Ubuntu Security Notice 5489-1 - Alexander Bulekov discovered that QEMU incorrectly handled floppy disk emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak sensitive information. It was discovered that QEMU incorrectly handled NVME controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5489-1  
June 21, 2022

qemu vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:  
- qemu: Machine emulator and virtualizer

Details:

Alexander Bulekov discovered that QEMU incorrectly handled floppy disk  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly leak  
sensitive information. (CVE-2021-3507)

It was discovered that QEMU incorrectly handled NVME controller emulation.  
An attacker inside the guest could use this issue to cause QEMU to crash,  
resulting in a denial of service, or possibly execute arbitrary code. This  
issue only affected Ubuntu 22.04 LTS. (CVE-2021-3929)

It was discovered that QEMU incorrectly handled QXL display device  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly execute  
arbitrary code. (CVE-2021-4206, CVE-2021-4207)

Jietao Xiao, Jinku Li, Wenbo Shen, and Nanzi Yang discovered that QEMU  
incorrectly handled the virtiofsd shared file system daemon. An attacker  
inside the guest could use this issue to create files with incorrect  
ownership, possibly leading to privilege escalation. This issue only  
affected Ubuntu 22.04 LTS. (CVE-2022-0358)

It was discovered that QEMU incorrectly handled virtio-net devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26353)

It was discovered that QEMU incorrectly handled vhost-vsock devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26354)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  qemu-system                     1:6.2+dfsg-2ubuntu6.2  
  qemu-system-arm                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-mips                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-misc                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-s390x               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-sparc               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-microvm         1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.2

Ubuntu 21.10:  
  qemu-system                     1:6.0+dfsg-2expubuntu1.3  
  qemu-system-arm                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-mips                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-misc                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-ppc                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-s390x               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-sparc               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-microvm         1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-xen             1:6.0+dfsg-2expubuntu1.3

Ubuntu 20.04 LTS:  
  qemu-system                     1:4.2-3ubuntu6.23  
  qemu-system-arm                 1:4.2-3ubuntu6.23  
  qemu-system-mips                1:4.2-3ubuntu6.23  
  qemu-system-misc                1:4.2-3ubuntu6.23  
  qemu-system-ppc                 1:4.2-3ubuntu6.23  
  qemu-system-s390x               1:4.2-3ubuntu6.23  
  qemu-system-sparc               1:4.2-3ubuntu6.23  
  qemu-system-x86                 1:4.2-3ubuntu6.23  
  qemu-system-x86-microvm         1:4.2-3ubuntu6.23  
  qemu-system-x86-xen             1:4.2-3ubuntu6.23

Ubuntu 18.04 LTS:  
  qemu-system                     1:2.11+dfsg-1ubuntu7.40  
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.40

After a standard system update you need to restart all QEMU virtual  
machines to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5489-1  
  CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2021-4207,  
  CVE-2022-0358, CVE-2022-26353, CVE-2022-26354

Package Information:  
  https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.2  
  https://launchpad.net/ubuntu/+source/qemu/1:6.0+dfsg-2expubuntu1.3  
  https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.23  
  https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.40

Ubuntu Security Notice USN-5489-1

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**01**

****About Us.****

**We provide state-of-the-art solutions based on the most recent breakthroughs in the field of semantic technologies, to enable a direct and effective management of enterprise data.**

**We support organizations in dealing with the challenges of data governance, production, and management through solutions based on the groundbreaking Ontology-based Data Management technology.**

**OBDA Systems is an innovation startup of Sapienza University of Rome, and a company of the Almawave Group.**

****02********Ontology-based Data**  
**Management********A three-level data virtualization technology that allows data access, integration, quality checking, and governance through an ontology or a knowledge graph.****

**The Ontology Layer**

**A knowledge graph that describes the business domain: a user-friendly, machine-readable model of enterprise data.**

**A high-level representation of the business domain through which the data is accessed.**

**Data access, integration, and quality checking are enhanced by exploiting automatic reasoning capabilities over the graph**.

