USN-6725-1: Linux kernel vulnerabilities

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel
did not properly validate certain data structure fields when parsing lease
contexts, leading to an out-of-bounds read vulnerability. A remote attacker
could use this to cause a denial of service (system crash) or possibly
expose sensitive information. (CVE-2023-1194)

Quentin Minster discovered that a race condition existed in the KSMBD
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A remote attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-32254)

It was discovered that a race condition existed in the KSMBD implementation
in the Linux kernel when handling session connections, leading to a use-
after-free vulnerability. A remote attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-32258)

It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer sizes in certain operations, leading to an integer
underflow and out-of-bounds read vulnerability. A remote attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-38427)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel
did not properly validate SMB request protocol IDs, leading to an
out-of-bounds read vulnerability. A remote attacker could possibly use this to
cause a denial of service (system crash). (CVE-2023-38430)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel
did not properly validate packet header sizes in certain situations,
leading to an out-of-bounds read vulnerability. A remote attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-38431)

It was discovered that the KSMBD implementation in the Linux kernel did not
properly handle session setup requests, leading to an out-of-bounds read
vulnerability. A remote attacker could use this to expose sensitive
information. (CVE-2023-3867)

Pratyush Yadav discovered that the Xen network backend implementation in
the Linux kernel did not properly handle zero-length data requests, leading
to a null pointer dereference vulnerability. An attacker in a guest VM
could possibly use this to cause a denial of service (host domain crash).
(CVE-2023-46838)

It was discovered that the IPv6 implementation of the Linux kernel did not
properly manage route cache memory usage. A remote attacker could use this
to cause a denial of service (memory exhaustion). (CVE-2023-52340)

It was discovered that the device mapper driver in the Linux kernel did not
properly validate target size during certain memory allocations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-52429, CVE-2024-23851)

Yang Chaoming discovered that the KSMBD implementation in the Linux kernel
did not properly validate request buffer sizes, leading to an out-of-bounds
read vulnerability. An attacker could use this to cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2024-22705)

Chenyuan Yang discovered that the btrfs file system in the Linux kernel did
not properly handle read operations on newly created subvolumes in certain
conditions. A local attacker could use this to cause a denial of service
(system crash). (CVE-2024-23850)

It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a null pointer dereference vulnerability. A
privileged local attacker could use this to possibly cause a denial of
service (system crash). (CVE-2024-24860)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– Architecture specifics;
– Block layer;
– Cryptographic API;
– Android drivers;
– EDAC drivers;
– GPU drivers;
– Media drivers;
– Multifunction device drivers;
– MTD block device drivers;
– Network drivers;
– NVME drivers;
– TTY drivers;
– Userspace I/O drivers;
– EFI Variable file system;
– F2FS file system;
– GFS2 file system;
– SMB network file system;
– BPF subsystem;
– IPv6 Networking;
– Network Traffic Control;
– AppArmor security module;
(CVE-2023-52463, CVE-2023-52445, CVE-2023-52462, CVE-2023-52609,
CVE-2023-52448, CVE-2023-52457, CVE-2023-52464, CVE-2023-52456,
CVE-2023-52454, CVE-2023-52438, CVE-2023-52480, CVE-2023-52443,
CVE-2023-52442, CVE-2024-26631, CVE-2023-52439, CVE-2023-52612,
CVE-2024-26598, CVE-2024-26586, CVE-2024-26589, CVE-2023-52444,
CVE-2023-52436, CVE-2024-26633, CVE-2024-26597, CVE-2023-52458,
CVE-2024-26591, CVE-2023-52449, CVE-2023-52467, CVE-2023-52441,
CVE-2023-52610, CVE-2023-52451, CVE-2023-52469, CVE-2023-52470)

USN-6724-1: Linux kernel vulnerabilities

Pratyush Yadav discovered that the Xen network backend implementation in
the Linux kernel did not properly handle zero-length data requests, leading
to a null pointer dereference vulnerability. An attacker in a guest VM
could possibly use this to cause a denial of service (host domain crash).
(CVE-2023-46838)

