Read Time:2 Minute, 57 Second

FortiGuard Labs is aware of a new proof of concept released over the weekend for CVE-2023-21716 (Microsoft Word Remote Code Execution Vulnerability).Patched in the February Microsoft Monthly Security Release, CVE-2023-21716 is a vulnerability within Microsoft Office’s wwlib which allows attackers to achieve remote code execution on a targeted machine via the use of a maliciously crafted RTF document. What makes this vulnerability dangerous is that It does not require any user interaction. As a proof of concept is now available, this makes exploitation even more likely as it does not require any legwork or additional development by an attacker.What are the technical details of the CVE-2023-21716?The RTF parser in Microsoft Word is susceptible to a heap corruption vulnerability when dealing with a font table containing an excessive number of fonts. The font ID value is corrupted because it loads upper bits from the EDX data register which is used for arithmetic and logical operations and contains appended writes of ffff, which will then corrupt the heap via an out of bounds memory write.What is the CVSS score for CVE-2023-21716?The CVSS score is 9.8 (CRITICAL).Are Patches Available?Yes, Microsoft published patches in the February 14, 2023 Patch Tuesday update.What Versions of Microsoft Office are Vulnerable?Unpatched versions vulnerable are:Microsoft Office 2019 for 32-bit editionsMicrosoft Office 2019 for 64-bit editionsMicrosoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Word 2013 RT Service Pack 1Microsoft Word 2013 Service Pack 1 (32-bit editions)Microsoft SharePoint Foundation 2013 Service Pack 1Microsoft Office Web Apps Server 2013 Service Pack 1Microsoft Word 2016 (32-bit edition)Microsoft Word 2016 (64-bit edition)Microsoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2013 Service Pack 1Microsoft SharePoint Enterprise Server 2016Microsoft 365 Apps for Enterprise for 64-bit SystemsMicrosoft Office 2019 for MacMicrosoft Office Online ServerSharePoint Server Subscription Edition Language PackMicrosoft 365 Apps for Enterprise for 32-bit SystemsMicrosoft Office LTSC 2021 for 64-bit editionsMicrosoft SharePoint Server Subscription EditionMicrosoft Office LTSC 2021 for 32-bit editionsMicrosoft Office LTSC for Mac 2021to CVE-2023-27176 are:Microsoft Office 2019 for 32-bit editionsMicrosoft Office 2019 for 64-bit editionsMicrosoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Word 2013 RT Service Pack 1Microsoft Word 2013 Service Pack 1 (32-bit editions)Microsoft SharePoint Foundation 2013 Service Pack 1Microsoft Office Web Apps Server 2013 Service Pack 1Microsoft Word 2016 (32-bit edition)Microsoft Word 2016 (64-bit edition)Microsoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2013 Service Pack 1Microsoft SharePoint Enterprise Server 2016Microsoft 365 Apps for Enterprise for 64-bit SystemsMicrosoft Office 2019 for MacMicrosoft Office Online ServerSharePoint Server Subscription Edition Language PackMicrosoft 365 Apps for Enterprise for 32-bit SystemsMicrosoft Office LTSC 2021 for 64-bit editionsMicrosoft SharePoint Server Subscription EditionMicrosoft Office LTSC 2021 for 32-bit editionsMicrosoft Office LTSC for Mac 2021What are the Details of Coverage?FortiGuard Labs is currently assessing IPS signature creation based on available proof of concept code. This Threat Signal will be updated once this information is available.Any Suggested Mitigation?FortiGuard Labs suggests that all users of affected versions of Microsoft Office patch immediately. If this is not an option, other mitigations suggested by Microsoft include reading emails in plain text only format and utilizing the Microsoft Office File Block policy, which prevents RTF documents from being previewed or opened without user interaction. Further mitigation guidance from Microsoft can be found under “Microsoft Word Remote Code Execution Vulnerability” In the APPENDIX.

Advisories

#StopRansomware: Royal Ransomware

March 7, 2023

Read Time:2 Minute, 0 Second

FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory on Royal ransomware as part of its #StopRansomware effort. The advisory states that Royal ransomware compromised multiple organizations globally starting late 2022. The threat actor is known to use malware and dual-use tools to establish persistence, move laterally in the compromised networks and exfiltrate data from victims and ultimately lock victim machines for monetary gain.Why is this Significant?This is significant because CISA released the advisory for Royal ransomware for public awareness purposes. Due to its worldwide campaign starting last September, Royal has been attributed to many attacks in recent months and is gaining traction and severity due to observed attacks targeting critical infrastructure, such as Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education verticals.What is Royal ransomware?Royal is a relatively new ransomware, having been around since at least the start of 2022. The group initially used Windows versions of Royal ransomware; however a Royal ransomware variant that can infect ESXi was observed in 2023. The Royal ransomware objective is to compromise victims’ networks, exfiltrate information, deploy Royal ransomware for file encryption and ultimately extort money from the victims for file decryption and preventing data leaks.According to the advisory, Royal ransomware infection vectors include emails, malvertising campaigns, Remote Desktop Protocol (RDP) compromise, exploiting internet-facing applications and gaining access from initial access brokers.Tools used by Royal ransomware threat actor include Chisel for C2 communication, PsExec for lateral movement, AnyDesk, LogMeIn, and Atera, to establish persistence, and Cobalt Strike and Ursnif/Gozi malware to exfiltrate data.Typically, Royal ransomware adds a “.royal” file extension to encrypted files and leaves “README.txt” as a ransom note. FortiGuard Labs previously posted blogs on Royal ransomware. See the Appendix for a link to “Ransomware Roundup: Royal Ransomware” and “Royal Ransomware Targets Linux ESXi Servers”.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for the available samples called out in the advisory:W32/Chisel.A!trBAT/Agent.E949!trBAT/Agent.70c4!trPowerShell/Agent.FGA!trRiskware/NsudoW32/PossibleThreatFortiGuard Labs has the following AV signatures in place for known samples of Royal ransomware:W32/Ransom_Royal.FFBJFIM!trW32/Royal.D779!tr.ransomW32/Royal.47AC!tr.ransomW64/Royal.CF4E!tr.ransomLinux/Filecoder_Royal.A!trW32/PossibleThreatNetwork IOCs in the advisory are blocked by the FortiGuard Webfiltering client.

