulator and virtualizer

Details:

Alexander Bulekov discovered that QEMU incorrectly handled floppy disk  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly leak  
sensitive information. (CVE-2021-3507)

It was discovered that QEMU incorrectly handled NVME controller emulation.  
An attacker inside the guest could use this issue to cause QEMU to crash,  
resulting in a denial of service, or possibly execute arbitrary code. This  
issue only affected Ubuntu 22.04 LTS. (CVE-2021-3929)

It was discovered that QEMU incorrectly handled QXL display device  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly execute  
arbitrary code. (CVE-2021-4206, CVE-2021-4207)

Jietao Xiao, Jinku Li, Wenbo Shen, and Nanzi Yang discovered that QEMU  
incorrectly handled the virtiofsd shared file system daemon. An attacker  
inside the guest could use this issue to create files with incorrect  
ownership, possibly leading to privilege escalation. This issue only  
affected Ubuntu 22.04 LTS. (CVE-2022-0358)

It was discovered that QEMU incorrectly handled virtio-net devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26353)

It was discovered that QEMU incorrectly handled vhost-vsock devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26354)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  qemu-system                     1:6.2+dfsg-2ubuntu6.2  
  qemu-system-arm                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-mips                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-misc                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-s390x               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-sparc               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-microvm         1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.2

Ubuntu 21.10:  
  qemu-system                     1:6.0+dfsg-2expubuntu1.3  
  qemu-system-arm                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-mips                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-misc                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-ppc                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-s390x               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-sparc               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-microvm         1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-xen             1:6.0+dfsg-2expubuntu1.3

Ubuntu 20.04 LTS:  
  qemu-system                     1:4.2-3ubuntu6.23  
  qemu-system-arm                 1:4.2-3ubuntu6.23  
  qemu-system-mips                1:4.2-3ubuntu6.23  
  qemu-system-misc                1:4.2-3ubuntu6.23  
  qemu-system-ppc                 1:4.2-3ubuntu6.23  
  qemu-system-s390x               1:4.2-3ubuntu6.23  
  qemu-system-sparc               1:4.2-3ubuntu6.23  
  qemu-system-x86                 1:4.2-3ubuntu6.23  
  qemu-system-x86-microvm         1:4.2-3ubuntu6.23  
  qemu-system-x86-xen             1:4.2-3ubuntu6.23

Ubuntu 18.04 LTS:  
  qemu-system                     1:2.11+dfsg-1ubuntu7.40  
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.40

After a standard system update you need to restart all QEMU virtual  
machines to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5489-1  
  CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2021-4207,  
  CVE-2022-0358, CVE-2022-26353, CVE-2022-26354

Package Information:  
  https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.2  
  https://launchpad.net/ubuntu/+source/qemu/1:6.0+dfsg-2expubuntu1.3  
  https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.23  
  https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.40

Ubuntu Security Notice USN-5489-1

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**01**

****About Us.****

**We provide state-of-the-art solutions based on the most recent breakthroughs in the field of semantic technologies, to enable a direct and effective management of enterprise data.**

**We support organizations in dealing with the challenges of data governance, production, and management through solutions based on the groundbreaking Ontology-based Data Management technology.**

**OBDA Systems is an innovation startup of Sapienza University of Rome, and a company of the Almawave Group.**

****02********Ontology-based Data**  
**Management********A three-level data virtualization technology that allows data access, integration, quality checking, and governance through an ontology or a knowledge graph.****

**The Ontology Layer**

**A knowledge graph that describes the business domain: a user-friendly, machine-readable model of enterprise data.**

**A high-level representation of the business domain through which the data is accessed.**

**Data access, integration, and quality checking are enhanced by exploiting automatic reasoning capabilities over the graph**.