**The Mapping Layer**

**Semantic Links between the ontology and the enterprise data sources**.

**SQL queries on the databases are connected to the ontology entities to enable virtual data access.**

**The mappings allow separation of the physical data structure from the ontology model, and bridge the semantic gap between the two.**

**The Data Layer**

**Enterprise data sources and applications.**

**No new custom databases are required. No ETL processes. Zero impact on the pre-existing enterprise data layer.**

**Pay-as-you-go model: connect new data sources to the ontology by mapping them to instantly gain integration.**

****Simple****

**Access data through simple business questions over the ontology, regardless of where and how the data is stored.**

****Efficient****

**Reduces turn-around-time for key business decisions and drops the cost of querying the data.**

**Agile**

**The virtual data-to-ontology mappings require no ETL processes or custom database restructuring.**

**Flexible**

**A pay-as-you-go approach to building the ontology and mapping the data for any business use case.**

03

****Solutions****

**Simplifying data governance, boosting information management services, and getting the best out of your data.**

**Semantic Data Access and Integration**

******The ontological representation of the enterprise data simplifies the work of the domain experts, who can use business concepts to interact with integrated data sources for the purpose of data governance and analytics.******

**Enterprise Knowledge Graphs**

****Knowledge Graphs and ontologies give meaning to enterprise data through the business language.  
OBDA Systems provides tools and expertise that help organizations build and maintain their own Enterprise Knowledge Graphs.****

**Data Quality Checking and Governance**

********The ontology provides the business rules to measure the quality of enterprise data. OBDA System’s tools leverage these rules to help identify and correct data quality issues, and improve the value and reliability of the enterprise data sources**.******

**Preparation and Publication of 5\* Linked Open Data**

************Preparation, annotation and publication of 5 star Linked Open Data through a simple query-driven pipeline. Support for W3C standards, data lineage tracing, privacy and protection management through the ontology model.************

**0**4

****Products****

****The Mastro Suite: OBDM tools for the end-user and the designer.****

****The motor behind OBDM: an ontology reasoning system with virtual query answering capabilities over enterprise data sources and automatic data quality verification with respect to the ontology business rules.****

****The Semantic Knowledge Graph Platform: Monolith is the gateway to accessing Mastro’s features, while also allowing ontology exploration, knowledge graph creation, data mapping visualization and editing.****

****An Open Source, free-to-use, completely graphical ontology editor with syntactic and semantic reasoning capabilities, to ensure quick, safe, and easy ontology creation.****

**05**

****Our Team**  
**

****Maurizio Lenzerini****

**Co-Founder & President**

****Raniero Romagnoli****

**CEO**

****Valerio Santarelli****

**Co-Founder & CTO**

****Marco Ruzzi****

**Co-Founder & Lead Developer**

****Lorenzo Lepore****

**Co-Founder & Senior R&D Engineer**

****Giacomo Ronconi****

**Senior R&D Engineer**

****Giuseppe De Giacomo****

**Co-Founder & Scientific Advisor**

****Domenico Lembo****

**Co-Founder & Scientific Advisor**

****Antonella Poggi****

**Co-Founder & Scientific Advisor**

****Domenico Fabio Savo****

****Co-Founder & Scientific Advisor****

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.

CVE-2021-40511: Home - OBDA Systems

Open source is here to stay, and it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of digital transformation.

Following the trio of the Log4J vulnerability and the more recent compromise of two open source libraries in the NPM ecosystem and one in Spring Core, supply chain security is weighing heavily on cyber defenders' minds. While the financial services sector has hardened its cyber defenses compared with other industries and become one of the earliest adopters of zero-trust security, institutions must continue to embrace open source technology while actively engaging in risk mitigation.

With so many foundational components of the global tech stack originating from open source code repositories like GitHub, recent exploits have heightened worries that this open ecosystem is inherently vulnerable to attack. This is especially true given the finance industry's finance industry's embrace of open source, as shown by Goldman Sachs contributing source code of several of its data modules as open source in 2020.

**Keeping Open Source Environments Protected**

First off, financial institutions must assume a more active role in the funding of open source foundations and direct-to-maintainer grants to help limit exposures from critical code dependencies, as illustrated by the Log4Shell debacle. To this end, public-private sector partnerships will be vital for financial institutions looking to harden their open source security postures. Confronting the inherent DevSecOps of the open source ecosystem requires a financial and strategic commitment from institutions willing to support the whole spectrum of open source maintainers — and not just the Apache Software Foundations of this world. Projects like the OpenSSF Alpha-Omega initiative are a great example of this approach.

Financial institutions also need to adopt a more robust software bill of materials (SBOMs), a key point highlighted in President Biden’s executive order from last June. Modern SBOMs deploy machine-readable processing, a technology that enables systems to ingest incoming structured report data, to autonomously analyze the state of SBOM readiness by organizations around the world. SBOMs can thus help financial institutions rapidly identify patterns across their industry and across borders, helping them spot critical risk issues before they metastasize into larger problems.

