Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
Version 1.10.25 – 2022-01-21
Fixed selfupdate on Windows + PHP 8.1 regression (#10446)
Version 1.10.24 – 2021-12-09
Added v1 deprecation warning when running install. Please make sure you upgrade to Composer 2, see https://blog.packagist.com/deprecating-composer-1-support/
Fixed PHP 8.1 compatibility
Fixed some more Windows CLI parameter escaping edge cases
Version 1.10.23 – 2021-10-05
Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)
Microsoft has released over 117 security fixes for this month’s April 2022 release. Besides the usual security fixes, there were two zero days of note and they are:CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service. This is an EoP (elevation of privilege) vulnerability. However, exploitation has not been seen in the wild and requires a race condition to successfully exploit. This has a CVSS score of 7.0.CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System (CLFS) Driver. This bug has been reported by Microsoft as being actively exploited in the wild. This vulnerability was reported by the NSA and Crowdstrike to Microsoft after being observed to have been used in active attacks. This has a CVSS score of 7.8.On a side note, another CLFS vulnerability (CVE-2022-24481) was disclosed but it was not reported to be a zero day.Why is this Significant?This is significant as CVE-2022-24521 was exploited as a 0-day in the wild. Exploiting CVE-2022-24521 provides elevated privileges to an attacker, and as such the security bug was likely leveraged in conjunction with an unspecified code execution vulnerability.How Widespread is the Attack that Leverages CVE-2022-24521?At this time, there is no information available as to how widespread the attack is. However, since the vulnerability was publicly disclosed, attacks that leverage CVE-2022-24521 may increase.Is there Any Other Vulnerability in the April Patch Tuesday that Requires Attention?Microsoft also released a patch for another escalation of privilege vulnerability (CVE-2022-24481). While the vulnerability was not reported nor observed to have been exploited in the wild, the Microsoft advisory states that exploitation is likely to occur. As such a patch for CVE-2022-24481 should also be applied as soon as possible. It is important to note that this CVE was not a zero day.Has Microsoft Released Security Advisories for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has issued advisories for both vulnerabilities. See the Appendix for a link to “CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability” and “CVE-2022-24481: Windows Common Log File System Driver Elevation of Privilege Vulnerability”.Has Microsoft Released a Patch for CVE-2022-24521 and CVE-2022-24481?Yes, Microsoft has released a patch for both vulnerabilities on April 12nd, 2022 as part of regular MS Tuesday for the month.What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-24521 in version 20.295:MS.Windows.CVE-2022-24521.Privilege.Elevation (default action is set to pass)FortiGuard Labs has released the following IPS signature for CVE-2022-24481 in version 20.295:MS.Windows.CVE-2022-24481.Privilege.Elevation (default action is set to pass)
FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here. This is a current news event, further details will be published when available.What are the Technical Details of this Attack?Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks. Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.What Operating Systems are Affected?Windows, Linux and Solaris systems are affected.What is the Severity of this Attack?Medium. This is limited specifically to targeted attacks.What is the Status of Coverage?FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:W32/Agent.AECG!trData/KillDisk.NDA!trAll network IOC’s are blocked by the WebFiltering client.
A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)
A CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
A CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
USN-5378-1 fixed a vulnerability in Gzip. This update provides
the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.
Original advisory details:
Cleemy Desu Wayo discovered that Gzip incorrectly handled certain
filenames. If a user or automated system were tricked into performing zgrep
operations with specially crafted filenames, a remote attacker could
overwrite arbitrary files.