In ffjpeg (commit hash: caade60), the function bmp_load() in bmp.c contains an integer overflow vulnerability, which eventually results in the heap overflow in jfif_encode() in jfif.c. This is due to the incomplete patch for issue 38

**version**: master (commit caade60)  
**poc**: poc  
**command**: ./ffjpeg -e $poc$

Here is the trace reported by ASAN:

    user@c3ae4d510abb:/path_to_ffjpeg/src$ ./ffjpeg -e poc
    =================================================================
    ==17827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000148 at pc 0x555555567e84 bp 0x7fffffffe120 sp 0x7fffffffe110
    READ of size 1 at 0x612000000148 thread T0
        #0 0x555555567e83 in jfif_encode /path_to_ffjpeg/src/jfif.c:763
        #1 0x555555556c63 in main /path_to_ffjpeg/src/ffjpeg.c:33
        #2 0x7ffff73bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #3 0x55555555704d in _start (/path_to_ffjpeg/src/ffjpeg+0x304d)
    
    0x612000000148 is located 0 bytes to the right of 264-byte region [0x612000000040,0x612000000148)
    allocated by thread T0 here:
        #0 0x7ffff769abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x555555557987 in bmp_load /path_to_ffjpeg/src/bmp.c:48
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /path_to_ffjpeg/src/jfif.c:763 in jfif_encode
    

This issue is the same as #38, but the fix to it (0fa4cf8) is not complete. An integer overflow is still possible in line 43. In the example below, when width=1431655779, pb->stride=44 which bypasses the check in line 44. This will lead to a heap buffer flow in jfif.c as in the ASAN report above.

pb->width = (int)header.biWidth > 0 ? (int)header.biWidth : 0;

pb->height = (int)header.biHeight > 0 ? (int)header.biHeight : 0;

pb->stride = ALIGN(pb->width \* 3, 4);

if ((long long)pb->stride \* pb->height >= 0x80000000) {

printf("bmp's width \* height is out of range !\\n");

goto done;

}

    pwndbg> p pb
    $3 = (BMP *) 0x7fffffffe370
    pwndbg> p *(BMP *) 0x7fffffffe370
    $4 = {
      width = 1431655779,
      height = 6,
      stride = 44,
      pdata = 0x555555576490
    }
    

I cannot reproduce the crash with the provided poc file.

    ❯ ./bin_asan/bin/ffjpeg -e ffjpeg-bmp_load-integer-overflow
    =================================================================
    ==2742398==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x1555555c00 bytes
        #0 0x4c5587 in calloc /home/ubuntu178/Downloads/llvm12/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
        #1 0x507342 in jfif_encode /home/ubuntu178/cvelibf/test/ffjpeg/caade60/build_asan/src/jfif.c:749:21
        #2 0x4fc0bf in main /home/ubuntu178/cvelibf/test/ffjpeg/caade60/build_asan/src/ffjpeg.c:33:16
        #3 0x7fa4e61cb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==2742398==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /home/ubuntu178/Downloads/llvm12/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3 in calloc
    ==2742398==ABORTING
    ❯ ASAN_OPTIONS="allocator_may_return_null=1" ./bin_asan/bin/ffjpeg -e ffjpeg-bmp_load-integer-overflow
    ❯ ls
    bin_afl    bin_asan    build.sh   build_aflpp  build_normal  decode.bmp  ffjpeg-bmp_load-integer-overflow  
    bin_aflpp  bin_normal  build_afl  build_asan   code          encode.jpg  ffjpeg-jfif_load-buffer-overflow
    

I tested with gdb and find that the poc did not pass the check in jfif.c:752 and with poc the program does not execute the jfif.c:763.

    (gdb) set args -e ./ffjpeg-bmp_load-integer-overflow 
    (gdb) b jfif.c:752
    Breakpoint 1 at 0x48f9: file jfif.c, line 752.
    (gdb) r
    Starting program: /home/ubuntu178/cvelibf/test/ffjpeg/caade60/bin_normal/bin/ffjpeg -e ./ffjpeg-bmp_load-integer-overflow 
    
    Breakpoint 1, jfif_encode (pb=0x7fffffffdd40) at jfif.c:752
    752         if (!yuv_datbuf[0] || !yuv_datbuf[1] || !yuv_datbuf[2]) {
    (gdb) p *(BMP *) pb
    $1 = {width = 1431655779, height = 6, stride = 44, pdata = 0x555555561490}
    (gdb) n
    753             goto done;
    (gdb) 
    850         if (yuv_datbuf[0]) free(yuv_datbuf[0]);
    (gdb) p yuv_datbuf[0]
    $2 = (int *) 0x0
    

Tested in Ubuntu 20.04, 64bit; Clang 12.0.0.

