This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command Injection  
Advisory ID: ZSL-2022-5740  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 14.12.2022

**Summary**

The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper

**Description**

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

**Vendor**

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

**Affected Version**

FM/HD Radio Processing:  
Impact/Pulse/First (Version 2: 1.1/2.15)  
Impact/Pulse/First (Version 1: 2.1/1.69)  
Impact/Pulse Eco 1.16  
Voice Processing:  
BigVoice4 1.2  
BigVoice2 1.30  
Web-Audio Streaming:  
Stream 1.1/2.4.29  
Watermarking:  
WM2 (Kantar Media) 1.11

**Tested On**

Apache/2.4.25 (Unix)  
OpenSSL/1.0.2k  
PHP/7.1.1  
GNU/Linux 5.10.43 (armv7l)  
GNU/Linux 4.9.228 (armv7l)

**Vendor Status**

\[26.09.2022\] Vulnerability discovered.  
\[30.09.2022\] Vendor contacted.  
\[13.12.2022\] No response from the vendor.  
\[14.12.2022\] Public security advisory released.

**PoC**

sound4\_traceroute\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[14.12.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x (traceroute.php) Conditional Command Injection

The application allows an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilisation of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood Attack  
Advisory ID: ZSL-2022-5728  
Type: Local/Remote  
Impact: DoS  
Risk: (3/5)  
Release Date: 14.12.2022

**Summary**

The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper

**Description**

The application allows an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilisation of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

**Vendor**

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

**Affected Version**

FM/HD Radio Processing:  
Impact/Pulse/First (Version 2: 1.1/2.15)  
Impact/Pulse/First (Version 1: 2.1/1.69)  
Impact/Pulse Eco 1.16  
Voice Processing:  
BigVoice4 1.2  
BigVoice2 1.30  
Web-Audio Streaming:  
Stream 1.1/2.4.29  
Watermarking:  
WM2 (Kantar Media) 1.11

**Tested On**

Apache/2.4.25 (Unix)  
OpenSSL/1.0.2k  
PHP/7.1.1  
GNU/Linux 5.10.43 (armv7l)  
GNU/Linux 4.9.228 (armv7l)

**Vendor Status**

\[26.09.2022\] Vulnerability discovered.  
\[30.09.2022\] Vendor contacted.  
\[13.12.2022\] No response from the vendor.  
\[14.12.2022\] Public security advisory released.

**PoC**

sound4\_icmp\_flood.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[14.12.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x (ping/traceroute) ICMP Flood Attack

The suit claims the company lacks adequate moderation to prevent widespread hate speech that has led to violence and death.

On November 3, 2021, Meareg Amare, a professor of chemistry at Bahir Dar University in Ethiopia, was gunned down outside his home. Amare, who was ethnically Tigrayan, had been targeted in a series of Facebook posts the month before, alleging that he had stolen equipment from the university, sold it, and used the proceeds to buy property. In the comments, people called for his death. Amare’s son, researcher Abrham Amare, appealed to Facebook to have the posts removed but heard nothing back for weeks. Eight days after his father’s murder, Abrham received a response from Facebook: One of the posts targeting his father, shared by a page with more than 50,000 followers, had been removed.

"I hold Facebook personally responsible for my father's murder," he says.

Today, Abrham, as well as fellow researchers and Amnesty International legal adviser Fisseha Tekle, filed a lawsuit against Meta in Kenya, alleging that the company has allowed hate speech to run rampant on the platform, causing widespread violence. The suit calls for the company to deprioritize hateful content in the platform’s algorithm and to add to its content moderation staff.

“Facebook can no longer be allowed to prioritize profit at the expense of our communities. Like the radio in Rwanda, Facebook has fanned the flames of war in Ethiopia,” says Rosa Curling, director of Foxglove, a UK-based nonprofit that tackles human rights abuses by global technology giants. The organization is supporting the petition. “The company has clear tools available—adjust their algorithms to demote viral hate, hire more local staff and ensure they are well-paid, and that their work is safe and fair—to prevent that from continuing.”

Since 2020, Ethiopia has been embroiled in civil war. Prime Minister Abiy Ahmed responded to attacks on federal military bases by sending troops into Tigray, a region in the country’s north that borders neighboring Eritrea. An April report released by Amnesty International and Human Rights Watch found substantial evidence of crimes against humanity and a campaign of ethnic cleansing against ethnic Tigrayans by Ethiopian government forces. 

