Categories: News
Categories: Personal
In every scam no matter how sophisticated or how amateur, there are two red flags.



(Read more...)




The post How to spot a scam appeared first on Malwarebytes Labs.

Unfortunately, scams are a fact of life online. The virtual ties that bind us are international now: Our public telephone numbers, social media accounts, email addresses, messaging apps, dating profiles, and even our physical mailboxes, can all be reached by any criminal and con artist from anywhere in the world.

And test us they do, with everything from the preposterous offers of “Nigerian princes” to the slow boiling intimacy of long-term, long-distance romances.

There is a lot of good advice around (and plenty of it on this website) to help you understand which scams are popular right, how they work, and how to spot them.

Though undoubtedly useful, the advice is often specific to a single campaign or type of scam: Watch out for fake DHL emails; Beware of SMS messages from the Royal Mail; Don’t open invoices from unknown senders; Check the spelling and links in emails; Reverse image search too-good-to-be-true dating profile pics, and so on.

Being specific, the advice is narrow. SMS scams are not the same as email scams, and neither has much in common with a romance scam. There is a lot to remember.

So today I’m going to offer you something different. I want to give you the most general advice I can—a template that can be applied to almost any scam, over any media, on any time scale, whether it’s a new scam or something tried and tested.

It doesn’t make the other advice redundant, it’s just another way to look at things.

The advice comes from perhaps the most famous conman in the world, Frank Abagnale, whose alleged exploits were made famous by Leonardo DeCaprio in the movie “Catch me if you can”. Abagnale’s account of his own backstory is either true, partially true, or a total fabrication, depending on who you ask. What isn’t in doubt is that he knows a thing or two about lying to get what he wants.

In 2019 he gave an interview to CNBC in which he gives perhaps the best generalised advice about scams I’ve ever heard, and which I will repeat here.

> In every scam no matter how sophisticated or how amateur, there are two red flags.

These are Abagnale’s red flags:

**An urgent need for money**

The end goal of all scams is to enrich the scammer. And that often involves a direct transfer of money, whether it’s entering credit card details into a fake website or wiring tens of thousands of dollars to a stranded lover.

The demand for money is almost always urgent. Scammers know that their requests don’t stack up, so they want you to rush, and they don’t want you to involve other people.

In a romance scam where the criminal hopes to make the victim fall in love with them, the scammer may take their time to begin. However, when the demand for money comes, it is likely to be urgent.

On a recent Lock and Code podcast, Cindy Liebes, Chief Cybersecurity Evangelist for the Cybercrime Support Network, spelled out just how patient these scammers can be:

> "It can take months, it can take years, but invariably they will seek to get money."

In other situations, such as business email compromise (BEC) scams, the urgency is immediate.

In a BEC scam an attacker spoofs the email account of a senior employee, such as a CEO, and tries to get a more junior employee to send them some of the company’s money.

Requests often come with a deadline and a demand for secrecy. The “CEO” concocts a story with one or more emails, messages or phone calls about needing help with an urgent, confidential deal. The scammer wants to isolate the employee from the company’s checks and balances, and their own common sense.

Underpinning it all is Abagnale’s first red flag: An urgent need for money.

Sometimes victims aren’t told to act urgently, they just want to. A few months ago we covered an Instagram scam in which victims thought they’d stumbled upon a website where they could see naked pictures of an attractive friend.

The urgency here came from the viewer’s desire to act on a sexual impulse, and is reinforced by language like “LIMITED SLOTS ONLY, DON’T MISS OUT” and “What are you waiting for?”

The small print even explained the scam in plain terms—victims were being signed up for a premium rate subscription service—but the scammers were betting that victims would be in too much of a hurry to read it.

**Asking for personal information**

Abagnale’s second red flag is being asked for personal information. Personal information helps the scammer pretend to be you.

Sometimes it’s as simple as stealing your username and password with a fake website, so they can log in as you on the real website.

But it can also be very subtle. In his book The Art of Deception, infamous social engineer Kevin Mitnick describes how he would sometimes make several phone calls to build up the information he needed for a scam.

Each call would capture small details that improved his credibility for the next one. For example, one of Mitnick’s most famous crimes is stealing the source code for a popular Motorola phone in the early 1990s, an attack he described to Vice in 2019.

The attack began with a call to the main Motorola reception, which sent him back-and-forth on several more calls in which he learned the phone number of the VP of Motorola mobility, and that the company had a research centre in Arlington Heights.

