Exploit involved duping developers into exposing repositories with social engineering techniques

Exploit involved duping developers into exposing repositories with social engineering techniques

A security researcher has discovered a way to launch code execution attacks by exploiting the GitHub Pages build process.

Joren Vrancken netted a $4,000 reward for a command injection bug reported through GitHub’s HackerOne bug bounty program, as described in a recent blog post.

According to Vrancken, the security issue existed in GitHub Pages, a static hosting service able to pull data from repositories, run code through a build process, and then publish websites.

**Path to code execution**

To streamline the process, GitHub Pages supports the Jekyll static site generator.

Jekyll settings are stored in a YAML configuration file, and some aspects of the service are automated by GitHub, including themes, in which GitHub will issue a POST request and automatically create a new commit to issue changes to the source.

These processes require administrator privileges, and only two directories – the root of a branch and /docs – can be specified. However, user-input directories can also be specified in the theme chooser URL.

Catch up with the latest bug bounty news

You could select an arbitrary directory to use as a GitHub Pages source and then run the GitHub job workflow, which includes the launch of Jekyll, static file deployment, and uploading page artifacts. Eventually, this process can trigger a payload via a tar command, resulting in arbitrary code execution.

However, the attacker already has admin privileges, so this isn’t necessarily a huge problem.

Vrancken found the means to turn this workflow functionality into something more serious. If an attacker wants access to code hosted in a private repo, all they need is a URL and user interaction.

By crafting a malicious URL that downloads and executes a script from a third-party source, attackers could use phishing or other social engineering tactics to lure an admin user into clicking the link and following the Select Theme process – thereby triggering a malicious payload and exposing the repository.

Attackers need only supply a URL – they do not need a GitHub account nor any connection to the target repo.

**‘Hack The Box-esque’**

After notifying GitHub of his findings on July 27, Vrancken received a response on the same day, with confirmation arriving on August 2. By August 23, the GitHub security team had resolved the issue by removing the Theme Chooser functionality.

Vrancken was awarded a GitHub Pro subscription as well as a bug bounty of $4,000 for his efforts.

“This was definitely one of the more fun bug bounties I did, because it combines multiple GitHub-specific features with some more traditional Hack The Box-esque techniques,” the researcher commented. “I wholeheartedly recommend the GitHub bug bounty program.”

Jill Moné-Corallo, GitHub’s director of product security engineering response, told The Daily Swig: “Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure. Joren’s findings demonstrate their passion in security research and engaging researchers like them is the reason why we continue to see value in our bug bounty program.”

YOU MIGHT ALSO LIKE Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

Command injection vulnerability in GitHub Pages nets bug hunter $4k

Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMWare, Cisco, IBM, and Zimbra.

Here’s everything you need to know about the important security fixes issued in August.

Apple iOS 15.6.1

After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being used by attackers in the wild.

It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) were being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.

Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.

Apple always avoids giving out details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, you should update your devices to iOS 15.6.1 without delay.

Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.

Google Chrome

Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM—tracked as CVE-2022-2852 and rated as critical—as well as six highly rated issues and three classed as having a medium impact. One of the highly rated vulnerabilities has been exploited by attackers, CVE-2022-2856.

Google hasn’t provided any detail about the exploited flaw, but since attackers have gotten ahold of the details, it’s a good idea to update Chrome now.

Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.

Google Android

The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges needed. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a flaw in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components could also lead to local escalation of privileges.

The Android security patch was late in August, but it’s now available on such devices as Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).

Microsoft

Microsoft’s August Patch Tuesday fixed over 100 security flaws, of which 17 are rated as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.

The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) is rated as having a high impact because exploiting it can result in a system compromise. The vulnerability, which affects all users of Windows and Windows Server, was first exposed over two years ago in January 2020, but Microsoft didn’t consider it a security issue at the time.

VMWare

VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. On releasing the patch, the software firm warned that public exploit code is available.

VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrator and network access before they can trigger remote code execution.

Apple Fixed a Serious iOS Security Flaw—Have You Updated Yet?

