Apple Security Advisory 12-11-2023-6 - macOS Monterey 12.7.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-6 macOS Monterey 12.7.2

macOS Monterey 12.7.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214037.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Monterey  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

CoreServices  
Available for: macOS Monterey  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

Find My  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Monterey  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

TCC  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Monterey  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

macOS Monterey 12.7.2 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qkgACgkQX+5d1TXa  
Ivoi6g//deAGIBiNGJ9/O+WaHdMoxgvKz0DltheGcMXYTOlrO8KnGTDQocG6kGKs  
V+p4CNnyBCxMXz8jIVxaOE2httkTxv9YTXRZ9i4CmeK1OGlWNgslqdRSx4f/4D8G  
7S2NbyIWqXjn/S36Lr8ueApGbnojUYfDcORwcpGgbNGF22hQjepcivIt7hscdFfw  
OaNZ4Z6BgBiA6kEDeZ3arsfMwCbj5dZLSi1tcgwfngZcqKAQgZu9gWKaveZYXAdS  
yabpr+MBuw/qVII7FJU0o8Vr8uMoDiUjNrrP8se4LPYo9TIl71CWGXsVZk2vHosj  
lIVFdu5PmZ5fAoCcUKaZHo8U5uaq23QgtuQefDU5t5vtKlEBN+oHxWfMHyJ3Z1RC  
hdUBd7huNkOVwh+X2h/kpUZA064udVyZNSLTTZGI0BdEZan3HGAw0/rCtZiESE6C  
LMy+UIs/EgnFalxQwRtPAzTippWf+J8LKpw0Iq+VqOOslA0YrBnbkVfSyq0YK7D8  
tNLCdpvZKa582DTscNoWzoDMxWDDMf1vO09Aqklq6iS08vMLHZejWQTjkHS3jF5l  
wJP1l1al2/um29uKNjTNmfSkBm2YCLnO4750xo4r0488/BUf/BWSynPTT7H9NkLs  
rTcKnM14a4eBOArrJpueRA2fpgbvEuiqgu0INpZUTnEWF5r/QEY=  
=w28X  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-6

Apple Security Advisory 12-11-2023-5 - macOS Ventura 13.6.3 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-5 macOS Ventura 13.6.3

macOS Ventura 13.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214038.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Archive Utility  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

CoreServices  
Available for: macOS Ventura  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Ventura  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

TCC  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Ventura  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

macOS Ventura 13.6.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qgoACgkQX+5d1TXa  
IvpDVg//XCF9zB8zPCD2GtLafeKaQG1RY1ywmunkYsqnfzyOqkYb5MnbwozHMDwa  
qypd87nhWD7ROenEAUKf4yCjk9Gf168PeUEE5pYT7Hz4/bAfCVadOouy00/WBTEQ  
smmVQs0dYrPIJ1FW/ppx4SgXnXgLh9sSibwnn0nwd0cwsP8fkfbv3LLgqa8Ac7dB  
wcQoulwdau7SCdMXqNdch4iX91cH1qhSl1B8M6JmZNgg6iqCtCwBT1igzBGAijrb  
wv80jtTsvDxNjXn81Z4OpwhhIvcat4ZcV/caisRyK56co5v2BWm2rmQJwB8MQLVq  
M3Rjh8FeSg31t1BOCeKZh27tbihPE+TF/PBDHMOFW4n5PbyYe45ipVSiZtCJTx/M  
BzJiNsNsb4ej7TJUucPiLFNb2qRMS9NNu9/tnhCYzoSnuWd3ifxYJnF+sVJweZcl  
mJbIqXAPpopd9hvLr+ZLaVszbwCgDpj2D3puZ718x94JenipTRVAiBLlIJNZo7MC  
RKtHp357of0yaGfj8Ak8hkbU+MGxh5/l0fWIGEjCnqz8UP9xJ32PCpNU9hVLjFPF  
DJO4TdF4XBnTncCfXZMXdGouwutyab8DZBtq9Y5Xlvy6qSs9ljc4xBPvpspFsyRV  
xKYkmdMsZPZ02HSPKNZLEljeUEuHirrdMKNT0E+Kb3s6gwI7nGQ=  
=pTTV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-5

Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

macOS Sonoma 14.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214036.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Sonoma  
Impact: Secure text fields may be displayed via the Accessibility  
Keyboard when using a physical keyboard  
Description: This issue was addressed with improved state management.  
CVE-2023-42874: Don Clarke

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: Multiple memory corruption issues were addressed with  
improved input validation.  
CVE-2023-42901: Ivan Fratric of Google Project Zero  
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael  
DePlante (@izobashi) of Trend Micro Zero Day Initiative  
CVE-2023-42912: Ivan Fratric of Google Project Zero  
CVE-2023-42903: Ivan Fratric of Google Project Zero  
CVE-2023-42904: Ivan Fratric of Google Project Zero  
CVE-2023-42905: Ivan Fratric of Google Project Zero  
CVE-2023-42906: Ivan Fratric of Google Project Zero  
CVE-2023-42907: Ivan Fratric of Google Project Zero  
CVE-2023-42908: Ivan Fratric of Google Project Zero  
CVE-2023-42909: Ivan Fratric of Google Project Zero  
CVE-2023-42910: Ivan Fratric of Google Project Zero  
CVE-2023-42911: Ivan Fratric of Google Project Zero  
CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42882: Ivan Fratric of Google Project Zero

Archive Utility  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

Bluetooth  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to  
inject keystrokes by spoofing a keyboard  
Description: The issue was addressed with improved checks.  
CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices  
Available for: macOS Sonoma  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

ExtensionKit  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Sonoma  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

TCC  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Sonoma  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

Additional recognition

Memoji  
We would like to acknowledge Jerry Tenenbaum for their assistance.

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

macOS Sonoma 14.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qdUACgkQX+5d1TXa  
Ivp5JQ/9FhhIgATXMT6vd3gK4Bqn3JRODRK+rBcNBjb0zMKWh42fXqZA81K86Ksv  
FB6/OxqYmdo9NI2g7VMj0I7vS8cQf2ZE0sjSYObkuZ32As5y7Ov+xvNnrCjLuwV3  
vrDlBFRRS7KWNskNEV4ciT+ECHUYU6Jkrpt/TqpmR/B/fFxNfjE2Ibeuy56CSlGi  
FYCasHeyI5pC4kfetYG6Jo7RwcK1nCbNWHB3+zKQItvkkwV3nVBF+QjJGD/aEzz3  
X8Jp/hf3taYesK45lr6HWGcuuAGLAAYkjfxz8lLYDQ4AoQ5Xi9WCTjEX9shdKgoF  
oo1JQDCEuhLXK+1vOxoYEmUAKMRQMMlRMtZgft8hPh6Pce8gYcI0Rez3RT5+m2+U  
C7d0+97gnpssZkq2JRdyjogl5ACNHGD81jBHg33PppnjTptKNn8JSyXIZLBM3zK/  
jQRLmEAlJkl6MgnWKiy+pyzPxCsoFJnOJG481sLTEfQbiQONFIUV3YTesxbIv2a0  
8yAM0cFf5cqF6frS81zn8vYfdPJU6HJ3OQGmumLQ4UJAbWY7zg9XbyyZTFw2woGj  
0IvoSEBuP4e25JznB1/nchP7W4MJ9VfAzMe/MyBqOibHgomkY1UQqdvWz7olK3Bb  
5NkKt5PVTVjAH+R5wVnnXPlWq7Rgfg2m0Y9g3FwTm4WPrIUT5Us=  
=c6Yv  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-4

Atos Unify OpenScape Session Border Controller (SBC) versions before V10 R3.4.0, Branch versions before V10 R3.4.0, and BCF versions before V10 R10.12.00 and V10 R11.05.02 suffer from an argument injection vulnerability that can lead to unauthenticated remote code execution and authentication bypass.