Did you copy-paste the file from browser? The poc contains special characters in the end.

    ❯ xxd ffjpeg-bmp_load-integer-overflow
    00000000: 5f55 5555 5555 553d 3635 7155 5555 5455  _UUUUUU=65qUUUTU
    00000010: 5555 6355 5555 0600                      UUcUUU..
    

ps: I tried to copy the PoC from browser and encountered the same output as you :)  
Maybe you could try download the PoC with the RAW link

My test environment is

    user@c3ae4d510abb:$ cat /etc/issue
    Ubuntu 20.04.4 LTS \n \l
    
    user@c3ae4d510abb:$ gcc --version
    gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    

The poc file is downloaded from the browser, but the xxd shows same result as yours:

    ❯ xxd ffjpeg-bmp_load-integer-overflow
    00000000: 5f55 5555 5555 553d 3635 7155 5555 5455  _UUUUUU=65qUUUTU
    00000010: 5555 6355 5555 0600                      UUcUUU..
    

And I use the wget to download the poc file and get the same result:

    ❯ wget https://github.com/dandanxu96/PoC/raw/main/ffjpeg/ffjpeg-bmp_load-integer-overflow
    --2022-04-01 11:53:22--  https://github.com/dandanxu96/PoC/raw/main/ffjpeg/ffjpeg-bmp_load-integer-overflow
    Resolving github.com (github.com)... 20.205.243.166
    Connecting to github.com (github.com)|20.205.243.166|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://raw.githubusercontent.com/dandanxu96/PoC/main/ffjpeg/ffjpeg-bmp_load-integer-overflow [following]
    --2022-04-01 11:53:23--  https://raw.githubusercontent.com/dandanxu96/PoC/main/ffjpeg/ffjpeg-bmp_load-integer-overflow
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8002::154, 2606:50c0:8001::154, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 24 [application/octet-stream]
    Saving to: ‘ffjpeg-bmp_load-integer-overflow.1’
    
    ffjpeg-bmp_load-integer-overflow. 100%[===========================================================>]      24  --.-KB/s    in 0s      
    
    2022-04-01 11:53:24 (1.21 MB/s) - ‘ffjpeg-bmp_load-integer-overflow.1’ saved [24/24]
    
    ❯ xxd ffjpeg-bmp_load-integer-overflow.1
    00000000: 5f55 5555 5555 553d 3635 7155 5555 5455  _UUUUUU=65qUUUTU
    00000010: 5555 6355 5555 0600                      UUcUUU..
    ❯ ./bin_asan/bin/ffjpeg -e ffjpeg-bmp_load-integer-overflow.1
    =================================================================
    ==2755917==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x1555555c00 bytes
        #0 0x4c5587 in calloc /home/ubuntu178/Downloads/llvm12/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
        #1 0x507342 in jfif_encode /home/ubuntu178/cvelibf/test/ffjpeg/caade60/build_asan/src/jfif.c:749:21
        #2 0x4fc0bf in main /home/ubuntu178/cvelibf/test/ffjpeg/caade60/build_asan/src/ffjpeg.c:33:16
        #3 0x7f54a11b10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==2755917==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /home/ubuntu178/Downloads/llvm12/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3 in calloc
    ==2755917==ABORTING
    ❯ ASAN_OPTIONS="allocator_may_return_null=1" ./bin_aflpp/bin/ffjpeg -e ffjpeg-bmp_load-integer-overflow.1
    ❯ ls
    bin_afl    bin_normal  build_aflpp   code        ffjpeg-bmp_load-integer-overflow  
    bin_aflpp  build.sh    build_asan    decode.bmp  ffjpeg-bmp_load-integer-overflow.1  
    bin_asan   build_afl   build_normal  encode.jpg  ffjpeg-jfif_load-buffer-overflow
    ❯ sha1sum ./ffjpeg-bmp_load-integer-overflow
    3bc9c74cee80ff2a5c7c837f3d26abd5d7ae7205  ./ffjpeg-bmp_load-integer-overflow
    ❯ sha1sum ./ffjpeg-bmp_load-integer-overflow.1
    3bc9c74cee80ff2a5c7c837f3d26abd5d7ae7205  ./ffjpeg-bmp_load-integer-overflow.1
    

I am doing research about vulnerability reproduction and analysis. Could you please provide more information, such as how you compile the target program?

Thanks for any reply!

