Nokia ASIK AirScale System Module

Cybersecurity and telecom providers from around the world can now test their technologies and use cases in OneLayer's digital twin private network environment.

**TEL AVIV, Israel, Oct. 27, 2022 /PRNewswire/ —** OneLayer, a pioneer in securing private LTE/5G networks for enterprises, announced today the launch of one of the world's first 5G private network security labs. The lab, which will be open to the public for research purposes, acts as a digital twin to simulate specific threat scenarios posed to an enterprise network. The data collected during these simulations will help companies find the best security solutions for each organization and its needs.

Private cellular networks provide organizations with improved connectivity and increased reliability, a dedicated bandwidth with capacity and range, no lag time, and connectivity of IoT and OT devices across vast areas. As organizations increasingly adopt private networks, they must also address securing such networks, so the same standard of security applied to enterprise IP networks is addressed in the cellular domain.

The OneLayer 5G Security Lab provides a simulated environment for cyber and telecom companies to examine diverse security challenges and solutions in this domain. Using core equipment from Nokia, Druid, and Airspan, the lab can create private networks based on different types of cores, end units, and IoT devices to model different types of cyberattacks and the solutions to defend against them.

"The goal of this security lab is to provide the opportunity to test private networks and security use cases to improve the understanding of connected IoT and OT devices for continued R&D of OneLayer's private cellular security platform," said Liron Ben-Horin, VP of Systems Engineering at OneLayer. "We intend to collect and analyze data in order to profile devices and segment networks appropriately. We want to share our tools and capabilities with the private network ecosystem to foster industry collaboration. As such, we welcome any company that is researching or testing LTE/5G devices to join us on this journey at our Tel Aviv-based security lab."

"OTORIO and OneLayer have joined forces in order to leverage OneLayer's 5G Security Lab to test the integrations with various technologies and telecom systems," said Matan Dobrushin, VP Research at OTORIO. "We are excited for our mutual research collaboration to ensure the usability, efficiency and safety of OTORIO's solutions in hybrid networks."

"We are excited for the opportunity to leverage OneLayer's Security Lab and to work together to improve the cybersecurity of 5G core network devices," said Sharon Brizinov, Director of Security Research at Claroty's Team82. "The collaborations coming out of the security lab will benefit enterprise security overall as we explore the ever-growing attack surface of the Extended Internet of Things (XIoT) and these devices' connectivity within cellular networks."

"Armis recognizes the growing risk raised by private cellular networks," said Barak Hadad, Head of Research at Armis. "Together with OneLayer, we can help defenders gain full visibility to their core networks and their connected devices."

"I'm excited to see a Tel Aviv-based startup, OneLayer, investing in a unique 5G devices lab. These types of activities enable the Israeli ecosystem and cybersecurity market to ensure we are ahead of the bad guys as the network continues to evolve," said Eli Fainberg, VP Product at Forescout.

**About OneLayer**

OneLayer provides enterprise-grade security for private LTE/5G networks. Its platform and IoT security toolkit can be implemented in private cellular networks to provide better visibility, control and protection for organizations. The company was founded by world-class cybersecurity experts with a deep understanding of both cellular protocols and IoT security needs and veterans from the IDF's 8200 and 81 intelligence units. OneLayer is backed by industry-leading advisors and has partnered with experts both in the cybersecurity domain as well as the telecom industry. To learn more about OneLayer please visit https://one-layer.com/ or LinkedIn.

