Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.

Title: HUAWEI EMUI/Magic UI security updates July 2022

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the June 2022 Android security bulletin:

Critical: CVE-2022-20130, CVE-2022-20145

High: CVE-2021-39691, CVE-2022-20006, CVE-2022-20134, CVE-2022-20135, CVE-2022-20142, CVE-2022-20143, CVE-2022-20141, CVE-2021-4154, CVE-2022-25375, CVE-2022-24958, CVE-2022-25258, CVE-2022-20132

Medium: CVE-2021-39806, CVE-2022-20197, CVE-2022-20201, CVE-2022-20202, CVE-2021-35118, CVE-2021-20268, CVE-2021-20321, CVE-2021-35121, CVE-2021-3635, CVE-2021-3715, CVE-2021-3743, CVE-2021-3753, CVE-2021-38160, CVE-2022-0492, CVE-2022-20148, CVE-2022-20166, CVE-2022-26966, CVE-2021-35119

Low: none

Already included in previous updates: CVE-2021-39803, CVE-2022-20007, CVE-2022-20109, CVE-2022-20110, CVE-2020-11307, CVE-2021-30264, CVE-2020-11263, CVE-2021-1894, CVE-2021-30272, CVE-2021-30274, CVE-2021-30275, CVE-2021-30278, CVE-2021-30279, CVE-2021-30282

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40016: Improper permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46741: Vulnerability of defects being introduced in the design process in the basic framework and settings module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect integrity.

CVE-2021-40012: Vulnerability of pointers being incorrectly used during data transmission in the video framework

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-31751: Multi-thread competition for resources in the kernel emcom module

Severity: Critical

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-40013: Improper permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect integrity.

CVE-2022-34737: Incorrect permission assignment vulnerability in the application security module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.

CVE-2022-31755: Improper preservation of permissions vulnerability in the communications module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2022-34736: Null pointer vulnerability in the frame scheduling module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-34735: Null pointer vulnerability in the frame scheduling module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-34739: Addition overflow vulnerability in the fingerprint sensor module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the data of unknown addresses to be obtained from the address mapping.

CVE-2022-34742: Read/Write vulnerability in system components

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-34740: Buffer overflow vulnerability in the NFC module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause exceptions in NFC card registration, deletion, and activation.

CVE-2022-34741: Buffer overflow vulnerability in the NFC module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause exceptions in NFC card registration, deletion, and activation.

CVE-2022-31762: Input verification vulnerability in the AMS module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause unauthorized operations.

CVE-2022-34743: Out-of-bounds read vulnerability in the AT commands of the USB port

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-34738: Permission control vulnerability in the SystemUI module

Severity: Medium

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause the service running in the background being unable to be perceived by the user.

CVE-2021-40012: July

There is a buffer overflow vulnerability in eSE620X vESS V100R001C10SPC200 and V100R001C20SPC200. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition.

There is a buffer overflow vulnerability in DOPRA SSP products. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition. (Vulnerability ID: HWPSIRT-2020-82332)  
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-39999.  
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:  
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211201-01-buffer-en  

Product Name

Affected Version

Resolved Product and Version

eSE620X vESS

V100R001C10SPC200

V100R001C20SPC600

V100R001C20SPC200

  

Successful exploit could cause a denial of service condition.  

This vulnerability can be exploited only when the following conditions are present:

Attackers can send packets to the affected module.

Vulnerability details:

There is a buffer overflow vulnerability in DOPRA SSP products. An attacker can exploit this vulnerability by sending a specific message to the target device due to insufficient validation of packets. Successful exploit could cause a denial of service condition.

  

This vulnerability was discovered by Huawei internal tester.

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2021-39999: Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products

Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack.

