res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.

Asterisk Project Security Advisory - AST-2021-006

 

**Product**

Asterisk

**Summary**

Crash when negotiating T.38 with a zero port

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

February 20, 2021

**Reported By**

Gregory Massel

**Posted On**

March 4, 2021

**Last Updated On**

March 4, 2021

**Advisory Contact**

bford AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting “t38\_udptl” on the endpoint to “no” disables this functionality. This option is “no” by default.

If T.38 faxing is required, then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

16.x

16.16.1

Asterisk Open Source

17.x

17.9.2

Asterisk Open Source

18.x

18.2.1

Certified Asterisk

16.x

16.8-cert6

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

16.16.2, 17.9.3, 18.2.2

Certified Asterisk

16.8-cert7

 

**Patches**

**Patch URL**

**Revision**

https://downloads.digium.com/pub/security/AST-2021-006-16.diff

Asterisk 16

https://downloads.digium.com/pub/security/AST-2021-006-17.diff

Asterisk 17

https://downloads.digium.com/pub/security/AST-2021-006-18.diff

Asterisk 18

https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff

Certified Asterisk 16.8

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-29203

https://downloads.asterisk.org/pub/security/AST-2021-006.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf and https://downloads.digium.com/pub/security/AST-2021-006.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

February 25, 2021

Ben Ford

Initial revision

March 4, 2021

Ben Ford

Added ‘posted on’ date

Asterisk Project Security Advisory - AST-2021-006  
Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2021-46837: AST-2021-006

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

*   CVE-2018-7173: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-7174: fixed in 4.01 \[XRef.cc\]
    
*   CVE-2018-7175: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7452: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7453: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-7454: fixed in 4.01 \[XFAForm.cc\]
    
*   CVE-2018-7455: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8100: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8101: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8102: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8103: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8104: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8105: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8106: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8107: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-11033: fixed in 4.00
    
*   CVE-2018-16368: fixed in 4.01 \[Splash.cc\]
    
*   CVE-2018-16369: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-18454: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18455: fixed in 4.01 \[GfxState.cc\]
    
*   CVE-2018-18456: fixed in 4.01 \[Gfx.cc\]
    
*   CVE-2018-18457: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18458: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18459: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18650: reporting an out-of-memory errors is the proper response
    
*   CVE-2018-18651: fixed in 4.01 \[Catalog.cc\]
    
*   CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9589: fixed in 4.02 \[PSOutputDev.cc\]
    
*   CVE-2019-9877: fixed in 4.02 \[Lexer.cc\]
    
*   CVE-2019-10020 / CVE-2019-10024 / CVE-2019-10025: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12360: fixed in 4.02 \[FoFiTrueType.cc\]
    
*   CVE-2019-12493: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-12515: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12957: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-12958: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-13281: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-13282: fixed in 4.02 \[Function.cc\]
    
*   CVE-2019-13283: fixed in 4.02 \[FoFiType1.cc\]
    
*   CVE-2019-13286: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13287: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-13288: fixed in 4.02
    
*   CVE-2019-13289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13291: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-14288 / CVE-2019-14289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-14290 / CVE-2019-14291 / CVE-2019-14292 / CVE-2019-14293: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-14294: fixed in 4.02 \[JPXStream.cc, JPXStream.h\]
    
*   CVE-2019-15860: old bug in 2.00, no longer relevant
    
*   CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2020-25725: fixed in 4.03 \[SplashOutputDev.cc\]
    
*   CVE-2020-35376: fixed in 4.03 \[FoFiType1C.cc\]
    
*   CVE-2022-24106: fixed in 4.04 \[Stream.cc\]
    
*   CVE-2022-24107: fixed in 4.04 \[JPXStream.cc\]
    
*   CVE-2022-30524: will be fixed in 4.05 \[TextOutputDev.cc\]
    
*   CVE-2022-33108: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2022-38171: fixed in 4.04 \[JBIG2Stream.cc\]

CVE-2022-24107: Xpdf Security Fixes

CVE-2022-24107

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

CVE-2022-38784: Poppler

Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.

**Hytec Inter HWL-2511-SS vulnerabilities.****Product Description:  
**

The HWL-2511-SS device from Hytec Inter is an industrial LTE router that can be used for remote data transmission such as collecting sensor data and checking surveillance camera images.

