Category Archives: Advisories

xen-4.16.2-2.fc37

Read Time:16 Second

FEDORA-2022-d80cc73088

Packages in this update:

xen-4.16.2-2.fc37

Update description:

Arm: unbounded memory consumption for 2nd-level page tables [XSA-409,
CVE-2022-33747]
P2M pool freeing may take excessively long [XSA-410, CVE-2022-33746]
lock order inversion in transitive grant copy handling [XSA-411,
CVE-2022-33748]

Read More

USN-5683-1: Linux kernel (IBM) vulnerabilities

Read Time:3 Minute, 12 Second

It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an out-of-
bounds write. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Selim Enes Karaduman discovered that a race condition existed in the
General notification queue implementation of the Linux kernel, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1882)

Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel’s Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan
and Ariel Sabba discovered that some Intel processors with Enhanced
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET
instructions after a VM exits. A local attacker could potentially use this
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the
io_uring subsystem in the Linux kernel. A local attacker could possibly use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)

It was discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a reference counting error. A local attacker could
use this to cause a denial of service (system crash). (CVE-2022-36879)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)

Jann Horn discovered that the KVM subsystem in the Linux kernel did not
properly handle TLB flush operations in some situations. A local attacker
in a guest VM could use this to cause a denial of service (guest crash) or
possibly execute arbitrary code in the guest kernel. (CVE-2022-39189)

Read More

libreoffice-7.2.7.2-2.fc35

Read Time:24 Second

FEDORA-2022-775c747e4a

Packages in this update:

libreoffice-7.2.7.2-2.fc35

Update description:

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme ‘vnd.libreoffice.command’ specific to LibreOffice was added.

In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning.

Read More

USN-5682-1: Linux kernel (AWS) vulnerabilities

Read Time:2 Minute, 9 Second

It was discovered that the BPF verifier in the Linux kernel did not
properly handle internal data structures. A local attacker could use this
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel’s Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan
and Ariel Sabba discovered that some Intel processors with Enhanced
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET
instructions after a VM exits. A local attacker could potentially use this
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the
io_uring subsystem in the Linux kernel. A local attacker could possibly use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a reference counting error. A local attacker could
use this to cause a denial of service (system crash). (CVE-2022-36879)

Read More

USN-5680-1: gThumb vulnerabilities

Read Time:30 Second

It was discovered that gThumb did not properly managed
memory when processing certain image files. If a user were
tricked into opening a specially crafted JPEG file, an
attacker could possibly use this issue to cause gThumb to
crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2019-20326)

It was discovered that gThumb did not properly handled
certain malformed image files. If a user were tricked into
opening a specially crafted JPEG file, an attacker could
possibly use this issue to cause gThumb to crash, resulting
in a denial of service. (CVE-2020-36427)