This information allowed him to call the VP and credibly introduce himself as “Rick, over in Arlington Heights”, which was enough to convince them to give him the name and phone number of the phone’s project manager.

Mitnick then called the project manager and learned from her voicemail that she was on holiday, and who to contact while she was away. He called the project manager’s stand-in and convinced her that the project manager had not fulfilled a promise to send him the source code before she left on holiday.

Most of the conversations did not ask for enough sensitive information to alert the people he was talking to, but every one of them contained a request for something personal or privileged. Of course, when he finally asked for the source code, he was making a request for hugely privileged information, but he was able to create a plausible enough persona to pull it off.

In fact, the last victim was so convinced of “Rick”’s authenticity that she persuaded a security manager to hand over a username and password for the company’s proxy server, on his behalf.

Thankfully, most of us aren’t faced with a hacker as skilled as Mitnick, and few of us would be able to stop him if we were. Most cons are simpler, more direct versions of the same basic idea.

And that brings me to my final point.

Many scammers are professional criminals and scams are common because they work. It makes sense to prepare yourself as thoroughly as you can to spot them, but we all fall short sometimes. There is no shame in falling for a scam, and it isn’t your fault if you do.

How to spot a scam

Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability. When a remote unauthenticated attacker and other web clients communicate through the proxy with the same web server, the attacker can send crafted HTTP requests and cause the proxy to forward web server responses to unintended clients. Severity/CVSSv3: High / 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

HTTP Desync Vulnerability in ASG and ProxySG

**Summary**

Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability. When a remote unauthenticated attacker and other web clients communicate through the proxy with the same web server, the attacker can send crafted HTTP requests and cause the proxy to forward web server responses to unintended clients.

**Affected Product(s)**

**Advanced Secure Gateway (ASG)**

**CVE**

**Affected Version(s)**

**Remediation**

CVE-2021-46825

6.7, 7.3

Upgrade to 6.7.5.16 or 7.3.7.1.

**ProxySG**

**CVE**

**Affected Version(s)**

**Remediation**

CVE-2021-46825

6.7, 7.3

Upgrade to 6.7.5.16 or 7.3.7.1.

****

**Issue Details**

 **CVE-2021-46825**   

 **Severity/CVSSv3:**

 High / 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

 **References:**

 **Impact:**

 NVD: CVE-2021-46825

 Information Disclosure

 **Description:**

When a remote unauthenticated attacker and other web clients communicate through the proxy with the same web server, the attacker can send crafted HTTP requests and cause the proxy to forward web server responses to unintended clients. Responses intended for other web clients can be forwarded to the attacker and responses intended for the attacker can be forwarded to other web clients.

**Mitigation & Additional Information**

The following product updates have been made available to customers to remediate these issues:

*   ASG 6.7.5.16 and 7.3.7.1.
*   ProxySG 6.7.5.16 and 7.3.7.1.

Symantec recommends the following measures to reduce risk of attack:

*   Restrict access to administrative or management systems to authorized privileged users.
*   Restrict remote access to trusted/authorized systems only.
*   Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
*   Keep all operating systems and applications current with vendor patches.
*   Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
*   Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

**Acknowledgements**

*   _CVE-2021-46825:Robin Peraglie, Radically Open Security_

CVE-2021-46825: Support Content Notification - Support Portal - Broadcom support portal

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, simply called voice phishing (Vishing).

According to a new report from Google’s Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.

****How the Scam Works****

UNC6040 doesn’t rely on exploits or security vulnerabilities. Instead, it counts on human error. The attackers call employees and walk them through approving a connected app inside Salesforce. But this isn’t just any app, it’s often a modified version of Salesforce’s legitimate Data Loader tool.

With this access, attackers can query and extract vast amounts of data from the targeted organization. In some cases, they disguise the tool as “My Ticket Portal,” a name aligned with the IT support theme of the scam.

Once access is granted, UNC6040 pulls data in stages. Sometimes, they start small to avoid detection, using test queries and limited batch sizes. If the initial probing goes unnoticed, they scale up the operation and begin large-volume exfiltration.

****Extortion Comes Later****

Interestingly, data theft doesn’t always lead to immediate demands. In several incidents, months passed before victims received extortion messages. During those messages, attackers claimed to be associated with the well-known hacking group ShinyHunters, a move likely aimed at increasing pressure on victims to pay up.