Fisseha Tekle, Amnesty International's lead Ethiopia researcher, has further implicated Facebook in propagating abusive content, which, according to the petition, endangered the lives of his family. Since 2021, Amnesty and Tekle have drawn widespread rebuke from supporters of Ethiopia’s Tigray campaign—seemingly for not placing the blame for wartime atrocities squarely at the feet of Tigrayan separatists. In fact, Tekle’s research into the countless crimes against humanity amid the conflict fingered belligerents on all sides, finding the separatists and federal Ethiopian government mutually culpable for systematic murders and rapes of civilians. Tekle told reporters during an October press conference: “There’s no innocent party which has not committed human rights violations in this conflict.”

In a statement Foxglove shared with WIRED, Tekle spoke of witnessing “firsthand” Facebook’s alleged role in tarnishing research aimed at shining a light on government-sponsored massacres, describing social media platforms perpetuating hate and disinformation as corrosive to the work of human rights defenders.

Facebook, which is used by more than 6 million people in Ethiopia, has been a key avenue through which narratives targeting and dehumanizing Tigrayans have spread. In a July 2021 Facebook post that remains on the platform, Prime Minister Ahmed referred to Tigrayan rebels as “weeds” that must be pulled. However, the Facebook Papers revealed that the company lacked the capacity to properly moderate content in most of the country’s more than 45 languages. 

Leaked documents shared by Facebook whistleblower Frances Haugen show that parent company Meta's leadership remained well-informed of the platform's potential for exacerbating political and ethnic violence throughout the Tigray war, earning Ethiopia special attention at times from the company's premiere risk and response team. By at least 2021, the documents show, conflict in the country had raised enough alarms to warrant the formation of a war-room-like operation known as an IPOC, a process Facebook created in 2018 to respond rapidly to political "crisis moments." 

Relative to its usual content moderation processes, IPOC is viewed internally as a scalpel, deployed not only to anticipate emerging threats but triage cases of "overwhelming abuse" spurred on by political flash points. This includes the use of so-called "break the glass" measures: dozens of "levers" IPOC teams can deploy during exceptionally inciteful events to quell spikes in hate speech on the platform. In the US, for instance, this included the November 2020 election and subsequent attack on the US Capitol. 

In testimony before the US Senate last fall, Haugen likened the violence in Ethiopia to the genocide of more than 25,000 Rohingya Muslims in Myanmar, war crimes for which Facebook has been internationally condemned for its role in instigating, by the United Nation's Human Rights Council, among others. "What we saw in Myanmar and are now seeing in Ethiopia are only the beginning chapters of a story so terrifying no one wants to read the end of it," Haugen, a former Facebook product manager, told lawmakers. 

As late as December 2020, Meta lacked hate speech classifiers for Oromo and Amharic, two of the major languages spoken in Ethiopia. To compensate for its inadequate staff and in the absence of classifiers, Meta’s team searched for other proxies that would allow them to identify dangerous content, a method known as network-based moderation. But the team struggled because they found, for reasons not immediately clear, that Ethiopian users were far less likely to perform actions that Facebook had long used to help detect hate speech, which included the appearance of too many "angry" face reactions. One internal proposal suggested ditching this model entirely, replacing it instead with one that lends greater weight to other "negative" actions, such as users un-liking pages or hiding posts. It's not clear from the documents whether the proposal was accepted.

In its 2021 roadmap, Meta designated Ethiopia as a country in “dire” risk of violence, and in an assessment of the company’s response to violent and inciting content, it ranked its own capacity in Ethiopia as a 0 out of 3. Yet, in another document, a Meta staff member acknowledged that the company lacked “human review capacity” for Ethiopia in the run-up to the country’s elections. 

The petitioners have asked the high court to issue a declaration naming Meta responsible for violating a slate of basic rights guaranteed under Kenya’s Constitution of 2010: the right to freedom of expression and association; the right not to be subjected to violence or have information about one’s family or private affairs unnecessarily publicized; and the right to equal protection under the law, among others. Moreover, the petitioners have asked the court to order the establishment of a victims' fund of over $2 billion, with the court itself dispersing the funds on a case-by-case basis. Lastly, they’ve asked the court to compel Facebook to declare that its algorithms will no longer promote inciteful, hateful, and dangerous content and demote it wherever found, in addition to rolling out new crisis mitigation protocol “qualitatively equivalent to those deployed in the US,” for Kenya and all other countries whose content Meta moderates from Nairobi. 