OneLayer Opens 5G Security Lab for Network Security Companies to Research Threats to Private Cellular Networks

In CarSettings of app packages, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220741473

_Published October 3, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-10-05 or later from the October 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the System component that could enable local escalation of privilege in Bluetooth settings. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2022 Android Security Bulletin, the October 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-10-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**System**

The vulnerability in this section could enable local escalation of privilege in Bluetooth settings.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20429

A-220741473

EoP

High

10, 11, 12, 12L

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-10-01 or later address all issues associated with the 2022-10-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-10-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-10-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

October 3, 2022

Bulletin Published

CVE-2022-20429: Android Automotive OS Update Bulletin—October 2022  |  Android Open Source Project

In dllist_remove_node of TBD, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-242344778

_Published October 3, 2022 | Updated October 5, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-10-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-10-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20419

A-237290578

ID

Critical

12L, 13

CVE-2022-20420

A-238377411

EoP

High

13

CVE-2022-20351

A-224771921

ID

High

10, 11, 12, 12L

CVE-2021-39624

A-67862680

DoS

High

11, 12, 12L

CVE-2021-39758

A-205130886

EoP

Moderate

10, 11, 12

CVE-2022-20415

A-231322873

EoP

Moderate

10, 11, 12, 12L, 13

**Media Framework**

The most severe vulnerability in this section could lead to local information disclosure with User execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20413

A-235850634

ID

High

10, 11, 12, 12L, 13

CVE-2022-20418

A-231986464

ID

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20412

A-230794395

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20416

A-237717857

EoP

High

12, 12L, 13

CVE-2022-20417

A-237288416

EoP

High

12, 12L, 13

CVE-2021-39673

A-195410559 \[2\]

ID

High

13

CVE-2022-20394

A-204906124

ID

High

10, 11, 12, 12L

CVE-2022-20410

A-205570663

ID

High

10, 11, 12, 12L, 13

CVE-2022-20425

A-235823407

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

There are no security issues addressed in Google Play system updates (Project Mainline) this month.

**2022-10-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-1786

A-230867044  
Upstream kernel \[2\]

EoP

High

io\_uring

CVE-2022-20421

A-239630375  
Upstream kernel

EoP

High

Binder driver

CVE-2022-20422

A-237540956  
Upstream kernel

EoP

High

armv8 emulation

CVE-2022-20423

A-239842288  
Upstream kernel \[2\]

EoP

High

USB

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20409

A-238177383  
Upstream kernel

EoP

Moderate

io\_uring

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0696

A-242344778 \*

High

PowerVR-GPU

CVE-2021-0951  

A-242345085 \*

High

PowerVR-GPU

CVE-2021-0699

A-242345178 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26471

A-234037999  
M-ALPS07319121 \*

High

telephony

CVE-2022-26472

A-234037216  
M-ALPS07319095 \*

High

ims

**UNISOC components**

These vulnerabilities affect UNISOC components and further details are available directly from UNISOC. The severity assessment of these issues is provided directly by UNISOC.

   

CVE

References

Severity

Component

CVE-2022-20430

A-242221233  
U-1882896 \*

High

Telephony

CVE-2022-20431

A-242221238  
U-1882896 \*

High

Telephony

CVE-2022-20432

A-242221899  
U-1882896 \*

High

Telephony

CVE-2022-20433

A-242221901  
U-1882896 \*

High

Telephony

CVE-2022-20434

A-242244028  
U-1882896 \*

High

Telephony

CVE-2022-20435

A-242248367  
U-1901996 \*

High

Android

CVE-2022-20436

A-242248369  
U-1901996 \*

High

Android

CVE-2022-20437

A-242258929  
U-1916307 \*

High

Android

CVE-2022-20438

A-242259920  
U-1916307 \*

High

Android

CVE-2022-20439

A-242266172  
U-1916307 \*

High

Andorid

CVE-2022-20440

A-242259918  
U-1916307 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25720

