Uncaptured exceptions in the home screen module. Successful exploitation of this vulnerability may affect stability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the September 2022 Android security bulletin:

Critical: none

High: CVE-2022-20395, CVE-2022-22822, CVE-2022-23852, CVE-2022-23990, CVE-2022-25314, CVE-2022-25704, CVE-2022-22095, CVE-2021-0697, CVE-2021-0871, CVE-2021-0942, CVE-2021-0943, CVE-2022-25670

Medium: CVE-2022-28388, CVE-2022-20254, CVE-2022-20268, CVE-2022-20274, CVE-2022-20308, CVE-2022-20325, CVE-2022-20331

Low: none

Already included in previous updates: CVE-2022-20361, CVE-2022-20082, CVE-2022-20081, CVE-2021-39765, CVE-2022-25657, CVE-2022-22082, CVE-2022-22083, CVE-2022-22084, CVE-2022-22085, CVE-2022-22086, CVE-2022-22087, CVE-2021-0698, CVE-2021-0887, CVE-2021-0891, CVE-2021-0946, CVE-2021-0947, CVE-2021-39815, CVE-2022-20122

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40017: Vunerability of not verifying the validity of the key's format in the HW\_KEYMASTER module

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-46839: Lack of length check vulnerability in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2021-46840: Out-of-bounds access vulnerability in parameter set verification of the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-38983: UAF vulnerability in the BT Hfp Client module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause arbitrary code execution.

CVE-2022-38984: Vulnerability of not verifying the data transferred by kernel space in the HIPP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause out-of-bounds read, affecting confidentiality.

Acknowledgment: Wen Guanxing

CVE-2022-38985: Input verification vulnerability in the facial recognition module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38986: Vulnerability of bypassing the check of data transferred by kernel space in the HIPP module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access to the HIPP module and page table tampering, affecting device confidentiality and availability.

Acknowledgment: Wen Guanxing

CVE-2022-38998: Vulnerability of not verifying the data transferred by kernel space in the HISP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause out-of-bounds read, affecting confidentiality.

Acknowledgment: Wen Guanxing

CVE-2022-39011: Vulnerability of bypassing the check of data transferred by kernel space in the HISP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access to the HISP module.

Acknowledgment: Wen Guanxing

CVE-2022-41576: boot.sh script that can be modified by malicious programs in the rphone module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can cause irreversible program implantation on the user's device.

CVE-2022-41577: Vulnerability that kernel space does not verify the length of the data transferred by user space

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Out-of-bounds read may occur in the kernel, affecting device confidentiality and availability.

CVE-2022-41578: Out-of-bounds write vulnerability in the mptcp module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause attack programs to modify program information to implement root privilege escalation attacks.

CVE-2022-41580: Vulnerability of not verifying the read content in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-41581: Vulnerability of not verifying the read content in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-41582: Configuration defects.in the security module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-41583: Array out-of-bounds read vulnerability in the storage maintenance and debugging module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause some statistics of the module to be abnormal.

CVE-2022-41584: Out-of-bounds read vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause memory overwritting.

CVE-2022-41585: Out-of-bounds read vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause memory overwritting.

CVE-2022-41586: Untruncated data vulnerability in the communication framework module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-41587: Uncaptured exceptions in the home screen module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect stability.

CVE-2022-41588: Service logic exception vulnerability in the home screen module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2022-41589: Interface misuse vulnerability in the Maple DFX stack module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability can affect system services and device availability.

CVE-2022-41592: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41593: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41594: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41595: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41597: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41598: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41600: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41601: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41602: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41603: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41587: October

The US House of Representatives voted on Friday to extend the Section 702 spy program. It passed without an amendment that would have required the FBI to obtain a warrant to access Americans’ information.

A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized.

After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community’s spy powers, the House of Representatives voted on Friday to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two years.

Legislation extending the program—controversial for being abused by the government—passed in the House in a 273–147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each with the “compelled assistance” of US communications providers.

The government may strictly target foreigners believed to possess “foreign intelligence information,” but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge’s permission.

The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger—one of the few people to advise the Foreign Intelligence Surveillance Court (FISC)—have publicly warned against.

“Anti-reformers not only are refusing common-sense reforms to FISA, they’re pushing for a major expansion of warrantless spying on Americans,” US senator Ron Wyden tells WIRED. “Their amendment would force your cable guy to be a government spy and assist in monitoring Americans’ communications without a warrant.”

