A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.
Category Archives: Advisories
Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email
FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. The RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and is “Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe” in translation to English. The SSU likely stands for the Security Service of Ukraine. Why is this Significant?This is significant because given its file name, the country where the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians.What does the File Do?The file silently installs a copy of legitimate Remote Utilities software to the compromised machine. The software allows a remote user to control the compromised machine.Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker. How was the File Distributed to the Targets?Most likely via links in email.CERT-UA published a warning today that “the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack”. The email below is reported have been used in the attack.Machine translation:Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor.Report a suspicious list to ib@gng.com.ua.Security Service of UkraineGood afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 1980-22SBU-98.To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit.See the document on:hxxps://mega.nz/file/[reducted]Mirror 2: hxxps://files.dp.ua/en/[reducted]Mirror 3: hxxps://dropmefiles.com/[reducted]While the remote files were not available at the time of the investigation, the email and “Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe” are likely connected based on the email content and the file name. Can the File Attributed to a Particular Threat Actor?It’s possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in Windows’s taskbar. Since most threat actors aim to hide their activities, this is potentially an act of novice attacker who tries to take advantage of the current situation in Ukraine.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in this attack:Riskware/RemoteAdmin_RemoteUtilities
CVE-2020-4925
A security vulnerability in the Spectrum Scale 5.0 and 5.1 allows a non-root user to overflow the mmfsd daemon with requests and preventing the daemon to service other requests. IBM X-Force ID: 191599.
Kernel Level Rat “Daxin” Discovered
FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today’s announcement.What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at
the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software. Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.What Operating Systems Were Targeted?Windows operating systems.What is the Likelihood of Exploitation?Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.Is this Limited to Targeted Attacks?Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.What is the Status of Coverage?Customers running the latest AV definitions are protected by the following signatures:W32/Agent.FF56!tr.bdrW32/Backdoor.DAXIN!trW32/PossibleThreatW64/Agent.FF56!tr.bdrW64/Backdoor.DAXIN!trW64/Agent.QWHWSZ!trMalicious_Behavior.SBW32/Exforel.B!tr.bdrDx.BG3D!trW64/Agent.WT!trW32/PossibleThreat
USN-5310-1: GNU C Library vulnerabilities
Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library
iconv feature incorrectly handled certain input sequences. An attacker
could possibly use this issue to cause the GNU C Library to hang or crash,
resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 20.04 LTS. (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618,
CVE-2020-29562, CVE-2021-3326)
Jason Royes and Samuel Dytrych discovered that the GNU C Library
incorrectly handled signed comparisons on ARMv7 targets. A remote attacker
could use this issue to cause the GNU C Library to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-6096)
It was discovered that the GNU C Library nscd daemon incorrectly handled
certain netgroup lookups. An attacker could possibly use this issue to
cause the GNU C Library to crash, resulting in a denial of service. This
issue only affected Ubuntu 20.04 LTS. (CVE-2021-27645)
It was discovered that the GNU C Library wordexp function incorrectly
handled certain patterns. An attacker could use this issue to cause the
GNU C Library to crash, resulting in a denial of service, or possibly
obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-35942)
It was discovered that the GNU C Library realpath function incorrectly
handled return values. An attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 21.10.
(CVE-2021-3998)
It was discovered that the GNU C library getcwd function incorrectly
handled buffers. An attacker could use this issue to cause the GNU C
Library to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-3999)
It was discovered that the GNU C Library sunrpc module incorrectly handled
buffer lengths. An attacker could possibly use this issue to cause the GNU
C Library to crash, resulting in a denial of service. (CVE-2022-23218,
CVE-2022-23219)
kicad-6.0.2-1.fc35
FEDORA-2022-78b18981a6
Packages in this update:
kicad-6.0.2-1.fc35
Update description:
Update to 6.0.2
ZDI-22-428: (0Day) Microsoft Visual Studio Link Following Denial-of-Service Vulnerability
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Microsoft Visual Studio. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
ZDI-22-427: (0Day) Microsoft Visual Studio Link Following Denial-of-Service Vulnerability
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Microsoft Visual Studio. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
ZDI-22-426: (0Day) Microsoft .NET Link Following Denial-of-Service Vulnerability
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Microsoft .NET. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
ZDI-22-425: (0Day) Microsoft Visual Studio Link Following Denial-of-Service Vulnerability
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Microsoft Visual Studio. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.