A-238214313  
QC-CR#3048142  
QC-CR#3049634  
QC-CR#3051517  
QC-CR#3102432

Critical

WLAN

CVE-2022-22077

A-238108281  
QC-CR#3155201

High

Kernel

CVE-2022-25723

A-238108282  
QC-CR#3072203

High

Kernel

CVE-2022-33214

A-238103940  
QC-CR#3178237

High

Display

CVE-2022-33217

A-238103939  
QC-CR#3182864

High

Kernel

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25718

A-238106982 \*

Critical

Closed-source component

CVE-2022-25748

A-238106075 \*

Critical

Closed-source component

CVE-2022-25660

A-228101818 \*

High

Closed-source component

CVE-2022-25661

A-228101758 \*

High

Closed-source component

CVE-2022-25687

A-238106629 \*

High

Closed-source component

CVE-2022-25736

A-238214356 \*

High

Closed-source component

CVE-2022-25749

A-238106077 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-10-01 or later address all issues associated with the 2022-10-01 security patch level.
*   Security patch levels of 2022-10-05 or later address all issues associated with the 2022-10-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-10-01\]
*   \[ro.build.version.security\_patch\]:\[2022-10-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-10-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-10-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-10-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

October 3, 2022

Bulletin Published

1.1

October 5, 2022

Bulletin revised to include AOSP links

CVE-2021-0696: Android Security Bulletin—October 2022  |  Android Open Source Project

UN countries are preparing to pick a new head of the International Telecommunications Union. Who wins could shape the open web's future.

This week in Romania, a US State Department candidate is facing a Russian challenger in an election for the leadership of one of the most important international technology bodies in the world.

Who wins could determine whether the internet remains a relatively decentralized and open platform—or begins to centralize into the hands of nation-states and state-run companies that may want great control over what their citizens see and do online. Yet, with just days to go before the vote, the race for secretary-general of the International Telecommunications Union (ITU) has garnered painfully little attention.

It’s a two-person race: On one side is the American, Doreen Bogdan-Martin, a former Commerce Department expert on telecommunications who joined the ITU in the 1990s. She’s squaring off against Rashid Ismailov, the former deputy minister for Russia’s telecommunications ministry.

According to their election platforms, Bogdan-Martin and Ismailov signal the same core objective: connecting every person in the world to the internet and cellphone service by 2030. The two candidates, however, represent fundamentally different visions for the future of the internet. Bodgan-Martin’s campaign has focused on her track record of navigating the complex machinery of the United Nations body. Ismailov, meanwhile, has promised a “humanization” of telecommunications infrastructure—and has invoked his candidacy as a way to reject American “dominance” online.

If the wrong candidate wins, says Göran Marby, head of Internet Corporation for Assigned Names and Numbers (Icann), the stakes couldn’t be higher: “People around the world might not be able to connect to one single interoperable internet.”

Today, the ITU technically sits under the auspices of the United Nations. But it predates the world’s major deliberative body by about 80 years.

Originally established to do things like standardize the Morse code alphabet and codify the standard distress call, the ITU is today responsible for creating standards and interoperability between an array of services and technologies and expanding access to modern communications platforms.

Maintaining interoperability is an unsung but critical job. The ITU needs to ensure that all countries can agree on allocating space on the radio frequency spectrum, and it assigns orbital slots to various communication satellites, amongst other tasks. For example, the ITU is the reason a Japanese cellphone can still work in Dakar, and vice versa.

Unlike other UN bodies, the ITU is not merely the purview of nation-states: Its members include 190 nation-states, as well as 900 corporations, research bodies, and NGOs. (Only nations can vote in leadership elections, however.) For the past eight years, the organization has been led by Secretary-General Zhao Houlin, who had been rising in the ranks of the sprawling ITU bureaucracy since he left the Chinese telecommunications ministry in 1986.

Kristen Cordell, an adjunct fellow at the Center for Strategic and International Studies (CSIS), has called the ITU “the most important UN agency you have never heard of.” Decisions made at the international body, she argued, “have a tremendous impact on the everyday lives of Americans.”

Authoritarian states like China, Cordell wrote, “have increased their interest and activism in the ITU, leading to concerns that their outsized influence in standards setting may lead to the bifurcation of the internet.” Houlin’s time at the helm of the organization, according to Cordell, has been marked by “highly favorable comments and decisions in support of Chinese companies.” Those companies have, in turn, ramped up their involvement in the ITU. Huawei alone has submitted some 2,000 new standards proposals to the organization, according to Cordell.