The complete compilation process is as follows. Feel free to ask if you encountered any problems.

    user@c3ae4d510abb:$ git clone https://github.com/rockcarry/ffjpeg.git ffjpeg-caade60
    Cloning into 'ffjpeg-caade60'...
    remote: Enumerating objects: 438, done.
    remote: Counting objects: 100% (88/88), done.
    remote: Compressing objects: 100% (62/62), done.
    remote: Total 438 (delta 52), reused 52 (delta 26), pack-reused 350
    Receiving objects: 100% (438/438), 191.18 KiB | 1.86 MiB/s, done.
    Resolving deltas: 100% (259/259), done.
    
    user@c3ae4d510abb:$ cd ffjpeg-caade60/
    user@c3ae4d510abb:$ ls
    LICENSE  Makefile  README  docs  msvc  src
    
    user@c3ae4d510abb:$ vim src/Makefile
    CC      = gcc
    AR      = ar
    - CCFLAGS = -Wall
    + CCFLAGS = -Wall -g -fsanitize=address
    
    user@c3ae4d510abb:$ make -j
    src
    make -C src
    make[1]: Entering directory 'ffjpeg-caade60/src'
    gcc -Wall -g -fsanitize=address -o color.o color.c -c
    gcc -Wall -g -fsanitize=address -o dct.o dct.c -c
    gcc -Wall -g -fsanitize=address -o quant.o quant.c -c
    gcc -Wall -g -fsanitize=address -o zigzag.o zigzag.c -c
    gcc -Wall -g -fsanitize=address -o bitstr.o bitstr.c -c
    gcc -Wall -g -fsanitize=address -o huffman.o huffman.c -c
    gcc -Wall -g -fsanitize=address -o bmp.o bmp.c -c
    gcc -Wall -g -fsanitize=address -o jfif.o jfif.c -c
    gcc    -c -o ffjpeg.o ffjpeg.c
    ar rcs libffjpeg.a color.o dct.o quant.o zigzag.o bitstr.o huffman.o bmp.o jfif.o
    gcc -Wall -g -fsanitize=address -o ffjpeg ffjpeg.o libffjpeg.a
    make[1]: Leaving directory 'ffjpeg-caade60/src'
    
    user@c3ae4d510abb:$ ./src/ffjpeg -e ../ffjpeg-bmp_load-integer-overflow
    =================================================================
    ==16175==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000148 at pc 0x55555555e71e bp 0x7fffffffe190 sp 0x7fffffffe180
    READ of size 1 at 0x612000000148 thread T0
        #0 0x55555555e71d in jfif_encode ffjpeg-caade60/src/jfif.c:763
        #1 0x555555556771 in main (ffjpeg-caade60/src/ffjpeg+0x2771)
        #2 0x7ffff73bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #3 0x55555555656d in _start (ffjpeg-caade60/src/ffjpeg+0x256d)
    
    0x612000000148 is located 0 bytes to the right of 264-byte region [0x612000000040,0x612000000148)
    allocated by thread T0 here:
        #0 0x7ffff769abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x555555556c26 in bmp_load ffjpeg-caade60/src/bmp.c:48
        #2 0x55555555673a in main (ffjpeg-caade60/src/ffjpeg+0x273a)
        #3 0x7ffff73bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    

I can't reproduce it either.

CVE-2022-28471: Integer overflow in bmp_load() resulting in heap overflow in jfif_encode() at jfif.c:763 · Issue #49 · rockcarry/ffjpeg

Uncontrolled search path elements in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® VTune™ Profiler Advisory**

**Summary:**

A potential security vulnerability in the Intel® VTune™ Profiler software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21807

Description: Uncontrolled search path elements in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® VTune™ Profiler software before version 2022.2.0.

**Recommendation:**

Intel recommends updating the Intel® VTune™ Profiler software to version 2022.2.0 or later.

Updates are available for download at this location: https://www.intel.com/content/www/us/en/developer/tools/oneapi/vtune-profiler-download.html

**Acknowledgements:**

Intel would like to thank @j00sean for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21807: INTEL-SA-00658

Uncontrolled search path in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® VTune™ Profiler Advisory**

**Summary: **

A potential security vulnerability in the Intel® VTune™ Profiler software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26028

Description: Uncontrolled search path in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® VTune™ Profiler software before version 2022.2.0.

**Recommendations:**

Intel recommends updating the Intel® VTune™ Profiler to version 2022.2.0.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/vtune-profiler-download

**Acknowledgements:**

Intel would like to thank houjingyi for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26028: INTEL-SA-00676

Improper authentication in the Intel(R) SDP Tool before version 3.0.0 may allow an unauthenticated user to potentially enable information disclosure via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SDP Tool Advisory**

**Summary: **

A potential security vulnerability in the Intel® Server Debug and Provisioning (SDP) Tool may allow information disclosure.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26508

Description: Improper authentication in the Intel(R) SDP Tool before version 3.0.0 may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

**Affected Products:**

Intel® SDP Tool software before version 3.0.0.