The FBI’s track record of abusing the program kicked off a rare détente last fall between progressive Democrats and pro-Trump Republicans—both bothered equally by the FBI’s targeting of activists, journalists, and a sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would’ve imposed new warrant requirements on federal agencies accessing Americans’ 702 data.

“Many members who tanked this vote have long histories of voting for this specific privacy protection,” says Sean Vitka, policy director at the civil-liberties-focused nonprofit Demand Progress, “including former speaker Pelosi, Representative Lieu, and Representative Neguse.”

The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

“Three million Americans' data was searched in this database of information,” says Representative Jim Jordan, chair of the House Judiciary Committee. “The FBI wasn't even following its own rules when they conducted those searches. That's why we need a warrant.”

Representative Mike Turner, who chairs the House Intelligence Committee, campaigned alongside top spy agency officials for months to defeat the warrant amendment, arguing they’d cost the bureau precious time and impede national security investigations. The communications are legally collected and already in the government's possession, Turner argued; no further approval should be required to inspect them.

“The United States is at its greatest risk of terrorism in more than a decade following the horrific October 7th attack on Israel, and the \[intelligence community\] must focus attention and resources on that threat while continuing to stay ahead of China,” Turner and Jim Himes, the top Democrat on the House Intelligence Committee, said in a joint statement after the vote, adding that 702 remains one of the country's most effective national security tools.

“It allows the United States to counter our adversaries, like China and Russia, thwart potential terrorist attacks from ISIS, Al-Qaeda, Hamas, and Hezbollah, and disrupt international drug cartels who are looking to smuggle fentanyl into our nation,” they said.

The FBI introduced a slate of new internal policies to clamp down on the abuse itself, changes that the Biden administration argues are sufficient to ward off future abuse. Knowingly searching the database for information about Americans requires analysts—who must now submit to annual training sessions—to seek approval from higher up the chain of command than before. Running batch queries targeting Americans’ communications now requires a consultation with a government attorney.

While opposing the search warrants, Turner backed a ban on searches of 702 data for criminal cases that lack any foreign element. While that amendment has been welcomed by members on both sides of the issue, privacy hawks say the ban is not quite the major reform that Turner has proclaimed. Data on the program made public by the FISC suggests the ban will in reality affect less than a handful of cases each year.

Critics of the program say that relying on the FBI to internally police against its own constitutional violations is a tactic that has failed in the past, and that the bureau can no longer be trusted not to spy on Americans without cause.

“Section 702 has been abused under presidents from both political parties, and it has been used to unlawfully surveil the communications of Americans across the political spectrum,” says Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union. “The Senate must add a warrant requirement and rein in this out-of-control government spying.”

Judiciary members had also sought to include an amendment banning the government from buying Americans' geolocation data from private companies. At Turner’s behest, House speaker Mike Johnson killed the amendment earlier in the week.

The US Supreme Court has recognized geolocation data as protected from seizure by the “probable cause” standard. Rather than begin applying for warrants, the government has circumvented the ruling in many cases, buying up GPS data from companies that consumers largely believe are tracking them purely for advertising purposes.

“They’re buying data. That’s what they’re doing,” says Warren Davidson, a Republican congressperson from Ohio. “They’re structuring markets to collect the data and they’re circumventing the Fourth Amendment. We need to turn that off.”

House Votes to Extend—and Expand—a Major US Spy Program

Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication.**Note:**This issue is a result of missing checks for services that require an active session.

Expand Up

@@ -51,6 +51,9 @@ def \_\_str\_\_(self):

async def get\_endpoints(self, params\=None, sockname\=None):

return await self.iserver.get\_endpoints(params, sockname)

  

def is\_activated(self) \-> bool:

return self.state \== SessionState.Activated

  

async def create\_session(self, params, sockname\=None):

self.logger.info('Create session request')

result \= ua.CreateSessionResult()

Expand Down

CVE-2023-26150: check if session is active · FreeOpcUa/opcua-asyncio@b4106df

The US has to adapt its own policies to counter the push, warns former DocuSign CEO and Under Secretary of State Keith Krach.

Despite the block on information flowing from China, stories about the nation's surveillance state have leaked out. From social credit scores and online censorship to electronic billboards that display a citizen's "violations" like jaywalking, surveillance is a part of everyday life for millions of Chinese people.

China is increasingly exporting not only its technology but the authoritarian values that underpin them, and this spread must be contained before it moves through more of the world, says Keith Krach, who served as DocuSign CEO from 2009 to 2019 before becoming Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration in June 2019.