The threat landscape has changed dramatically over the past decade. While cybercriminals continue to look for new ways to gain access to networks and steal sensitive information, the mobile attack surface is also expanding.
Mobile devices are not only becoming more powerful but also more vulnerable to cyberattacks, making mobile security an increasingly important concern for enterprises.
This

The threat landscape has changed dramatically over the past decade. While cybercriminals continue to look for new ways to gain access to networks and steal sensitive information, the mobile attack surface is also expanding.

Mobile devices are not only becoming more powerful but also more vulnerable to cyberattacks, making mobile security an increasingly important concern for enterprises.

This means that anyone accessing the Internet via their cell phone or logging into their home or work network at any time is putting both their own personal data and that of their company at risk.

No matter how big or small your business is, you should always take steps to ensure the security of your employees and customers. Recent global attacks have shown us just how vulnerable businesses are to cyberattacks.

There are several ways hackers can attack mobile devices. To protect their data, businesses should take a comprehensive approach that addresses both internal and external threats.

Jamf Threat Defense protects against mobile endpoint (iOS, iPadOS, Android) threat vectors through a highly effective mobile application, the Jamf Trust app, and prevents in-network threats in real-time through Jamf's Secure Access Layer.

Jamf Threat Defense accommodates all device types and ownership models while safeguarding user privacy. Comprehensive, multi-level security solution.

Jamf Threat Defense monitors mobile devices for configuration vulnerabilities and app risks. It also monitors network connections for content threats and network compromises. It assigns risk assessments and provides a range of policy enforcement actions for a response.

Jamf Threat Defense is a great fit for any organization that needs to monitor and secure how its users access corporate data from mobile devices.

**Why might a customer want this?**

If an organization's end users connect to corporate apps with mobile devices, the devices can become attack vectors via phishing, man-in-the-middle attacks, malware, and much more.

Some devices may be corporately owned and managed, but many of these devices may be unmanaged or BYOD, which means organizations have less control and visibility.

**What problems does it solve?**

Phishing: blocks phishing pages if users click on a scam link Protection of Corporate Apps: based on a device's security state and network behavior Malware & Malicious Apps: stops malware from taking data from devices Man-In-The-Middle: prevents interception of connections on un-secured Wi-Fi Zero-Day Threats: machine intelligence engine (MI:RIAM) detects unknown threats before they reach devices Mixed Device Ownership: provides protection for managed and BYOD devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Interested in Reducing Your Risk Profile? Jamf Has a Solution for That

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Researchers at Johns Hopkins University recently uncovered a startling 180 zero-day vulnerabilities across thousands of Node.js libraries using a new code analysis tool they developed specifically for the purpose, called ODGen.

Seventy of those flaws have since received common vulnerabilities and exposures (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities — some of them in widely used applications.

In a paper released at the Usenix Security Symposium earlier this month, the Johns Hopkins researchers — Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao — described ODGen as a better alternative to current code-analysis and so-called graph query-based approaches for finding Node.js vulnerabilities.

Program analysis-based approaches have proved useful in helping detect individual vulnerability types such as code-injection flaws in JavaScript. But they cannot be easily extended to detect all kind of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code-analysis methods — where code is first represented as a graph and then queried for specific coding errors — works well in environments such as C++ and PHP. However, graph-based approaches are not as efficient in mining for JavaScript vulnerabilities because of the programming language's extensive use of dynamic features, they noted.

**A 'Novel' Approach for Finding JavaScript Vulnerabilities**

So, the researchers instead developed what they described as a "novel" and better method called Object Dependence Graph (ODG) that can be used for detecting Node.js vulnerabilities. They implemented ODGen to generate "ODG" for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and a co-author of the research report, uses a couple of analogies to describe graph-based code analysis in general and their proposed Objective Dependence Graph. "If we consider a vulnerability as a special pattern — say, a green node connected with a red node and then a black node — a graph-based code-analysis tool first converts programs to a graph with many nodes and edges," Cao says. "Then the tool looks for such patterns in the graph to locate a vulnerability."

