Categories: News
Tags: week

Tags:  security

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 10 to July 16 of 2023



(Read more...)




The post A week in security (July 10 - 16) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 10 - 16)

By Waqas
The developer behind the malicious app, Limestone Software Solutions, has also been banned from the Google Play Store.
This is a post from HackRead.com Read the original post: Google Removes Swing VPN Android App Exposed as DDoS Botnet

The app under discussion, Swing VPN – Fast VPN Proxy, was uncovered as a DDoS botnet by a cybersecurity researcher named “Lecromee” on June 4th, 2023.

On June 4th, 2023, cybersecurity researcher “Lecromee” uncovered alarming information about the popular VPN app, Swing VPN – Fast VPN Proxy. Developed by Limestone Software Solutions for Android and iOS platforms, Swing VPN’s Android version was found to be operating as a dangerous **DDoS botnet**, posing significant risks to its unsuspecting users.

Hackread.com, first **reported on the issue** on June 21, 2023, after Lecromee’s investigation raised serious concerns. The findings indicated that the app, which claimed to offer legitimate VPN services, was harbouring malicious intent and could carry out distributed denial of service (DDoS) attacks.

Shortly after the report was published, Hackread.com was contacted by Google on June 22, confirming the veracity of the claims. In response to the alarming discovery, Google took immediate action and swiftly removed Swing VPN’s Android app with over 5 million installs from the **Google Play Store**.

It is worth noting that another app from Limestone Software Solutions, called **Hotspot for Swing VPN**, has also been removed from the app store along with Swing VPN – Fast VPN Proxy.

A Google spokesperson emphasized the company’s commitment to user safety and security, stating,

> “The app was removed from Google Play on June 22, and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behaviour on Android devices with Google Play Services, even when those apps come from other sources.”
> 
> Google

The removal of **Swing VPN – Fast VPN Proxy** app from the official app store highlights the ongoing challenges faced by platforms like Google Play in combating malicious apps. Unfortunately, such occurrences are not uncommon, and Google continuously works to enhance its security measures to protect users.

However, users themselves must remain vigilant and cautious about the apps they download and grant permission to. Cybersecurity experts recommend the following best practices to stay safe:

*   **Research Before Download**: Always research the app and its developer before downloading it. Check user reviews, ratings, and previous security incidents, if any.
*   **Update Regularly**: Keep all apps, including VPNs, up-to-date with the latest versions and security patches to minimize vulnerabilities.
*   **Verify Permissions**: Be cautious about granting excessive permissions to apps. Review and understand the permissions an app requests before installation.
*   **Use Reputable Sources**: Stick to trusted app stores like Google Play and Apple’s App Store to minimize the risk of downloading malicious apps.
*   **Antivirus Software**: Install reputable antivirus software on your device to detect and block potential threats.

As the digital landscape continues to evolve, staying informed and vigilant against cyber threats is crucial. The Swing VPN incident serves as a reminder that even seemingly legitimate apps can harbour dangerous intentions, making it essential for users to prioritize their online safety.

If you suspect any app or service is engaging in malicious behaviour, report it to the respective app store or platform immediately. By working together, users, researchers, and tech companies can create a safer digital environment for everyone.

If you are an Android user, you can follow this **link** to report an app or an app developer. For iOS users, this **link** can be helpful.

1.  Fake GitHub Repos Delivering Malware as PoCs
2.  Google kicks out 600 malicious apps from Play Store
3.  Apple removed all major VPN apps from Chinese App Store
4.  Google removes ClearURLs Chrome extension from its store
5.  Google Fails To Remove “App Developer” Behind Malware Scam

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Removes Swing VPN Android App Exposed as DDoS Botnet

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker.

This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.



**CleverTap Cordova Plugin**

  

**👋 Introduction**

The CleverTap Cordova Plugin for Mobile Customer Engagement and Analytics solutions.

For more information check out our website and documentation.

To get started, sign up here.

**✅ Supported Versions**

*   CleverTap Android SDK version 4.6.6
*   CleverTap iOS SDK version 4.2.2

**🚀 Installation and Quick Start**

To install CleverTap for Cordova, follow the steps mentioned below:

When you create your CleverTap account, you will also get a -Test account. Use the -Test account for development and the main account for production.

**Install the Plugin**

Grab the Account ID and Token values from your CleverTap Dashboard -> Settings.

**For Android _Important_**

Starting with v2.0.0, the plugin uses FCM rather than GCM. To configure FCM, add your google-services.json to the root of your cordova project **before you add the plugin**.  
The plugin uses an after plugin add hook script to configure your project for FCM.  
If the google-services.json file is not present in your project when the script runs, FCM will not be configured properly and will not work.