Krach, who continues to advise the administration of President Joe Biden and leads the Krach Institute for Tech Diplomacy at Purdue University, was nominated for the 2022 Nobel Peace Prize for his work on China. He recently spoke with Dark Reading about China's tech-centered authoritarianism, how the country is embedding its values in its exports, and what the US must do with its own tech policies to keep a moral high ground.

This interview has been condensed for length and clarity.

    

Source: Keith Krach

**Q: You've dedicated much of your career to fighting against "techno-authoritarianism." How do you define that term? What activities rise to the level of authoritarianism?**

**Krach:** Our rivals are playing the long game in what's a four-dimensional game of military, economic, diplomatic, and cultural chess — and the crossroads, the main battleground, is technology. It all intersects there. So here's what techno-authoritarianism is in the simplest \[terms\]: It is using technology for bad instead of for good. That could be a surveillance state, dangerous military weapons, or whatever else is done for bad.

You can think of it as sort of the opposite of what we \[in the United States\] honor as a nation and in the free world at large: respecting things like the rule of law, property of all kinds, nations' sovereignty, human rights, the environment, the press. Those good principles of collaboration, like transparency, reciprocity, accountability — these are things that we honor.

But these are things that China, Russia, the authoritarians don't live by. Instead they \[rule by\] a power principle: cooperation, coercion, concealment, intimidation, retaliation, retribution. And what \[affects us all\] is that when someone doesn't play by the rules, it's no longer a free market; it's a fool's market. For example, let's say you're a Silicon Valley CEO, and I'm a Chinese company. I can steal your intellectual property, I don't have to be transparent, I can use slave labor, I can use cheap energy from big coal-fired power plants.

I don't have to obey the law — or to be \[more precise\], I _am_ the law. How can you possibly compete? I'll beat you every time. So we've got to do something about it.

**Q: You've been particularly vocal about techno-authoritarianism in China — to the extent that you can no longer visit or do business there after officials sanctioned you and your family** **\[among other former Trump officials\] last year.**

**Can you provide context on the extent of Chinese surveillance? It's especially present in Xinjiang, where authorities closely track the habits and activities of millions of Uyghurs, a Muslim minority group in the city. The US is among several countries to accuse China of committing genocide** **of the Uyghurs, but surveillance happens all over the country in varying degrees.**

**Krach:** Oh, it's literally George Orwell's _1984_. They use technology to intimidate, and there is no privacy anymore. To the extent that in Beijing and a lot of the big cities, they have these big TV-like electronic billboards where they show, for example, if somebody jaywalks crossing the street. They'll flash your picture up there, they'll show how many violations they have, all this kind of personal stuff. They know exactly where people are doing, what people are spending, I mean ... everything. They assign people social credit scores based on their behavior and decide what you can and can't do.

It creates a paranoid society where everybody feels watched, and nobody trusts anyone — because there's also incentives for turning people in for violations. It's just a nasty, nasty way to live.

**Q: Chinese authorities, of course, say this surveillance is for the good of the people. They're leveraging technology in all sorts of new projects, including so-called safe cities** **underpinned by \[Chinese telecom\] Huawei that harness all kinds of data about people's activities — ostensibly created to be like what we call smart cities here, helping get ambulances to car accidents faster and assisting police in stopping crime. But in actuality, according to groups like the bipartisan Center for Strategic and International Studies, they're tracking facial recognition and license plate data, monitoring social media, and stomping out dissent.**

**Krach:** These wired cities are a Trojan horse, the same way that what they're doing in Xinjiang is a proving ground. It's beta testing for all this stuff to roll out in China and to export elsewhere. So Xinjiang is literally a glance into the future.

China is essentially exporting a "dictatorship-in-a-box" when they send their surveillance tools \[overseas\]. These are tools that the worst of dictators could have only dreamed up. And that's the stuff that enables genocide: the whole surveillance state, literally thought control. I call it China's Great One-Way Firewall, where all the data comes in for their own use. Propaganda goes out, but the truth does not come in. That's why \[China's President\] Xi \[Jinping\] is just obsessed with technology. His biggest obsession is the semiconductor business because he knows that's the foundation of everything.

**Q: Several countries, including Kyrgyzstan and Ecuador, have adopted Chinese-made surveillance tech. That's in part because China has worked to offer less-funded governments functional and more affordable semiconductors and 5G technologies. When China exports this technology, it seems that in many cases they're exporting the values behind them as well. How can that spread of authoritarianism be stopped?**  

**Krach:** I'll take you inside what happened with 5G for an example. You heard about the 5G race all the time a couple of years ago because it looked like China's most important \[tech\] company Huawei was going to run the table for 5G. They announced 91 5G deals, 47 in Europe. So \[in the US government\] we're hitting the panic button. 5G controls are much more than cell phones: It's utility grids, Internet of Things, people's personal data, the government's more precious secrets.

