Category Archives: Advisories

Advisories

New WhiteSnake Infostealer Sold in Underground

Read Time:1 Minute, 24 Second

FortiGuard Labs is aware of a report that a new infostealer malware dubbed “WhiteSnake” is being sold in underground forums as a Malware-as-a-Service (MaaS) offering. WhiteSnake comes in Windows and Linux versions, and is capable of stealing information from popular Web browsers and apps installed on compromised machines and crypto wallets.Why is this Significant?This is significant because WhiteSnake is a new as a service infostealer being sold in underground web forums. As such, attackers can easily purchase the infostealer for a fee and use it to steal various types of sensitive information. What is WhiteSnake Infostealer?WhiteSnake is an infostealer that is capable of stealing sensitive information from popular Web browsers and apps such as Chromium-based browsers, Firefox, Edge, Steam and Telegram. It also targets various cryptocurrency wallets as well as crypto wallet browser extensions. The stolen information is then sent to attacker’s Telegram bots. The malware is being sold in underground websites and has both Windows and Linux version.A report indicates that WhiteSnake was circulated as a fake PDF file, however a WhiteSnake variant that FortiGuard Labs came across may have disguised a popular game for kids.How Widespread is WhiteSnake Infostealer?As the time of this writing, there is no indication that the malware is widely used. However, due to the malware being sold with a moderate price tag, it is expected that a high rate of adoption occurs as it is affordable for many cybercriminals regardless if they are professional or not.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for WhiteSnake infostealer and related files: W32/Stealer.WS!trMSIL/Agent.APA!trPossibleThreat

Read More

Advisories

BlackLotus Malware Bypasses UEFI Secure Boot

Read Time:1 Minute, 8 Second

Why is this Significant?This is significant because BlackLotus malware can bypass UEFI Secure Boot giving itself less chance to be detected as the malware is executed before the operating system and traditional OS-based security solutions start.Also, BlackLotus was reportedly seen to be advertised and sold in underground forums as such use of BlackLotus will likely increase in attacks.What is BlackLotus?BlackLotus is a malware that can bypass UEFI Secure Boot feature to install itself and deploys a backdoor that allows an attacker to remotely control the compromised machines via remote commands.BlackLotus leverages CVE-2022-21894 (Secure Boot Security Feature Bypass vulnerability) to bypass UEFI Secure Boot. While the vulnerability was patched by Microsoft in regular Patch Tuesday January 2022, reportedly it can still be exploitable as the affected signed binaries are not yet in the UEFI revocation list.According to ESET, BlackLotus stops installation if machines’ locales are set to Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.How Widespread is BlackLotus?There is no information available as to how widespread BlackLotus is. However, since the malware is being sold in underground forums, the use of BlackLotus is expected to pick up. What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for the available samples in the report:W64/BlackLotus.A!trW64/BlackLotus.B!trW32/PossibleThreat

Read More

Advisories

Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution

Read Time:42 Second

Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for Arbitrary code execution.

Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance.
Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment
WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Advisories

USN-5935-1: Linux kernel vulnerabilities

Read Time:3 Minute, 32 Second

It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)

Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel
did not properly handle VLAN headers in some situations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-0179)

It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)
implementation for AMD processors in the Linux kernel did not properly
handle nested shutdown execution. An attacker in a guest vm could use this
to cause a denial of service (host kernel crash) (CVE-2022-3344)

Gwangun Jung discovered a race condition in the IPv4 implementation in the
Linux kernel when deleting multipath routes, resulting in an out-of-bounds
read. An attacker could use this to cause a denial of service (system
crash) or possibly expose sensitive information (kernel memory).
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection
Multiplexor (KCM) socket implementation in the Linux kernel when releasing
sockets in certain situations. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3545)

It was discovered that the Intel i915 graphics driver in the Linux kernel
did not perform a GPU TLB flush in some situations. A local attacker could
use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the NFSD implementation in the Linux kernel
contained a use-after-free vulnerability. A remote attacker could possibly
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2022-4379)

It was discovered that a race condition existed in the x86 KVM subsystem
implementation in the Linux kernel when nested virtualization and the TDP
MMU are enabled. An attacker in a guest vm could use this to cause a denial
of service (host OS crash). (CVE-2022-45869)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate the number of channels, leading to an out-of-bounds
write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-47518)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate specific attributes, leading to an out-of-bounds
write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-47519)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate offsets, leading to an out-of-bounds read
vulnerability. An attacker could use this to cause a denial of service
(system crash). (CVE-2022-47520)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate specific attributes, leading to a heap-based buffer
overflow. An attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2022-47521)

Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)

Read More

Advisories

USN-5934-1: Linux kernel (Raspberry Pi) vulnerabilities

Read Time:4 Minute, 0 Second

It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)

It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)

Gwangun Jung discovered a race condition in the IPv4 implementation in the
Linux kernel when deleting multipath routes, resulting in an out-of-bounds
read. An attacker could use this to cause a denial of service (system
crash) or possibly expose sensitive information (kernel memory).
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection
Multiplexor (KCM) socket implementation in the Linux kernel when releasing
sockets in certain situations. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3545)

It was discovered that the hugetlb implementation in the Linux kernel
contained a race condition in some situations. A local attacker could use
this to cause a denial of service (system crash) or expose sensitive
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)

It was discovered that the Intel i915 graphics driver in the Linux kernel
did not perform a GPU TLB flush in some situations. A local attacker could
use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate offsets, leading to an out-of-bounds read
vulnerability. An attacker could use this to cause a denial of service
(system crash). (CVE-2022-47520)

It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)

It was discovered that the Android Binder IPC subsystem in the Linux kernel
did not properly validate inputs in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)

Read More

Advisories

CVE-2020-36670

Read Time:22 Second

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

Read More

Advisories

USN-5933-1: Libtpms vulnerabilities

Read Time:20 Second

Francisco Falcon discovered that Libtpms did not properly manage memory
when performing certain cryptographic operations. An attacker could
possibly use this issue to cause a denial of service, or possibly execute
arbitrary code. (CVE-2023-1017, CVE-2023-1018)

It was discovered that Libtpms did not properly manage memory when
handling certain commands. An attacker could possibly use this issue
to cause a denial of service.

Read More