This delayed approach hints that UNC6040 might be working with other actors who specialize in monetizing stolen data. Whether they’re selling access or handing off the data for follow-up attacks, the long pause makes incident detection and response more complicated for security teams.

While the primary target is Salesforce, the group’s ambitions don’t end there. Once they gain credentials, UNC6040 has been observed moving laterally through corporate systems, targeting platforms like Okta and Microsoft 365. This broader access allows them to collect additional valuable data, deepen their presence, and build leverage for future extortion attempts.

Attack flow (Google)

****Protecting Against These Attacks****

GTIG advises taking a few clear steps to make these types of breaches less likely. First, limit who has access to powerful tools like Data Loader, only users who genuinely need it should have permissions, and those should be reviewed regularly. It’s also important to manage which connected apps can access your Salesforce setup; any new app should go through a formal approval process.

To prevent unauthorized access, especially from attackers using VPNs, logins and app authorizations should be restricted to trusted IP ranges. Monitoring is another key piece, platforms like Salesforce Shield can flag and react to large-scale data exports in real time. While multi-factor authentication (MFA) isn’t perfect, it still plays a major role in protecting accounts, especially when users are trained to spot tricks like phishing calls that try to get around it.

Hackers Using Fake IT Support Calls to Breach Corporate Systems, Google

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Daniel Kiper <daniel.kiper@...cle.com>
Subject: \[SECURITY PATCH 00/30\]  Multiple GRUB2 vulnerabilities - 2022/06/07
 round

\[ This message was sent to grub-devel@....org.   It's archived at.    \]
\[ https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html \]
\[ and the 30 individual patches are linked from there as well as in.  \]
\[ the git repo. These issues were previously brought to the.          \]
\[ linux-distros list.                                                 \]


Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here \[1\] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) \[2\] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository \[3\] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

\[1\] Red Hat: https://access.redhat.com/security/security-updates/#/
   SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

\[2\] https://github.com/rhboot/shim/blob/main/SBAT.md

\[3\] https://git.savannah.gnu.org/gitweb/?p=grub.git
   https://git.savannah.gnu.org/git/grub.git

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28733 grub2: Integer underflow in grub\_net\_recv\_ip4\_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A malicious crafted IP packet can lead to an integer underflow in
grub\_net\_recv\_ip4\_packets() function on rsm->total\_len value. Under certain
circumstances the total\_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28735 grub2: shim\_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim\_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28736 grub2: use-after-free in grub\_cmd\_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There's a use-after-free vulnerability in grub\_cmd\_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There's a possible overflow in handle\_image() when shim tries to load and execute
crafted EFI executables. The handle\_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub\_loader\_set\_ex()

Daniel Axtens (20):
     kern/file: Do not leak device\_name on error in grub\_file\_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim\_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (269 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-28733: oss-security - [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities

An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in a information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2020-6104: TALOS-2020-1046 || Cisco Talos Intelligence Group

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of US telecom companies breached by Chinese state-sponsored hackers in the Salt Typhoon campaign.

The list of telecommunications companies compromised in the **Salt Typhoon cyberattack** continues to grow, with recent reports naming Charter Communications, Consolidated Communications, and Windstream as the latest victims of Chinese government espionage. 

This follows previous confirmations from **AT&T, Verizon, T-Mobile**, and Lumen Technologies, as earlier reported by Hackread.com, that their networks had been breached. According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, Chinese hackers have targeted nine US telecoms, with the latest three remaining unclear.

The Wall Street Journal **reported** that Chinese spies exploited vulnerabilities in network devices from Fortinet and Cisco to gain unauthorized access to these telecom networks. In some cases, attackers gained control of high-level network management accounts lacking multi-factor authentication, granting them access to several routers. This access allowed them to potentially monitor network traffic and cover their tracks.

This incident has prompted several government-level security developments. The US Department of Treasury **recently sanctioned** a Chinese cybersecurity company for its role in another cyberattack, and the US government is taking steps to strengthen the security of American telecom infrastructure.

These measures include increased scrutiny by the FCC, legislative efforts to enhance security, and recommendations for individuals and organizations to improve their cybersecurity practices.

Moreover, given the ongoing wave of Salt Typhoon’s breaches, the US Cybersecurity and Infrastructure Security Agency (CISA) is advising government officials to switch to end-to-end encrypted messaging apps like Signal. 