Right around February 2020 \[when I was Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration\], it seemed US efforts to stop it were failing. So our team got the authority to make a last-ditch effort to defeat their 5G master plan. We combined our team with some of the greatest Foreign Service officers, and it was like magic with that diversity of thought.

What we heard was that \[US\] government guys going around the world, saying, "Don't buy Huawei." And I go, "That's the dumbest thing I've ever heard." If I'm a CEO, I'd say to my chief of staff, "Hey, let's check out Huawei. They must have something good." So I said, "Why don't we treat the countries, the telcos, like customers? The customer's always right, and to get a customer, you must have a value proposition. Why should they partner with us if they don't get anything out of it?"

In my first 60 bilateral \[meetings\] I had as under secretary, I asked all these governments, "How's your relationship with China?" They'd say, "Oh, they're a really important trading partner." And then they'd look both ways, as if someone was there, and add, "But we don't trust them." That rang bells in my head. Because trust is the basis of every relationship — personal, business, or otherwise. You buy from people you trust. You partner with people you trust. So we went around to the CEOs of these foreign telcos and said, "Do you want to give your government's and citizens' data to a country that requires any company to turn information over to the Chinese Communist Party? Or do you want to partner with someone you trust?"

We created a digital standard of trust, called the Trust Principle, built on principles like respect for human rights and collaboration. And that was the basis for what we did with the Clean Network, a group of 60 countries that represent two-thirds of the world's global GDP, \[along with\] 200 telcos and a whole host of companies that were committed to building a 5G system completely free of bad actors and dedicated to fair principles.

It's not an anti-China thing. It's your choice: You can either be locked out of 70% of the market, or you can change the way that you do business. That moral high ground is key. In one move, we took those things that they were using against us and weaponized the very principles that protect our freedoms. In less than a year, those 91 \[Huawei\] 5G deals dropped by \[dozens and dozens\].

    

Source: Keith Krach

**Q. I want to turn the lens inward now because ideas like the Trust Principle and the Clean Network depend on maintaining that moral high ground — and they're built on essentially what we think of as fundamental American ideals — but in reality, the US has participated in surveillance itself. And in the private sector, plenty of US tech companies have had their own issues with data privacy and security, with many of their businesses based on supplying free services and monetizing the data their users provide. Can we have a leg to stand on unless we reform our own practices here in the States?**

**Krach:** It's an interesting and important question. Most people have never heard of this position, but I was the US/EU ombudsman for the data privacy shield. Now what that meant was after the Snowden episode, the Europeans go, "You know, we don't want you guys to do it again." And so they came up with a one-way data privacy shield: From a governance standpoint, if the United States snooped on a European and the Europeans found out about it, then they had a mechanism where they take it to the EU, they'd sort it out, and then it would come directly to me. There was nobody in the executive branch overseeing me on this, to be honest — it was straight with the judicial branch, and those guys were serious. "We're gonna prosecute come hell or high water. Patriotism thrown out the door; you've got to do what's right." And that was an interesting thing.

But the first thing I thought was, why isn't this reciprocal? The No. 1 thing \[I said\] when I met with the Europeans was, "Why is this a one-way thing, but you guys are shielded?" And then I'd say, "Oh, hey, how's your EU/China data privacy shield going? You have one, right?" And they're like, "Uh ... no. You know, China will be China."

Anyway, from a company standpoint, when people think of US tech companies, they think of the social and search companies like Google and Facebook. They're important companies, sure, but that's a small fraction of it. In my view, the rules of the road have not fully been written yet on data, privacy, security, data flows. It's going to take not only all three branches of our government but also the private sector and international players. If I were \[a tech CEO\], I would get out in front of this one because you can see it's going to be coming down. Things like Elon Musk buying Twitter probably would be a catalyst for that.

**Q: What, then, does the US need to do? It sounds like you think there's a lot more coming pretty soon down the pipe in terms of regulatory and compliance.**

**Krach:** Yeah, yeah. And I think it needs to be clear. But also, US companies were getting robbed blind and locked out of the Chinese market. So there's a squeeze play there, and then \[on the government level\] the EU was coming up with these regulations that just target US companies, so there's another squeeze play. But here again, it all boils down to one word: trust. You have to be able to trust the people you partner with, and you have to be trusted yourself.