**Ba Jinsheng** bajinsheng at u.nus.edu  
_Wed Sep 8 22:28:48 PDT 2021_

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi,

There may be another similar overflow bug about the fd\_set in BasicUsageEnvironment/BasicTaskScheduler.cpp:115
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  for (int i = 0; i < 10000; ++i) {
    if (FD\_ISSET(i, &fReadSet) || FD\_ISSET(i, &fWriteSet) || FD\_ISSET(i, &fExceptionSet)) {
      fprintf(stderr, " %d(", i);
      if (FD\_ISSET(i, &fReadSet)) fprintf(stderr, "r");
      if (FD\_ISSET(i, &fWriteSet)) fprintf(stderr, "w");
      if (FD\_ISSET(i, &fExceptionSet)) fprintf(stderr, "e");
      fprintf(stderr, ")");
    }
  }
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In default, the fd\_set should only support 1024 fds.
Sometimes, it incur the overflow as follow:

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000470 at pc 0x000000647338 bp 0x7ffff34b50d0 sp 0x7ffff34b50c8
READ of size 8 at 0x619000000470 thread T1
    #0 0x647337 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61
    #1 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #2 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #3 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #4 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #5 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #6 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #7 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #8 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #9 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #10 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #11 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #12 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #13 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #14 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #15 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #16 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #17 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #18 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #19 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #20 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #21 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5

0x619000000470 is located 0 bytes to the right of 1008-byte region \[0x619000000080,0x619000000470)
allocated by thread T1 here:
    #0 0x4c789d in operator new(unsigned long) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c789d)
    #1 0x645882 in BasicTaskScheduler::createNew(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:32:9


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61 in BasicTaskScheduler::SingleStep(unsigned int)
Shadow bytes around the buggy address:
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa
  0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13==ABORTING




Best regards,
Jinsheng Ba

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210909/84e04d3f/attachment-0001.htm\>

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the live-devel mailing list

CVE-2021-41396: [Live-devel] A Heap-overflow in FD_ISSET

This updated advisory is a follow-up to the original advisory titled ICSA-22-055-03 Schneider Electric Easergy P5 and P3 that was published February 24, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in Schneider Electric Easergy P5 and P3 medium voltage protection relays.

Schneider Electric Easergy P5 and P3 (Update A)

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

**Note**: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.  
_(going back to ZCS 7.1.3)_

Bug#

Summary

**CVE-ID**

**CVSS  
Score**

Zimbra  
Rating

Fix Release or  
Patch Version

Reporter

Memcached poisoning with unauthenticated request.

CVE-2022-27924

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Simon Scannell of Sonarsource

RCE through mboximport from authenticated user.

CVE-2022-27925

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Mikhail Klyuchnikov of Positive Technologies

Proxy Servlet Open Redirect Vulnerability

CVE-2021-35209

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Open Redirect Vulnerability in preauth servlet

CVE-2021-34807

Low

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Stored XSS Vulnerability in ZmMailMsgView.java