SEC Consult Vulnerability Lab Security Advisory < 20231205-0 >  
=======================================================================  
               title: Argument injection leading to unauthenticated RCE and  
                      authentication bypass  
             product: Atos Unify OpenScape Session Border Controller (SBC)  
                      Atos Unify OpenScape Branch  
                      Atos Unify OpenScape BCF  
  vulnerable version: OpenScape SBC before V10 R3.4.0  
                      OpenScape Branch before V10 R3.4.0  
                      OpenScape BCF V10 before V10 R10.12.00 and V10 R11.05.02  
       fixed version: OpenScape SBC V10 R3.4.0 or higher  
                      OpenScape Branch V10 R3.4.0 or higher  
                      OpenScape BCF V10 R10.12.00 or higher, V10 R11.05.02  
          CVE number: CVE-2023-6269  
              impact: Critical  
            homepage: https://unify.com/  
               found: 2023-09-01  
                  by: Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Unify is is the Atos brand for communication and collaboration solutions  
Unify is the newest member of the Atos family, combining Atos’ knowledge and  
reputation in the IT services market with Unify’s expertise in unified  
communications and collaboration to provide customers with seamless services  
solutions for their entire digital portfolio. Within Atos, Unify continues to  
deliver a unique integrated proposition for unified communications and real  
time capabilities."

Source: https://unify.com/en/expert/unify

Business recommendation:  
------------------------  
SEC Consult recommends users of this solution to immediately install the latest  
patch from the vendor.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
The administrative web interface insufficiently escapes supplied login  
credentials before passing them to a user management application, leading to  
an unauthenticated attacker being able to gain root access to the appliance  
via SSH.

Another possibility to exploit this vulnerability is to append a special  
argument during logon to completely bypass the authentication of the web interface.  
A previously unauthenticated attacker can logon as administrator without any  
known credentials.

Proof of concept:  
-----------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
Example 1) Gaining unauthenticated SSH root access

The file receiving data from the login page is `auth.php`, here the  
user-provided credentials are passed on to the function  
`PasswordMgr::authPassword` after some checks on the supplied username.

```php  
// /srv/www/htdocs/auth.php  
// [...]  
     $ret=false;  
     $real_user='';  
     $error = '';  
     $local_user=strip_tags($_POST['username']);  
// [...]  
     if( !sessionLimitReached() )  
     {  
         // Authenticate user/password...  
         $privilege = PasswordMgr::getUserPrivilege($local_user);  
         if (($local_user == 'assistant') || ($local_user == 'cdr') || (!PasswordMgr::isUserEnabled($local_user))){  
             $ret = false;  
         }  
         else {  
             switch ($privilege) {  
                 case 'admin':  
                     $ret = PasswordMgr::authPassword($_POST["username"], $_POST["password"], $error, $real_user, $local_user, FALSE);  
                     break;  
                 // [...]  
             }  
         }  
         // [...]  
     }  
// [...]

```

The function `PasswordMgr::authPassword` in `core/PasswordMgr.php` is just a  
wrapper around `call_osbpasswd` in the same file.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function authPassword($username, $password, &$error, &$real_user, &$local_user, $local = FALSE)  
{  
     $error='';  
     if ( PasswordMgr::call_osbpasswd("auth", $username, $password, $error, $real_user, $local_user, $local ) )  
     {  
         $error='Current Password does not match user';  
         return false;  
     }  
     return true;  
}  
```

The function `call_osbpasswd` is responsible for anything related to user  
management, it does this by constructing shell arguments and supplying them to  
the executable `/osb/bin/osbpasswd` which is executed with root privileges via  
`cfgUtilExecSudo`. This executable handles the actual authentication, creation  
of users, and other tasks.  
In the case of authentication the arguments are written to a temporary file  
and read from there.  
Before that the supplied password is escaped using `escapeshellcmd` instead of  
`escapeshellarg`. This means that space characters (hex 0x20) in the password  
are left intact allowing for argument injection.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function call_osbpasswd( $method, $username, $password, &$output, &$real_user, &$local_user, $local, $extraArg = '' )  
{  
     // [...]  
     $curruser = 'GUI';  
     // [...]

     $params = "$method";  
     if ($local)          $params .= ' --local';  
     if ($username != '') $params .= " --user $username";  
     if ($curruser != '') $params .= " --curruser $curruser";  
     if ($extraArg != '') $params .= "$extraArg";

     $file = '';  
     // [...]  
     else {  
         $params .= " --password ";  
         $fakePar = $params."xxxxxx";  
         $params .= escapeshellcmd($password);  
         $params .= "\n";  
         $file = tempnam('/osb/var/tmp','osbpasswd.'.md5($params).'.');  
         /*E.g.: /opt/openbranch/var/tmp/osbpasswd.f9e2a9fcf29c6275830257316d560e27.CG4IcQ */  
         cfgUtilEcho( $params, $file );  
         $command = "/osb/bin/osbpasswd ".$fakePar." --file ".$file;  
     }

     $outArray = array();  
     $ret = cfgUtilExecSudo($command, $outArray, FALSE, TRUE);  
     // [...]  
     return $ret;  
}  
```

