Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-9

By Deeba Ahmed
Student Data Managing Platform National Student Clearinghouse Confirmed MOVEit Hack Affected 900 US Schools.
This is a post from HackRead.com Read the original post: 900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data

****KEY FINDINGS****

*   **Educational institutions are assumed to be the most vulnerable sector today, considering that 70 to 80% of lower-to-higher education providers reported experiencing ransomware attacks in 2022.**

*   **National Student Clearinghouse has reaffirmed these suspicions, revealing that nearly 900 US schools were impacted by the MOVEit hack.**

*   **According to the research, reporting, and verification services provider, sensitive student records were stolen in the MOVEit data breach.**

*   **The organization identified the scope of this breach on June 20 following an investigation.**

*   **The National Student Clearinghouse boasts a network of 3600 colleges/universities and 22,000 high schools.**

Last week, Hackread **covered** research from cybersecurity firm Sophos and VPN service provider AtlastVPN, revealing that education was the top-most targeted sector in ransomware attacks. During 2022, 80% of lower education and 79% of higher education institutions became targets of ransomware attacks. The **recovery** cost from these attacks touched $ 1.59 million in 2022-2023 for lower education institutes and close to $ 1 million for higher education institutions in 2023.

The latest revelation from the National Student Clearinghouse has reaffirmed these findings by revealing that around 900 schools were impacted by the **MOVEit attack**. MOVEit is a managed file transfer software created by Progress Software Corp and widely used by financial institutions, governments, and thousands of public/private sector entities worldwide for sharing information.

On 31st May 2023, MOVEit became the target of a hack attack where the platform suffered huge data loss after being hit by Cl0p ransomware. The ransomware operators accessed information belonging to organizations and individuals by **exploiting** a zero-day vulnerability.

As of September 22, 2023, this attack has impacted 2,053 organizations and 57,624,249 individuals, as per the information available on Cl0p operators’ website, SEC filings, and public disclosures, **explained** cybersecurity firm Emsisoft. Over 90% of the impacted organizations were based in the US, 1.8% in Germany, 3.2% in Canada, and 1.0% in the UK.

The National Student Clearinghouse is among the impacted organizations. The non-profit has **confirmed** (PDF) that around 900 colleges/universities have been affected by the MOVEit attack. The list of affected schools is available **here** (PDF).

The organization informed the California attorney general’s office that its MOVEit server was hacked in late May, but it discovered the scale of the breach and stealing of the student record database on June 20 with help from cybersecurity experts and law enforcement agencies. 

“Through our investigation, on June 20, 2023, we learned that an unauthorized party obtained certain files from the MOVEit tool. The issue occurred on or around May 30, 2023,” the organization explained.

The stolen data included name, contact details, school records, date of birth, student ID number, enrollment records, degree, and course-level data compromised in the attack. It has sent data breach notifications to impacted individuals. The notification has been posted to the California attorney general’s website. 

The **National Student Clearinghouse** has patched the software and added stricter monitoring mechanisms, apart from offering victims free identity monitoring services for two years.

It is worth noting that the infamous MOVEit hack impacted many high-profile organizations, including Norton’s parent company, Gen Digital, the US Department of Energy, Siemens Energy, Shell, and Schneider Electric. 

The French government agency Pole Emploi, the Colorado Department of Health Care Policy and Financing, and Maximus lost the highest amount of personal data of registered individuals.