CVE-2021-35208

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

XSS vulnerability in Zimbra Web Client via loginErrorCode

CVE-2021-35207

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

9.0.0 Patch 13

Upstream, see CVE-2019-9641, CVE-2019-9640

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

8.8.15 Patch 20

Upstream, see CVE-2019-9641, CVE-2019-9640

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

9.0.0 Patch 13

Upstream, see CVE-2019-0211, CVE-2019-0217

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

8.8.15 Patch 20

Upstream, see CVE-2019-0211, CVE-2019-0217

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

9.0.0 Patch 10

Primerica

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

8.8.15 Patch 17

Primerica

XSS CWE-79 vulnerability in tinymce

n/a

6.1

Medium

9.0.0 Patch 5

Upstream, see CVE-2019-1010091

Memory Leak in nodejs library mem

n/a

5.5

Medium

9.0.0 Patch 5

Upstream, see WS-2018-0236

Persistent XSS

CVE-2020-13653

Minor

8.8.15 Patch 11, 9.0.0 Patch 4

Telenet

Unrestricted Upload of File with Dangerous Type CWE-434

CVE-2020-12846

6.0

Minor

8.8.16 Patch 10, 9.0.0 Patch 3

Telenet

Persistent XSS CWE-79

CVE-2020-11737

4.3

Minor

9.0.0 Patch 2

Zimbra

109174

Non-Persistent XSS CWE-79

CVE-2019-12427

4.3

Minor

8.8.15 Patch 1

Meridian Miftari

109141

Non-Persistent XSS CWE-79

CVE-2019-15313

4.3

Minor

8.8.15 Patch 1

Quang Bui

109124

Non-Persistent XSS CWE-79

CVE-2019-8947

2.6

Minor

\-

Issam Rabhi of Sysdream

109123

Persistent XSS CWE-79

CVE-2019-8946

2.6

Minor

\-

Issam Rabhi of Sysdream

109122

Persistent XSS CWE-79

CVE-2019-8945

3.5

Minor

\-

Issam Rabhi of Sysdream

109117

Persistent XSS CWE-79

CVE-2019-11318

3.5

Minor

8.8.12 Patch 1

Mondher Smii

109127

SSRF CWE-918 / CWE-807

CVE-2019-9621

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109096

Blind SSRF CWE-918

CVE-2019-6981

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109129

XXE CWE-611  
(8.7.x only)

CVE-2019-9670

6.4

Major

8.7.11 Patch10

Khanh Van Pham  
An Trinh

109097

Insecure object deserialization CWE-502

CVE-2019-6980

5.4

Major

8.7.11 Patch9  
8.8.9 Patch10  
8.8.10 Patch7  
8.8.11 Patch3  
8.8.12

An Trinh

109093

XXE CWE-611

CVE-2018-20160

6.4

Major

8.7.x see 109129 above  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11 Patch1  
8.8.12

