An integer overflow flaw was discovered in the CRL signature parser in
libksba, an X.509 and CMS support library, which could result in denial
of service or the execution of arbitrary code.
systemd-250.9-1.fc36
FEDORA-2022-ef4f57b072
Packages in this update:
systemd-250.9-1.fc36
Update description:
Latest bugfix release with a bunch of fixes (homed, networkd, manager, resolved, documentation): rhbz#2133792, rhbz#2135778, rhbz#2152685, and also #2031810, #2121106.
CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel setting
No need to log out or reboot.
systemd-251.10-588.fc37
FEDORA-2022-6919a53ea9
Packages in this update:
systemd-251.10-588.fc37
Update description:
Bugfix release for CVE-2022-4415.
No need to log out or reboot.
flatpak-runtime-f37-3720221117153339.4 flatpak-sdk-f37-3720221117153339.4
FEDORA-FLATPAK-2022-8fbf9c37ec
Packages in this update:
flatpak-runtime-f37-3720221117153339.4
flatpak-sdk-f37-3720221117153339.4
Update description:
Updated flatpak runtime and SDK, including latest Fedora 37 security and bug-fix errata.
Threat Actors Abused Signed Microsoft Drivers
FortiGuard Labs is aware that Microsoft recently disclosed that threat actors had maliciously used Windows drivers certified by Microsoft, which prompted Microsoft to revoke the signing certificates involved. According to Microsoft's advisory, the malicious drivers were used for post-exploitation activities, including deploying ransomware to compromised machines. Separate reports indicate that a malicious signed driver named "POORTRY" and the STONESTOP malware were used to terminate processes belonging to AV and EDR solutions.

Why is this Significant?

This is significant because malicious drivers legitimately signed by Microsoft are trusted by the operating system, and the use of such drivers allows attackers to perform activities with the highest privileges on compromised machines. One of the reported activities includes the deployment of Cuba ransomware. Other reports indicate threat actors used "POORTRY", a malicious driver signed by Microsoft, and STONESTOP malware to terminate processes belonging to AV and EDR solutions.

Microsoft's advisory states that it suspended developer accounts that were likely abused by threat actors to get Microsoft to sign malicious files through a legitimate process. Microsoft also revoked the signing certificates used to sign the malicious files.

What is the Status of Coverage?

FortiGuard Labs provides the following AV signatures for the reported and available samples involved in the incident:
W64/BURNTCIGAR.BQ!tr
W64/BURNTCIGAR.CA!tr
W64/BURNTCIGAR.CB!tr
W64/Agent.ARD!tr
Riskware/BURNTCIGAR
W32/PossibleThreat
Mallox Ransomware
FortiGuard Labs is aware of recent reports of an uptick in Mallox ransomware activity observed in the wild. Reportedly, the Mallox threat actor distributes the ransomware via a downloader attached to spam emails and by targeting unsecured internet-facing Microsoft SQL servers. Mallox ransomware encrypts files on compromised machines and typically adds a ".mallox" file extension to the affected files.

Why is this Significant?

This is significant because recent reports highlight an uptick in Mallox ransomware activity. A ransomware infection causes disruption and damage to daily operations, potentially harms an organization's reputation, and can lead to the unwanted destruction or release of personally identifiable information (PII), among other consequences.

What is Mallox Ransomware?

Mallox is a ransomware strain that has been around since 2021 and is also known as Fargo. The ransomware encrypts files on compromised machines and typically adds a ".mallox" file extension to the affected files. Mallox leaves a ransom note titled "FILE RECOVERY.txt" that contains the ransom message, the victim's private key, and a TOR site address where victims can contact the attacker. The TOR site also works as a data leak site where information stolen from victims will be released if the ransom is not paid. At the time of this writing, the leak site listed one company; however, previous victims may have been removed.

[Image: Ransom note left by Mallox ransomware]

The Mallox ransomware threat actor reportedly distributes the ransomware via downloader malware attached to spam emails. The threat actor also targets unsecured internet-facing Microsoft SQL servers by attempting to log in with a list of username and password combinations.

What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for known Mallox ransomware samples:
W32/Filecoder.D181!tr.ransom
W32/Filecoder.OJC!tr.ransom
W32/Generic.AC.171!t
MSIL/Agent.LXR!tr
MSIL/Agent.LYC!tr
MSIL/Agent.NLO!tr.dldr
MSIL/Agent.NZA!tr.dldr
MSIL/Agent.OBD!tr.dldr
MSIL/Agent.OEY!tr.dldr
MSIL/Agent.OFN!tr.dldr
MSIL/Agent.OHG!tr.dldr
MSIL/GenKryptik.FMRD!tr
MSIL/Kryptik.ADHC!tr
MSIL/Kryptik.AGYT!tr.ransom
MSIL/Kryptik.AHJZ!tr
MSIL/Kryptik.DCC!tr
PossibleThreat
trafficserver-9.1.4-1.fc36
FEDORA-2022-489ea47e69
Packages in this update:
trafficserver-9.1.4-1.fc36
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.el7
FEDORA-EPEL-2022-8362ddfe7c
Packages in this update:
trafficserver-9.1.4-1.el7
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.fc37
FEDORA-2022-62b61a8542
Packages in this update:
trafficserver-9.1.4-1.fc37
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.el8
FEDORA-EPEL-2022-47a8accb45
Packages in this update:
trafficserver-9.1.4-1.el8
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743