After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

**Mozilla Foundation Security Advisory 2022-15**

Announced

April 5, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.8

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-1197: OpenPGP revocation information was ignored**

Reporter

Thunderbird user Johannes König

Impact

moderate

**Description**

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.

**References**

*   Bug 1754985

**#CVE-2022-1196: Use-after-free after VR Process destruction**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1750679

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.8

CVE-2022-1196: Security Vulnerabilities fixed in Thunderbird 91.8

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

**Mozilla Foundation Security Advisory 2022-02**

Announced

January 11, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.5

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Thunderbird for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Thunderbird into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

CVE-2021-4140: Security Vulnerabilities fixed in Firefox ESR 91.5

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

**Mozilla Foundation Security Advisory 2022-01**

Announced

January 11, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 96

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass**

Reporter

Jed Davis

Impact

moderate

**Description**

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.  
_This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected._

**References**

*   Bug 1566608

**#CVE-2022-22749: Lack of URL restrictions when scanning QR codes**

Reporter

Wladimir Palant working with Include Security

Impact

moderate

**Description**

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1705094

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.**

Reporter

Toshihito Kikuchi

Impact

low

**Description**

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.  
_This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected._

**References**

*   Bug 1742692

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

**#CVE-2022-22752: Memory safety bugs fixed in Firefox 96**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.<br>*Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 100.

Sorry, I can't find "_1757138?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29910: Invalid Bug ID

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.

**Mozilla Foundation Security Advisory 2022-16**

Announced

May 3, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 100

**#CVE-2022-29914: Fullscreen notification bypass using popups**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

**References**

*   Bug 1746448

**#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts**

Reporter

Armin Ebert

Impact

high

**Description**

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

**References**

*   Bug 1755081

**#CVE-2022-29916: Leaking browser history with CSS variables**

Reporter

Mateusz Sionkowski

Impact

high

**Description**

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

**References**

*   Bug 1760674

**#CVE-2022-29911: iframe Sandbox bypass**

Reporter

Trung Pham

Impact

high

**Description**

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

**References**

*   Bug 1761981

**#CVE-2022-29912: Reader mode bypassed SameSite cookies**

Reporter

Matheus Vrech

Impact

moderate

**Description**

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

**References**

*   Bug 1692655

**#CVE-2022-29910: Firefox for Android forgot HTTP Strict Transport Security settings**

Reporter

Mark B

Impact

moderate

**Description**

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.  
_Note: This issue only affected Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1757138

**#CVE-2022-29915: Leaking cross-origin redirect through the Performance API**

Reporter

Sohom Datta

Impact

low

**Description**

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects.

**References**

*   Bug 1751678

**#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

**#CVE-2022-29918: Memory safety bugs fixed in Firefox 100**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100

CVE-2022-29915: Security Vulnerabilities fixed in Firefox 100

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

**Mozilla Foundation Security Advisory 2022-17**

Announced

May 3, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.9

**#CVE-2022-29914: Fullscreen notification bypass using popups**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

**References**

*   Bug 1746448

**#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts**

Reporter

Armin Ebert

Impact

high

**Description**

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

**References**

*   Bug 1755081

**#CVE-2022-29916: Leaking browser history with CSS variables**

Reporter

Mateusz Sionkowski

Impact

high

**Description**

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

**References**

*   Bug 1760674

**#CVE-2022-29911: iframe Sandbox bypass**

Reporter

Trung Pham

Impact

high

**Description**

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

**References**

*   Bug 1761981

**#CVE-2022-29912: Reader mode bypassed SameSite cookies**

Reporter

Matheus Vrech

Impact

moderate

**Description**

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

**References**

*   Bug 1692655

**#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

CVE-2022-29909: Security Vulnerabilities fixed in Firefox ESR 91.9

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.

Sorry, I can't find "_1764778?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29913: Invalid Bug ID

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

A vulnerability in the Google Web Stories plug-in for WordPress could be exploited via a server-side request forgery (SSRF) vulnerability to steal Amazon Web Services (AWS) metadata from sites hosted on the AWS server. That metadata can include sensitive information such as the AccessKeyId, SecretAccessKey, and Token.

An SSRF vulnerability gives attackers a way to elevate privileges on a compromised system using a modified URL, thereby gaining access to internal resources.

The Web Stories plug-in is an open visual storytelling format for the Web, consisting of animations and other interactive graphics, which can be shared and embedded across sites and apps. There are more than 100,000 active installations of the plug-in.

A Wordfence research team discovered the plug-in was vulnerable to the SSRF bug (CVE-2022-3708) in versions through 1.24.0, due to insufficient validation of URLs supplied via the "url" parameter found via the /v1/hotlink/proxy REST API Endpoint.

"Exploiting this vulnerability, an authenticated user could make web requests to arbitrary locations originating from the web application," Wordfence Threat Intelligence team member Topher Tebow wrote in a Dec. 21 blog post.

He added that, in testing, the team was able to uncover specific metadata used to enable features like EC2 Instance Connect; stolen metadata could then be used to log in to the virtual server and run commands through the terminal.

The researcher noted that this is the tip of the iceberg: "There are many metadata categories provided by AWS that each have specific uses and varying degrees of severity if misused."

The team found the flaw in October, and by the end of November, two blocks of code were updated to fully patch the vulnerability in the plug-in.

"With the patch applied within version 1.25.0 and newer, attempts to obtain AWS metadata will fail," Tebow explained.

He added that the attack can succeed for users logged in with an account that has minimal permissions, such as a subscriber, so the issue particularly threatens sites with open registration.

"The authenticated user does not need high level privileges to exploit this vulnerability," Tebow continued.

**Using Zero Trust to Limit SSRF Vulnerabilities**

"Understanding the impact of vulnerabilities such as SSRF vulnerabilities is critical for developers," Tebow wrote. "Keeping code secure can be difficult to ensure during the development phase, which is why the code must be tested for vulnerabilities during and after it has been written."

Developers were advised to pay close to attention to their coding practices as they relate to the vulnerabilities inherent in each programming language, ensure any inputs are validated, and to adopt a posture of zero trust authentication.

"SSRF vulnerabilities are possible because the internal and external resources may be configured to assume that requests sent from an internal location are inherently trustworthy," Tebow noted. "By requiring validation and authorization for every action, this default trust is removed, and requests must be validated properly before being considered trusted."

Constant code reviews and updates of WordPress plug-ins and themes are among the other steps that developers can take to limit exploits of WordPress-built websites.

**WordPress Sites Face a Raft of Security Issues**

Malicious actors have been targeting WordPress sites at a rapid clip — mainly through vulnerable plug-ins — since the beginning of the year: In February, a report found tens of thousands of websites powered by WordPress were vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

In May, there was a widespread attack launched to exploit known RCE flaw in the Tatsu Builder WordPress plug-in, and two months later, researchers discovered a phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam.

More recently, a threat group called SolarMarker exploited a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, while another group of attackers were actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.
Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.
Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

Internet of Things / Patch Management

The **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities," Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised on social media by its operators.

Microsoft said that one domain with connections to Zerobot – zerostresser\[.\]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.

The list of newly added known flaws exploited by Zerobot 1.1 is as follows -

*   **CVE-2017-17105** (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
*   **CVE-2019-10655** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
*   **CVE-2020-25223** (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
*   **CVE-2021-42013** (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
*   **CVE-2022-31137** (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
*   **CVE-2022-33891** (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
*   **ZSL-2022-5717** (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attacks chain proceeds to download a binary named "zero" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating "continuous evolution and rapid addition of new capabilities."

"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks," the tech giant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#perl