The function that is responsible for parsing command line arguments  
in the called application `/osb/bin/osbpasswd` iterates over arguments and  
sets global variables based on them. This is done in a loop and no check is  
done if that argument was already set. This means an attacker can override all  
parameters by specifying them again.

```C  
int parse_arguments(int argc, char **argv, int n)  
{  
   // [...]  
   while ( n < argc && argv[n] ) {  
     // [...]  
     else if ( !strcmp("--user", argv[n]) ) {  
         if ( ++n < argc )  
            arg_user = argv[n];  
     }  
     else if ( !strcmp("--shell", argv[n]) ) {  
         if ( ++n < argc )  
             arg_shell = argv[n];  
     }  
     // [...]  
     else if ( !strcmp("auth", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 1;  
     }  
     else if ( !strcmp("add", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 6;  
     }  
     // [...]  
     ++n;  
   }  
   return 0LL;  
}  
```

The combination of faulty escaping of the supplied password and overly  
permissive parsing of arguments in the called binary leads to an attacker being  
able to request arbitrary operations from the `/osb/bin/osbpasswd` binary with  
arbitrary arguments. An attacker could for example create a new user with SSH  
access and change the password of the root user leading to a complete  
compromise of the system.

To demonstrate the vulnerability, it is sufficient to [...]

[ Proof of concept removed ]

- this creates a new user with SSH access, the second one [...]

[ Proof of concept removed ]

which changes the password of the root user. The attacker can then login [...]  
to gain root access.

Example 2) Bypassing the web interface logon as administrator  
As described in example 1, the same vulnerability can also be exploited to  
bypass the logon for the web interface and immediately gain access as  
administrator because the arguments for the command-line tool are passed and  
evaluated.

By supplying the [...] following [...] string [...], it is possible to logon  
without known credentials:

[ Proof of concept removed ]

[...]  
Afterwards the attacker is logged on as administrator (or any other supplied  
user account).

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:

* Atos Unify OpenScape Session Border Controler (SBC) Firmware Version V10 R3.3.0

According to vendor, versions before V10 R3.3.0 are affected as well.

The vendor confirmed that the following products are vulnerable:  
* Atos Unify OpenScape SBC V10 before V10 R3.4.0  
* Atos Unify OpenScape Branch V10 before V10 R3.4.0  
* Atos Unify OpenScape BCF V10 before V10R10.12.00 and V10R11.05.02

Vendor contact timeline:  
------------------------  
2023-09-13: Contacting vendor through email obso@atos.net; sending  
             encrypted advisory (S/MIME)  
2023-09-25: Call with vendor, patch has already been developed, available  
             internally for testing & QA since 22nd.  
2023-09-26: Preliminary vendor security advisory available, giving feedback  
             regarding recommendations. Vendor informs customers in advance  
             (TLP:AMBER), patch planned for 2023-09-27.  
2023-10-04: Vendor security advisory public release (TLP:WHITE).  
2023-10-06: Asking regarding next steps for affected product Atos Unify  
             OpenScape BCF.  
2023-10-10: Vendor confirms that OpenScape BCF is affected as well and added  
             it to their advisory.  
2023-11-27: Reserving CVE-2023-6269 and sending it to vendor, defining  
             release date of 5th December.  
2023-12-05: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch for the affected products:  
* Atos Unify OpenScape Session Border Controller Firmware Version V10 >=R3.4.0  
* Atos Unify OpenScape Branch version V10 >=R3.4.0  
* Atos Unify OpenScape BCF version V10 >=V10R10.12.00 and V10R11.05.02

The patches can be obtained for registered customers through the vendor's  
download server:  
https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via  
https://unify.com/en/partner/partnerportal  
https://unify.com/en/support/kunden-support-portal

Furthermore, the vendor has also released a security advisory which is  
available here:  
https://networks.unify.com/security/advisories/OBSO-2310-01.pdf

Workaround:  
-----------  
In addition to deploying the patch, limit access to the administrative  
web application and SSH ports to authorized personnel on the network level.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF A. Weihbold / @2023

Atos Unify OpenScape Authentication Bypass / Remote Code Execution

The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.