In 2019, Houlin signed a memorandum of understanding between the ITU and the Export-Import Bank of China to expand internet access through the Global South under China’s signature Belt and Road Initiative. The initiative has been criticized as a form of neocolonialism: hooking up countries, particularly in Africa, to high-interest loans that leave them beholden to Chinese investment.

Proposals from Chinese state enterprises and from Beijing itself suggest, in their words, a “New IP” and are purportedly a response to a lack of innovation in how data is processed at the lowest levels of the internet. China has suggested that tagging data packets by their intended purpose could improve data routing and reduce latency. Beijing, in ITU proposals, offers altruistic examples, like prioritizing streaming data associated with virtual surgeries.

Critics, however, say the issues diagnosed by China are already being addressed and that such a proposal would likely worsen these fundamental problems, not improve them. The Internet Society, a US-based nonprofit that promotes internet openness, derided the proposal as one likely to make those identified problems worse and said it ignores progress in making the patchwork of different systems and operators play well with each other. “Creating overlapping work is duplicative and costly. In the end, it does not enhance interoperability,” wrote Internet Society analysts Hascall Sharp and Olaf Kolkman.

Many see an ulterior motive. This new balkanized internet “would lack free and open standards and be primed for manipulation by autocrats that seek to limit civil liberties and human rights,” Cordell argues.

“The internet, at its lowest level, should be data-agnostic,” says Mallory Knodel, chief technology officer at the Center for Democracy & Technology. There is “less information control if the data is agnostic,” she says.

“New IP would centralize control over the network into the hands of telecoms operators, all of which are either state-run or state-controlled in China,” reads a 2020 report from Oxford Information Labs, prepared for NATO and obtained by _Infosecurity Magazine_. “So, internet infrastructure would become an arm of the Chinese state.”

Members of the ITU have largely shot down these proposals for New IP. But that doesn’t mean China is giving up.

Fiona Alexander, a cofounder of Salt Point Strategies who is also part of the American delegation to the ITU, points out that there is a “sleight of hand” going on with some of the authoritarian regimes as they advance proposals like New IP—most recently, China has rebranded that proposal to the innocuous-sounding “IPV6+.”

China has acknowledged that increased central control is, in its view, an upside of these proposals. “States have the right to make ICT-related \[information and communications technology\] public policies consistent with national circumstances to manage their own ICT affairs and protect their citizens’ legitimate interests in cyberspace,” reads a set of 2019 submissions written by Beijing.

This kind of work is, traditionally, not the purview of the ITU. Nongovernmental groups, like Icann and the Internet Engineering Task Force (IETF), tend to be more directly responsible for managing the actual protocols that govern the internet.

The Russian candidate to replace him, Ismailov, is no stranger to China’s international policy: He spent three years as a regional vice president at Huawei. From there, Ismailov rose through the ranks of the Russian Ministry of Telecom and Mass Communications before joining Nokia and later Russian telecommunications firm PJSC VimpelCom.

Beijing and Moscow have made no secret of the fact that they’re on the same page at the ITU.

A 2021 pact between Beijing and Moscow committed both countries to flexing their muscle when it comes to international technology governance, with an eye to “preserving the sovereign right of States to regulate the national segment of the Internet.”

“Russia and China emphasize the need to enhance the role of the International Telecommunication Union and strengthen the representation of the two countries in its governing bodies,” the agreement concludes.

Ismailov has been transparent that his view of the organization stands in stark contrast to that of his American competitor.

“Americans are, perhaps, allergic to everyone who has anything to do with Huawei,” Ismailov said in his official, 30-minute campaign video. “I don’t understand why this has happened.” He added that the “demonization” of the Chinese company was done, in his view, “out of fear of competition.”

While Ismailov said he would “strive to avoid this politicization” of the organization, he also pledged to defend Russia against consequences levied for its war in Ukraine.