**Affected Products:**

All Hytec Inter HWL-2511-SS devices from version 1.05 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 - Unauthenticated Remote Command Injection.  
    A vulnerability in the implementation of the ping command can allow an unauthenticated, remote attacker to perform a command injection attack. This vulnerability is due to insufficient validation of a process argument in the binary file /www/cgi-bin/popen.cgi. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
    
*   Vulnerability 2 - SSH CLI Command Injection.  
    A vulnerability in the implementation of the CLI (command line interface) can allow a local attacker with low privilege to perform a command injection attack. This vulnerability is due to insufficient validation of a process argument in the binary file /usr/sbin/clishell. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
    
*   Vulnerability 3 - Use of weak Hard-coded Cryptographic Key.  
    By default the HWL-2511-SS devices have a built-in weak SHA512crypt hash for the root account that can be recovered after a brute-force attack. This vulnerability can allow an external attacker to SSH the device or login to the web administration interface.
    

**Reproduction Steps:****1\. Unauthenticated Remote Command Injection.**

The endpoint /cgi-bin/popen.cgi can be called remotely without user authentication as there is no cookie verification Cookie: mgs=UUID to check if the request is legitimate. The second problem is that the GET parameter command can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.  

**2\. SSH CLI Command Injection.**

When a user login to SSH a custom binary file with limited commands is loaded /usr/sbin/clishell. In the example below we show how it is possible via the traceroute command to use a command injection payload and escape the custom CLI binary to spawn a real shell.  

**3\. Use of weak Hard-coded Cryptographic Key.**

After extracting the firmware image and then reverse engineering it, we found that the file /etc/shadow has a built-in SHA512crypt hash for the root user and only took us a few minutes to recover it by a brute-force attack..  

**Recommendation Fixes / Remediation:**

*   Vulnerability 1 and 2: Strengthen validation rules by checking if input contains only alphanumeric characters, no other syntax or whitespace, a whitelist of permitted values is also recommended. Please see the following link for more details: https://cwe.mitre.org/data/definitions/78.html  
    
*   Vulnerability 3: Need to generate a different password for each device. During the manufacturing process, set a randomly generated password, unique for each device (e.g. print the password on a sticker for local access). Risk: Since passwords are shared among devices, an attacker able to crack the passwords once (e.g. with physical access to the device) can access all reachable devices. Please see the following link for more details: https://cwe.mitre.org/data/definitions/1188.html

**Vulnerable Devices Found:**

As of 8Aug2022, there were 77 Hytec Inter HWL-2511-SS LTE router devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html  
https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-36555: hytec-HWL-2511-SS.md

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 3.0.1 does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting.

CVE-2022-2537

Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd's of London continue to add restrictions, including excluding losses related to state-backed cyberattackers.

Companies will need to re-evaluate their cyber-insurance premiums after major insurance companies have adopted exclusions for catastrophic cyberattacks conducted by "state-backed" actors.

This limits the risk that companies can offset with cyber insurance, security and risk experts tell Dark Reading — making taking out a policy potentially not worth it.

In the latest limits on cyber policies, insurance marketplace Lloyd's of London issued a notice on Aug. 16 to its member insurers, or syndicates, requiring that they exclude coverage for state-backed cyberattacks. The motive for the additional restrictions is to protect insurance companies and their underwriters from catastrophic loss, and help manage systemic risk that could overwhelm insurers, Lloyd's market bulletin stated.

**Is Cyber Insurance Still Worth It?**

While the insurers' position is understandable, businesses — which have already seen their premiums skyrocket over the past three years — should question whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber-risk analysis firm.

"Insurance works on trust, \[so answer the question,\] 'will an insurance policy keep me whole when a bad event happens?' " he says. "Today, the answer might be 'I don't know.' When customers lose trust, everyone loses, including the insurance companies."

The cyber-insurance industry has seen profits decline sharply in the past decade, as losses jumped from 35% of the revenue from premiums five years ago, to 72% in 2020. To adapt, insurance companies have dramatically raised the cost of policies — by 74% just in 2021, after rising 22% in 2020, according to FitchRatings.