The Object Dependence Graph that the researchers have proposed refines this approach by representing JavaScript objects as nodes and adding features — including dependencies between objects — that are specific to the programming language, and then querying for errors. Cao describes how the method works using grains in a handful of rice: If all the grains look the same before boiling but assume two different shades after boiling — one representing good grains and the other bad grains — then it becomes easier to spot and weed out the bad grains. "Abstract interpretation is kind of like the boiling process that converts rice — that is, programs — into different colored objects" so errors are easier to spot, Cao says.

**A Variety of Bugs**

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the node package manager (npm) repository. The test showed the scanner correctly identifying 302 of the 330 vulnerabilities. Buoyed by the relatively high accuracy rate, the researchers ran ODGen against some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities across the packages. The researchers checked 264 of them — all with more than 1,000 downloads per week on average — and were able to confirm 180 as being legitimate vulnerabilities. Forty-three of them were at the application level, 122 were in packages that are imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities that ODGen detected were command injection flows that allow attackers to execute arbitrary code at the operating system level via a vulnerable application. Thirty were path traversal flaws; 24 enabled code tampering, and 19 involved a specific type of command injection attack called prototype pollution.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

By Deeba Ahmed
Through the bug bounty program, ethical hackers will get rewards ranging from $100 - $31,337, depending on their discovered bug’s severity.
This is a post from HackRead.com Read the original post: Google Introduces Bug Bounty Program for Open-Source Software

Google has launched its Open Source Software Vulnerability Rewards Program (OSS VRP), where researchers will find bugs and vulnerabilities in the open-source software ecosystem. Google is offering rewards of around $31,337 to those who detect bugs.

Google has employed a crowdsourced approach to security with a special focus on mitigating vulnerabilities in the under-funded and under-maintained but extensively used open-source projects.

Through this rewards program, the company aims to eliminate invasion points and help enterprises function securely since the open-source ecosystem needs massive security overhauling.

It is worth noting that a large number of organizations rely on open-source software to perform critical operations. Yet, they exercise little to no control over these components, making the situation risky for these organizations.

Furthermore, attacks on the **software supply chain** have spiked over the years. They are currently at an all-time high after 0-day vulnerabilities **Log4j** and **Log4Shell** were discovered, and devastating data breaches took place, including SolarWinds.

Through OSS VRP, ethical hackers will get rewards ranging from $100 – $31,337, depending on their discovered bug’s severity. The highest rewards will be offered to bugs found in sensitive open-source projects like Angular, Bazel, Protocol buffers, Golang, and Fuchsia.

According to Google’s **blog post**, the event will focus mainly on up-to-date versions of open-source projects/software and repository settings saved in **GitHub’s public repositories**. Some of the vulnerabilities Google expects to be detected include those that cause supply chain compromise, product vulnerabilities caused by design issues, weak passwords, leaked credentials, etc.

*   Vulnerabilities that lead to supply chain compromise
*   Design issues that cause product vulnerabilities
*   Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

> “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.”
> 
> Google

Such programs will restore the confidence of users and vendors in the open source software supply chain as vulnerabilities will be timely identified and fixed. So if you have what it takes to participate in Google’s latest bug bounty program we wish you good luck!

Google Introduces Bug Bounty Program for Open-Source Software

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found.

The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Eight months on, the 2022 Trustwave SpiderLabs Telemetry Report has concluded that organizations “finally understand the necessity of having a solid security posture”.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-days in Node.js libraries

Shodan searches performed by Trustwave SpiderLabs researchers revealed a sharp fall in the proportion of affected instances vulnerable to 2022’s highest profile vulnerabilities versus 2021’s equivalent flaws.

“Vulnerability disclosure-to-patch times have decreased,” Alex Rothacker, director of research and security scanning at Trustwave, told The Daily Swig.

**Celebrity factor**

He also noticed that security flaws’ “level of celebrity” was tied to both patching rates and patching speeds, with Log4j and Spring Framework instances outscoring what Rothacker said are lower profile issues in F5’s BIG-IP and Atlassian’s Confluence on these fronts.

For instance, only 0.36% of 405,993 instances of the most popular products running Log4j were vulnerable to the first Log4Shell patch (as opposed to the subsequent bypass) six months after exploits surfaced.