Read More

Guloader Spam Indiscriminately Sent to State Elections Board

Read Time:4 Minute, 24 Second

Recently, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement – Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections (9I-100622-PSA). The focus of the PSA was to inform the public of the potential manipulation of the midterm election cycle in the United States by foreign agents using social engineering and social media disinformation tactics to influence voters and to sow discord as well.Around the same time of the announcement, FortiGuard Labs observed a Guloader campaign being sent to an elections body in the United States. Although there is no sign that they were specifically targeted, we want to highlight what’s involved in these attacks given the 2022 U.S. midterm elections in November. The infection vectors are simple malicious spam that do not rely on exploiting a vulnerability or macros.FortiGuard Labs found a campaign from a purported industrial equipment manufacturer in Indonesia, containing a malicious ISO attachment. Figure 1. Email used in this spam campaignISO email attachments are often used to avoid detection by security solutions. Clicking on the attachment triggers the ISO file. Once mounted, an EXE file-a GuLoader malware variant-becomes visible. The victim then needs to run the “Requisition order-PT. LFC Teknologi,pdf.exe” executable manually to start the infection routine. Figure 2. GuLoader file in the mounted ISO fileThis file is digitally signed via an untrusted root certificate, seen below.Figure 3. Digital signature information for “Requisition order-PT. LFC Teknologi,pdf.exe”.The GuLoader payload is a so-called first stage malware that has been seen in the wild for the past few years. It is designed to deliver a second stage payload that can be tailored to the attacker’s liking. Some reported second stage payloads include Remote Access Trojans (RATs), infostealers, and ransomware.This particular GuLoader variant reaches out to 195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java, which was no longer available at the time of the investigation. However, we believe the java file to either be a decryption key or a payload download. Another, GuLoader sample (SHA2: 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e) was submitted to VirusTotal on September 14th. This sample accesses 195[.]178[.]120[.]184/uFLBwGvx55[.]java and available OSINT suggests that the payload is the Azorult infostealer. Azorult is capable of exfiltrating data such as passwords from browsers, email, and FTP servers, and harvesting files with extensions specified by an attacker. It can also collect machine information such as user and computer name, installed programs, Windows version, and installed programs. Such stolen information can be a precursor to future attacks.Based on the traits of the GuLoader sample, FortiGuard Labs tracked down additional files involved in the same malicious spam campaign. The attacker mostly used IMG and ISO attachments along with file names in English, German, Spanish, Turkish, and Chinese. Taking a look at VirusTotal, submissions of the attachments are from the US, Czechia, China, Turkey, Germany, UK, Israel, Ireland, and Hungary. The GuLoader variant was also submitted to VirusTotal from the US, Bulgaria, Canada, China, the United Arab Emirates, and Korea. The email delivered to a board of elections in the United States was sent to a publicly available webmaster address. This indicates that the attacker sent these malicious emails to as many recipients as possible in the hope that someone would manually execute the malware. This is the first step to a potential compromise of machines related to the elections board of this United States state, and will allow the attacker to obtain a foothold to obtain unauthorized data for dissemination or simply various angles of disruption (ransomware, wiping, extortion, etc.) and even worse, perhaps sell access to an adversary for financial gain.Fortinet ProtectionsFortinet customers are already protected from the malware identified in this report through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:The following (AV) signatures detect the malware samples mentioned in this blog• NSIS/Injector.AOW!tr• W32/BHQ!tr• W32/BHQ.YXCIMZ!tr• W32/Qbot.G!tr• JS/Agent.BLOB!tr.dldr• LNK/Agent.RD!tr• JS/Starter.3A1B!tr• BAT/Starter.NIU!trThe WebFiltering client blocks all network-based URIs.Fortinet also has multiple solutions designed to help train users to understand and detect phishing threats:The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.We also suggest that organizations have their end users undergo our FREE NSE training program: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.IOCsFile IOCs (SHA2)GuLoader variants distributed in this spam campaign• 162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f• 21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb• 28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc• 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e• 70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f• 71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388• 74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229• 857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f• 9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641• 9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471• 9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808• aeca53c38a1bc40b7a53d5fcf7adceda97ac54ac56af1f161763c622c8e70d4f• b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294• b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402• bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b• cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c• d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f• ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5• e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42• e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45eEmail attachments (IMG and ISO) used to distribute GuLoader in this spam campaign• 162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f• 21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb• 28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc• 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e• 70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f• 71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388• 74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229• 857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f• 9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641• 9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471• 9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808• b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294• b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402• bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b• cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c• d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f• ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5• e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42• e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45eNetwork IOCs related to the GuLoader spam campaign• gwinaz[.]pro/PL341/index.php• kngpdrp[.]shop/PL341/index.php• chino[.]shop/PL341/index.php• www.funeralprogramsshop[.]com/e65x/

Read More

RCE Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352) Being Exploited in the Wild

Read Time:1 Minute, 43 Second

FortiGuard Labs is aware of reports that a vulnerability affecting Zimbra Collaboration Suite (CVE-2022-41352) is a newly reported zero-day and is being exploited in the wild. CVE-2022-41352 is a Remote Code Execution (RCE) vulnerability that allows an attacker to perform remote code execution on vulnerable servers.Why is this Significant?This is significant because CVE-2022-41352 is a remote code execution vulnerability which is a zero-day and is actively being exploited in the wild.Zimbra Collaboration, formerly known as Zimbra Collaboration Suite, is a cloud-based email, calendaring, and groupware solution developed by Synacor and is widely used worldwide. According to its Web site, Zimbra is used in more than 140 countries and over 1,000 government and financial institutions.What is CVE-2022-41352?The vulnerability exists due to Amavis’ (Zimbra’s Anti-virus engine) usage of “cpio” to extract archives in emails and scan contents. By leveraging the vulnerability, an attacker can gain improper access to any other Zimbra user accounts, which can lead to remote code execution.What is the CVSS Score?CVE-2022-41352 has a CVSS rating of 9.8. Zimbra rates the vulnerability as “major”.How Widespread is this?While we do not know how widespread this is, the first report of this vulnerability being exploited has been reported to be around the beginning of September 2022.What Versions of Zimbra Collaboration Suite are Vulnerable to CVE-2022-41352?Zimbra Collaboration Suite version 8.8.15 and 9.0 are vulnerable.Has the Vendor Released a Patch for CVE-2022-41352?Yes, the vendor released a patch on October 10, 2022.What is the Status of Protection?FortiGuard Labs released the following IPS signature for CVE-2022-41352:Zimbra.Collaboration.Suite.cpio.Remote.Code.Execution (default action is set to “pass”)Any Suggested Mitigation?As mitigation, Zimbra recommends installing the pax package, an utility for creating and extracting archive files, to Zimbra servers. For details, please refer to the Appendix for a link to “Security Update – make sure to install pax/spax”.

Read More