A table-stakes strategy for financial institutions to mitigate open source risks on the consumption side include the implementation of stronger internal license and IP controls and tools to track and monitor inbound open source projects. More granular strategic solutions start with financial institutions taking time to understand the defenders that are focused on securing the open source realm. Organizations like Mend, Sonatype, and Synk are key players in this world.

The broader sustainability of the open source ecosystem is another reason for financial institutions to assume a more hands-on role in the development of code repositories and other active-source artifacts. Institutions should consider offering secure coding training as part of their onboarding, something too often overlooked in academic curricula.

Encouraging in-house developers to contribute "sweat equity" to the ecosystem will increase the number of eyes on open source artifacts, thus enhancing the odds that financial institutions will be able to spot code vulnerabilities before they threaten a SolarWinds type of breach. This approach will effectively reduce the probability and blast radius of future vulnerabilities.

**Benefits of Open Source Outweigh the Risks**

Despite recent, worrisome supply chain attacks, financial institutions should not be deterred by these challenges. The global financial industry is now very seriously democratizing software through open source, not only as a cost reduction but as a powerful collaboration model that goes beyond code to be used to address challenges like data standardization and industrywide interoperable workflows. Open source is here to stay, and therefore it is no longer optional — it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of their digital transformation endeavors.

Institutions are doing more than just implementing code that another developer has updated. Financial organizations should look to invest internal developer resources to actively contribute to code repositories. Developers should be contributing code not just in their spare time, but more appropriately, while they're on the job within the expected scope of their organizational roles.

By taking a proprietary stake in the open-innovation ecosystem, financial institutions can better mitigate vulnerabilities and exposures emanating from their tech stacks. This type of risk management also requires the articulation of companywide policies, learning, and collaboration resources throughout the firm. Naturally, financial institutions need to delegate and establish leadership roles to oversee the effort.

Whether through open source foundations or direct monetary or sweat-equity contributions to projects, financial institutions must realize the importance of professional software supply chain management. They should also understand the roles that consumers must play in securing the open source IT stack, which underpins the modern digital economy.

Why Financial Institutions Must Double Down on Open Source Investments

A researcher has posted a PoC for yet another NTLM relay attack method dubbed DFSCoerce. It is high time to retire NTLM. 
The post DFSCoerce, a new NTLM relay attack, can take control over a Windows domain appeared first on Malwarebytes Labs.

A researcher has published a Proof-of-Concept (PoC) for an NTLM relay attack dubbed DFSCoerce. The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

**Active Directory**

A directory service is a hierarchical arrangement of objects which is structured in a way that makes access easy. Windows Active Directory (AD) is a directory service provided by Microsoft and developed for Windows domains. Basically, it is a central database which gets contacted before a user is granted access to a resource or a service. Organizations primarily use AD to perform authentication and authorization.

Many large organizations depend on Windows Active Directory (AD) to maintain order in the mountain of work involved in managing users, computers, permissions, and file servers.

**NTLM**

NTLM is short for New Technology LAN Manager. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). NTLM is a protocol that uses a challenge and response method to authenticate a client.

1.  First, the client establishes a network path to the server and sends a NEGOTIATE\_MESSAGE advertising its capabilities.
2.  Next, the server responds with CHALLENGE\_MESSAGE which is used to establish the identity of the client.
3.  Finally, the client responds to the challenge with an AUTHENTICATE\_MESSAGE.

The NTLM protocol uses one or both of two hashed password values. Both passwords are also stored on the server (or domain controller). And through a lack of salting they are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

**NTLM relay attack**

NTLM relay attacks allow attackers to steal hashed versions of user passwords, and relay clients’ credentials in an attempt to authenticate to servers. They use a Machine-in-the-Middle method that allows threat actors to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources.

PetitPotam is an example of an NTLM relay attack that prompted Microsoft to send out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack. PetitPotam used the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) protocol to execute an NTLM attack.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an remote procedure call (RPC) interface.

_Tweet by the researcher that discovered DFSCoerce_

**Other methods**

Other methods threat actors could use include the MS-RPRN, and the MS-FSRVP protocols. And now the researcher has added MS-DFSNM to the list of applicable protocols. A list which researchers expect to grow even more. The Distributed File System Namespace Management (DFSNM) protocol is one of a collection of protocols that group shares that are located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share. When a user views the namespace, the directories and files in it appear to reside on a single share.