Advisories

New WhiteSnake Infostealer Sold in Underground

March 7, 2023

Read Time:1 Minute, 24 Second

FortiGuard Labs is aware of a report that a new infostealer malware dubbed “WhiteSnake” is being sold in underground forums as a Malware-as-a-Service (MaaS) offering. WhiteSnake comes in Windows and Linux versions, and is capable of stealing information from popular Web browsers and apps installed on compromised machines and crypto wallets.Why is this Significant?This is significant because WhiteSnake is a new as a service infostealer being sold in underground web forums. As such, attackers can easily purchase the infostealer for a fee and use it to steal various types of sensitive information. What is WhiteSnake Infostealer?WhiteSnake is an infostealer that is capable of stealing sensitive information from popular Web browsers and apps such as Chromium-based browsers, Firefox, Edge, Steam and Telegram. It also targets various cryptocurrency wallets as well as crypto wallet browser extensions. The stolen information is then sent to attacker’s Telegram bots. The malware is being sold in underground websites and has both Windows and Linux version.A report indicates that WhiteSnake was circulated as a fake PDF file, however a WhiteSnake variant that FortiGuard Labs came across may have disguised a popular game for kids.How Widespread is WhiteSnake Infostealer?As the time of this writing, there is no indication that the malware is widely used. However, due to the malware being sold with a moderate price tag, it is expected that a high rate of adoption occurs as it is affordable for many cybercriminals regardless if they are professional or not.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for WhiteSnake infostealer and related files: W32/Stealer.WS!trMSIL/Agent.APA!trPossibleThreat

Advisories

BlackLotus Malware Bypasses UEFI Secure Boot

March 7, 2023

Read Time:1 Minute, 8 Second

Why is this Significant?This is significant because BlackLotus malware can bypass UEFI Secure Boot giving itself less chance to be detected as the malware is executed before the operating system and traditional OS-based security solutions start.Also, BlackLotus was reportedly seen to be advertised and sold in underground forums as such use of BlackLotus will likely increase in attacks.What is BlackLotus?BlackLotus is a malware that can bypass UEFI Secure Boot feature to install itself and deploys a backdoor that allows an attacker to remotely control the compromised machines via remote commands.BlackLotus leverages CVE-2022-21894 (Secure Boot Security Feature Bypass vulnerability) to bypass UEFI Secure Boot. While the vulnerability was patched by Microsoft in regular Patch Tuesday January 2022, reportedly it can still be exploitable as the affected signed binaries are not yet in the UEFI revocation list.According to ESET, BlackLotus stops installation if machines’ locales are set to Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.How Widespread is BlackLotus?There is no information available as to how widespread BlackLotus is. However, since the malware is being sold in underground forums, the use of BlackLotus is expected to pick up. What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for the available samples in the report:W64/BlackLotus.A!trW64/BlackLotus.B!trW32/PossibleThreat

Advisories

Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution

March 7, 2023

Read Time:42 Second

Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for Arbitrary code execution.

Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance.
Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment
WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Advisories

USN-5935-1: Linux kernel vulnerabilities

March 7, 2023

Read Time:3 Minute, 32 Second

It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)

Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel
did not properly handle VLAN headers in some situations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-0179)

It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)
implementation for AMD processors in the Linux kernel did not properly
handle nested shutdown execution. An attacker in a guest vm could use this
to cause a denial of service (host kernel crash) (CVE-2022-3344)

Gwangun Jung discovered a race condition in the IPv4 implementation in the
Linux kernel when deleting multipath routes, resulting in an out-of-bounds
read. An attacker could use this to cause a denial of service (system
crash) or possibly expose sensitive information (kernel memory).
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection
Multiplexor (KCM) socket implementation in the Linux kernel when releasing
sockets in certain situations. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3545)

It was discovered that the Intel i915 graphics driver in the Linux kernel
did not perform a GPU TLB flush in some situations. A local attacker could
use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the NFSD implementation in the Linux kernel
contained a use-after-free vulnerability. A remote attacker could possibly
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2022-4379)

It was discovered that a race condition existed in the x86 KVM subsystem
implementation in the Linux kernel when nested virtualization and the TDP
MMU are enabled. An attacker in a guest vm could use this to cause a denial
of service (host OS crash). (CVE-2022-45869)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate the number of channels, leading to an out-of-bounds
write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-47518)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate specific attributes, leading to an out-of-bounds
write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-47519)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate offsets, leading to an out-of-bounds read
vulnerability. An attacker could use this to cause a denial of service
(system crash). (CVE-2022-47520)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate specific attributes, leading to a heap-based buffer
overflow. An attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2022-47521)

Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)

Advisories

USN-5934-1: Linux kernel (Raspberry Pi) vulnerabilities

March 7, 2023

Read Time:4 Minute, 0 Second

It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)

It was discovered that the hugetlb implementation in the Linux kernel
contained a race condition in some situations. A local attacker could use
this to cause a denial of service (system crash) or expose sensitive
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)

It was discovered that the Android Binder IPC subsystem in the Linux kernel
did not properly validate inputs in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)

Advisories