Equivalent numbers were 0.075% of 452,520 instances running unpatched versions of Spring Framework, another popular open source Java component, in regard to ‘Spring4Shell’ (CVE-2022-22965) three months after its disclosure.

Instances vulnerable to RCEs in F5’s BIG-IP (CVE-2022-1388) and Atlassian Confluence Server and Data Center (CVE-2022-26134) were 2.73% of 1,719 after disclosure and 4.44% of 7,074 hosts respectively – although disclosure was much more recent in these cases.

Catch up on the latest Log4j vulnerability news

By contrast, Trustwave’s 2021 report found that more than 50% of instances were vulnerable in relation to each of three similarly impactful vulnerabilities, weeks or months after patch release.

“Log4Shell seems to have been a call to action for many organizations,” said Rothacker. “The volume of questions and requests for remediation help that we received from customers for Log4Shell was unprecedented.”

**Critical mass**

This year is on course to comfortable eclipse 2021 in terms of both number of CVEs published and the proportion of which that are critical, the report found.

For instance, Rothacker said that August has already surpassed all previous months in 2022 and 2021, with 3,779 CVEs published as of August 26, while July and June also saw high numbers of 2,226 and 2,377 respectively.

Critical vulnerabilities account for 18% of 2022 CVEs, up from 13% of CVEs in 2021.

The report also discovered that some affected instances were still vulnerable to CVEs dating back as far as 2016, with the most widespread bug being CVE-2017-15906, an issue in encrypted remote login tool OpenSSH.

Despite being distributed in most Linux distributions by default, the bug’s medium severity means “it is most likely that many organizations do not see it as a significant issue and are de-prioritizing fixing it” said Rothacker.

“Other listed vulnerabilities either are for less commonly deployed software e.g CVE-2018-15199, or do have other mitigations, or constraints e.g CVE-2018-1312, that make it less likely that they will be exploited,” he added.

The top three CWE classifications for 2022 are cross-site scripting (XSS), SQL injection, and out-of-bounds write bugs.

RELATED CWE Top 25: These are the most dangerous software weaknesses of 2022

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report

ODGen tool was presented at this year’s Usenix Security Symposium

ODGen tool was presented at this year’s Usenix Security Symposium

Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect a wide range of vulnerabilities in JavaScript programs.

Called ODGen, the tool was presented at this year’s Usenix Security Symposium and addresses some of the challenges that limited the use of graph-based security tools in analyzing JavaScript programs.

The researchers proved the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities and received 70 CVEs.

**Graph-based methods**

Graph-based scanners parse source code files to build a graph structure that represents the different properties and execution branches of an application. This graph can then be used to model and find vulnerabilities in the source code.

Graph query-based approaches have proven to be very effective in detecting vulnerabilities in some programming languages. One technique in particular, Code Property Graph (CPG), has proven to be successful in securing C/C++ and PHP code.

**RECOMMENDED** Critical command injection vulnerability discovered in Bitbucket Server and Data Center

Inspired by the success of graph methods – particularly CPG – the researchers at Johns Hopkins University tried to apply them to JavaScript. While there are different tools for finding specific vulnerabilities in JavaScript code, graph-based tools promise to provide a general framework for detecting all kinds of vulnerabilities.

“JavaScript, particularly Node.js, is becoming a vital community with millions of packages these days,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told _The Daily Swig_.

“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”

However, their initial findings showed that CPG is not very effective in JavaScript due to the language’s dynamic structure, which makes it much more difficult to parse and analyze object relations and program branches prior to execution.

“CPG does not model detailed object relations including (i) prototype chains and (ii) object-level data flows. Therefore, it is hard to apply CPG to detect JavaScript-specific vulnerabilities, such as Prototype Pollution and Internal Property Tampering. And it is hard to model fine-grained object-level data flows in CPG,” Cao said.

**Object Dependence Graph**

In their paper, the researchers propose Object Dependence Graph (ODG) as a novel method to build graphs from JavaScript code. ODG uses some of the components of CPG, such as Abstract Syntax Trees (AST), and adds features that are specific to JavaScript, including fine-grained data dependency between objects. Accordingly, the researchers created ODGen, a tool for creating and querying ODGs.