**The Mapping Layer**

**Semantic Links between the ontology and the enterprise data sources**.

**SQL queries on the databases are connected to the ontology entities to enable virtual data access.**

**The mappings allow separation of the physical data structure from the ontology model, and bridge the semantic gap between the two.**

**The Data Layer**

**Enterprise data sources and applications.**

**No new custom databases are required. No ETL processes. Zero impact on the pre-existing enterprise data layer.**

**Pay-as-you-go model: connect new data sources to the ontology by mapping them to instantly gain integration.**

****Simple****

**Access data through simple business questions over the ontology, regardless of where and how the data is stored.**

****Efficient****

**Reduces turn-around-time for key business decisions and drops the cost of querying the data.**

**Agile**

**The virtual data-to-ontology mappings require no ETL processes or custom database restructuring.**

**Flexible**

**A pay-as-you-go approach to building the ontology and mapping the data for any business use case.**

03

****Solutions****

**Simplifying data governance, boosting information management services, and getting the best out of your data.**

**Semantic Data Access and Integration**

******The ontological representation of the enterprise data simplifies the work of the domain experts, who can use business concepts to interact with integrated data sources for the purpose of data governance and analytics.******

**Enterprise Knowledge Graphs**

****Knowledge Graphs and ontologies give meaning to enterprise data through the business language.  
OBDA Systems provides tools and expertise that help organizations build and maintain their own Enterprise Knowledge Graphs.****

**Data Quality Checking and Governance**

********The ontology provides the business rules to measure the quality of enterprise data. OBDA System’s tools leverage these rules to help identify and correct data quality issues, and improve the value and reliability of the enterprise data sources**.******

**Preparation and Publication of 5\* Linked Open Data**

************Preparation, annotation and publication of 5 star Linked Open Data through a simple query-driven pipeline. Support for W3C standards, data lineage tracing, privacy and protection management through the ontology model.************

**0**4

****Products****

****The Mastro Suite: OBDM tools for the end-user and the designer.****

****The motor behind OBDM: an ontology reasoning system with virtual query answering capabilities over enterprise data sources and automatic data quality verification with respect to the ontology business rules.****

****The Semantic Knowledge Graph Platform: Monolith is the gateway to accessing Mastro’s features, while also allowing ontology exploration, knowledge graph creation, data mapping visualization and editing.****

****An Open Source, free-to-use, completely graphical ontology editor with syntactic and semantic reasoning capabilities, to ensure quick, safe, and easy ontology creation.****

**05**

****Our Team**  
**

****Maurizio Lenzerini****

**Co-Founder & President**

****Raniero Romagnoli****

**CEO**

****Valerio Santarelli****

**Co-Founder & CTO**

****Marco Ruzzi****

**Co-Founder & Lead Developer**

****Lorenzo Lepore****

**Co-Founder & Senior R&D Engineer**

****Giacomo Ronconi****

**Senior R&D Engineer**

****Giuseppe De Giacomo****

**Co-Founder & Scientific Advisor**

****Domenico Lembo****

**Co-Founder & Scientific Advisor**

****Antonella Poggi****

**Co-Founder & Scientific Advisor**

****Domenico Fabio Savo****

****Co-Founder & Scientific Advisor****

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.

CVE-2021-40511: Home - OBDA Systems

Open source is here to stay, and it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of digital transformation.

Following the trio of the Log4J vulnerability and the more recent compromise of two open source libraries in the NPM ecosystem and one in Spring Core, supply chain security is weighing heavily on cyber defenders' minds. While the financial services sector has hardened its cyber defenses compared with other industries and become one of the earliest adopters of zero-trust security, institutions must continue to embrace open source technology while actively engaging in risk mitigation.

With so many foundational components of the global tech stack originating from open source code repositories like GitHub, recent exploits have heightened worries that this open ecosystem is inherently vulnerable to attack. This is especially true given the finance industry's finance industry's embrace of open source, as shown by Goldman Sachs contributing source code of several of its data modules as open source in 2020.