It was discovered that Habana's AI Processors driver in the Linux
kernel did not properly initialize certain data structures before passing
them to user space. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2023-50431)

It was discovered that the device mapper driver in the Linux kernel did not
properly validate target size during certain memory allocations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-52429, CVE-2024-23851)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate certain SMB messages, leading to an
out-of-bounds read vulnerability. An attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information.
(CVE-2023-6610)

Yang Chaoming discovered that the KSMBD implementation in the Linux kernel
did not properly validate request buffer sizes, leading to an out-of-bounds
read vulnerability. An attacker could use this to cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2024-22705)

Chenyuan Yang discovered that the btrfs file system in the Linux kernel did
not properly handle read operations on newly created subvolumes in certain
conditions. A local attacker could use this to cause a denial of service
(system crash). (CVE-2024-23850)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– Android drivers;
– Userspace I/O drivers;
– F2FS file system;
– SMB network file system;
– Networking core;
(CVE-2023-52434, CVE-2023-52436, CVE-2023-52435, CVE-2023-52439,
CVE-2023-52438)

USN-6723-1: Bind vulnerabilities

Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered
that Bind incorrectly handled validating DNSSEC messages. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2023-50387)

It was discovered that Bind incorrectly handled preparing an NSEC3 closest
encloser proof. A remote attacker could possibly use this issue to cause
Bind to consume resources, leading to a denial of service. (CVE-2023-50868)

The Hidden Threat in Plain Sight: Analyzing Subtextual Attacks in Digital Communications

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In our always-online world, we’re facing a new kind of cyber threat that’s just as sneaky as it is harmful: subtextual attacks. These aren’t your run-of-the-mill security breaches; they’re cunningly crafted messages that may look harmless—but they actually carry a dangerous payload within them.

Join me as we take a closer look at this under-the-radar, but still dangerous, threat. We’ll explore how these deceptive messages can sneak past our defenses, trick people into taking unwanted actions, and steal sensitive information without ever tripping an alarm.

The Rise of Subtextual Attacks

Unlike traditional cyber attacks, which are often direct and identifiable, subtextual attacks rely on subtlety and deception. Attackers craft messages that on the surface appear harmless or unrelated to any malicious activity.

However, embedded within these communications are instructions, links, or information that can compromise security, manipulate behavior, or extract sensitive data.

Big data is paramount in advertising and many other fields, but hoarding it is like keeping everything in your wallet: convenient, even helpful, yet it signals to attackers that you are willing to put all your eggs in one basket when it comes to communications.

These attacks exploit the nuances of language and context and require a sophisticated understanding of human communication and digital interaction patterns. For instance, a seemingly benign email might include a specific choice of words or phrases that, when interpreted correctly, reveal a hidden command or a disguised link to a malicious site.

Psychological Manipulation Through Subtext

Subtextual attacks also leverage psychological manipulation, influencing individuals to act in ways that compromise security or divulge confidential information. By understanding the psychological triggers and behavioral patterns of targets, attackers craft messages that subtly guide the recipient’s actions.

For instance, an attacker might use social engineering techniques combined with subtextual cues to convince a user to bypass normal security protocols. An email that seems to come from a trusted colleague or superior, containing subtle suggestions or cues, can be more effective in eliciting certain actions than a direct request or command.

Attackers can also exploit the principle of urgency or scarcity, embedding subtle cues in communications that prompt the recipient to act quickly, bypassing their usual critical thinking or security procedures.

The Evolution of Digital Forensics

To combat the growing rise of subtextual attacks, the field of digital forensics has evolved significantly over the past decade.

Initially focused on recovering and analyzing electronic information to investigate crime, digital forensics now incorporates advanced linguistic analysis, data pattern recognition, and machine learning to detect hidden threats.

Modern digital forensic tools can analyze vast quantities of data to identify anomalies or patterns indicative of subtextual cues. These tools examine not just the content but also the metadata of communications, looking for irregularities in sender information, timing, and network routing that might hint at a subtextual attack.

Even more so, many organizations have started using dark web monitoring services, because data scraped from digital communications is either resold or paraded by nefarious actors as a trophy from their hacking conquests.

