CVE-2016-2338

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In the Psych::Emitter start_document function, the heap buffer “head” is allocated based on the length of the tags array. A specially constructed object passed as an element of the tags array can increase the array's size after that allocation and cause a heap overflow.

CVE-2015-1931

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

CVE-2014-0148

Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like ‘sectors_per_block’ etc. A user able to alter the Qemu disk image could use this flaw to crash the Qemu instance, resulting in DoS.

CVE-2014-0147

Qemu before 1.6.2 block drivers for the various disk image formats used by Bochs and for the QCOW version 2 format are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling the update_refcount() routine.

CVE-2014-0144

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

CVE-2012-4818

IBM InfoSphere Information Server 8.1, 8.5, and 8.7 could allow a remote authenticated attacker to obtain sensitive information, caused by improper restrictions on directories. An attacker could exploit this vulnerability via the DataStage application to load or import content functionality to view arbitrary files on the system.

CVE-2012-2201

IBM WebSphere MQ 7.1 is vulnerable to a denial of service, caused by an error when handling user ids. A remote attacker could exploit this vulnerability to bypass the security configuration setup on a SVRCONN channel and flood the queue manager.

CVE-2012-2160

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2011-4820

IBM Rational Asset Manager 7.5 could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using the UID parameter to modify another user’s preferences.

BlackCat Uses Updated Infostealer Tools with File Corruption Capability

FortiGuard Labs is aware of a report that the infamous BlackCat ransomware group has updated their infostealer tools. Dubbed Exmatter and Eamfo, the former is a data exfiltration tool whose newer version has code for file corruption, and the latter is a credential lifter for Veeam, which is backup software.

Why is this Significant?

This is significant because BlackCat is one of the active Ransomware-as-a-Service (RaaS) providers and their newly updated data exfiltration tool “Exmatter” is now capable of making processed files unusable.

What is BlackCat?

BlackCat (also known as ALPHV and Noberus) is a relatively new Ransomware-as-a-Service (RaaS) and a ransomware variant with the same name. As a RaaS provider, it develops and offers various tools including ransomware, and recruits affiliates for corporate intrusions, encrypting files on the victim’s network and stealing confidential files from it for financial gain. BlackCat ransomware is written in the Rust programming language.

FortiGuard Labs previously released a Threat Signal on BlackCat. See the Appendix for a link to “Meet Blackcat: New Ransomware Written in Rust on the Block”.

What is Exmatter?

According to security vendor Symantec, Exmatter is a data exfiltration tool that was previously used by a BlackMatter ransomware affiliate. The tool is designed to steal various Microsoft Office files (Word, Excel and PowerPoint) as well as image, email and archive files. It supports FTP, SFTP and WebDav for file transfer of exfiltrated information. The newer version has code to corrupt files.

What is Eamfo?

Eamfo is a tool to steal credentials from Veeam backup software.

What is the Status of Protection?

FortiGuard Labs detects reported Exmatter and Eamfo tools with the following AV signatures:

MSIL/Agent.DRB!tr
MSIL/Agent.DRB!tr.spy
MSIL/Agent.7AAD!tr
W32/Crypt!tr
W32/PossibleThreat
PossibleThreat
PossibleThreat.PALLAS.H

FortiGuard Labs has the following AV protection in place for known BlackCat ransomware:

W32/Filecoder_BlackCat.A!tr.ransom
W32/Ransom_Win32_BLACKCAT.YNCHH!tr.ransom
W32/Ransom_Win32_BLACKCAT.YXCDU!tr.ransom
W32/BlackCat.26B0!tr