**Q: As we look at how technology is evolving in general — Web3, the metaverse — there's so much emerging. Which security issues do you think should be top of mind from a policy standpoint?**

**Krach:** The first one is protect from the enemy. On _60 Minutes_, FBI Director \[Christopher\] Wray talked at length about China's cyber threat and threat to intellectual property. Because their attitude is, if it's out there and we can take it, it's your fault for not protecting it. It's a wholly different value system. 

So the second piece is educating everyone about that, especially at the corporate board level. I just wrote an article for Fortune about how companies need to have their China contingency plan. \[Business leaders\] need to ask themselves, "What is our policy to make sure that we're trusted by our customers, our shareholders, our suppliers, our partners, all the governments we do business with?"

There's some things the government can help out on. For example, we could install something like the no-bribery law, in which American companies that go overseas and are asked for bribes have the law to fall back on. They can say, "No can do, it's against the law. I'll go to jail, sorry." Why don't we make a law that it's illegal to transfer technology to the Chinese? They have that divide-and-conquer system: "You guys won't give it to me? I'll go to your competitor." So there's some things that we can do along those lines, understanding their values and how we can weaponize ours. But again here, it takes collaboration across government and the private sector. It's critical that we figure it out.

Q&A: How China Is Exporting Tech-Based Authoritarianism Across the World

A new proposal by the Consumer Financial Protection Bureau would use a 54-year-old privacy law to impose new oversight of the data broker industry. But first, the agency must survive Elon Musk.

The United States government’s leading consumer protection watchdog announced Tuesday the first steps in a plan to crack down on predatory data broker practices that the agency says help fuel scams, violence, and threats to US national security.

The Consumer Financial Protection Bureau is proposing a rule that would allow regulators to police data brokers under the Fair Credit Reporting Act (FCRA), a landmark privacy law enacted more than a half century ago. Under the proposal, data brokers would be limited in their ability to sell certain sensitive personal information, including financial data and credit scores, phone numbers, Social Security numbers, and addresses. The CFPB says that closing the loopholes allowing data brokers to trade in this data with little to no oversight will benefit vulnerable people and the US as a whole.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” Rohit Chopra, CFPB’s director, said in a statement. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

Passed in 1970 as the first US privacy law, the FCRA requires “credit reporting agencies” to adhere to certain standards of accuracy and privacy in their dealing with people’s financial information, including credit histories, credit scores, debt payment histories, and other related data. The CFPB’s proposal aims to treat data brokers like credit reporting agencies when they deal in this sensitive data. It would require data brokers to obtain “separate, explicit authorization” before acquiring or sharing people’s credit information, rather than burying these permissions in expansive legal documents that surveys show are often unread or impossible for the average person to parse.

In a conversation with reporters on Monday, Chopra pointed to the recent attacks on US telecommunications systems, which the government has attributed to China, to emphasize the value of personal data to the nation's foreign rivals. “But often, our adversaries don't need to hack anything,” he says. “Data brokers, the outfits that collect and sell detailed information about our personal and financial lives, are making this data available to anyone willing to pay a price.”

The action proposed by the CFPB is aimed, Chopra says, at stopping data brokers from “enabling scammers, stalkers and spies undermining our personal safety and America's national security.”

The CFPB’s idea of using existing US law to regulate data brokers is not novel. In February 2023, a group of consumer-focused nonprofits urged Chopra to enforce the powers the FCRA affords regulators to prevent data brokers from engaging in these potentially damaging practices.

“Protecting the personal information of all people in the US is increasingly urgent in our current political climate,” says Laura Rivera, attorney with Just Futures Law, a nonprofit that supports grassroots activists. “The stakes are too high to continue to let the data broker industry sell our information at their discretion, where the status quo has made it ripe for abuse and targeting from harmful actors.”

In a briefing with WIRED on Monday, CFPB officials declined to comment on whether they believe the regulatory action will be short lived, as president-elect Donald Trump plans to empower a number of Silicon Valley figures to reorganize the federal government with the aim of targeting “waste and fraud.”

Elon Musk, who is coleading an office named after a meme coin—the Department of Government Efficiency, or DOGE—directly attacked the CFPB's work last week, calling for the agency to be “deleted.” Musk's remarks followed an attack on the agency's work by Marc Andreessen, a venture capitalist, who claimed on a recent episode of Joe Rogan’s podcast that the agency is “terrorizing” banking startups.

The CFBP was founded in 2011 with the aim of protecting consumers from the kinds of fraud and abuse that kicked off the 2008 financial crisis.