“Kenya is the content moderation hub for posts in Oromo, Tigrinya, and Amharic. These are the only three Ethiopian languages, out of the 85 spoken in the country, that Facebook’s current content moderators can even attempt to cover,” says Curling. “There are currently 25 Facebook content moderators working on Ethiopian-related content for a country of 117 million people. Decisions by these individuals, forced to work in awful and unfair conditions, about what posts are taken down and what remains online are taken in Kenya, and it is the Kenyan courts, therefore, that need to determine both men’s legal challenge.”

Meta spokesperson Sally Aldous told WIRED that hate speech and incitement to violence are against the company’s policies. “Our safety and integrity work in Ethiopia is guided by feedback from local civil society organizations and international institutions,” she says. “We employ staff with local knowledge and expertise, and continue to develop our capabilities to catch violating content in the most widely spoken languages in the country, including Amharic, Oromo, Somali, and Tigrinya.” 

Aldous did not address whether the company has more than 25 moderators focused on the country and whether the company has an IPOC team focused on the conflict in Tigray, beyond the country’s election cycles.

Meanwhile, in the wake of his father’s death, Amare and his family were forced to flee their home. He is currently awaiting the outcome of his asylum claim in the United States.

“Every dream we had collapsed,” he says.

A New Lawsuit Accuses Meta of Inflaming Civil War in Ethiopia

A confluence of factors is leading people in the nation to gravitate toward extremist views.

All across the country, there are signs of a more radicalized American populace. It’s become impossible to ignore over the past few years. The US has witnessed an insurrection, the rise of QAnon, increasing anti-Semitism, attacks on the LGBTQ community, and more. While radicalism has risen to some degree in many other Western nations, this trend has been exceptionally more pronounced in the United States. It is, therefore, necessary to determine the root causes of it and what makes America, well, exceptional. 

To better understand extremism in the US, it’s necessary to understand who is being radicalized. It’s primarily right-wing extremism, but right-wing extremism covers many different groups and types of people who engage with it. It’s not just the people who join militias like the Proud Boys or the Oath Keepers, it’s the seemingly ordinary people who latch onto QAnon or other conspiracy theories. 

The January 6, 2021, attack in Washington is a good case study on what kind of people have become radicalized in the US. There were members of militia groups there, but research has shown roughly 90 percent of the people who stormed the Capitol were not affiliated with militias or other far-right groups. Many were business owners or regular working people who became convinced over time that the 2020 election had been stolen from Donald Trump.

Conspiracy theories like those under the QAnon umbrella have infiltrated many groups of people one might not expect. They’ve found their way into yoga and parenting groups. A neighbor you regularly encounter at the grocery store and don’t think twice about could be in the process of being radicalized. People from all walks of life can be influenced by these conspiracy theories. 

All of that said, there are some notable psychological and social factors that could be causing Americans to become more prone to embrace extreme ideologies. One of the key factors appears to be a strong sense of uncertainty. The human brain doesn’t like uncertainty, and it can cause people to seek out a path to feeling more certain and assured by any means possible.

J. M. Berger, an author and researcher who focuses on extremism, says there have been many reasons for people to feel uncertain over the past decade or so. Rapid changes in technology, major shifts in the labor market and the economy, the Covid-19 pandemic, and more have caused many Americans to feel unanchored. This creates a situation where extremism can flourish.

“What you find is people are most vulnerable to authoritarianism and extremist impulses when they don’t know what they’re supposed to do,” Berger says. “They don’t know where they fit in the world.”

Arie Kruglanski, a professor of psychology at the University of Maryland, says that something that motivates people in uncertain times is a need to feel significant. 

“These things increase the motivation to reassert your significance. Once you have that, you’re vulnerable to narratives that promise you a restoration of your significance,” Kruglanski says. “Many of these conspiracy theories—most of them, I would think—do that.”

Extremist movements can make people feel significant, give them a sense of purpose, and provide them a narrative that explains why everything seems so screwed up. They also give them a sense of community and support. Kruglanski says the more you feel embraced by a network of people, the more you feel motivated to embrace their narrative, even if it’s extreme. Oftentimes, he says, people don’t realize how extreme the group they’re joining actually is until they’ve become invested in it.

Berger says social media has ramped up feelings of uncertainty. He says that’s partly due to the fact that ideas can now almost instantly be spread far and wide with little effort, which can be destabilizing.

“In the past, when transmission of ideas was slower, the ideas had a chance to evolve as they were being transmitted. This would sometimes create a sort of moderating influence,” Berger says. “With social media, ideas move so fast that there’s really no prospect for moderation. Even the most extreme ideas can spread incredibly quickly.”

Social media has also made it easier for people to become radicalized because they can easily find people who share any extreme views they may have and who will happily invite them into a movement. Someone who wouldn’t have met people who share their views in the small town they lived in years ago can easily find a community online and become further radicalized.