**Using Cordova**

# ensure npm is installed: npm -g install npm
cordova plugin add https://github.com/CleverTap/clevertap-cordova.git --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**Using Ionic**

ionic cordova plugin add clevertap-cordova@latest --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**For Ionic 5**

npm install @ionic-native/clevertap --save 

*   Be sure to add CleverTap as a provider in your app module.

  constructor(platform: Platform, statusBar: StatusBar, splashScreen: SplashScreen, clevertap: CleverTap) {
    platform.ready().then(() \=> {
      // Okay, so the platform is ready and our plugins are available.
      // Here you can do any higher level native things you might need.
      statusBar.styleDefault();
      splashScreen.hide();

      ...
      clevertap.setDebugLevel(2);
      clevertap.getCleverTapID()((id) \=> {console.log(id)});
      ...
    });
  }
}

**🛠 Integration**

See our Technical Documentation for Android and Technical Documentation for iOS for instructions on integrating CleverTap into your app.

**📑 Documentation & Example**

*   See our CleverTap Plugin Usage Documentation
    
*   See the included Example Cordova project for usage.
    
*   See the included Ionic Example project for usage.
    

**⁉️ Questions?**

If you have questions or concerns, you can reach out to the CleverTap support team from the CleverTap Dashboard.

**TroubleShooting Guide:** Please refer here if you are facing common integration issues.

CVE-2023-2507: GitHub - CleverTap/clevertap-cordova: CleverTap Cordova Plugin

Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

CVE-2023-36888

By Habiba Rashid
Due to privacy concerns, Meta has not yet released the Threads app in EU countries, creating a loophole for criminals to upload fake versions of the app.
This is a post from HackRead.com Read the original post: Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

**Apple has removed the fake THREADS app from the European App Store, ending its top position as the number 1 iOS app until July 11, 2023, when it was reported.**

In a recent development, Apple has **taken down** a fake version of the popular Threads app from its App Store in Europe. The fake app, developed by SocialKit LTD, had been soaring up the charts of the most downloaded apps. However, thanks to the diligent work of cybersecurity firm and iOS developer **Mysk**, the fraudulent app has been exposed and removed, and the developer’s account has been suspended.

Among the apps created by SocialKit LTD that have been removed are ChatGP, SelfMe: Selfie AI Face Editor, and Remove Background Eraser, among others. The fakeThreads app had gained significant traction, particularly in Germany, the Netherlands, and Switzerland, where it had claimed the number one position in the App Store rankings.

Fake app topping in EU countries (Screenshots via Mysk – Twitter)

The original Threads app, launched by Meta as a competitor to Twitter, has garnered more than 100 million downloads worldwide since its release earlier this month. However, the app has yet to be made available in the European Union due to the bloc’s stringent privacy laws.

This absence has created an opportunity for cybercriminals to capitalize on the demand by producing counterfeit apps and employing over 700 phoney domain names in a single day, according to a **report**.

Mysk, in a tweet, highlighted the concerning statistics regarding the genuine app’s absence in the European market. They stated, “Statistically, exactly 0% of iOS users looking for Threads in the EU have downloaded the right app. If app sideloading was possible, the percentage of EU users downloading the right app would certainly be greater than 0%.”

Cybersecurity analyst Veriti warns users, especially those in Europe, to exercise caution when downloading knock-off versions of Threads, as they often serve as conduits for malware or phishing attacks. It is crucial to obtain the app from trusted sources and exercise due diligence at all times.

While the fraudulent Threads app has been removed from the European App Store, similar bogus apps have also been detected on other platforms. Before the official launch of Instagram’s Threads on July 6, several impersonating apps were circulating on the Google Play Store, prompting Google to eventually remove them.

Nevertheless, ChatGPT’s official app for iPhone has **already been released**, while its Android app could soon be available on the Google Play Store.

**RELATED ARTICLES**

1.  Google Deletes Fake BatteryBot Pro Malware App
2.  Scylla Ad Fraud Attack on iOS Users Halted by Apple
3.  Apple removes Clearview AI iPhone app from App Store
4.  Apple removes anti-virus apps from store for “stealing data”
5.  Google removes ClearURLs Chrome extension from app store

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

**According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of availability (A:L)? What does that mean for this vulnerability?**

The performance can be interrupted and/or reduced, but the attacker cannot fully deny service.

CVE-2023-36888: Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20230627**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230627)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

In notification access permission dialog box, malicious application can embedded a very long service label that overflow the original user prompt and possibly contains mis-leading information to be appeared as a system message for user confirmation.