**Recommendations:**

Intel recommends updating the Intel® SDP Tool software to version 3.0.0 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19092/intel-server-debug-and-provisioning-tool-intel-sdp-tool.html

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Xu, Qianjin, Ul Islam and Mohammed Mujahid.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26508: INTEL-SA-00710

Improper input validation in the Intel(R) Distribution of OpenVINO(TM) Toolkit may allow an authenticated user to potentially enable denial of service via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Distribution of OpenVINO™ Toolkit Advisory**

**Summary: **

A potential security vulnerability in the Intel® Distribution of OpenVINO™ Toolkit software may allow denial of service.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-26251

Description: Improper input validation in the Intel(R) Distribution of OpenVINO(TM) Toolkit may allow an authenticated user to potentially enable denial of service via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Intel® Distribution of OpenVINO™ Toolkit before version 2021.4.2.

**Recommendations:**

Intel recommends updating the Intel® Distribution of OpenVINO™ Toolkit to version 2021.4.2 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/openvino-toolkit/download.html

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Dariusz Trawinski and Adrian Tobiszewski.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-26251: INTEL-SA-00642

Improper access control in the Intel(R) OFU software before version 14.1.28 may allow an authenticated user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® OFU Software Advisory**

**Summary: **

A potential security vulnerability in the Intel® One Boot Flash Utility (OFU) software may allow denial of service.  Intel is releasing software updates to mitigate this potential vulnerability.  
 

**Vulnerability Details:**

CVE-2021-33104

Description: Improper access control in the Intel(R) OFU software before version 14.1.28 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

**Affected Products:**

Intel® OFU software before version 14.1.28.  
 

**Recommendations:**

Intel recommends updating Intel® OFU software to version 14.1.28 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19032/intel-one-boot-flash-update-intel-ofu-utility-for-intel-server-boards-and-intel-server-systems-based-on-intel-62x-chipset.html  
 

**Acknowledgements:**

Intel would like to thank Rajat Gupta, security researcher at SecLab, UC Santa Barbara, USA for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33104: INTEL-SA-00769

Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Software Studio Service Installer Advisory**

**Summary: **

A potential security vulnerability in the Intel® NUC Software Studio Service installer may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-38103

Description: Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access

CVSS Base Score:  6.7 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® NUC Software Studio Service before version 1.17.38.0.

**Recommendations:**

Intel recommends updating the Intel® NUC Software Studio Service to version 1.17.38.0 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19691/intel-nuc-software-studioservice.html?wapkw=service

**Acknowledgements:**

Intel would like to thank Aobo Wang for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-38103: INTEL-SA-00854

Uncontrolled search path in the Intel(R) Unite(R) Plugin SDK before version 4.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Unite® Plugin SDK Advisory**

**Summary:**

A potential security vulnerability in the Intel® Unite® Plugin Software Development Kit (SDK) may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-32576

Description: Uncontrolled search path in the Intel(R) Unite(R) Plugin SDK before version 4.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Unite® Plugin SDK before version 4.2.

**Recommendations:**

Intel recommends updating the Intel® Unite® Plugin SDK to version 4.2 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/18358/28323/intel-unite-app-plug-in-software-development-kit.html

**Acknowledgements:**

Intel would like to thank @j00sean for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-32576: INTEL-SA-00723

Improper access control in the Intel(R) Solid State Drive Toolbox(TM) before version 3.4.5 may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Solid State Drive Toolbox™ Escalation of Privilege Vulnerability**

Intel ID: 

INTEL-SA-00074

Product family: 

Intel® Solid State Drive Toolbox™

Impact of vulnerability: 

Elevation of Privilege

Severity rating: 

Important

Original release: 

May 30, 2017

Last revised: 

May 30, 2017

**Summary:** 

There is an escalation of privilege vulnerability in the Intel® Solid State Drive Toolbox™ versions before 3.4.5 which allow a local administrative attacker to load and execute arbitrary code. 

**Description:** 

There is an escalation of privilege vulnerability in the Intel® Solid State Drive Toolbox™ versions before 3.4.5 which allow a local administrative attacker to load and execute arbitrary code. 

*   ·        CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H (High 7.7)

**Affected products:** 

Intel® Solid State Drive Toolbox™ all versions before 3.4.5

**Recommendations:** 

Intel recommends all users of Affected Products to update to Intel® Solid State Drive Toolbox™ version 3.4.5 and later from https://downloadcenter.intel.com

**Acknowledgements:** 

Intel would like to thank Stefan Kanthak for reporting this issue and working with us on coordinated disclosure.

Revision

Date

Description

1.0

30-May-2017

Initial Release

1.1

09-May-2023

CVE Number Update

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-31199: INTEL-SA-00074

The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us