**Mitigation**

While Microsoft has issued patches for NTLM attacks in the past, it is unclear whether it will do the same for DFSNM to thwart the DFSCoerce method.

The advice for system administrators is to follow Microsoft’s advisory on how to prevent NTLM relay attacks. The Microsoft advisory, triggered by PetitPotam, will also prevent DFSCoerce and other NTLM attack methods. The recommendation basically says to disable the deprecated NTLM authentication where possible and use the Extended Protection for Authentication (EPA). Extended Protection for Authentication helps protect against MITM attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.

Stay safe, everyone!

DFSCoerce, a new NTLM relay attack, can take control over a Windows domain

An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2022-11

Credit

Tudor Enache (CVE-2022-32974)

Phil Castellanos (CVE-2022-32973)

CVSSv3 Base / Temporal Score

7.5 / 6.7 (CVE-2018-25032)

6.5 / 5.7 (CVE-2022-25313)

7.5 / 6.5 (CVE-2022-25314)

9.8 / 8.5 (CVE-2022-25315)

9.8 / 8.5 (CVE-2022-25235)

9.8 / 8.5 (CVE-2022-25236)

9.8 / 8.5 (CVE-2022-23990)

9.8 / 8.5 (CVE-2022-23852)

6.1 / 5.3 (CVE-2021-41182)

6.1 / 5.3 (CVE-2021-41183)

6.1 / 5.3 (CVE-2021-41184)

8.4 / 7.6 (CVE-2022-32973)

4.2 / 3.8 (CVE-2022-32974)

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C (CVE-2018-25032)

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25313)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25314)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25315)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25235)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25236)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23990)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23852)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41182)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41183)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41184)

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H (CVE-2022-32973)

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:H/MPR:H/MUI:R/MS:U/MC:H/MI:N/MA:N (CVE-2022-32974)

****FREE FOR 30 DAYS****

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

**Buy Tenable.cs**

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

CVE-2022-32973: [R2] Nessus Version 10.2.0 Fixes Multiple Vulnerabilities

In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.

All Vulnerability Reports

**CVE-2022-22979: Spring Cloud Function Dos Vulnerability**  
**Severity**

High

**Vendor**

Spring by VMware

**Description**

In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog component of the framework. At the time of writing of this CVE such interaction is only possible via spring-cloud-function-web module.

**Affected VMware Products and Versions**

Severity is high unless otherwise noted.

*   Spring Cloud Function
    *   3.2.5
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should upgrade to 3.2.6. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Cloud Function
    *   3.2.6

**Credit**

This vulnerability was initially discovered and responsibly reported by Yaniv.Nizry@checkmarx.com.

**References**

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H
*   https://cwe.mitre.org/data/definitions/770.html
*   https://cwe.mitre.org/data/definitions/497.html

**History**

2022-06-15: Initial vulnerability report published.

CVE-2022-22979: CVE-2022-22979 | Security

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Multiple Autodesk products have been affected by Use After Free, Out-of-bound-write, Stack-based Buffer, Memory Corruption, and Buffer Overflow vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-25789 - A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

2) CVE-2022-25790 - A maliciously crafted DWF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 can be used to write beyond the allocated boundaries when parsing the DWF files. Exploitation of this vulnerability may lead to code execution.

3) CVE-2022-25791 - A Memory Corruption vulnerability for DWF and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 may lead to code execution through maliciously crafted DLL files.

4) CVE-2022-25792 - A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability can be exploited to execute arbitrary code.

5) CVE-2022-25796 - A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6) CVE-2022-27528 - A maliciously crafted DWFX and SKP files in Autodesk Navisworks 2022, 2020, and 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution

7) CVE-2022-27868 - A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac LT

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

In addition, users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk® Navisworks® includes security updates that address the DWF, and DWFX file vulnerabilities. As a general best practice, we also recommend that customers only open DWF, or DWFX files from trusted sources.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25796, CVE-2022-27528
*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-25789
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-27868

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

2/28/2022

Initial Release of the Security Advisory

1.1

3/31/2022

Update of the Security Advisory for Addition to Navisworks and AutoCAD supported versions in Product Table

1.2

4/25/2022 

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table and CVE-2022-27868 description

1.3

4/28/2022 

Update of the Security Advisory for Addition to Navisworks 2020 supported version in Product Table

1.4

5/25/2022 

Update of the Security Advisory for Addition to Navisworks 2019 supported version in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27868: Security Advisories | Autodesk Trust Center

The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection.