A CFPB official tells WIRED that the agency is also concerned about data being transmitted in ways that companies allege protects people's identities but in reality can be "de-anonymized" in simple ways, as studies have repeatedly shown. "As technology advances, we surmise that it will be even easier to de-mask purportedly de-identified data," one official said. The proposed rule thus includes a range of guidelines for credit reporting agencies involved in selling data they alleged has been de-identified.

Asked whether the proposal would extend to US government agencies, an official says that US law sets forth "very clear pathways" for the government to purchase personally identifying data for law enforcement and intelligence purposes. In a recent case, US Immigration and Customs Enforcement was discovered by reporters to have purchased access to the personal data of Americans in an attempt to investigate immigrants—data acquired by the media conglomerate Thomson Reuters, which it provided to custeroms in contracts the company disclosed were worth more than $100 million. (Thomson Reuters previously denied that the purpose of the data is to track undocumented immigrants and has emphasized that its database does not contain information that normally requires a search warrant to access.)

“We are not disrupting any of those pathways,” a CFPB official says. The agency is requesting comment, however, on the potential impacts of such government purchases to ensure that access is “appropriate.”

Emily Peterson-Cassin, director of corporate power at the nonprofit advocacy group Demand Progress’s Education Fund, commended the CFPB’s proposal and urged the incoming Trump administration to see it through.

“The CFPB is doing something important that will resonate with every single American. Anyone you pick off the street can tell you about the daily scam texts, emails and calls they receive from fraudsters who easily buy our contact information from shady, unaccountable data brokers,” Peterson-Cassin says. “Finally, someone—specifically the CFPB—has stepped in to stop this daily plague affecting hundreds of millions of people by applying real standards to their sale of our sensitive information.”

Top US Consumer Watchdog Has a Plan to Fight Predatory Data Brokers

Red Hat Security Advisory 2023-2110-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.16. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.16 security update  
Advisory ID:       RHSA-2023:2110-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2110  
Issue date:        2023-05-10  
CVE Names:         CVE-2022-46146 CVE-2023-0286 CVE-2023-1999   
                   CVE-2023-28617   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.16 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.12.16. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:2109

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* exporter-toolkit: authentication bypass via cache poisoning  
(CVE-2022-46146)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:5339b3c4686010dc42990e0addce5aa4fddd071d6d9504dffe08a4b5059f6f38

(For s390x architecture)  
The image digest is  
sha256:171c389cac763eb6f77cb088755782bec565357baf655e611f50885f814f1aaf

(For ppc64le architecture)  
The image digest is  
sha256:de25720325b20112a6361207a6c42a2f5859e6d023fe176410a9e1aaf0ed3c74

(For aarch64 architecture)  
The image digest is  
sha256:8794d8a92afa21c8869daba76761deff737126ef9e3377e30173bd826506cc67

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2149436 - CVE-2022-46146 exporter-toolkit: authentication bypass via cache poisoning

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-11559 - multus-admission-controller should not run as root under Hypershift-managed CNO  
OCPBUGS-11844 - Pipeline is not removed when Deployment/DC/Knative Service or Application is deleted  
OCPBUGS-11972 - update the default pipelineRun template name  
OCPBUGS-11993 - TypeError on VIF revert  
OCPBUGS-12199 - create hosted cluster failed with aws s3 access issue  
OCPBUGS-12265 - [4.12] Network scale metrics  
OCPBUGS-12361 - PTP metrics - Unexpected metrics for old phc2sys appears in metrics after modify ptpconfigs   
OCPBUGS-12440 - Instance shouldn't be moved back from f to a  
OCPBUGS-12473 - [4.13] Fix Flake TestAttemptToScaleDown/scale_down_only_by_one_machine_at_a_time  
OCPBUGS-12476 - Pipelines repository list and creation form doesn't show Tech Preview status  
OCPBUGS-12477 - Users don't know what type of resource is being created by Import from Git or Deploy Image flows  
OCPBUGS-12688 - 4.12 upgrade jobs broken by runc upgrade  
OCPBUGS-1753 - Using OLM descriptor components deletes operand e2e test failing  
OCPBUGS-6888 - Show Git icon and URL in repository link in PLR details page should be based on the git provider