“Social media has radically changed how people communicate,” Berger says. “It’s radically changed the kinds of ideas people are exposed to.” 

Research has shown social media exacerbates political polarization, often pushes users to view more extreme content, and helps extremists organize and coordinate their efforts. Social media also has positive impacts in terms of helping organize activists and connecting people in beneficial ways, but its negative effects and uses are significant.

“The network support, the clandestine conspiracy narratives combined with the sense of uncertainty, sense of lost significance—these elements create a combustible mixture that can be lit and lead to radicalization and radical action,” Kruglanski says.

So, many people feel uncertain and insignificant, and social media is flooded with disinformation and groups of extremists who will invite them into a movement. That’s some of it. The more obvious aspect of this, but one that is important, is the role of political leaders in America and a Republican Party that has become more extreme itself. 

“We have people who are the top leaders of a right-wing party who are really just willing to come out and express and endorse positions that are much more radical than what used to be the norm in American politics,” Berger says. “They’re creating a permission structure for people to talk about racism and violence in ways that previously would have been outside of the realm of civil discourse.”

Thomas Zeitzoff, an associate professor in the School of Public Affairs at American University, says the Republican Party has embraced—and is now largely controlled by—extreme figures who would have been sidelined in the past.

“The people who used to gatekeep and keep out people like Pat Buchanan or kick out the John Birchers are not running the party,” Zeitzoff says. “I’m a big believer that parties have to be strong gatekeepers. You have to push people like Marjorie Taylor Greene and Lauren Boebert out. They have no business being in a mainstream party.”

Bringing the US back to a more stable place and countering extremism isn’t an easy thing to do when extremism has become this rampant, but there may be some solutions. Kruglanski says those who oppose this extremism need to find positive ways to offer people significance, dignity, and a sense of certainty. Berger proposed a similar remedy.

“If there is a solution, I think it’s to pursue policies that give people some sense of security and understanding of where they are and how they’re supposed to interact with the world,” Berger says.

There will always be conspiracy theorists. Social media isn’t going anywhere. And political leaders will forever use fear and lies to influence people. But America will have to deal with these conditions that are making extremism more likely if it’s going to continue to function politically. A house built on dynamite is a dangerous place to live.

Why Are People in the US Becoming Radicalized?

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1 SQL Injection

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Incorrect Use of Privileged APIs [CWE-648]  
Date found:     2022-07-16  
Date published: 2022-12-07  
CVSSv3 Score:   7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)  
CVE:            -

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 5.1 (latest) and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a  
local privileges escalation vulnerability using the application user "dcm" used to  
run the web application and the rest interface. An attacker who gained RCE using  
this dcm user (i.e., through Log4j) is then able to escalate their privileges to  
root by abusing a weak Sudo configuration for the "dcm" user:

dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool  
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp  
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod

The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the  
Data Center Manager to be vulnerable. Successful exploits can allow an authenticated  
attacker to execute commands as root. In this way, the attacker can compromise the  
victim system's entire confidentiality, integrity, and availability, thereby allowing  
to persist within the attached network.

6. PROOF OF CONCEPT  
===================  
Just one way of exploitation is by replacing the current sudoers configuration:

1.Create a new sudoers configuration file using the compromised "dcm" user in i.e. /tmp/  
2.sudo chmod 440 /tmp/sudoers  
3.sudo cp sudoers /etc/sudoers  
4.sudo /bin/bash

7. SOLUTION  
===========  
None. Intel thinks that this is not a vulnerability and therefore does also not assign  
a CVE for it.

8. REPORT TIMELINE  
==================  
2022-07-16: Discovery of the vulnerability  
2022-07-16: Reported to vendor via their bug bounty program  
2022-07-18: Vendor response: Sent to "appropriate reviewers"  
2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)."  
2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)  
2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC  
2022-09-22: Sent a clarification about the PoC  
2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed.  
2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM  
2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM  
2022-10-10: Made clear that Log4shell is not the point about the report  
2022-10-11: Vendor states "We do not clearly see a a vulnerability demonstrated in DCM"  
2022-10-12: [Back and forth about the provided PoCs]  
2022-10-12: I'm giving up.  
2022-12-07: Public disclosure

9. REFERENCES  
==============  
https://github.com/MrTuxracer/advisories

Intel Data Center Manager 5.1 Local Privilege Escalation

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Planet eStream Code Execution / SQL Injection / XSS / Broken Control

The UK's use of technology to enforce its hard-line immigration policy brings the border into every facet of migrants' lives.