“I want to make sure that the organization focuses more on its actual objectives—frequencies standardization, etc,” he said, through a translator, in his campaign video. “Of course this won’t be totally possible because technology is now an integral part of our everyday life, including geopolitics. We are seeing this with the sanctions that are being imposed. Russia is being pressured in all international organizations—some want to strip it of its voting rights, others want to expel Russia.”

In a press conference in May, Ukraine’s head of the State Special Communications Service, Yurii Shchyhol, said his country had moved to sanction Russia at the ITU as a denouncement of its invasion of Ukraine—what Ismailov euphemistically refers to as a “special military operation.”

If she wins, Bodgan-Martin will be the first woman to lead the ITU—she will also be the first American to lead the organization since 1965. While the State Department says Bodgan-Martin’s candidacy is a matter of having “the right candidate at the right time,” her bid for the job is no accident.

Houlin’s first candidacy for the secretary-general position, in 2014, went unopposed. In 2017, the Trump administration unveiled its National Security Strategy: a hodgepodge of tactics to counter China’s rising influence in the world. In it, the White House identified the protection of a free and open internet as a top priority and set “active engagement in key organizations” as necessary measures, mentioning the ITU by name.

Yet at the 2018 ITU Plenipotentiary Conference, Houlin again ran unopposed—his re-election bid was supported by 176 of the 178 countries present.

Ahead of the vote on September 29, at this year’s conference in Bucharest, the United States seems to be taking the race seriously. Members from the American delegation, as well as a senior official at the State Department who spoke on the condition of anonymity, said Bodgan-Martin has been campaigning intensely. A litany of photos posted to Twitter, and a surprisingly active hashtag, show her meeting with technical and civil society groups around the world.

In February, the United States appointed Ambassador Erica Barks-Ruggles as their representative responsible for the ITU conference—with marching orders to get Bogdan-Martin elected. She appeared before a House foreign affairs subcommittee late last year to underscore the fact that the United States’ focus on the ITU election, amongst others, meant “countering the efforts of countries such as the People’s Republic of China and Russia to reshape and undermine international law, institutions, and standards.” President Joe Biden has also released a statement endorsing Bogdan-Martin.

“What we’re really hearing from countries around the world,” the official says, is that connecting the roughly 3 billion people on the planet with no access to the internet is a top priority—closing the so-called digital divide. “We learned during Covid the stark digital divide that’s out there, and they want it closed as soon as possible,” the official said.

On that, they said, Bogdan-Martin “is focused like a laser.”

Ismailov, meanwhile, is trying to turn the race into a referendum on America.

“You can clearly see the two camps humankind is divided into: developing countries and the West,” he says in his campaign video. He set up the United States, and the West more broadly, as a monopolistic entity with respect to the internet.

“They encouraged extremist resources on their platforms at the same time they eradicated anyone who goes against their agenda,” Ismailov adds, citing Donald Trump’s Twitter ban as a prime example. In the friendly interview, Ismailov was asked about Russian media, such as RT, being taken offline in the United States and Europe. Ismailov likened it to “cancel culture.”

Ismailov drew a stark comparison: The Soviet Union’s development of nuclear weapons, followed by China, “offset everyone’s ambitions and made the perception of risk very tangible.” There had not been the same nuclear arms race in the telecommunications space, he says.

It’s a message that could just work, but the Americans are paying it no mind. “He’s focusing on a very negative vision, moaning about things,” the official says of Ismailov. “Let him do that.”

The State Department official spoke on background, and the department declined to make Bogdan-Martin available for an interview. A request to the Russian mission in Geneva, where the ITU is located, went unanswered.

While there was some quiet optimism about Bodgan-Martin’s chances, none of the experts and delegates to the ITU who spoke with WIRED were willing to predict her victory. Even though Russia has lost a number of major votes at the UN in recent months, the race for secretary-general is—unlike many other votes at the international body—a secret ballot, leaving room for horse-trading.