    

Cyber insurance loss ratios peaked at 72% in 2020. Source: FitchRatings

Yet, insurance firms have also focused on limiting their liability. In 2021, global insurance firm AXA decided to stop paying ransoms to cybercriminals. And over the past two years, insurance companies have added act-of-war exclusions to their policies.

In its market bulletin (PDF), Lloyd's argued that the risk posed by cyberattacks continues to evolve and its members need to adapt to the threats posed by large or widely distributed attacks. While wartime risks are often excluded, Lloyd's requires that syndicates go further and ensure that certain policies have "a suitable clause excluding liability for losses arising from any state-backed cyberattack."

"If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage," the insurance facilitator stated. "In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb."

The decisions come after pharmaceutical firm Merck won its lawsuit against its insurers after they refused to pay its $1.4 billion in business losses sustained in the NotPetya crypto-ransomware attack in 2017. The judge in the case ruled that the insurance policies' act-of-war exclusion did not apply, because the clause was meant to only exclude losses during armed conflicts.

Regardless, the policy changes are poorly thought out, some argue. 

 "Signs point to continued breaches and hacks, resulting in a longer claims process, and more litigations," says Goyal. "Unless the industry can collectively fix the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizational risk — one size does not fit all — there is no end to the challenges and mistrust in cyber insurance."

**Too Broad an Exclusion**

The key problem is that the term "state-backed cyberattack" could be a very broad exclusion, and if abused by the insurance industry, one that will scuttle the usefulness of cyber insurance, experts say.

Attributing an attack to a nation-state is notoriously difficult, says James Turgal, vice president of cyber-risk and strategy for Optiv, a cybersecurity consultancy.

"Even if a computer involved in the attacks was traced back to an IP address located in an Iranian or North Korean military base, that doesn't necessarily mean that it was an attack done with the knowledge of or at the direction of the government's authorities," he says. "It could have been compromised by hackers in other countries \[as a false-flag attempt\]."

Currently, almost two-thirds of companies — 64% — suspect that they have been either directly targeted or impacted by a nation-state attack, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. Many of the major sources of cyberattacks against North American, European, and Asian companies come from cybercriminal groups linked in some way with China, Iran, North Korea, or Russia. Whether that link will equate to being "state-backed" is an open question.

"These companies are clearly going to be worried about whether insurers will deem most attacks to be nation-state sponsored," he says. "As a result, we expect most businesses that are serious about security to double down on their efforts to protect themselves from hackers in the first place."

Insurers will have to develop clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider in determining whether an attack is state-backed, he says.

**Time to Beef Up Cyberdefenses**

Indeed, the exclusion will likely result in fewer companies relying on cyber insurance as a way to mitigate catastrophic risk. Instead, companies need to make sure that their cybersecurity controls and measures can mitigate the cost of any catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security firm.

Creating data redundancies, such as backups, expanding visibility of network events, using a trusted forensics firm, and training all employees in cybersecurity can all help harden a business against cyberattacks and reduce damages.

"Organizations cannot just rely on their cyber insurance policy and must proactively protect themselves from these catastrophic cyberattacks," Lindner says.

Companies also should not expect insurance firms to reverse course. Their approach is just a continuation of the industry's reactive approach to cyber insurance, says Safe Security's Goyal. Insurance firms have increased premiums, put sub-limits on ransomware, and now, have adopted arguably broad exclusions, which may just result in delayed payouts and an increase in lawsuits when insurers refuse to pay out on a large policy.

Cyber-Insurance Firms Limit Payouts, Risk Obsolescence

Categories: Android
Categories: News
A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use.



(Read more...)




The post Adware found on Google Play — PDF Reader servicing up full screen ads appeared first on Malwarebytes Labs.

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as _PDF reader - documents viewer_, package name _com.document.pdf.viewer._ As a result, this aggressive behavior lands it in the realm of adware. Or as we call it, Android/Adware.HiddenAds.PPMA.

**Catching the adware**

Catching this adware in real time is a game of install and wait. It takes a couple of hours before the PDF app will display ads. This long delay is in order to make it harder to track down which app is causing the ads. For example, full screen ads displaying immediately after install would likely result in quick a uninstall. With this in mind, I plugged my test phone into my laptop with _Android Device Monitor_ running. Among other tools, _Android Device Monitor_ includes _LogCat_ which logs all activity on an Android mobile device. I then installed _PDF reader - documents viewer_, package name _com.document.pdf.viewer_, directly from Google Play. Thus, my waiting game begins the morning of August 22nd.