In 2019, Anna moved from Poland to the UK with her partner and three children. Soon after they settled into their home and new life, he became violent. Anna attempted to leave, taking their children with her. But when she contacted her local council’s social services, they asked her about her immigration status. There was a problem.

Anna—a pseudonym, for privacy and safety reasons—had a valid visa under the EU Settlement Scheme (EUSS), which required European citizens to register with the British immigration authorities after Britain voted to leave the EU in 2017. But when she tried to prove it, she couldn’t. She had never received a text message or a physical letter saying that she had settled status. Anna went back into the household with her children and her abuser, with nowhere else to go.

When Anna got in touch with the immigration authorities, they put her through to a technical team that, she says, rarely called her back and seemed to constantly be too busy, with long waiting times. Once she got through to the helpline, they confirmed that she had made a valid application (and that her children had settled status, so they had the right to remain in the UK). But they couldn’t give her access to her account. Without it, she couldn’t generate a sharecode—digital proof of her immigration status that would allow her to access social services, get a job, or rent an apartment.

After another serious incident, the police finally gave her abuser an injunction. Anna left the house, but she lost a job offer because she couldn’t prove her immigration status. She couldn’t apply for benefits because she didn’t have proof that she was also actively working. In March 2022, she received confirmation through a charity that was helping her that she had presettled status. But she still hasn’t been contacted by the UK’s Home Office directly—and still has no access to her sharecode.

Anna’s story is shocking. But as the UK’s immigration and policing agency, the Home Office, emphasizes a “digital-by-default” approach to border management, these stories are becoming increasingly common. Earlier this year, the Home Office released its “New Plan for Immigration,” which laid out the increasing digitization of the UK’s immigration system. “We will have a seamless, fully digital, end-to end journey for customers interacting with the immigration system by 2025,” the Home Office said in its plan. 

Currently, migrants and people applying for new visas in the UK are encouraged to use an app to submit their biometrics, including scans of their face; to fill out forms online; and to prove their immigration status with sharecodes. Technology is playing a larger role in immigration systems around the world, affecting the ways borders can be enforced in a physical space and borders and immigration status are maintained once people enter a country. For migrants, this increasing digitization of the immigration system makes it possible for the border to be anywhere and everywhere, spreading into all corners of their lives. 

A Hostile Environment

Public interest in migration is significant in the UK, with more than 50 percent of Britons polled saying it was one of the most important issues facing the union. The Home Office has made multiple justifications for its move to digital status: that it will be better for older people who won’t have to keep track of a piece of paper, that it could enhance security for vulnerable people who might otherwise have their documents taken away by nefarious actors (for example, traffickers or exploitative employers), and that there will be sufficient time for people to fully transition to digital status. But campaigners, organizations, and lawyers working with migrant communities around the UK say these digital systems are already rife with problems, many of which will only get worse.

“Do we have an immigration system that treats people as full humans, that is responsive to people’s circumstances and is based on common sense?” asks Mary Atkinson of the Joint Council for the Welfare of Immigrants, a UK-based nonprofit. “A digital system might work to make the system that it’s implementing quicker, but there will always be problems, glitches that cause anguish and real pain.” 

In 2012, then-home secretary Theresa May announced that the UK’s immigration policy would be geared toward making the UK a “hostile environment” for immigrants. If you didn’t have regularized immigration status (such as a visa or a settlement route), the UK would become such a difficult place to live that you would leave of your own volition. As part of this plan, more and more people were tasked with checking immigration status—from landlords to bank clerks, teachers, university lecturers, and doctors—to ensure that people could access services.

These types of checks have played a role in a host of problems, including the Windrush scandal.  Academics and activists have noted that it has become relatively easy for people to slip through the cracks of legal status, making them vulnerable to removal or detention. Since May, there have been five home secretaries, all of whom have repeatedly emphasized their desire to reduce immigration to the UK (even when these plans draw condemnation from the UN and other international bodies). The most recent, Suella Braverman (who was in the post for 40 days, fired for a security breach, and then reinstated a week later), courted controversy for saying that it was her dream to see refugees to the UK deported to Rwanda. Those in the sector say Braverman is just as hard-line as her predecessor, Priti Patel—if not more so. 

What this means in practice is that people’s information and proof of immigration status are kept on databases owned and operated by the Home Office. The first example of this was the EUSS, but other visa routes are going the same way—such as the Graduate Route visa, which was introduced last year and which people apply for with an app, and the Ukraine Family Scheme, which was introduced earlier in 2022 for people fleeing the conflict in Ukraine. If you’re approved to remain under these conditions, when you apply for a job or try to open a bank account, you will be asked to generate a sharecode that your employer or a bank employee or a police officer can input into their end of the Home Office database to verify your status. 