The latest revelation highlights the growing threat of Chinese cyberattacks on US infrastructure, with the Salt Typhoon campaign indicating a shift from traditional espionage to more disruptive activities. Experts urge organizations in international business or critical infrastructure to enhance their cybersecurity defences.

**Chris Hauk**, Consumer Privacy Champion at Pixel Privacy commented on the latest development stating, _“_Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack. Actually, any organization would be advised to follow the steps._“_

_“_Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack_,”_ Chris added.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **CISA – FBI: Chinese Hackers Compromised US Telecom Networks**
3.  **US Charges 5 Suspected MGM Hackers from Scattered Spider Gang**
4.  **Microsoft: Chinese Flax Typhoon uses legit tools for cyber espionage**
5.  **Chinese Hackers Breach US Firm, Maintain Network Access for Months**

US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers

An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the get\_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386\_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Asus RT-AX82U 3.0.0.4.386\_49674-ge182230

**PRODUCT URLS**

RT-AX82U - https://www.asus.com/us/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AX82U/

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-324 - Use of a Key Past its Expiration Date

**DETAILS**

The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like basically every other router, it is configurable via a HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in a more IOT style.

In order to enable remote management and monitoring of our Asus Router, so that it behaves just like any other IoT device, there are a couple of settings changes that need to be made. First we must enable WAN access for the HTTPS server (or else nothing could manage the router), and then we must generate an access code to link our device with either Amazon Alexa or IFTTT. These options can all be found internally at http://router.asus.com/Advanced_Smart_Home_Alexa.asp.

As a high level overview, upon receiving this code, the remote website will connect to your router at the get_IFTTTtoken.cgi web page and provide a shortToken HTTP query parameter. Assuming this token is received within 2 minutes of the aforementioned access code being generated, and also assuming this token matches what’s in the router’s nvram, the router will respond back with an ifttt_token that grants full administrative capabilities to the device, just like the normal token used after logging into the device via the HTTP server.

    0002863c  int32_t do_get_IFTTTToken_cgi(int32_t arg1, FILE* arg2)
    00028660      char* r0 = get_UA_Type(inpstr: &user_agent)                 // [1]
    00028668      char* r0_2
    00028668      if (r0 != 4)   // asusrouter-Windows-IFTTT-1.0
    000286b0          r0_2 = get_UA_Type(inpstr: &user_agent)
    
    // [...]
    000286cc      void var_30
    000286cc      memset(&var_30, 0, 0x20)
    000286d8      char* r0_4 = check_if_queryitem_exists("shortToken")        // [2]
    000286e0      if (r0_4 == 0)
    000286e4          r0_4 = &nullptr
    
    000286ec      int32_t r0_5 = gen_IFTTTtoken(token: r0_4, outbuf: &var_30) // [3]
    
    00028700      fputs(str: &(*"\tif (disk_num == %d) {\n")[0x15], fp: arg2)
    00028708      fflush(fp: arg2)
    0002871c      fprintf(stream: arg2, format: ""ifttt_token":"%s",\n", &var_30) // [4]
    00028724      fflush(fp: arg2)
    00028738      fprintf(stream: arg2, format: ""error_status":"%d"\n", r0_5)
    00028740      fflush(fp: arg2)
    00028750      fputs(str: &data_81196, fp: arg2)
    00028760      return fflush(fp: arg2)
    

At \[1\], the function pulls out the “User-Agent” header of our HTTP GET request and checks to see if it starts with “asusrouter”. It also checks if the text after the second dash is either “IFTTT” or “Alexa”. In either of those cases, it returns 4 or 5, and we’re allowed to proceed in the code path. At \[2\], the function pulls out the shortToken query parameter from our HTTP GET request and passes that into the gen_IFTTTtoken function at \[3\]. Assuming there is a match, gen_IFTTTtoken will output the ifttt_token authentication buffer to var_30, which is then sent back to the HTTP sender at \[4\]. Looking at gen_IFTTTtoken:

    0007b5c8  int32_t gen_IFTTTtoken(char* token, uint8_t* outbuf)
    