6. References:

https://access.redhat.com/security/cve/CVE-2022-46146  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-1999  
https://access.redhat.com/security/cve/CVE-2023-28617  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFva69zjgjWX9erEAQihxBAAjfgP91+Y8NAL9LsgpC9pMvYIjh92ZI1L  
uMzPo33etxENoDLUGik24Bfd+ZT9RWWywA00Ksq0LpUK4p5UBsHtXdBpCV6XhwlZ  
t5elfvcdTiIUMnV9u8HfQKsEqwnID0r8eBExCkINDbeBWHfp5qReSSHdL8xw34tA  
D/Mh6S7zlOJakNPaedRMFwxM8GYixy3fgRSVlsSk2n+Qsd4kTb9eUpl1e6tilSn/  
CVtMyF7hccKUz6U/eV7L0igzDqsaQ9PN83msDCcI2JP5sp1d4H/dcvEExMxAeJj0  
HegtSF2ZlgqICROfufKP08ySfxCYnDWbqwpgMu+6d4sLs8E7OPVD+DQ3RpyXJYfs  
ZWlZXBYZnFfxzXbN2keulncrTTrCtWr678DLPKpoKMGF/8SU727Qi7U3X7/6LMdr  
vaPnz5uPPTj8SH1ezEZE/eCoIqozVYYp4TI8bY+NYnw5dbFUJP6N4JSK0p2ul6pK  
/LIMgaslNLKm9/qZzHE8xo9d3f7zPUimc5MV9HuKe3I6sorqlJEE5TZf971tvWkL  
QhXzT4e06C2bHBaH9CSRZ0dad0BydJWgw+PXbln6Bxqm0drt+ASjbmHdHGgKV43H  
8KI9qvpFlAcaBzk78zd+MiNtDaLTpUDH3zKkh2X+8Nwzl4R4x6JHvV7utmEopR0V  
t/7Wrna0fIg=  
=Jc1o  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2110-01

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.

CVE-2021-24198: WordPress Plugin wpDataTables - Multiple Vulnerabilities

CVE-2020-19766

Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WOOHero is just a great WooCommerce extension to customize any store. Like change button text/labels, add contents and much more. WOOHero is compatible with all WooCommerce themes.  
No coding experience requires to change button text/label, add new contents inside WooCommerce core pages. WOOHero nice and simple  
settings will handle all for you. Following details and screenshots explaining all powerful feature of WOOHero.

**Getting Started Video**

**Customize/Change Text**

1.  Add to cart (Single product)
2.  Add to cart (Shop/Loop)
3.  Out of stock (Single product)
4.  View product (Grouped product – Shop/Loop)
5.  Select options (Variable products – Shop/Loop)
6.  Buy product (External product – Shop/Loop)
7.  Place order (Checkout page)

**Customize WooCommerce Core Pages**

1.  Before cart table
2.  Before cart contents
3.  Cart contents
4.  After cart contents
5.  After cart table
6.  After cart
7.  Proceed to checkout
8.  Cart coupon
9.  After cart totals
10.  Before cart totals
11.  Cart is empty
12.  Before mini cart (cart in widget)
13.  Widget shopping cart before buttons
14.  After mini cart
15.  Cart totals before shipping
16.  Cart totals after shipping
17.  Cart totals before order total
18.  Cart totals after order total
19.  Before shipping calculator
20.  After shipping calculator

**WooCommerce Actions/Hooks**

WOOHero using Woocommerce core hooks/actions to customize, zero coding requires. Just install and use.  
Details Here

**WOOHero PRO Features**

WOOHero PRO has more powerful feature and control to customize your store like:

*   **Customize Shop/Store page**
*   **Customize Product page**
*   **Customize My account page**
*   **Customize Checkout page**
*   **Customize Thanks page**
*   **Customize Change button titles (add to cart etc)**
*   **Customize Product Page**
*   **Disable Related Products**
*   **Customize Related Products**
*   **Add Unlimited Product Tabs**
*   **Enquiry/Get a Quote Form for Product**
*   **Front-end editor to add/edit contents**

**Change Any Text**

Another a cool feature of WOOHero PRO version is that you can change Any text from entire site. Like if you want to change ‘Billing Address’ text on checkout  
page, you can do this with WOOHero PRO.

Get Pro Version

1.  Upload plugin directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  After activation, you can set options from WooCommerce -> WooHero menu

**DO I need to make changes in file?**

No

**How to access settings**

In Dashboard, you will menu title WooCommerce -> WooHero

**Will this work with my Theme?**

Yes, it is compatible with all themes.

I used it just now and it’s great! In fact, it’s super powerful for being free.

Plugin functionality and working is awesome. The only suggestion is you just need to improve its backend style and usage directions. It shouldn't have a separate menu it should be somewhere in woo-commerce settings.

Great. I can change text almost anywhere in WooCommerce 🙂 Good for non technical users.