“We’re at the beginning of a widespread conversation about data collection, and we see that the Home Office has no accountability,” says Andreea Dimitrsou, who works at the 3million, a campaign group in the UK that advocates for the rights of EU citizens living in the UK.

People working in the sector, particularly with migrant communities, have countless stories of the way that digital-by-default systems are affecting their clients. “We have real concerns about the digital hostile environment,” says Julia Tinsley-Kent of Migrants Rights Network, an NGO. “If people are buying data packages to prove their visa status—that’s a worry, especially with the cost of living. There are risks of harm that haven’t been properly investigated—security issues, people being able to see other people’s statuses erroneously, system failures.”

In 2019, the Home Office announced the Status Checking Project, a centralized database that made it possible for migrants to prove their status. Immigrant rights campaigners and members of parliament at the time called it “seriously concerning,” both because of the scale of data collected and the seeming lack of safeguards in place. As a result of the nature of the UK’s immigration system, where people who aren’t border guards are tasked with checking immigration status, the digitization of these services has wide-reaching impacts.

“It’s a good idea for the government to be thinking about this, and the government should be taking initiative around digitization,” says Joe Tomlinson, a lecturer at the University of York who has carried out extensive research into automation in the UK’s immigration system. “My concern is that they’re not doing it very well.” Tomlinson and fellow researcher Jed Meers recently released a paper after surveying 200 landlords about their willingness to use a digital immigration checking service when renting to prospective tenants. They found that an applicant whose name didn’t sound “British” but who had a British passport had an 87 percent chance of being accepted as a tenant. However, if this prospective tenant only had digital proof of immigration status, they had a 13 percent chance of being accepted as a tenant—with the digital status taking precedence over factors like employment, age, and gender.

The EUSS has increasingly become a testing ground for some of these issues. “You bake problems into the way that systems are built,” says Tomlinson. “You can have something that looks like it’s producing outcomes, but the procedural systemic flaws happen, and you get situations like what’s happening with the EUSS.” As of June 2022, more than 5.83 million people had applied to the EUSS, with 5.4 million of those granted status. (The Home Office told WIRED in a statement that the total number of people granted status is now 5.9 million.)  But since the program opened in June 2020, the number of people waiting more than 18 months for a decision has grown too, and data breaches are reported frequently.

Vivian, a researcher at a higher education institution who asked not to be identified for privacy reasons, says that knowing she would only have digital proof of her immigration status under the EUSS made her worried. “When my partner and I were renewing our mortgage, the bank really scrutinized our digital immigration status. They realized that my name had been recorded properly, with my first name and then my last name, and then my partner’s was recorded with his last name first. So they blocked our mortgage application,” she says “We faced a wall in trying to solve this problem, and we kept getting through to people on the Home Office helpline who said, ‘Look, we’ve taken notice of this but we can’t do anything.’”

Their frustration grew, and instability in the British economy caused Vivian and her partner even more stress. Eventually, they were able to solve the issue by writing a letter to the bank and emphasizing that they were both in full-time employment by large institutions. But Vivian says that she knows they got lucky. ”Essentially, someone at the bank decided to let it go. But what if our status had been harder to read? Or if we were self-employed?”

In a statement, the Home Office defended EUSS as an “overwhelming success” and said it has measures in place when its technology fails to function.

 “Our digital services are rigorously tested and designed to be highly resilient and, as with any major digital program, we have contingency measures in place should issues occur,” the Home Office said. “If individuals experience technical issues, they are still able to evidence their rights by gaining support from our resolution center, available seven days a week.”

Even within migrant communities, there are differences in access. The 3million submits reports to the Independent Monitoring Authority, which monitors the post-Brexit rights of EU and EEA citizens, who theoretically are able to use this information in stakeholder consultations. For non-EU migrants, there are precious few other avenues or bodies that can advocate for them, except for individual charities and NGOs, many of which are already overstretched.

Right-to-work checks for migrants have been in place since 1996—on the Home Office website, it still says that you can check people’s original documents if they don’t have a sharecode. People with pending visas can work on the basis of their previous work conditions, but few employers seem to understand this, and many worry they’ll be penalized. Elisa, who is Polish and has settled status, has been waiting to take up employment for a month because she can’t access her sharecode. Her job is with the National Health Service, and while her employer is understanding, she’s worried about how much longer this will go on. 