**Cross Site Request Forgery in Silverpeas**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-g27c-w2v7-88xp: Cross Site Request Forgery in Silverpeas

The "Create a Space" feature in Silverpeas Core 6.3.1 is reserved for use by administrators. This function suffers from broken access control, allowing any authenticated user to create a space by navigating to the correct URL.

**Broken access control in Silverpeas**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-vpp3-hpcm-v944: Broken access control in Silverpeas

Anveo Mobile application version 10.0.0.359 and server version 11.0.0.5 suffer from missing certificate validation and user enumeration vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >  
=======================================================================  
               title: Missing Certificate Validation & User Enumeration  
             product: Anveo Mobile App and Server  
  vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5  
       fixed version: -  
          CVE number: -  
              impact: Medium  
            homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/  
               found: 2023-05-28  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Create your own individual Mobile App with Anveo. Our base, out of the box  
solutions offer many useful functions, and can be flexibly adapted to your  
requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App.  
You are looking for a mobile App for a different scenario? Not a problem with  
the Anveo Mobile App Builder! Thanks to the toolkit character of the solution,  
configuration of a completely new, custom App is simple."

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/

Business recommendation:  
------------------------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section further  
below.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Missing Certificate Validation  
The Windows application was tested which does not perform certificate validation  
and is therefore vulnerable to man-in-the-middle attacks which might allow an  
attacker to gain access to sensitive data.

2) User Enumeration  
The login is vulnerable to user enumeration because the error message for a  
non-existent user differs from the error message when a user exists. This allows  
an attacker to perform targeted brute-force attacks and potentially take over  
other user accounts.

Proof of concept:  
-----------------  
1) Missing Certificate Validation  
The application does not validate the server certificate. To verify this,  
a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server,  
a connection is attempted. Now a special string has to be sent from the netcat  
listener to the client.

As a response, the client tries to authenticate against the server with the  
username and password:

<img certificate_validation.png>

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with  
zlib which yields the following output:

[ POC removed ]

The "PW" Parameter contains the base64-encoded password, in this case "unknown".

2) User Enumeration  
When a non-existent user tries to login, the error message shows "Cannot find  
user":

<img user_nonexistent.png>

When a valid username but a wrong password is submitted, the server responds  
with "Username or password is not correct":

<img user_exists.png>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether  
further versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-06-12: Contacting vendor through email info@AnveoGroup.com  
             Asking for security contact, no response  
2023-06-26: Contacting vendor through same email again, no response.  
2023-07-24: Contacting vendor through technical support email support@AnveoGroup.com  
             Asking for security contact again, no response.  
2023-09-15: Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com  
             and datenschutz@AnveoGroup.com. Ticket got automatically created, but no  
             response.  
2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a  
             few profile views from employees (Team Lead Anveo Mobile App, Social Media  
             Marketing, CEO) no response.  
             Our comment then got deleted by Anveo Group.  
             Comment:  
             "Hi Anveo Group, we have been trying to reach your company since June through  
             our responsible disclosure process as we have identified some security  
             issues in your products. We never received any response via multiple email  
             addresses (found on your website). Could you please get in touch with us and  
             provide us with a person responsible for security? Thank you!"  
2023-09-20: Contacting third party whether they received a patch; no response.  
2023-10-09: Contacting again; no response.  
2023-10-23: Contacting again; no response.  
2023-11-17: Final attempt, asked third party for info again, tried to contact  
             "support@anveogroup.com" through ticket again. No response from vendor, but  
             third party replied, that they also did not receive any response from Anveo.  
2023-11-28: Public release of security advisory.