**Keeping Open Source Environments Protected**

First off, financial institutions must assume a more active role in the funding of open source foundations and direct-to-maintainer grants to help limit exposures from critical code dependencies, as illustrated by the Log4Shell debacle. To this end, public-private sector partnerships will be vital for financial institutions looking to harden their open source security postures. Confronting the inherent DevSecOps of the open source ecosystem requires a financial and strategic commitment from institutions willing to support the whole spectrum of open source maintainers — and not just the Apache Software Foundations of this world. Projects like the OpenSSF Alpha-Omega initiative are a great example of this approach.

Financial institutions also need to adopt a more robust software bill of materials (SBOMs), a key point highlighted in President Biden’s executive order from last June. Modern SBOMs deploy machine-readable processing, a technology that enables systems to ingest incoming structured report data, to autonomously analyze the state of SBOM readiness by organizations around the world. SBOMs can thus help financial institutions rapidly identify patterns across their industry and across borders, helping them spot critical risk issues before they metastasize into larger problems.

A table-stakes strategy for financial institutions to mitigate open source risks on the consumption side include the implementation of stronger internal license and IP controls and tools to track and monitor inbound open source projects. More granular strategic solutions start with financial institutions taking time to understand the defenders that are focused on securing the open source realm. Organizations like Mend, Sonatype, and Synk are key players in this world.

The broader sustainability of the open source ecosystem is another reason for financial institutions to assume a more hands-on role in the development of code repositories and other active-source artifacts. Institutions should consider offering secure coding training as part of their onboarding, something too often overlooked in academic curricula.

Encouraging in-house developers to contribute "sweat equity" to the ecosystem will increase the number of eyes on open source artifacts, thus enhancing the odds that financial institutions will be able to spot code vulnerabilities before they threaten a SolarWinds type of breach. This approach will effectively reduce the probability and blast radius of future vulnerabilities.

**Benefits of Open Source Outweigh the Risks**

Despite recent, worrisome supply chain attacks, financial institutions should not be deterred by these challenges. The global financial industry is now very seriously democratizing software through open source, not only as a cost reduction but as a powerful collaboration model that goes beyond code to be used to address challenges like data standardization and industrywide interoperable workflows. Open source is here to stay, and therefore it is no longer optional — it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of their digital transformation endeavors.

Institutions are doing more than just implementing code that another developer has updated. Financial organizations should look to invest internal developer resources to actively contribute to code repositories. Developers should be contributing code not just in their spare time, but more appropriately, while they're on the job within the expected scope of their organizational roles.

By taking a proprietary stake in the open-innovation ecosystem, financial institutions can better mitigate vulnerabilities and exposures emanating from their tech stacks. This type of risk management also requires the articulation of companywide policies, learning, and collaboration resources throughout the firm. Naturally, financial institutions need to delegate and establish leadership roles to oversee the effort.

Whether through open source foundations or direct monetary or sweat-equity contributions to projects, financial institutions must realize the importance of professional software supply chain management. They should also understand the roles that consumers must play in securing the open source IT stack, which underpins the modern digital economy.

Why Financial Institutions Must Double Down on Open Source Investments

A researcher has posted a PoC for yet another NTLM relay attack method dubbed DFSCoerce. It is high time to retire NTLM. 
The post DFSCoerce, a new NTLM relay attack, can take control over a Windows domain appeared first on Malwarebytes Labs.

A researcher has published a Proof-of-Concept (PoC) for an NTLM relay attack dubbed DFSCoerce. The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

**Active Directory**

A directory service is a hierarchical arrangement of objects which is structured in a way that makes access easy. Windows Active Directory (AD) is a directory service provided by Microsoft and developed for Windows domains. Basically, it is a central database which gets contacted before a user is granted access to a resource or a service. Organizations primarily use AD to perform authentication and authorization.

Many large organizations depend on Windows Active Directory (AD) to maintain order in the mountain of work involved in managing users, computers, permissions, and file servers.

**NTLM**

NTLM is short for New Technology LAN Manager. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). NTLM is a protocol that uses a challenge and response method to authenticate a client.