    0007b5d4      int32_t r0 = uptime()
    0007b5fc      memset(&ifttt_token_copy, 0, 0x20)
    0007b614      int32_t r0_8
    0007b614      int32_t arg3
    0007b614      int32_t arg4
    0007b614      if (r0 - nvram_get_int("ifttt_timestamp") s> 120)       // [5]
    0007b6ec          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b710              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] short token timeout\n", "gen_IFTTTtoken", 0x3ff, token, outbuf, arg3, arg4)
    0007b714          r0_8 = 1
    0007b630      else if (nvram_get_and_cmp("ifttt_stoken", token) == 0) // [6]
    0007b72c          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b760              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] short token is not the same: endp…", "gen_IFTTTtoken", 0x402, token, p2_nvram_get(item: "ifttt_stoken"), arg3, arg4)
    0007b764          r0_8 = 2
    0007b64c      else if (get_UA_Type(inpstr: &user_agent) != 4)
    0007b77c          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b7a0              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] user_agent not from IFTTT/ALEXA\n", "gen_IFTTTtoken", 0x405, token, outbuf, arg3, 0xf1430)
    0007b7a4          r0_8 = 3
    0007b668      else
    0007b668          int32_t r2
    0007b668          uint8_t* r3
    0007b668          r2, r3 = nvram_set("skill_act_code", p2_nvram_get(item: "skill_act_code_t"))
    0007b674          generate_asus_token(dst: &ifttt_token_copy, len: 0x20, r2, readsrc: r3)     // [7]
    0007b684          strlcpy(dst: outbuf, src: &ifttt_token_copy, len: 0x20)
    0007b694          nvram_set("ifttt_token", &ifttt_token_copy)
    0007b698          nvram_commit()
    0007b6ac          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b6d0              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] get IFTTT long token success\n", "gen_IFTTTtoken", 0x408, token, outbuf, arg3, 0xf1430)
    0007b6d4          r0_8 = 0
    0007b7ac      return r0_8
    

Right at the beginning there is a check \[5\] to see if the uptime of the device is more than two minutes after the ifttt_stoken has been generated. Assuming we are within that timeframe, the ifttt_stoken nvram item is grabbed and compared with our shortToken at \[6\]. If there’s a match, we end up hitting the code branch around \[7\], where the device generates a new ifttt_token and copies it to the output buffer on the next line of code. As a reminder, this token grants the same admin access as the normal HTTP login token.

While nothing really seems out of place at the moment, let’s take a look over at the code which actually generates the ifttt_stoken:

    00074210  uint8_t* do_ifttt_token_generation(uint8_t* output)
    // [...]
    000742c0      char ifttt_token[0x80]
    000742c0      memset(&ifttt_token, 0, 0x80)
    000742d0      char timestamp[0x80]
    000742d0      memset(&timestamp, 0, 0x80)
    000742e0      char rbinstr[0x8]
    000742e0      rbinstr[0].d = 0
    000742e8      int32_t* randbinstrptr = &rbinstr
    000742f4      rbinstr[4].d = 0
    00074308      srand(x: time(timer: nullptr))
    0007431c      // takes the remainder...
    00074324      int_to_binstr(inp: __aeabi_idivmod(rand(), 0xff), cpydst: randbinstrptr, len: 7)              // [8]
    // [...]
    00074608      snprintf(s: &ifttt_token, maxlen: 0x80, format: &percent_o, binary_str_to_int(randbinstrptr)) // [9]
    0007461c      nvram_set("ifttt_stoken", &ifttt_token)
    00074638      snprintf(s: &timestamp, maxlen: 0x80, format: &percentld, uptime())                           // [10]
    00074648      nvram_set("ifttt_timestamp", &timestamp)
    00074658      strlcpy(dst: output, src: &skill_act_code, len: 0x48)
    0007465c      nvram_commit()
    0007466c      return output
    

With the unimportant code cut out, we are left with a somewhat clear view of the generation process. At \[8\] a random number is generated that is then moded against 0xFF. This number is then transformed into a binary string of length 8 (e.g. ‘00101011’). A lot further down at \[9\], this randbinstrptr is converted back to an integer and fed into a call to snprintf(&ifttt_token, 0x80, "%o", ...), which generates the octal version of our original number. With this in mind, we can clearly see that the keyspace for the ifttt_stoken is only 255 possibilities, which makes brute forcing the ifttt_stoken a trivial matter. While normally this would not be a problem, since the ifttt_stoken can only be used for two minutes after generation, we can see a flaw in this scheme if we take a look at the ifttt_timestamp’s creation. At \[10\] we can clearly see that it is the uptime() of the device in seconds (which is taken from sysinfo()). If we recall the actual check from before:

    0007b5d4      int32_t r0 = uptime()
    // [...]
    0007b614      if (r0 - nvram_get_int("ifttt_timestamp") s> 120)
    // [...]
    0007b630      else if (nvram_get_and_cmp("ifttt_stoken", token) == 0)
    

We can see that the current uptime is used against the uptime of the generated token. Unfortunately for the device, uptime starts from when the device was booted, so if the device ever restarts or reboots for any reason, the ifttt_stoken suddenly becomes valid again since the current uptime will most likely be less than the uptime() call at the point of ifttt_stoken generation. Neither the ifttt_timestamp or the ifttt_stoken are ever cleared from nvram, even if the Amazon Alexa and IFTTT setting are disabled, and so the device will remain vulnerable from the moment of first generation of the configuration.

**TIMELINE**

2022-08-01 - Initial Vendor Contact  
2022-08-09 - Vendor Disclosure  
2022-11-16 - Vendor Patch Release  
2023-01-10 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2022-35401: TALOS-2022-1586 || Cisco Talos Intelligence Group

Apple Security Advisory 01-22-2024-2 - iOS 17.3 and iPadOS 17.3 addresses bypass and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3iOS 17.3 and iPadOS 17.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214059.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone XS and later,iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 8thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecurityCoreCryptoAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5ciphertexts without having the private keyDescription: A timing side-channel issue was addressed with improvementsto constant-time computation in cryptographic functions.CVE-2024-23218: Clemens LangKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team ofLegendsec at QI-ANXIN GroupMail SearchAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), andIan de MarcellusNSSpellCheckerAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved handling offiles.CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Reset ServicesAvailable for: iPhone XS and laterImpact: Stolen Device Protection may be unexpectedly disabledDescription: The issue was addressed with improved authentication.CVE-2024-23219: Peter Watthey and Christian ScaleseSafariAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A shortcut may be able to use sensitive data with certainactions without prompting the userDescription: The issue was addressed with additional permissions checks.CVE-2024-23203: an anonymous researcherCVE-2024-23204: Jubaer Alnazi (@h33tjubaer)ShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to bypass certain Privacy preferencesDescription: A privacy issue was addressed with improved handling oftemporary files.CVE-2024-23217: Kirin (@Pwnrin)TCCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: An issue was addressed with improved handling of temporaryfiles.CVE-2024-23215: Zhongquan Li (@Guluisacat)Time ZoneAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to view a user's phone number in system logsDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.3 and iPadOS 17.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDP8ACgkQX+5d1TXaIvp1NA//Ziu4pKJd/OIbEjiPfVw8w/q2A4uPkHzOtxWWeSsuQHmUjULi9PGLtjFdOy6SGjIAXKkP5wpt2qoOXcqEwP8kQzMQZwmRSHyPbSNXLyDiThgLdFWOqV5GcO1+eM7vOvKfcf7ITJJashPS4gJet7QpqX0vM5Pop9XJlS679IdhnauCY/ocmoWafvayY7IZf6SXYXh/V6wWk76zW7ZAgdWz0qxPjoObc3UrggJagBuBGzbSbEj1aK+tw8GMKw0whSG1fMqoLWsIielGaAahHmyIrg424S3HK/JdAXU8QXKKUc3HYVyShceLIgf7Gn/RFtIFiqoAlublgbEXthPYVG+pwFMvjUiCFPZK4tQ9yDtst+6ViPT+LK8Ea21ZqwvWTYqcFzKVbc+DcA4W0sLZE9Rc3tMXm60qoy5x1T4tIOFGSotrjH0M8CthxaxSMxRusr4ejiczr5dbeq/4pjU5PevU/kZVIp0lA65WkznSqio/UxpJ9uD2Oh2C8ZKOHE/az3I3zD7Tll52RPWA201fvo9Q3bCL5JRd/ayXN+tVRuyACkLPcDgPMNB8TdjoBrzFvJ8KRg9XHn9qJSsz/h15UJ/lwVOKBHmSP3H+VWBR/ts0oKcj+UQGmNSHtWNXvreC6ZbQi16JSK2wp0MvVWbFrWnwg0Ory4e5x5hHbrBEvvw0Qwk==kOJs-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-2