“The digital systems are a total failure,” says Ake Achi, who cofounded Migrants at Work, an organization challenging right-to-work checks in the UK. “People are falling into these gaps because there’s nothing to protect us.”

Paper Thin

In 2019, the Home Office set up its Digital, Data & Technology team—its 2024 strategy emphasized that the digitization of the immigration system was already significantly underway—for example, the “Person Centric Data Platform” provides “a single view of individuals to around 700 services, and this single view is crucial to the protection of our borders.” In 2021, it was revealed the Home Office was “hoarding data” on 650 million people, with very few safeguards. Even more recently, the Home Office was told to stop using an automated decision-making algorithm for short-term visas after a legal challenge, which seemed to indirectly discriminate against people from certain nationalities—such as Pakistan or Nigeria—by labeling these countries as “riskier.” 

For people whose immigration status is not as cut and dry—for example, asylum seekers—these digital systems pose challenges too. For a while, Border Force officials and Home Office staff who were monitoring the arrival of asylum seekers to the UK via the Channel were illegally seizing their phones and extracting data from it. Privacy International, which is mounting a legal challenge over this policy, said that the policy was “in line with this government’s (and many others’) efforts to criminalize migration and rob migrants of their basic human rights.” 

People who are on immigration bail and classified as high risk have to wear GPS ankle monitors, which track where they are 24/7. Those who are classified as low risk may soon have to start wearing “smartwatches” with “facial recognition capabilities,” although it’s unclear whether this technology already exists.

“They have the right to use the data accrued from GPS monitoring—to look at that data anonymously, to understand the impact, looking where people have been frequenting and using that to carry out enforcement activity,” says Rudy Schulkind of Bail for Immigration Detainees. “It’s quite a stigmatizing and degrading thing to put people through, and we don’t know where that data is going to go. It’s got incredibly worrying implications for allowing this kind of technology to be normalized.”

Campaigners and organizers in the sector point out some immediate potential fixes to the digitization of the UK’s hostile environment. “Digitization follows substantive policy priorities,” says Tomlinson. “But just because policy is digital-first doesn’t mean it has to be digital-only. Giving people the option to also have a paper record would make some kind of difference.” Organizations like JCWI have campaigned for people to be given paper records of their visa status. Others have emphasized that the Home Office should put up a data firewall between immigration enforcement authorities and police in cases where a victim is vulnerable—currently, the police refer 204 victims per month to immigration enforcement, including victims of human trafficking and labor exploitation.

In the US, digital systems are a significant part of how Immigration and Customs Enforcement (ICE) teams carry out raids on communities. In Canada, a new automated decision-making tool is increasingly being tested on asylum and immigration applications. In the EU, a massive biometric database—which will be used for migration purposes, among others—is set to become the largest police biometrics database in the world, despite concerns from rights advocates and organizations. Digital-by-default immigration systems are slowly becoming the norm. But in many senses, they exacerbate existing issues with the systems that they work within. 

“There’s a reality in which somewhere up to a million of our fellow citizens are too scared to rent a safe home or to seek help from the police when they’re facing domestic abuse, to get a Covid vaccine, and that’s a big result of the hostile environment, whether it’s digital or not,” says Atkinson. “The ‘Papers, please’ society which this has created exists whether it’s on an app that you’re showing to your landlord or on a piece of paper.”

The Dangerous Digital Creep of Britain's ‘Hostile Environment’

Plus: ICE accidentally doxes asylum seekers, Google fails to uphold a post-Roe promise, and LastPass suffers the second breach this year.

It was another busy week in security that saw big news about protests, surveillance, spyware, data breaches, and more. In the US, recent court filings detail how the FBI’s use of a controversial warrant yielded a trove of Google’s location data from thousands of devices in and around the Capitol on January 6. Meanwhile, in Iran, videos of antigovernment protests shared on social media highlight the importance of Twitter’s role in documenting human rights abuses and the consequences if the social media platform breaks.

On November 30, Google’s Threat Analysis Group moved to block a Spanish hacking framework that targets desktop computers. The exploitation framework, dubbed Heliconia, came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. While Google, Microsoft, and Mozilla have all patched the Heliconia vulnerabilities, it’s a good reminder to keep your devices updated. ​​Here’s what you need to know about all the important security updates released in the past month.

Google researchers also found this week that the encryption keys phone-makers use to verify software on their devices are genuine—including the Android operating system itself—were stolen and used in malware.

Finally, we published part six of WIRED reporter Andy Greenberg’s series, “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. Read the final installment here, and check out the full book from which the series was excerpted, _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, available now from wherever you buy books.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. 