An Trinh

109017

Non-Persistent XSS CWE-79

CVE-2018-14013

4.3

Minor

8.7.11 Patch8  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11

Issam Rabhi of Sysdream

109020

Persistent XSS CWE-79

CVE-2018-18631

5.0

Major

8.7.11 Patch7  
8.8.9 Patch7  
8.8.10 Patch2  
8.8.11

Netragard

109018

Non-Persistent CWE-79

CVE-2018-14013

2.6

Minor

8.7.11 Patch7  
8.8.9 Patch6  
8.8.10 Patch1  
8.8.11

Issam Rabhi of Sysdream

109021

Limited Content Spoofing CWE-345

CVE-2018-17938

4.3

Minor

8.8.10

Sumit Sahoo

109012

Account Enumeration CWE-203

CVE-2018-15131

5.0

Major

8.7.11 Patch6  
8.8.8 Patch9  
8.8.9 Patch3

Danielle Deibler

108970

Persistent XSS CWE-79

CVE-2018-14425

3.5

Minor

8.8.8 Patch7  
8.8.9 Patch1

Diego Di Nardo

108902

Persistent XSS CWE-79

CVE-2018-10939

3.5

Minor

8.6.0 Patch11  
8.7.11 Patch4  
8.8.8 Patch4

Diego Di Nardo

108963

Verbose Error Messages CWE-209

CVE-2018-10950

3.5

Minor

8.7.11 Patch3  
8.8.8

Netragard

108962

Account Enumeration CWE-203

CVE-2018-10949

5.0

Major

8.7.11 Patch3  
8.8.8

Netragard

108894

Persistent XSS CWE-199

CVE-2018-10951

3.6

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.8

Netragard

97579

CSRF CWE-352

CVE-2015-7610

5.8

Major

8.6.0 Patch10  
8.7.11 Patch2  
8.8.8 Patch1

Fortinet's FortiGuard Labs

108786

Persistent XSS CWE-79

CVE-2018-6882

4.3

Minor

8.6.0 Patch10  
8.7.11 Patch1  
8.8.7  
8.8.8

Stephan Kaag of Securify

108265

Persistent XSS CWE-79

CVE-2017-17703

4.3

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.3

Veit Hailperin

107963

Host header injection CWE-20

\-

4.3

Minor

8.8.0 Beta2

\-

107948

107949

Persistent XSS CWE-79

CVE-2018-10948

3.5

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.0 Beta2

Lucideus  
Phil Pearl

107925

Persistent XSS - snippet CWE-79

CVE-2017-8802

3.5

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.0 Beta2

Compass Security

107878

Persistent XSS - location CWE-79

CVE-2017-8783

4.0

Minor

8.7.10

Stephan Kaag of Securify

107712

Improper limitation of file paths CWE-22

CVE-2017-6821

4.0

Minor

8.7.6

Greg Solovyev, Phil Pearl

107684

Improper handling of privileges CWE-280

CVE-2017-6813

4.0

Major

8.6.0 Patch9  
8.7.6

Greg Solovyev

106811

XXE CWE-611

CVE-2016-9924

5.8

Major

8.6.0 Patch10  
8.7.4

Alastair Gray

106612

Persistent XSS CWE-79

CVE-2017-7288

4.3

Minor

8.6.0 Patch11  
8.7.1

Sammy Forgit

105001  
105174

XSS CWE-79

CVE-2016-5721

4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Secu

104552  
104703

XSS CWE-79

CVE-2016-3999

4.3

Minor

8.7.0

Nam Habach

104477

Open Redirect CWE-601

CVE-2016-4019

4.3

Minor

8.7.0

Zimbra

104294  
104456

CSRF CWE-352

CVE-2016-3406

2.6

Minor

8.6.0 Patch8  
8.7.0

Zimbra

104222

104910  
105071  

105175

XSS CWE-79

CVE-2016-3407

4.3  
3.5  
4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103997

104413  
104414  
104777  

104791

XSS CWE-79

CVE-2016-3412

3.5

Minor

8.7.0

Zimbra

103996

XXE (Admin) CWE-611\-

CVE-2016-3413

2.6

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103961  
104828

CSRF CWE-352

CVE-2016-3405

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103959

CSRF CWE-352

CVE-2016-3404

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103956

103995  
104475  
104838  

104839

XSS CWE-79

CVE-2016-3410

4.3

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103609

XSS CWE-79

CVE-2016-3411

3.5

Minor

8.6.0 Patch11  
8.7.0

Zimbra

102637

XSS CWE-79

CVE-2016-3409

4.3

Minor

8.6.0 Patch11  
8.7.0

Peter Nguyen

102276

Deserialization of Untrusted Data CWE-502

CVE-2016-3415

5.8

Major

8.7.0

Zimbra

102227

Deserialization of Untrusted Data CWE-502

n/a

7.5

Major

8.7.0

Upstream, see  
CVE-2015-4852

102029

CWE-674

CVE-2016-3414

4.0

Minor

8.6.0 Patch7  
8.7.0

Zimbra

101813

XSS CWE-79

CVE-2016-3408

4.3

Minor

8.6.0 Patch11  
8.7.0

Volexity

100885  
100899

CSRF CWE-352

CVE-2016-3403

5.8

Major

8.6.0 Patch8  
8.7.0

Sysdream

99810

CWE-284 CWE-203

CVE-2016-3401

3.5

Minor

8.7.0

Zimbra

99167

Account Enumeration CWE-203

CVE-2016-3402

2.6

Minor

8.7.0

Zimbra

101435  
101436

Persistent XSS CWE-79

CVE-2015-7609

6.4  
2.3

Major

8.6.0 Patch5  
8.7.0

Fortinet's FortiGuard Labs

101559

100133  
99854  
99914  

96973

XSS CWE-79

CVE-2015-2249

3.5

Minor

8.6.0 Patch5  
8.7.0

Zimbra

99236

XSS Vuln in YUI components in ZCS

n/a

4.3

Minor

8.6.0 Patch5

Upstream, see  
CVE-2012-5881  
CVE-2012-5882  
CVE-2012-5883

98358

98216  

98215

Non-Persistent XSS CWE-79

CVE-2015-2249

4.3

Minor

8.6.0 Patch2  
8.7.0

Cure53

97625

Non-Persistent XSS CWE-79

CVE-2015-2230

3.5

Minor

8.6.0 Patch2

MWR InfoSecurity

96105

Improper Input Validation CWE-20

CVE-2014-8563

5.8

Major

8.0.9  
8.5.1  
8.6.0

 -

83547

CSRF Vulnerability CWE-352

CVE-2015-6541

5.8

Major

8.5.0

iSEC Partners, Sysdream

87412

92825  
92833  

92835

XSS Vulnerabilities CWE-79  
(8.0.7 Patch  
contains 87412)

