In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911
Category Archives: Advisories
CVE-2021-0735 (android)
In PackageManager, there is a possible way to get information about installed packages ignoring limitations introduced in Android 11 due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-188913056
CVE-2021-0975 (android)
In USB Manager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure of installed packages with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-180104273
CVE-2021-22289 (studio)
Improper Input Validation vulnerability in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated network attacker to execute code.
DSA-5205 samba – security update
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix.
CVE-2021-33643 (libtar, openeuler)
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.
CVE-2021-33644 (libtar, openeuler)
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.
CVE-2021-33645 (libtar, openeuler)
The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
Microsoft Patch Tuesday Fixed 0-day Arbitrary Code Execution Vulnerability (CVE-2022-34713)
Microsoft has released 141 security fixes for this month’s August 2022 release. Besides the usual security fixes, there was a zero-day of note:CVE-2022-34713: This is a vulnerability in Microsoft Support Diagnostic Tool (MSDT). Microsoft confirmed in their advisory that the vulnerability was exploited in the wild as a zero-day. CVE-2022-34713 is an arbitrary code execution (ACE) vulnerability, which requires user interaction. As such an user need to open a specifically crafted file or visit a specially designed Web site to be exploited. This has a CVSS score of 7.8 and is rated important.Why is this Significant?This is significant as Microsoft observed CVE-2022-34713 was exploited as a 0-day in the wild. Because the exploitation requires user interaction, an attacker likely uses social engineering to get users to open a specifically crafted file or visit a specially designed Web site for exploitation.How Widespread is the Attack that Leverages CVE-2022-34713?At this time, there is no information available as to how widespread the attack is. However, since the vulnerability was publicly disclosed, attacks that leverage CVE-2022-34713 may increase.Also, a similar vulnerability in MSDT (CVE-2022-30190, also known as Follina) that was patched in June 2022 by Microsoft is widely exploited in the wild. This is another indicator that likelihood of CVE-2022-34713 exploitation will likely increase.FortiGuard Labs previously released a Threat Signal for CVE-2022-30190 (Follina). See the Appendix for a link to “Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild”.Is there Any Other Vulnerability in the August Patch Tuesday that Requires Attention?Microsoft also released a patch for another vulnerability in MSDT (CVE-2022-35743). While the vulnerability was not reported nor observed to have been exploited in the wild, the Microsoft advisory states that exploitation is likely to occur. As such a patch for CVE-2022-35743 should also be applied as soon as possible. This has a CVSS score of 7.8 and is rated important.Has Microsoft Released Security Advisories for CVE-2022-34713?Yes, Microsoft has issued an advisory for the vulnerability. See the Appendix for a link to “CVE-2022-34713: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability”.Has Microsoft Released a Patch for CVE-2022-34713?Yes, Microsoft has released a patch for CVE-2022-34713 on August 9th, 2022 as part of regular MS Tuesday for the month.What is the Status of Coverage?FortiGuard Labs is investigating coverage, and will update this threat signal once any relevant updates are available.
New Ransomware “Roadsweep” Used Against Albania
FortiGuard Labs is aware of a report that Roadsweep ransomware was used against the Albanian government. Other malware Chimneysweep backdoor and ZeroCleare wiper malware were potentially used in the attack.Why is this Significant?This is significant because a new ransomware was reportedly used against the Albanian government, a member of the North Atlantic Treaty Organization (NATO). A security vendor Mandiant, with moderate confidence, attributed the attack to an unknown threat actor who supports Iran.The attack potentially involved Chimneysweep backdoor and ZeroCleare wiper malware. The former provides backdoor access to the attacker and the latter enables the threat actor to overwrite specified files, making the affected files unrecoverable.An alleged threat actor claimed responsibility for the attack on web site and telegram channel and released information supposedly belonging to the victims in Albanian government organizations on them.What is Roadsweep Malware?Roadseep is a new ransomware that encrypts files that do not have a “.exe”, “.dll”, “.sys”, “.lnk” and “.lckon” file extension on a compromised machine and adds a “.lck” file extension to them. It drops a ransom note that contains a politically inclined message and asks the victim to make a phone call to the attacker in order to decrypt the affected files. The ransom note also includes private recovery keys. What is Chimneysweep Malware?Chimneysweep is a malware that provides the attacker a backdoor access to a compromised machine. The malware connects to its C2 server and enables the remote attacker to execute commands. Such commands include capturing screenshots, downloading and executing files, downloading and installing plugins and collecting information from the compromised machine.According to Manidant, Chimneysweeper was dropped along with non-malicious Microsoft Office files or a video file by a digitally signed Self-Extracting cab file.What is ZeroCleare Malware?ZeroCleare is a destructive malware that was previously used against Middle Eastern energy companies in mid-2019. ZeroCleare is known to abuse a legitimate third-party driver for data wiping activity and is believed to have some semblance with another wiper malware “Shamoon”. According to Mandiant, a new ZeroCleare variant is capable of wiping drives specified by the attacker as opposed only wiping the system drive. That was not seen in the previous variant.This year, FortiGuard Labs published a blog on history of wiper malware that includes ZeroCleare. See the Appendix for a link to “An Overview of the Increasing Wiper Malware Threat”.What is the Status of Coverage?FortiGuard Labs detect known Ransomsweep samples with the following AV signatures:W32/Filecoder.OLZ!tr.ransomW32/Filecoder.OLZ!trFortiGuard Labs provide the following AV signatures against Chimneysweep malware:W32/Chimneysweep.A!trW32/Agent.PEI!tr.spyW32/Agent.PTQ!tr.spyW32/Generic.AC.3F197DW32/PossibleThreatPossibleThreat.MU FortiGuard Labs provide the following AV signatures against ZeroCleare malware:W32/Trojan_Win64_ZEROCLEARE.SMAW32/Trojan_Win64_ZEROCLEARE.SMBW32/Agent.XACVYS!trW32/Distrack!trW32/PossibleThreatAll network IOCs are blocked by the WebFiltering client.