Solution:  
---------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

Anveo Mobile User Enumeration / Missing Certificate Validation

Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-2 iOS 17.2 and iPadOS 17.2iOS 17.2 and iPadOS 17.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214035.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherBluetoothAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker in a privileged network position may be able toinject keystrokes by spoofing a keyboardDescription: The issue was addressed with improved checks.CVE-2023-45866: Marc Newlin of SkySafeEntry added December 11, 2023ExtensionKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Find MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42898: Junsung LeeCVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)Safari Private BrowsingAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Private Browsing tabs may be accessed without authenticationDescription: This issue was addressed through improved state management.CVE-2023-42923: ARJUN S DSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: The issue was addressed with improved checks.CVE-2023-42897: Andrew Goldberg of The McCombs School of Business, TheUniversity of Texas at Austin (linkedin.com/andrew-goldberg-/)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259830CVE-2023-42890: Pwn2carWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamAdditional recognitionSafari Private BrowsingWe would like to acknowledge Joshua Lund of Signal Technology Foundationfor their assistance.Setup AssistantWe would like to acknowledge Aaron Gregory of Acoustic.com and EasternIllinois University – Graduate School of Technology for theirassistance.WebKitWe would like to acknowledge 椰椰 for their assistance.Wi-FiWe would like to acknowledge Noah Roskin-Frazee and Prof. J.(ZeroClicks.ai Lab) for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.2 and iPadOS 17.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qS0ACgkQX+5d1TXaIvpuvRAAsTLfKiqLQl5qptq6yCPw8oPdttsnGkfZG//ISfcC46tZQI0BGjdFTEww2QUYOde00FMqk99ubD0/lE7gs/BdVP+1cSiG90FfZsHt/q0Jm+eIbhIsQdCs8eLcBOVAdPRLCJ1kdD13zbpnHH+IoZUPVTlY4gVo5ps1DP1iOHBWMN2ks3RNW7+NQ3ygCxyCs9qLce+zC7p69rCbCSvqmdEfC7OZ2tEFwELJcWgDDzVpa9nxBMSXp67qvFamSHsdZu+mBOyDpgRaQ77s/LL6Aj/EUzGoqu9j0K+fYht/prPtswa7mBvqi3qXyJUUW1TqQzquo3jRoestFuyuLol9PsufcJB2HbsswT/9qaYx9fO6g6M3uj3fu9NkojPtO45gxHkaIcO/h0ixpGrjg8ZlfKTkGN7DoQ97pv+DxUrhIFskUKRZLF5Xb6B5mztLBu5UePYRPVHi9qe48qN8/g7X8z9VvzmR++ns45ODRns7/PH8DHlJXa8+xoJkn+9nL2Q9x7zkcD/YNbgMstROhtbqczk1tSbqF+J9tnKC+PzW+vhBwDMat8h+jC7QKPh0d9oTBNiqhECRlb+6OewTf5f1UBbrgjGOvk/xgz+RS96aAOUNkcoJ6WDXcSlga3ERMO1jBqle3G3LlSvTqtwJ53PHnzBMogk1m5Bo0OSOJYjIOczKm3g==71FW-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-2

The threat actors behind the BazaCall call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.
The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.
BazaCall (aka BazarCall), which was first

Cyber Threat / Phishing Attack

The threat actors behind the **BazaCall** call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility.

The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today.

BazaCall (aka BazarCall), which was first observed in 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 to $500.

By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access capabilities using remote desktop software and ultimately establish persistence on the host under the guise of offering help to cancel the supposed subscription.

Some of the popular services that are impersonated include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

In the latest attack variant detected by Abnormal Security, a form created using Google Forms is used as a conduit to share details of the purported subscription.

It's worth noting that the form has its response receipts enabled, which sends a copy of the response to the form respondent by email, so that the attacker can send an invitation to complete the form themselves and receive the responses.

"Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software," security researcher Mike Britton said.

The use of Google Forms is also clever in that the responses are sent from the address "forms-receipts-noreply@google\[.\]com," which is a trusted domain and, therefore, have a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign uncovered by Cisco Talos last month.

"Additionally, Google Forms often use dynamically generated URLs," Britton explained. "The constantly changing nature of these URLs can evade traditional security measures that utilize static analysis and signature-based detection, which rely on known patterns to identify threats."

**Threat Actor Targets Recruiters With More\_eggs Backdoor**

The disclosure arrives as Proofpoint revealed a new phishing campaign that's targeting recruiters with direct emails that ultimately lead to a JavaScript backdoor known as More\_eggs.