****RELATED ARTICLES****

1.  Conti ransomware gang demanded $40m from US school district
2.  Institute of International Education leaks data of thousands of students
3.  Gamarue malware found in UK Govt-funded laptops for homeschoolers

900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data

Red Hat Security Advisory 2023-5693-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements, and bug fixes.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5693.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ceph Storage 6.1 security, enhancement, and bug fix updateAdvisory ID:        RHSA-2023:5693-01Product:            Red Hat Ceph StorageAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5693Issue date:         2023-10-12Revision:           01CVE Names:          CVE-2018-14041====================================================================Summary: An update is now available for Red Hat Ceph Storage 6.1 in the Red HatEcosystem Catalog.Description:Red Hat Ceph Storage is a scalable, open, software-defined storage platformthat combines the most stable version of the Ceph storage system with aCeph management platform, deployment utilities, and support services.These new packages include numerous enhancements, and bug fixes. Space precludes documenting all of these changes in this advisory.Users are directed to the Red Hat Ceph Storage Release Notes forinformation on the most significant of these changes:https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/indexSolution:https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6https://access.redhat.com/articles/2789521https://access.redhat.com/articles/1548993CVEs:CVE-2018-14041References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

Red Hat Security Advisory 2023-5693-01

Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Scriptler Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

**Descriptions****Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2219 / CVE-2021-21699**

Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.

**Stored XSS vulnerability in Scriptler Plugin**

**SECURITY-2406 / CVE-2021-21700**

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.

**XXE vulnerability in Performance Plugin**

**SECURITY-2394 / CVE-2021-21701**

Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in pom2config Plugin**

**SECURITY-2415 / CVE-2021-43576**

pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in OWASP Dependency-Check Plugin**

**SECURITY-2488 / CVE-2021-43577**

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Squash TM Publisher (Squash4Jenkins) Plugin**

**SECURITY-2525 / CVE-2021-43578**

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input.

This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-2219: High
*   SECURITY-2394: High
*   SECURITY-2406: High
*   SECURITY-2415: High
*   SECURITY-2488: High
*   SECURITY-2525: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.5.6
*   **OWASP Dependency-Check Plugin** up to and including 5.1.1
*   **Performance Plugin** up to and including 3.20
*   **pom2config Plugin** up to and including 1.2
*   **Scriptler Plugin** up to and including 3.3
*   **Squash TM Publisher (Squash4Jenkins) Plugin** up to and including 1.0.0

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5.7
*   **Scriptler Plugin** should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar working with Trend Micro Zero Day Initiative** for SECURITY-2394, SECURITY-2415
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2525
*   **Guy Lederfein of Trend Micro** for SECURITY-2406
*   **Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro** for SECURITY-2219

CVE-2021-21700: Jenkins Security Advisory 2021-11-12

Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21699: Jenkins Security Advisory 2021-11-12

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

CVE-2021-43578: Jenkins Security Advisory 2021-11-12

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVE-2021-43576: Jenkins Security Advisory 2021-11-12

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21701: Jenkins Security Advisory 2021-11-12

By Waqas
Nitrokod crypto miner mines Monero (XMR) coin on infected devices and so far it has targeted 111,000 unsuspecting users in 11 countries.
This is a post from HackRead.com Read the original post: Nitrokod Crypto Miner Hiding in Fake Microsoft and Google Translate Apps

Check Point researchers have shared details of a new campaign in which the cybercriminals are distributing **cryptocurrency-mining malware**. This malware is hard to detect by unsuspecting users because it is distributed through fake and malicious Google Translate and other popular apps.

According to researchers, the malware is spread via third-party websites hosted on platforms like Uptodown and Softpedia and offer free software downloads. These websites can be accessed through a simple **Google search**.

Fake malicious apps spreading the Nitrokod crypto miner (Image via CheckPoint)

**Campaign Analysis**

The cryptocurrency mining Trojan is called Nitrokod. It is spread disguised as a clean Windows application. The malware keeps its execution on hold for several days or weeks and launches its **Monero mining** code when it deems safe.

This malware is readily available, and anyone can use it, stated Check Point’s vice president of research, Maya Horowitz. The list of victims is pretty diverse as they are spread across the following countries:

1.  Israel
2.  Turkey
3.  Cyprus
4.  Greece
5.  Poland
6.  Germany
7.  Australia
8.  Mongolia
9.  Sri Lanka
10.  United States
11.  United Kingdom

Malware analyst at Check Point Moshe Marelus stated that the malware drops around one month after the infection, and dropping files is a multi-stage process, which makes it rather complicated to track its initial stages.