_Published July 5, 2023_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2023-07-05 or later from the July 2023 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the Packages component that could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, the July 2023 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Packages**

The vulnerability in this section could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21260

A-259384309

EoP

High

11, 12, 12L, 13

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin Published

CVE-2023-21260: Android Automotive OS Update Bulletin—July 2023

In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "1ca1130ec62da7638497478539c0f55ffbbf9a5e", "tree": "7b67b03be07e15952f02d3e0c0b822b76f75c033", "parents": \[ "2431799f21a1a1edb180876ff4d8a6d9d66deef5" \], "author": { "name": "Carlos Llamas", "email": "cmllamas@google.com", "time": "Fri May 05 06:48:10 2023 +0000" }, "committer": { "name": "Treehugger Robot", "email": "treehugger-gerrit@google.com", "time": "Fri May 05 23:19:06 2023 +0000" }, "message": "FROMLIST: binder: fix UAF caused by faulty buffer cleanup\\n\\nIn binder\_transaction\_buffer\_release() the \\u0027failed\_at\\u0027 offset indicates\\nthe number of objects to clean up. However, this function was changed by\\ncommit 44d8047f1d87 (\\"binder: use standard functions to allocate fds\\"),\\nto release all the objects in the buffer when \\u0027failed\_at\\u0027 is zero.\\n\\nThis introduced an issue when a transaction buffer is released without\\nany objects having been processed so far. In this case, \\u0027failed\_at\\u0027 is\\nindeed zero yet it is misinterpreted as releasing the entire buffer.\\n\\nThis leads to use-after-free errors where nodes are incorrectly freed\\nand subsequently accessed. Such is the case in the following KASAN\\nreport:\\n\\n \\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\n BUG: KASAN: slab-use-after-free in binder\_thread\_read+0xc40/0x1f30\\n Read of size 8 at addr ffff4faf037cfc58 by task poc/474\\n\\n CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5\\n Hardware name: linux,dummy-virt (DT)\\n Call trace:\\n dump\_backtrace+0x94/0xec\\n show\_stack+0x18/0x24\\n dump\_stack\_lvl+0x48/0x60\\n print\_report+0xf8/0x5b8\\n kasan\_report+0xb8/0xfc\\n \_\_asan\_load8+0x9c/0xb8\\n binder\_thread\_read+0xc40/0x1f30\\n binder\_ioctl+0xd9c/0x1768\\n \_\_arm64\_sys\_ioctl+0xd4/0x118\\n invoke\_syscall+0x60/0x188\\n \[...\]\\n\\n Allocated by task 474:\\n kasan\_save\_stack+0x3c/0x64\\n kasan\_set\_track+0x2c/0x40\\n kasan\_save\_alloc\_info+0x24/0x34\\n \_\_kasan\_kmalloc+0xb8/0xbc\\n kmalloc\_trace+0x48/0x5c\\n binder\_new\_node+0x3c/0x3a4\\n binder\_transaction+0x2b58/0x36f0\\n binder\_thread\_write+0x8e0/0x1b78\\n binder\_ioctl+0x14a0/0x1768\\n \_\_arm64\_sys\_ioctl+0xd4/0x118\\n invoke\_syscall+0x60/0x188\\n \[...\]\\n\\n Freed by task 475:\\n kasan\_save\_stack+0x3c/0x64\\n kasan\_set\_track+0x2c/0x40\\n kasan\_save\_free\_info+0x38/0x5c\\n \_\_kasan\_slab\_free+0xe8/0x154\\n \_\_kmem\_cache\_free+0x128/0x2bc\\n kfree+0x58/0x70\\n binder\_dec\_node\_tmpref+0x178/0x1fc\\n binder\_transaction\_buffer\_release+0x430/0x628\\n binder\_transaction+0x1954/0x36f0\\n binder\_thread\_write+0x8e0/0x1b78\\n binder\_ioctl+0x14a0/0x1768\\n \_\_arm64\_sys\_ioctl+0xd4/0x118\\n invoke\_syscall+0x60/0x188\\n \[...\]\\n \\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\u003d\\n\\nIn order to avoid these issues, let\\u0027s always calculate the intended\\n\\u0027failed\_at\\u0027 offset beforehand. This is renamed and wrapped in a helper\\nfunction to make it clear and convenient.\\n\\nFixes: 32e9f56a96d8 (\\"binder: don\\u0027t detect sender/target during buffer cleanup\\")\\nReported-by: Zi Fan Tan \\u003czifantan@google.com\\u003e\\nLink: https://b.corp.google.com/issues/275041864\\nCc: stable@vger.kernel.org\\nSigned-off-by: Carlos Llamas \\u003ccmllamas@google.com\\u003e\\n\\nBug: 275041864\\nLink: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com\\nChange-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1\\nSigned-off-by: Carlos Llamas \\u003ccmllamas@google.com\\u003e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "7d784e263d28338b3b629c011ab82b7d873ab4d5", "old\_mode": 33188, "old\_path": "drivers/android/binder.c", "new\_id": "15ae88216c51e49180b96e3b55e35058ebaa6c87", "new\_mode": 33188, "new\_path": "drivers/android/binder.c" } \] }

Tag

#android