The enterprise security firm attributed the attack wave to a "skilled, financially motivated threat actor" it tracks as TA4557, which has a track record of abusing legitimate messaging services and offering fake jobs via email to ultimately deliver the More\_eggs backdoor.

"Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume," Proofpoint said.

"Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website."

More\_eggs is offered as malware-as-a-service, and is used by other prominent cybercriminal groups like Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6. Earlier this year, eSentire linked the malware to two operators from Montreal and Bucharest.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

BazaCall Phishing Scammers Now Leveraging Google Forms for Deception

By Waqas
Ukrainian Military's Main Directorate of Intelligence (GUR) Launches Devastating Cyberattack on Russia's Federal Tax Service (FTS) and IT Infrastructure
This is a post from HackRead.com Read the original post: Ukraine’s Cyberattack Cripples Russia’s Tax System

According to Ukrainian intelligence, its cybersecurity experts have destroyed databases and backups used by the Russian tax authorities.

The Ukrainian military’s Main Directorate of Intelligence (GUR) claims to have crippled Russia’s Federal Tax Service (FTS) through a sophisticated cyberattack. Apparently, the hackers backed by the agency infiltrated thousands of servers, destroying databases and backups, and disrupting communication between the central office and regional branches.

The breach reportedly encompassed not only the FTS itself but also a Russian IT company responsible for its data center services. Cybersecurity experts from the agency targeted the FTS and the IT company Office.ed-it.ru. The “paralysis” caused in the operation of the Russian system due to this attack may persist for at least a month, with full recovery nearly impossible, GUR **said**.

The directorate also stated that the attack has completely wiped out configuration files, rendering it inoperable. The primary database and backups were obliterated, leaving Russia struggling to recover vital tax data.

Screenshot shared by Ukranian authorities the the official website of the Federal Tax Service of Russia (ФНС). It says that the website is not working today, December 12, 2023. The message is in Russian language. The other screenshot shows a series of connection timeouts, apparently occurring at the taxation network in Russia:

Screenshot shared by Ukranian authorities the the official website of the Federal Tax Service of Russia (ФНС). It says that the website is not working today, December 12, 2023. The message is in Russian and says: “ФНС не работает сегодня 12.12.2023” (FNS ne rabotayet segodnya 12.12.2023).

The attack also severed communication between the FTS central office and its 2,300 regional branches, paralyzing nationwide operations. Ukraine’s hackers now control tax-related internet traffic across Russia, potentially granting them access to more sensitive information.

The attack took place recently during which military intelligence operatives penetrated the tax system’s central server as well as over 2,300 of its regional servers across Russia and occupied Crimea. It may cause several weeks or even months of disruption to tax collection and government operations.

It is worth noting that the cyberattack is just another one in a series of attacks carried out by Ukraine. **A couple of weeks ago**, in November, Ukraine claimed to have breached Russia’s top Aviation agency and announced “Aviation Cannibalism,” suggesting that the country’s aviation sector is collapsing.

Ukrainian media also **reported** a cyberattack on Russia’s Labor Ministry in November, allegedly launched by hacker group Blackjack and Ukraine’s SBU intelligence agency, resulting in the acquisition of sensitive data. However, the SBU has remained silent, leaving room for speculation and raising questions about the operation’s veracity and purpose.

On the other hand, a DDoS attack was launched on **Kyivstar**, a Ukrainian telecom provider, on December 12. Ukraine’s SBU Security Service suspects Russian intelligence involvement and has launched a criminal investigation. Kyivstar’s Director, Oleksandr Komarov, is still determining the restoration timeframe.

These events mark a significant escalation in cyber warfare between Ukraine and Russia. The attack on the Russian tax system is the second major cyberattack Ukraine claims responsibility for against Russian state agencies in recent months.

However, it is worth noting that while collaboration between the Ukrainian government and hacking groups is likely, we are still waiting for more details to determine the exact scope and modus operandi of this attack.

****_RELATED ARTICLES_****

1.  **Ukraine Leaks Personal Details of 620 Alleged FSB Agents**
2.  **Anonymous Hacks 2 Russian Industrial Firms, Leak 112GB of Data**
3.  **Ukrainian Hacktivists Trick Russian Military Wives for Personal Info**
4.  **Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine**
5.  **Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI**

Tag

#auth