Some of Russia’s appeal is macro: The Beijing and Russia compact is undoubtedly attractive to less democratic countries that want to be free to regulate and restrict the internet as they see fit. Ismailov might also be attractive for other reasons. Earlier this year, Russian satellite operator Intersputnik announced that the country would be sponsoring a 200-seat cafeteria at the ITU’s new Geneva headquarters.

The top-tier race isn’t the only one that matters, however. At their annual meeting later this month, the ITU members will also select a number of senior functionaries, elect the make-up of regulatory boards, and choose a new council. All of those races have the potential to determine the way the ITU approaches these core questions over the next four years.

The secretary-general race will, however, signal what direction the organization is headed. Göran Marby, CEO of Icann—a core administrator of the technical infrastructure of the internet—would not officially endorse Bodgan-Martin, but he told the organization’s annual meeting last week that voting for Ismailov would mean “people around the world might not be able to connect to one single interoperable internet.”

Marby said he was remaining neutral, but added: “We vividly oppose one of the platforms, that the Russian potential secretary-general stands for.”

In an email statement, a spokesperson for Marby told WIRED that Ismailov’s candidacy threatens to further centralize control within the ITU, taking those authorities away from stakeholder groups like Icann.

“Technically, this is not possible,” they wrote. “The internet operates based on a system of voluntary standards, best practices, cooperation, and trust.” This cooperative model, they added, “is a model that works. The internet has operated without fail for nearly 40 years.”

While reiterating their neutrality in the race, the spokesperson added that “if the functions of Icann were moved to the ITU, the risk of internet fragmentation would be very real, and the interoperability of the internet would be jeopardized.”

This Vote Could Change the Course of Internet History

An issue was discovered in Nokia FastMile 5G Receiver 5G14-B 1.2104.00.0281. Bluetooth on the Nokia ODU uses outdated pairing mechanisms, allowing an attacker to passively intercept a paring handshake and (after offline cracking) retrieve the PIN and LTK (long-term key).

**Nokia-FastMile-5G-Receiver-5G14-B**

CVE-2022-38788

AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (5,5)

\[Description\]

An issue was discovered in Nokia FastMile 5G Receiver 5G14-B with software version 1.2104.00.0281.

Bluetooth on the Nokia ODU uses outdated pairing mechanisms, allowing an attacker to passively intercept a paring handshake and (after offline cracking) retrieve the PIN and LTK (long-term key).

 

\[Vulnerability Type\]

Incorrect Access Control

\[Vendor of Product\]

Nokia

\[Affected Product Code Base\]

Nokia FastMile 5G Receiver 5G14-B

Found in Software Version: 1.2104.00.0281

Pathed in: 1.2202.00.0266

\[Attack Type Other\]

Bluetooth

\[Impact Information Disclosure\]

true

\[Has vendor confirmed or acknowledged the vulnerability?\]

true

\[Reference\]

https://www.nokia.com/notices/responsible-disclosure/

Product page: https://www.nokia.com/networks/products/fastmile-5g-receiver/

\[Discoverer\]

Daniel Wong

CVE-2022-38788: GitHub - ProxyStaffy/Nokia-FastMile-5G-Receiver-5G14-B

In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel

_Published September 6, 2022 Updated September 9, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-22822

A-219942275

EoP

High

10, 11, 12, 12L

CVE-2022-23852

A-221255869

EoP

High

10, 11, 12, 12L

CVE-2022-23990

A-221256678

EoP

High

10, 11, 12, 12L

CVE-2022-25314

A-221384482

EoP

High

10, 11, 12, 12L

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20218

A-223907044

EoP

High

12, 12L

CVE-2022-20392

A-213323615 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20393

A-233735886

ID

High

11, 12, 12L

CVE-2022-20197

A-208279300

EoP

Moderate

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20395

A-221855295

EoP

High

11, 12, 12L, 13

CVE-2022-20398

A-221859734

EoP

High

13

CVE-2022-20396

A-234440688

ID

High

12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller, Permission Controller