1.  First, the client establishes a network path to the server and sends a NEGOTIATE\_MESSAGE advertising its capabilities.
2.  Next, the server responds with CHALLENGE\_MESSAGE which is used to establish the identity of the client.
3.  Finally, the client responds to the challenge with an AUTHENTICATE\_MESSAGE.

The NTLM protocol uses one or both of two hashed password values. Both passwords are also stored on the server (or domain controller). And through a lack of salting they are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

**NTLM relay attack**

NTLM relay attacks allow attackers to steal hashed versions of user passwords, and relay clients’ credentials in an attempt to authenticate to servers. They use a Machine-in-the-Middle method that allows threat actors to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources.

PetitPotam is an example of an NTLM relay attack that prompted Microsoft to send out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack. PetitPotam used the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) protocol to execute an NTLM attack.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an remote procedure call (RPC) interface.

_Tweet by the researcher that discovered DFSCoerce_

**Other methods**

Other methods threat actors could use include the MS-RPRN, and the MS-FSRVP protocols. And now the researcher has added MS-DFSNM to the list of applicable protocols. A list which researchers expect to grow even more. The Distributed File System Namespace Management (DFSNM) protocol is one of a collection of protocols that group shares that are located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share. When a user views the namespace, the directories and files in it appear to reside on a single share.

**Mitigation**

While Microsoft has issued patches for NTLM attacks in the past, it is unclear whether it will do the same for DFSNM to thwart the DFSCoerce method.

The advice for system administrators is to follow Microsoft’s advisory on how to prevent NTLM relay attacks. The Microsoft advisory, triggered by PetitPotam, will also prevent DFSCoerce and other NTLM attack methods. The recommendation basically says to disable the deprecated NTLM authentication where possible and use the Extended Protection for Authentication (EPA). Extended Protection for Authentication helps protect against MITM attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.

Stay safe, everyone!

DFSCoerce, a new NTLM relay attack, can take control over a Windows domain

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Multiple Autodesk products have been affected by Use After Free, Out-of-bound-write, Stack-based Buffer, Memory Corruption, and Buffer Overflow vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-25789 - A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

2) CVE-2022-25790 - A maliciously crafted DWF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 can be used to write beyond the allocated boundaries when parsing the DWF files. Exploitation of this vulnerability may lead to code execution.

3) CVE-2022-25791 - A Memory Corruption vulnerability for DWF and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 may lead to code execution through maliciously crafted DLL files.

4) CVE-2022-25792 - A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability can be exploited to execute arbitrary code.

5) CVE-2022-25796 - A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6) CVE-2022-27528 - A maliciously crafted DWFX and SKP files in Autodesk Navisworks 2022, 2020, and 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution

7) CVE-2022-27868 - A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac LT

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

In addition, users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk® Navisworks® includes security updates that address the DWF, and DWFX file vulnerabilities. As a general best practice, we also recommend that customers only open DWF, or DWFX files from trusted sources.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25796, CVE-2022-27528
*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-25789
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-27868

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

2/28/2022

Initial Release of the Security Advisory

1.1

3/31/2022

Update of the Security Advisory for Addition to Navisworks and AutoCAD supported versions in Product Table

1.2

4/25/2022 

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table and CVE-2022-27868 description

1.3

4/28/2022 

Update of the Security Advisory for Addition to Navisworks 2020 supported version in Product Table

1.4

5/25/2022 

Update of the Security Advisory for Addition to Navisworks 2019 supported version in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27868: Security Advisories | Autodesk Trust Center

The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection.

I recently researched a relatively new 5G-capable modem from Quectel: the RG500Q-EA. I identified a security issue with how the OTA download procedure operates which allows an attacker to execute commands on the modem as root.

**Previous research**

I've previously posted about an issue affecting older Quectel modems present in the PinePhone. The issue, which was assigned the CVE ID CVE-2021-31698, is similar to the one described in this article. The article presents some background on how the modem and the mainboard (the "host" machine) communicate - usually, the mainboard sends AT commands over a serial line to the modem, which runs its own black-box operating system entirely independent of the mainboard. These AT commands are parsed by a daemon running on the modem, which then indicates whether the command executed successfully and optionally returns some data.