A deadly fire in an apartment building sparked massive demonstrations in China where thousands of protestors in major cities have taken to the streets in defiance of the nation’s zero-Covid policy. The current wave of protests—the scale of which has not been seen in the country since the deadly 1989 Tiananmen Square protests—has been met with the massive surveillance and censorship apparatus that the state has been refining for decades. Authorities are using facial recognition, phone searches, and informants to identify, intimidate, and detain those who attended protests. 

The protests are stress-testing China’s sophisticated censorship apparatus, and experts say that the sheer volume of video clips has likely overwhelmed China’s armies of censors. Leaked documents from China’s Cyberspace Administration called the protests a “Level I Internet Emergency Response,” and authorities ordered ecommerce platforms to limit the availability of VPNs and firewall-circumventing routers. On Sunday, Chinese-language Twitter accounts spammed the service with links to escort services alongside city names where protests were occurring to drown out information about the protests. 

US Immigration and Customs Enforcement is in hot water after the agency mistakenly posted confidential data about thousands of asylum seekers during a routine update to their website. The data—which included the names, birthdates, nationalities, and detention locations of more than 6,000 individuals—was public for five hours before being taken down by the agency. The data disclosure could expose the immigrants affected by the breach to retaliation from the gangs and governments they had fled. 

The agency’s tech negligence comes as the Biden administration is dramatically expanding the use of technology to monitor immigrants during conditional release through smartphone apps and ankle monitors.

“The US government has an obligation to hold asylum seekers’ names and information in confidence so they don’t face retaliation,” a lawyer at Human Rights First, the organization that discovered the leak, told the _Los Angeles Times_. “ICE’s publication of confidential data is illegal and ethically unconscionable, a mistake that must never be repeated.”

New research shows that Google continues to retain sensitive location data from individuals seeking abortions in spite of promises the company made in July to purge this kind of data from its systems. Researchers with Accountable Tech, an advocacy group, conducted various experiments to analyze the data that Google stores about individuals looking for abortions online. They found that searches for directions to abortion clinics on Google Maps, as well as the routes taken to visit Planned Parenthood locations, were stored by Google for weeks. Google spokesperson Winnie King told the _Guardian_ that users “can turn Web & App Activity off at any time, delete all or part of their data manually, or choose to automatically delete the data on a rolling basis.”

Their findings contradict the pledges Google made after the US Supreme Court overturned _Roe v Wade_. “If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit,” the company said in July. Five months later, Google appears to have not implemented this change.

LastPass, a popular password manager, is investigating a security incident after its systems were compromised for the second time this year. In a blog post about the incident, chief executive Karim Toubba said that an attacker gained access to their customers’ information using data stolen from LastPass’ systems in August, but did not specify what specific customer information was taken—although he stipulated that users’ stored passwords remained protected by the company’s encryption scheme. “We are working to understand the scope of the incident and identify what specific information has been accessed,” Toubba says. “In the meantime, we can confirm that LastPass products and services remain fully functional.”

China’s Police State Targets Zero-Covid Protesters

Intel Data Center Manager versions 4.1.1.45749 and below suffer from an authentication bypass vulnerability via spoofing.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Authentication Bypass by Spoofing [CWE-290]  
Date found:     2022-06-01  
Date published: 2022-11-23  
CVSSv3 Score:   10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)  
CVE:            CVE-2022-33942

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 4.1.1.45749 and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The application allows configuring authentication via Active Directory groups. While  
this by itself isn't an issue, it becomes one as soon as an Active Directory group  
with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to  
allow authentication to DCM. This is because Intel's DCM only relies on the group's  
SID to allow authentication but doesn't verify the authenticating domain, which the  
user can give during the authentication process against the DCM Console and its REST  
interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the  
given domain, it is trivially easy to spoof the authentication responses by using an  
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured  
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain  
with any user/password combination without actually being part of any Active Directory  
groups.

6. PROOF OF CONCEPT  
===================  
See the referenced blog post for a full exploit.

7. SOLUTION  
===========  
Update to Intel DCM 5.0 or later

8. REPORT TIMELINE  
==================  
2022-06-01: Discovery of the vulnerability  
2022-06-28: Sent notification to Intel via their PSIRT  
2022-06-28: Vendor response: Sent to appropriate reviewers.  
2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022  
2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022  
2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program  
2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability  
2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942  
2022-11-08: Vendor publishes security advisory INTEL-SA-00713  
2022-11-23: Public disclosure

9. REFERENCES  
=============  
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942  
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html  
https://github.com/MrTuxracer/advisories

Tag

#acer