CVE-2022-20218

MediaProvider

CVE-2022-20395

WiFi

CVE-2022-20398

**2022-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local information disclosure of network data with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20399

A-219808546  
Upstream kernel

ID

High

SELinux

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-29582

A-231494876  
Upstream kernel

EoP

High

fs

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0697

A-238918403\*

High

PowerVR-GPU

CVE-2021-0942

A-238904312\*

High

PowerVR-GPU

CVE-2021-0943

A-238916921\*

High

PowerVR-GPU

CVE-2021-0871

A-238921253\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26447

A-237956326  
M-ALPS06784478\*

High

BT firmware

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20385

A-238379819  
U-1903041\*

High

kernel

CVE-2022-20386

A-238227328  
U-1903099\*

High

Android

CVE-2022-20387

A-238227324  
U-1872920\*

High

Android

CVE-2022-20388

A-238227323  
U-1872920\*

High

Android

CVE-2022-20389

A-238257004  
U-1872920\*

High

Android

CVE-2022-20390

A-238257002  
U-1872920\*

High

Android

CVE-2022-20391

A-238257000  
U-1872920\*

High

Andorid

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22095

A-223210037  
QC-CR#3168780  
QC-CR#3088894

High

Kernel

CVE-2022-25656

A-228101796  
QC-CR#3119439 \[2\]  
QC-CR#2998082 \[2\]

High

Kernel

CVE-2022-25670

A-235102548  
QC-CR#3104235

High

WLAN

CVE-2022-25693

A-235102897  
QC-CR#3141474

High

Display

CVE-2022-25704

A-235102694  
QC-CR#3155069 \[2\]

High

Bluetooth

CVE-2022-25706

A-235102901  
QC-CR#3155132

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25708

A-235102756\*

Critical

Closed-source component

CVE-2022-22066

A-223209292\*

High

Closed-source component

CVE-2022-22074

A-235102567\*

High

Closed-source component

CVE-2022-22081

A-235102758\*

High

Closed-source component

CVE-2022-22089

A-235102568\*

High

Closed-source component

CVE-2022-22091

A-223209291\*

High

Closed-source component

CVE-2022-22092

A-223211216\*

High

Closed-source component

CVE-2022-22093

A-223209815\*

High

Closed-source component

CVE-2022-22094

A-223210036\*

High

Closed-source component

CVE-2022-25669

A-235102508\*

High

Closed-source component

CVE-2022-25686

A-235102899\*

High

Closed-source component

CVE-2022-25688

A-235102421\*

High

Closed-source component

CVE-2022-25690

A-235102422\*

High

Closed-source component

CVE-2022-25696

A-235102900\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-09-01 or later address all issues associated with the 2022-09-01 security patch level.
*   Security patch levels of 2022-09-05 or later address all issues associated with the 2022-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-09-01\]
*   \[ro.build.version.security\_patch\]:\[2022-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 6, 2022

Bulletin Published

1.1

September 9, 2022

Bulletin revised to include AOSP links  
Revised CVE Table

CVE-2022-20399: Android Security Bulletin—September 2022  |  Android Open Source Project

Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMWare, Cisco, IBM, and Zimbra.

Here’s everything you need to know about the important security fixes issued in August.

Apple iOS 15.6.1

After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being used by attackers in the wild.

It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) were being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.

Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.

Apple always avoids giving out details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, you should update your devices to iOS 15.6.1 without delay.

Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.

Google Chrome

Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM—tracked as CVE-2022-2852 and rated as critical—as well as six highly rated issues and three classed as having a medium impact. One of the highly rated vulnerabilities has been exploited by attackers, CVE-2022-2856.

Google hasn’t provided any detail about the exploited flaw, but since attackers have gotten ahold of the details, it’s a good idea to update Chrome now.

Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.

Google Android

The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges needed. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a flaw in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components could also lead to local escalation of privileges.

The Android security patch was late in August, but it’s now available on such devices as Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).