On top of this, we know that data security is paramount in all industries—however, if your business is in a field that routinely handles sensitive information, like healthcare or finance, you’re automatically under more scrutiny.

Making sure that you are meeting guidelines and regulations, such as using HIPAA-compliant hosting or PCI-compliant hosting, is essential for businesses in those areas. Otherwise, you are legally liable and could be subject to crippling fines from regulatory bodies.

Examples of Subtextual Attacks

There are various ways in which bad-faith actors can leverage subtext through a variety of attack vectors to meet their malicious goals. Let’s take a closer look at several examples:

● Phishing Attacks: Perhaps the most straightforward and notable instance of subtextual attacks, phishing campaigns consist of attackers sending emails mimicking a trusted entity, such as a bank, to deceive recipients into providing sensitive or restricted information. This tactic exploits trust and familiarity, embedding malicious intent within seemingly legitimate communications.

● Ransomware and Double Extortion Attacks: The attack on Software AG demonstrates a double extortion tactic where attackers encrypted and stole sensitive data, demanding a ransom. When the company refused to pay, the attackers leaked the data online, compounding the attack’s impact. This kind of attack manipulates the target into a lose-lose situation, leveraging the subtext of the stolen data’s critical value.

● Credential Stuffing and Password Attacks: The Canada Revenue Agency experienced a password attack where attackers used previously breached credentials to access thousands of accounts. This technique relies on the subtle assumption that many users reuse passwords, a subtextual vulnerability that attackers exploit to gain unauthorized access.

As you can see, in all of the cases above the underlying danger lies in this: the attack is masked by normalcy or trust, necessitating vigilant and sophisticated defense mechanisms.

Strengthening Defenses Against Subtextual Attacks

To safeguard against subtextual attacks, organizations and individuals must adopt a multi-layered security approach that includes both technological solutions and human vigilance.

Modern cybersecurity training should now encompass awareness tests that also encapsulate this new, less-overt paradigm, teaching attendees how to properly scrutinize and vet not just the straightforward, obvious elements that make up digital communication but also to consider the context and subtext.

In the same way that more conventional attacks can be simulated with various pentesting tools, you should consider simulating an attack through digital communications. Of course, you should let your team members or employees know ahead of time that these tests will occur.

Some ideas: send business correspondence that carries subtle signs of malicious intent, such as mail from a slightly different or misspelled email address, messages containing suspicious links, or requests for access to files or information that the sender should not be privy to.

Best Practices and Tools to Incorporate

However, cybersecurity awareness is just one-half of the battle; you also need the appropriate tools to wage that battle effectively.

Depending on the exact nature, line of work, and complexity of your organization, your needs will vary, so a good place to start is with what is universal. To use a simple example, every organization needs record-keeping and bookkeeping; adopting a solution like a PDF SDK can give your organization much more control over how its documents are handled in terms of access management and storage.

Technological defenses should also include advanced content analysis tools that are actively capable of detecting subtle cues and anomalies in language and behavior. These systems must continually learn and adapt to the evolving tactics of attackers while incorporating artificial intelligence and machine learning to stay a step ahead.

Finally, keep in mind that malicious actors won’t always pose as people within your organization—they can (and do) often pose as clients or business partners.

Regular communication with the people you collaborate with can serve to weed out some of these intrusion attempts—but as a final protection, consider investing in features like a digital signature API or a multi-factor authentication system to make sure all deals are transparent and trackable.

Keeping your Systems Secure

As you can clearly see, we’re dealing with a new breed of cyber threats that are sneakier than ever before. Subtextual attacks are tricky because they hide their nasty intentions behind normal-looking messages, exploiting both high-tech methods and our own human psychology.

It’s a cunning blend of tech and mind games, making these threats tough to spot and even tougher to defend against—but here’s the kicker: as these threats get more sophisticated, so do our strategies to fight them. We need to be on our toes, combining smart tech solutions with a good dose of critical thinking and a healthy skepticism of anything that seems off.

ZDI-24-361: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability

This vulnerability allows remote attackers to bypass the SmartScreen security feature to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-29988.