Read all 10 reviews

“WooHero WooCommerce Store Customizer” is open source software. The following people have contributed to this plugin.

Contributors

*    N-Media

**3.4 January 19, 2022**

*   Tweaks: WC latest version check

**3.3 September 19, 2021**

*   WC latest version updated
*   Bug fixed: Product tabs HTML issue fixed

**3.2 June 19, 2020**

*   Feature: It will display a Button on Cart page to remove all Cart Items.
*   Feature: It will hide content on the product page and add to cart button. Just show the login form

**3.1 Jan 11, 2020**

*   Bug fixed: Change Any Text

**3.0 Nov 17, 2019**

*   Feature: Re-arranged settings tabs
*   Feature: Front-end editor to add/edit contents
*   Feature: Disable/Enable related products, set column size
*   Feature: Products limit and columns size in Shop page.
*   Feature: More actions added to on checkout page.
*   Feature: Compatibility check with latest WooCommerce, PHP and WordPress

**2.5 June 3, 2019**

*   Bug fixed: Some security related issue fixed

**2.4 October 23, 2018**

*   Bug fixed: Settings saving issue in php version 7+ fixed.

**2.3 July 28, 2018**

*   Bug fixed: Menu moved under WooCommerce Manin Menu

**2.2 July 21, 2018**

*   Bug fixed: Menu not shown due to some other plugin conflict, it’s fixed now

**2.1 July 14, 2018**

*   Bug fixed: Warnings removed
*   Compatibility check with WooCommerce

**2.0**

*   WooCommerce 3.0 compatible issue fixed.

**1.2**

*   Some minor changes made in options page.

**1.1****Following button title/labels can be change**

*   Add to cart (Single product)
*   Add to cart (Shop/Loop)
*   Out of stock (Single product)
*   View product (Grouped product – Shop/Loop)
*   Select options (Variable products – Shop/Loop)
*   Buy product (External product – Shop/Loop)
*   Place order (Checkout page)

**1.0**

*   It is first version, and working perfectly

CVE-2019-5979: WooHero WooCommerce Store Customizer

An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the ys\_thirdparty user\_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities. The number of functionalities depends on the user privileges. The admin user can access the enable command, which will allow access to a high privilege command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

Issuing the configure terminal command makes it possible to access the user_permission command. This allows access to a menu where it is possible to manage user-related information:

    ROUTER(user-permission)# 
      end        End current mode and change to enable mode
      exit       Exit current mode and down to previous mode
      list       Print command list
      no         remove the user
      show       show the user information
      superuser  set superuser name or password
      user       check the user password
    

The no user <username> command removes the user associated with the issued username. This command is manage by the ys_thirdparty’s user_delete function:

    undefined4 user_delete(undefined4 param_1,undefined4 param_2,undefined4 param_3,char **argv)
    
    {
      [... variable declaration ...]
    
      username = *argv;
      iVar1 = strcmp(username,superuser);
      if (iVar1 == 0) {
        username = "[failed]:can not remove superuser!\n";
      }
      else {
        iVar1 = delete_user_real(username,0);
        [...]
      }
      [...]
    }
    

If the username provided is not the superuser, this function will call the delete_user_real function:

    uint delete_user_real(char *username,uint is_delete_super_user)
    
    {
      [... variable declaration ...]
    
      [...]
      is_superuser = strcmp(username,superuser);
      if ((is_superuser | is_delete_super_user) == 0) {
        tmp_var = 1;
      }
      else {
        [...]
        tmp_var = check_system_user(username);
        [...]
      }
      [...]
    }
    

This one, after a check about the superuser, could call the check_system_user with the provided username:

    void check_system_user(char *user)
    
    {
      [... variable declaration ...]
    
      iVar1 = __stack_chk_guard;
      popen_command._0_4_ = 0;
      memset(popen_command + 4,0,0xfc);
      snprintf(popen_command,0x100,"%s chk 0 %s","/usr/sbin/userpermit.sh",user);                           [1]
      __stream = popen(popen_command,"r");                                                                  [2]
      [...]
    }
    

This function will compose, at [1], the "/usr/sbin/userpermit.sh chk 0 <username>" string and use it as argument for the popen function at [2]. From the user_delete function until the popen call at [2] there is no check for the username provided, so this can lead to a command injection vulnerability at [2].

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable
    ROUTER# configure terminal
    ROUTER(config)# user_permission
    ROUTER(user-permission)# no user `reboot`
    ROUTER(user-permission)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device rebooting

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us