Microsoft

Microsoft’s August Patch Tuesday fixed over 100 security flaws, of which 17 are rated as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.

The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) is rated as having a high impact because exploiting it can result in a system compromise. The vulnerability, which affects all users of Windows and Windows Server, was first exposed over two years ago in January 2020, but Microsoft didn’t consider it a security issue at the time.

VMWare

VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. On releasing the patch, the software firm warned that public exploit code is available.

VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrator and network access before they can trigger remote code execution.

Apple Fixed a Serious iOS Security Flaw—Have You Updated Yet?

Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Totally love it. When are you launching Windows Mobile app? Some of my sales persons are using Nokia Lumia phones and we really need them. By the way, we upgraded at 59sec PRO and we are very happy as well.

Best feature on wordpres for a guy that wants to make some sales. Indeed, is ideal for companies with several sales agents, but even for small sites, like mine, is GREAT. 🙂 You should promote yourself more!

I used 59sec lite for an ecommerce site I did for a client of mine. Even if it helps less when it comes to ecommerce for leads, it's very usefull to answer questions that leads to purchase. I like it.

Read all 6 reviews

“THE Leads Management System: 59sec LITE” is open source software. The following people have contributed to this plugin.

Contributors

*    59sec

CVE-2022-35242: THE Leads Management System: 59sec LITE

** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.

Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.

**Background**

On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”

**Analysis**

CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.

Source: CallStranger Technical Report

The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.

In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.

An attacker could utilize this vulnerability in the following scenarios:

*   Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
*   Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
*   Exfiltrate sensitive device data by directing callback information to arbitrary targets.

With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.

**Proof of concept**

The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.

**Solution**

Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.

At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.

****Operating Systems****

**Vendor/Model**

**Version**

Windows 10

10.0.18362.719

Xbox One OS

10.0.19041.2494

****Networking Equipment****

**Vendor/Model**

**Version**

ASUS

RT-N11

Broadcom ADSL

\-

Cisco Wireless Access Point

WAP150 WAP131 WAP351

D-Link

DVG-N5412SP

Huawei

HG255s (HG255sC163B03) HG532e MyBox

NEC AccessTechnica

WR8165N

Netgear

WNHDE111

Ruckus ZoneDirector

\-

TP-Link

Archer C50

ZTE

ZXV10 W300 H108N

Zyxel

AMG1202-T10B

****Printers****

**Vendor/Model**

**Version**

Canon Selphy

CP1200

Dell

B1165NFW

EPSON EP, EW, XP Series Printers

\-

Hewlett Packard Deskjet, Photsmart and Officejet ENVY

\-

Samsung

X4300

****Internet of Things****

**Vendor/Model**

**Version**

Canal Digital ADB

TNR-5720 SX

Belkin Wemo

\-

Nokia HomeMusic Media Device

\-

Panasonic

BB-HCM735 VL-MWN350

Philips

2k14MTK TV (TPL161E\_012.003.039.001)

Samsung

UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000

Siemens

CNE1000

Trendnet

TV-IP551W

****Applications****

**Vendor/Model**

**Version**

ASUS Media Streamer

\-

LG Smartshare Media

\-

Sony Media Go Media

\-

Stream What You Hear

\-

Ubiquiti UniFi Controller

\-

**Identifying affected systems**

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.

**Plugin ID**

**Description**

**Product**

10829

UPnP Client Detection

Nessus

35711

Universal Plug and Play (UPnP) Protocol Detection

Nessus

8061

UPNP Traffic Detection (Client)

Nessus Network Monitor (NMM)

1948

UPNP Traffic Detection

Nessus Network Monitor (NMM)

**Get more information**

*   CallStranger Disclosure Site
*   CERT/CC CallStranger Advisory (VU#339275)
*   Proof of Concept Code released on GitHub

**_Join Tenable's Security Response Team on the Tenable Community._**

**_Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface._**

Get a free 30-day trial of Tenable.io Vulnerability Management.

Tag

#nokia