Apple Security Advisory 09-26-2023-3 - iOS 16.7 and iPadOS 16.7 addresses bypass, code execution, and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-09-26-2023-3 Additional information for APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7iOS 16.7 and iPadOS 16.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213927.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.App StoreAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A remote attacker may be able to break out of Web ContentsandboxDescription: The issue was addressed with improved handling ofprotocols.CVE-2023-40448: w0wboxEntry added September 26, 2023Biometric AuthenticationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read was addressed with improved boundschecking.CVE-2023-41232: Liang Wei of PixiePoint SecurityEntry added September 26, 2023CoreAnimationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40420: 이준성(Junsung Lee) of Cross RepublicEntry added September 26, 2023Game CenterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access contactsDescription: The issue was addressed with improved handling of caches.CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive SecurityEntry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GrouplibxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access protected user dataDescription: An authorization issue was addressed with improved statemanagement.CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to delete files for which it does not havepermissionDescription: A permissions issue was addressed with additionalrestrictions.CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxsltAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive informationDescription: The issue was addressed with improved memory handling.CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK SecurityEntry added September 26, 2023MobileStorageMounterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A user may be able to elevate privilegesDescription: An access issue was addressed with improved accessrestrictions.CVE-2023-41068: Mickey Jin (@patch1t)Entry added September 26, 2023Pro ResAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41063: Certik Skyfall TeamEntry added September 26, 2023SafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to identify what other apps a user hasinstalledDescription: The issue was addressed with improved checks.CVE-2023-35990: Adriatik Raci of Sentry CybersecurityEntry added September 26, 2023SecurityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupShare SheetAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive data logged when a usershares a linkDescription: A logic issue was addressed with improved checks.CVE-2023-41070: Kirin (@Pwnrin)Entry added September 26, 2023WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupAdditional recognitionAppSandboxWe would like to acknowledge Kirin (@Pwnrin) for their assistance.Entry added September 26, 2023libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Entry added September 26, 2023KernelWe would like to acknowledge Bill Marczak of The Citizen Lab at TheUniversity of Toronto's Munk School and Maddie Stone of Google's ThreatAnalysis Group for their assistance.WebKitWe would like to acknowledge Khiem Tran, Narendra Bhati From Suma SoftPvt. Ltd, Pune (India) for their assistance.Entry added September 26, 2023WebRTCWe would like to acknowledge anonymous researcher for their assistance.Entry added September 26, 2023This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7 and iPadOS 16.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJYACgkQX+5d1TXaIvpAZBAAwt2P4P00xvAkwAiuPBf8IiaotxTgIVyUWKHWteDuUPKYm/I6gI10L/a1zWf9eHpFtiEtGsJ6ggXmbyXMBjKCEUglSqadeAaikMsQjeKyPTHwba00TMqhg5H3Cl7VB8QTW6CQtW+38M2z9hAQuEbGkgdgLR+GmEV84VrAz6nD3uzv+D84M4yrcGndVuaI6oENRGK+u+pYUAjlc1Q7B7np8fME4kTEwE29RXQBTmSzaMBSPDcL6bysLbQ/5KqyeGJqapeK7VY6DWHFlidjO205Y/s6sjyMtSTgNgcMQv90YSN2RGi2xzv69Hw0KWhWbZK9Clz/sYrJf9EDXEoPh/4D/khWVbiiRTyhIcpz/BbRmxnV+Ns5Bq1RHAax4MQrIoUSBCoswbA/LRZ2vryvNAHXXbgyA6zZhPwud6XhFdyElEMV7/rj5w6KYWxTitBBwPRv7iOnJS2kKvzDVklwYbzesrNjohGygLmSP69areh25NbAHr9FViiFf2mQtGkYsIbVSL0ds1oKieZGYJlymVfc2F0bxy1OL+MvKTRZPflXFW3j1MIroK2zcrzx55YzRClZY1TIT2NxcQec3IG50+r6mOhJoS8OqVa97ID6YQ1/DixxKucL0bK0H8NvuTq81vnJjAZPY1lXpNz2UjFbyt2+rdjAsbM1UJY0VRJeuM5lfF0==4GXG-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-3

Sixteen states collectively suffered more than 90 false reports of school shooters during three weeks in September—and many appear to be connected.