“Our proposed ODGen abstractly interprets JavaScript code and generates a so-called Object Dependence Graph to capture such dynamic features including object relations so that a graph query-based approach can easily obtain such information and detect vulnerabilities,” Cao said.

Read more of the latest infosec research news

The researchers designed ODGen to detect vulnerabilities at application and package levels. They tested the tool on 330 documented vulnerabilities that spanned across 16 categories, including cross-site scripting (XSS), server- and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.

The tool was able to detect 13 types of vulnerabilities with very high accuracy, discovering 302 of the 330 bugs.

They expanded their test by crawling 300,000 NPM packages and applying ODGen with graph queries to detect queries. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads. They were able to confirm and report 180 security bugs, many of which were in libraries that are used widely in web applications. Of the discovered vulnerabilities, 70 were assigned CVEs.

ODGen shows how much more needs to be done to secure the open source JavaScript ecosystem and how the adaptation of existing tools can help in developing holistic approaches to securing Node.js libraries.

In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.

**YOU MIGHT LIKE** Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

Documents appear to show that Israeli spyware company Intellexa sold a full suite of services around a zero-day affecting both Android and iOS ecosystems.

Last month, an unknown customer appears to have shelled out around €8 million for a full-service zero-day remote control execution (RCE) exploit. 

Screenshots shared of the zero-day exploit bill of sale are dated July 14 and show that Intellexa, a spyware company, sold a product it called Nova Suite to an unknown buyer. It promised turnkey infections for Android, as well as iOS devices. The paperwork references iOS version 15.4.1 from March, but it's unclear how many devices remain vulnerable. 

Intellexa also promised the malware is delivered with just one click and uses the browser to inject the Android and iOS payload to mobile devices. The purchase price also includes data analysis, a "magazine" of 100 other infections, and even a full year's warranty. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Receipt for €8M iOS Zero-Day Sale Pops Up on Dark Web

A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.

July 11th, 2022

**Linux Kernel LightNVM Subsystem Heap-based Overflow Privilege Escalation Vulnerability****ZDI-22-960  
ZDI-CAN-17194**

CVE ID

CVE-2022-2991

CVSS SCORE

8.2, (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS

Linux  

AFFECTED PRODUCTS

Kernel  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.  

ADDITIONAL DETAILS

Linux has issued an update to correct this vulnerability. More details can be found at:  
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/lightnvm/Kconfig?h=v5.10.114&id=549209caabc89f2877ad5f62d11fca5c052e0e8 https://access.redhat.com/security/cve/CVE-2022-2991  

DISCLOSURE TIMELINE

*   2022-04-27 - Vulnerability reported to vendor
*   2022-07-11 - Coordinated public release of advisory
*   2022-08-25 - Advisory Updated

CREDIT

Lucas Leong (@\_wmliang\_) of Trend Micro Zero Day Initiative  

BACK TO ADVISORIES

CVE-2022-2991: ZDI-22-960

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Released July 20, 2022

**APFS**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32810: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32840: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-32845: Mohamed Ghannam (@\_simo36)

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32852: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Automation**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved checks.

CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Calendar**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**CoreMedia**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: macOS Monterey

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**iCloud Photo Library**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

 **ImageIO**

 Available for: macOS Monterey

 Impact: Processing an image may lead to a denial-of-service

 Description: A null pointer dereference was addressed with improved validation.

 CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Kernel**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32829: an anonymous researcher

**Liblouis**

Available for: macOS Monterey

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Monterey

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Monterey

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**SMB**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to leak sensitive information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

**Software Update**

Available for: macOS Monterey

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Monterey

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

**subversion**

Available for: macOS Monterey

Impact: Multiple issues in subversion

Description: Multiple issues were addressed by updating subversion.

CVE-2021-28544: Evgeny Kotkov, visualsvn.com

CVE-2022-24070: Evgeny Kotkov, visualsvn.com

CVE-2022-29046: Evgeny Kotkov, visualsvn.com

CVE-2022-29048: Evgeny Kotkov, visualsvn.com

**TCC**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**WebKit**

Available for: macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

**Wi-Fi**

Available for: macOS Monterey

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Monterey

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

Tag

#zero_day