**Analyzing the daemon**

In the previously mentioned issue, I described that the AT commands were parsed by a daemon on the modem called atfwd_daemon. While this is still technically somewhat true, a bulk of the core functionality is offloaded to other components or libraries. Some AT commands are executed by the modem's QDSP processor, which is at the time of writing still quite difficult to reverse engineer. The library we're interested in is libql_atcop.so, which is an ARMv8 shared library present on the modem's host OS.

I identified the vulnerable command AT+QFOTADL. In practice, this command is used to point to an OTA download link, for example:

    AT+QFOTADL="https://sif.ee/Quectel-OTA.bin"
    

The modem downloads the OTA, extracts it, verifies whether it's installable, and finally installs it on the modem device.

This command is handled in libql_atcop.so by a procedure named ql_exec_qfotadl_cmd_proc():

This procedure first matches the provided schema and checks to see which protocol is being used (plain HTTP, HTTPS, or FTP):

Code flow is then passed to another procedure, which formats the provided URL into a system command using snprintf() and initiates the download:

Disassembling the binary further revealed that there is no user input sanitization in place and the provided user input is used in the command as-is, which is executed using system() (provided by a wrapper function in another library).

**Code execution**

From this, we can deduce that arbitrary command execution is possible. We can, for example, enter a valid schema and use backticks to execute our commands in a subshell. As an example, to reboot the modem:

    AT+QFOTADL="http://`reboot`"
    

Due to the fact that the daemon runs as root, the code is also being executed as the root user on the modem.

As an example, in this Asciinema recording, I use the nc binary present to establish a reverse shell (over 5G!) to my server.

It's very possible that this vulnerability affects other Quectel products as well, as firmware is commonly reused, but I do not possess other hardware to test it on. Most probably, it affects all RG50xQ products, if not more. Vendor did not clarify which products this vulnerability affects.

**Timeline**

*   **22/02/2022** - Attempted to contact vendor
*   **23/02/2022** - Vendor confirmed vulnerability
*   **23/02/2022** - Vendor informs of fix in codebase
*   **25/02/2022** - Assigned ID CVE-2022-26147
*   **14/06/2022** - Notified vendor of imminent public disclosure of vulnerability, no response from vendor
*   **21/06/2022** - Article published

CVE-2022-26147: Code execution as root via AT commands on the Quectel RG500Q-EA 5G modem

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

**Summary**

Applications and Services that utilize versions of PDFTron prior to 9.1.17 may be impacted by Heap-based Buffer Overflow, and Untrusted Pointer Dereference vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-27871: Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

2) CVE-2022-27872 : A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022. The vulnerability exists because the application fails to handle a crafted PDF file, which causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions\***

**Update Source**

Revit®

2022, 2021, 2020 

2022.1.2, 2021.1.6, 2020.2.8

Autodesk Desktop App, or Accounts Portal

Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD®

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Architecture

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Electrical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Map 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mechanical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® MEP

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Plant 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® LT

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mac

2022

2022.2.2

Autodesk Knowledge Network

AutoCAD® LT for Mac

2022

2022.2.2

Autodesk Knowledge Network

Autodesk ® Design Review

2018

2018 Hotfix 6

Autodesk Knowledge Network

Autodesk® 3ds Max®

2022, 2021

2022.3.3, 2021.3.8

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends that users of the affected products listed above apply the available hotfix for their version via the Autodesk Desktop App or the Accounts Portal. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

In addition, users of the 2019, 2020, 2021 and 2022 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD®, AutoCAD LT 2022 Updates via the Autodesk Desktop App or Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

Users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk ® Navisworks ® includes security updates that address the PDF file vulnerabilities. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

Customers using previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-27871 and CVE-2022-27872

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

5/25/2022

Initial Release of Security advisory

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

Tag

#mac