At 1:15 pm on September 15, a man who identified himself as Tom Gomez called Sangamon County Central Dispatch in Illinois to report that two gunmen had shot a dozen students at Springfield High School. According to call audio obtained by WIRED, the man was specific. The caller, breathing heavily, told dispatchers that he was locked inside a math classroom with other students and that the two men, both dressed in blue pants and green jackets, were killing students in the adjacent classroom: room 219.

Within five minutes, Springfield Police were at the high school's second floor, descending on the room where they were told a mass murder had occurred. The problem is that, according to police records, Springfield High doesn’t have a room 219. In fact, there was no shooting at all.

The dangerous hoax call was one of more than 90 false reports of active shooter incidents at US schools made during the second half of September, WIRED found. From Lincoln High in Dallas, Texas, to Lincoln High in Des Moines, Iowa; McArthur High in Hollywood, Florida, to Hollywood High in Los Angeles, these false reports are part of a disturbing spree of recent swatting incidents that crisscross the United States. While experts who study violence at schools say that false reports of shootings inspire copycats, state and local law enforcement officials say that many of these swatting attacks seem to stem from a single person or group.

Through local news reports, police records, and interviews with state and local officials, WIRED compiled a list of 92 false reports of school shooting incidents in 16 states that took place from September 13 to 30. Many of the false reports we tracked align with data collected by the Educator’s School Safety Network. While several impacted states experienced only one such call, others recorded a staggering number, including at least eight in Ohio, 15 in Virginia, and 17 in Minnesota during that three-week period.

Of the false reports WIRED tracked, at least 32 appear to be linked to a single group or perpetrator. Of the 60 remaining calls, many were made within minutes of one another. Most police departments refused to provide us with records or did not respond to multiple requests to confirm details about the contents of the calls, however, so the number of calls linked to a single swatting campaign may be much higher.

Data Visualization: Datawrapper

Superintendent Drew Evans of the Minnesota Bureau of Criminal Apprehension, a statewide fusion center tracking these incidents, says that in each of the 17 calls in his state, the caller had a distinct accent and that the calls were made using the same voice over IP technology. “There’s a lot of different technology that could make it appear to be a single person, but all the indications we have are that it’s either one person or a single entity,” Evans says.

In audio of the call to Springfield dispatch, the caller indeed had a discernible accent. In a detailed report of the call for service, the dispatcher noted that the caller was a “FOREIGN SPEAKING MALE” and that the caller was “SPEAKING VERY FAST WITH MIDDLE EASTERN ACCENT.” Audio of two calls from Ohio that WIRED obtained appear to be of the same person as the Springfield call's “Tom Gomez," and the caller describes the fake shooting with nearly identical details about the incident. In total, law enforcement officials from six states—Illinois, Iowa, Louisiana, Minnesota, Ohio, and Virginia—all described receiving similar calls. In each call, officials confirmed that a man with a heavy accent called from an out-of-state number and reported a mass-casualty attack. In some instances the caller reported that the shooting occurred in a specific room number that does not exist and included details about the color of the pants, shirts, and jackets of the alleged shooters.

The voice in the false-report call about Springfield High in Illinois sounds identical to a caller targeting schools in other states. One from Ohio is embedded below.

Swatting—a prank call in which someone makes a false report to emergency services in order to get a SWAT team dispatched to a target location—has been around for more than a decade. (The US Department of Justice has used the term “swatting” since at least 2007.) While no one has been seriously injured in the recent surge of swatting attacks at schools, these pranks can be deadly. In 2017, Wichita police shot and killed a 28-year-old man at his front door while responding to a false report. (In what appears to be a coincidence, Wichita’s North High School was targeted in this recent spree.)

Bolton High School in Alexandria, Louisiana, was one of at least 16 Louisiana schools targeted in September. Lieutenant Lane Windham of the Alexandria Police Department says the explanation is obvious. “I don’t think this is some prank. It’s terrorism,” he says. “When someone’s trying to terrorize the teachers, parents, all the students, and the community, what else can you call it?”

School swatting attacks appear to be preying on a familiar American fear that not only are students vulnerable to violence in their classrooms, but that law enforcement is powerless to stop it, sometimes spurring parents to try to do so themselves. This nightmare scenario became all too real during the mass shooting at Robb Elementary in Uvalde, Texas, in late May, where parents rescued their own children as police failed to act. Meanwhile, the threat of school shootings remains all too real. ​​According to research from Everytown USA, a nonprofit that tracks school shootings, the 2021–2022 school year saw nearly quadruple the average number of gunfire incidents since 2013.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us