I recently researched a relatively new 5G-capable modem from Quectel: the RG500Q-EA. I identified a security issue with how the OTA download procedure operates which allows an attacker to execute commands on the modem as root.

**Previous research**

I've previously posted about an issue affecting older Quectel modems present in the PinePhone. The issue, which was assigned the CVE ID CVE-2021-31698, is similar to the one described in this article. The article presents some background on how the modem and the mainboard (the "host" machine) communicate - usually, the mainboard sends AT commands over a serial line to the modem, which runs its own black-box operating system entirely independent of the mainboard. These AT commands are parsed by a daemon running on the modem, which then indicates whether the command executed successfully and optionally returns some data.

**Analyzing the daemon**

In the previously mentioned issue, I described that the AT commands were parsed by a daemon on the modem called atfwd_daemon. While this is still technically somewhat true, a bulk of the core functionality is offloaded to other components or libraries. Some AT commands are executed by the modem's QDSP processor, which is at the time of writing still quite difficult to reverse engineer. The library we're interested in is libql_atcop.so, which is an ARMv8 shared library present on the modem's host OS.

I identified the vulnerable command AT+QFOTADL. In practice, this command is used to point to an OTA download link, for example:

    AT+QFOTADL="https://sif.ee/Quectel-OTA.bin"
    

The modem downloads the OTA, extracts it, verifies whether it's installable, and finally installs it on the modem device.

This command is handled in libql_atcop.so by a procedure named ql_exec_qfotadl_cmd_proc():

This procedure first matches the provided schema and checks to see which protocol is being used (plain HTTP, HTTPS, or FTP):

Code flow is then passed to another procedure, which formats the provided URL into a system command using snprintf() and initiates the download:

Disassembling the binary further revealed that there is no user input sanitization in place and the provided user input is used in the command as-is, which is executed using system() (provided by a wrapper function in another library).

**Code execution**

From this, we can deduce that arbitrary command execution is possible. We can, for example, enter a valid schema and use backticks to execute our commands in a subshell. As an example, to reboot the modem:

    AT+QFOTADL="http://`reboot`"
    

Due to the fact that the daemon runs as root, the code is also being executed as the root user on the modem.

As an example, in this Asciinema recording, I use the nc binary present to establish a reverse shell (over 5G!) to my server.

It's very possible that this vulnerability affects other Quectel products as well, as firmware is commonly reused, but I do not possess other hardware to test it on. Most probably, it affects all RG50xQ products, if not more. Vendor did not clarify which products this vulnerability affects.

**Timeline**

*   **22/02/2022** - Attempted to contact vendor
*   **23/02/2022** - Vendor confirmed vulnerability
*   **23/02/2022** - Vendor informs of fix in codebase
*   **25/02/2022** - Assigned ID CVE-2022-26147
*   **14/06/2022** - Notified vendor of imminent public disclosure of vulnerability, no response from vendor
*   **21/06/2022** - Article published

CVE-2022-26147: Code execution as root via AT commands on the Quectel RG500Q-EA 5G modem

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

**Summary**

Applications and Services that utilize versions of PDFTron prior to 9.1.17 may be impacted by Heap-based Buffer Overflow, and Untrusted Pointer Dereference vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-27871: Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

2) CVE-2022-27872 : A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022. The vulnerability exists because the application fails to handle a crafted PDF file, which causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions\***

**Update Source**

Revit®

2022, 2021, 2020 

2022.1.2, 2021.1.6, 2020.2.8

Autodesk Desktop App, or Accounts Portal

Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD®

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Architecture

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Electrical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Map 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mechanical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® MEP

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Plant 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® LT

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mac

2022

2022.2.2

Autodesk Knowledge Network

AutoCAD® LT for Mac

2022

2022.2.2

Autodesk Knowledge Network

Autodesk ® Design Review

2018

2018 Hotfix 6

Autodesk Knowledge Network

Autodesk® 3ds Max®

2022, 2021

2022.3.3, 2021.3.8

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends that users of the affected products listed above apply the available hotfix for their version via the Autodesk Desktop App or the Accounts Portal. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

In addition, users of the 2019, 2020, 2021 and 2022 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD®, AutoCAD LT 2022 Updates via the Autodesk Desktop App or Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

Users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk ® Navisworks ® includes security updates that address the PDF file vulnerabilities. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

Customers using previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-27871 and CVE-2022-27872

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

5/25/2022

Initial Release of Security advisory

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27871: Security Advisories | Autodesk Trust Center

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

Tag

#mac