**Attack Tactics**

The attack is a **multi-stage sequence** where each dropper paves the way for another dropper until the actual malware is dropped. The app runs as expected when the user downloads and installs the software loaded with Nitrokod malware while the malicious trojan sneakily works in the background. It fetches and stores several executables and schedules one .exe file to run every day once they are unpacked.

When the files are run, another executable file is extracted, which establishes a connection to a C2 server, obtains device configuration settings for the **Monero miner** code, and the mining process starts. The generated coins are sent to the attackers’ wallets. At some point, all initial stage files self-delete, and the next stage of the infection chain starts after fifteen days through the Windows utility schtasks.exe.

> “This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.”
> 
> Moshe Marelus – Check Point

The malware also inspects for known virtual machine processes and installed security products. If detected, the program stalls and exits. 

One stage also checks for known virtual-machine processes and security products. If found, the program exits. If not, it continues. Cybercriminals use **RAR encrypted, password-protected files** throughout the stages to make them hard to detect.

Infection chain

**Who Are the Attackers?**

CheckPoint’s **research** suggests that a Turkish-speaking group of hackers dubbed Nitrokod is behind this campaign revealed Check Point Research’s team. It has been active since 2019. This campaign was discovered in July 2022, and so far, it has affected 111,000 users in 11 countries.

The modus operandi used to trap users is by offering desktop versions of legit apps that don’t have their desktop versions. Nitrokod programmers wait patiently before launching the malware, and their attacks entail multiple stages.

**Software Exploited **

Apart from Google Translate, Nitrokod leveraged other translation apps, e.g., YouTube Music, Microsoft Translator Desktop and MP3 downloader programs. The malicious apps claim to be 100% clean but contain a crypto miner.

1.  Google ReCaptcha flaw lets bots bypass audio captcha challenge
2.  Fake Brave browser website dropped malware, thanks to Google Ads
3.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
4.  Google shares details of unpatched Windows AppContainer vulnerability
5.  Google Drive accounted for 50% of malicious Office document downloads

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Nitrokod Crypto Miner Hiding in Fake Microsoft and Google Translate Apps

Almost immediately after Neiman Marcus began informing customers about a data breach, the alleged data was offered for sale.

Luxury retail chain Neiman Marcus has begun to inform customers about a cyberattack it discovered in May. The attacker compromised a database platform storing customers’ personal information.

The letter tells customers:

> “Promptly after learning of the issue, we took steps to contain it, including by disabling access to the relevant database platform.”

In the data breach notification, Neiman Marcus says 64,472 people are affected.

An investigation showed that the data contained information such as name, contact data, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers. According to Neiman Marcus, the exposed data does not include gift card PINs. Shortly after the data breach disclosure, a cybercriminal going by the name “Sp1d3r” posted on BreachForums that they were willing to sell the data.

Image courtesy of Daily Dark Web

> “Neiman Marcus not interested in paying to secure data. We give them opportunity to pay and they decline. Now we sell. Enjoy!”

According to Sp1d3r, the data includes name, address, phone, dates of birth, email, last four digits of Social Security Numbers, and much more in 6 billion rows of customer shopping records, employee data, and store information.

Neiman Marcus is reportedly one of the many victims of the Snowflake incident, in which the third-party platform used by many big brands was targeted by cybercriminals. The name Sp1d3r has been associated with the selling of information belonging to other Snowflake customers.

Oddly enough, Sp1d3r’s post seems to have since disappeared.

Later screenshot

Sp1d3r’s post count went down back to 19 instead of the 20 displayed in the screenshot above.

So, the post has either been removed, withdrawn, or hidden for reasons which are currently unknown. As usual, we will keep an eye on how this develops.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

While matters are still unclear on how much information was involved in the Neiman Marcus breach, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us