To my surprise, at 15:04 I heard my test phone sound a charm. My expectation from previous testing is that it takes longer before an ad displays. Before unlocking the screen, I checked my _LogCat_ logs.

_08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277  
_

The keyword is ‘_START’_ in the log. What starts is an Ad SDK. This time, from the PDF reader’s special in-house Ad SDK, _com.document.pdf.viewer.ads.PPMActivity_.  Unlocking the lock screen, another important log comes in.

_08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms_

Indeed, looking at the phone there is a full screen ad “displayed."

Soon after, another Ad SDK starts in the logs.

_08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277_

Once again, another ad displays. This time it is a video ad.

_08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms_

After the initial ads, they come more frequently. Each time, the start of ads is signified by a charm sounding on the mobile device.  Henceforth, a full screen ad is waiting. Immediately after the first ad is a video ad.

**Don’t blame the Ad SDKs**

PDF reader uses an array of common Ad SDKs and its own Ad SDK. Facebook Ads is shown in the log above, but we also observed it using Applovin along with others. In addition, it uses an in-house Ad SDK contained in _com.document.pdf.viewer.ads.PPMActivity._ Although the use of these common Ad SDKs is shown displaying ads, it is not necessarily their fault. The issue is displaying ads where they ought not to be displayed. Any of these ads within the app, whiling using the app, is fair game. Moreover, Ad SDK’s like Applovin and Facebook Ads are necessary to keep apps free on the Play Store. It is only when the ads start displaying outside the app at random that this qualifies as adware. It is the PDF reader app that is wrongfully using these Ad SDKs.

**Not all PDF readers are the same**

There are many good PDF readers on Google Play. However, this one has some oddities signaling red flags right from the Google Play Store description.

Note the _Mature 17+_ content rating. For what reason does a PDF reader need a mature rating? Another clue something is not right is the developer’s name of _Fairy games._ I get diversifying the kinds of apps you provide, but odd developer name for anything other than gaming apps.

**Am I infected?**

If you are thinking to yourself, “_I have a PDF reader installed, am I infected!?”_ here are a few things to check. Are you receiving full screen ads? If yes, do you have an icon that looks like this?

If you do, you can uninstall from _Apps info._

More easily, you can install Malwarebytes for Android and use our **free** scanner to remove.

**Another one slips through**

From what we can tell from previous versions of _PDF reader - documents viewer,_ it has existed since November 2021. Each version thereafter serves ads just like the most recent Google Play version. Although we cannot verify if it existed on Google Play since 2021, it is likely the case. If you have a lot of apps installed on your mobile device, this one can very hard to track down. Another reason to not blindly trust you are safe while installing exclusively from Google Play. Even if the Play Store is by far the safest place to install apps on Android, it can fault from time to time as well. Having an anti-malware scanner, or anti-adware in this case, is a good idea. Stay safe out there! 

**App Information**

Package name: com.document.pdf.viewer

App Name: PDF reader - documents viewer

Developer: Fairy games

MD5: CDA77D85D5B733C89F53254F11F3F372

Google Play URL: https://play.google.com/store/apps/details?id=com.document.pdf.viewer

Adware found on Google Play — PDF Reader servicing up full screen ads

A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream.

'704834?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-4216: Invalid Bug ID

Various Lexmark products through 2022-04-27 allow External Control of a System or Configuration Setting because of Improper Input Validation.

%PDF-1.7 %���� 1 0 obj <>/Metadata 529 0 R/ViewerPreferences 530 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x���\[o�H����;���X��/��@�I��"�3��^��� \[R,�$zuq�o���L�\]M�\*e��oM��Z���ꖸ�M��������,�����⿯\_�Q��R�X$��4Wb5y��\_�ׯ�}y����2\_��\_I�(R�D�\*�b�ۅK��m\*�����W�)�~������&߇z���p\_��dxe���l�?u6x;~^��l\]��wo��'��������ׯć��h�^��{����f 0�U~E^��W�����

Tag

#pdf