CVE-2014-5500

4.3

Minor

8.0.8  
8.5.0

 -

83550

Session Fixation CWE-384

CVE-2013-5119

5.8

Major

8.5.0

\- 

91484

Patch ZCS8 OpenSSL for CVE-2014-0224

n/a

6.8

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch

Upstream, see  
CVE-2014-0224

88708

Patch ZCS8 OpenSSL for CVE-2014-0160

n/a

5.0

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch  
8.0.7

Upstream, see  
CVE-2014-0160

85499

Upgrade to OpenSSL 1.0.1f

n/a

4.3  
4.3  
5.8

Major

8.0.7

Upstream, see  
CVE-2013-4353  
CVE-2013-6449  
CVE-2013-6450

84547

XXE CWE-611

CVE-2013-7217

6.4  
(not 10.0)

Critical

7.2.2\_Patch3  
7.2.3\_Patch  
7.2.4\_Patch2  
7.2.5\_Patch  
7.2.6  
8.0.3\_Patch3  
8.0.4\_Patch2  
8.0.5\_Patch  
8.0.6

Private

85478

XSS vulnerability in message view

\-

6.4

Major

8.0.7

Alban Diquet  
of iSEC Partners

85411

Local root privilege escalation

\-

6.2

Major

8.0.7

Matthew David

85000

Patch nginx for CVE-2013-4547

n/a

7.5

Major

7.2.7  
8.0.7

Upstream, see  
CVE-2013-4547

80450  
80131  
80445  
80132

Upgrade to JDK 1.6 u41  
Upgrade OpenSSL to 1.0.0k  
Upgrade to JDK 1.7u15+  
Upgrade to OpenSSL 1.0.1d

n/a

2.6

Minor

7.2.3  
7.2.3  
8.0.3  
8.0.3

Upstream, see  
CVE-2013-0169

80338

Local file inclusion via skin/branding feature CWE-22

CVE-2013-7091

5.0

Critical

6.0.16\_Patch  
7.1.1\_Patch6  
7.1.3\_Patch3  
7.2.2\_Patch2  
7.2.3  
8.0.2\_Patch  
8.0.3

Private

77655

Separate keystore for CAs used for X509 authentication

\-

5.8

Major

8.0.7

Private

75424

Upgrade to Clamav 0.97.5

n/a

4.3  
4.3  
4.3

Minor

7.2.1

Upstream, see  
CVE-2012-1457  
CVE-2012-1458  
CVE-2012-1459

64981

Do not allow HTTP GET for login

\-

6.8

Major

7.1.3\_Patch  
7.1.4

Private

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.

Permalink

Browse files

patch 9.0.0046: reading past end of completion with duplicate match

Problem:    Reading past end of completion with duplicate match.
Solution:   Check string length

*   Loading branch information

1 parent caea664 commit baefde14550231f6468ac2ed2ed495bc381c0c92

Showing **3 changed files** with **14 additions** and **1 deletion**.

*   *   insexpand.c
    *   *   test\_ins\_complete.vim
    *   version.c

@@ -786,7 +786,8 @@ ins\_compl\_add(

{

if (!match\_at\_original\_text(match)

&& STRNCMP(match->cp\_str, str, len) == 0

&& match->cp\_str\[len\] == NUL)

&& ((int)STRLEN(match->cp\_str) <= len

|| match->cp\_str\[len\] == NUL))

return NOTDONE;

match = match->cp\_next;

} while (match != NULL && !is\_first\_match(match));

@@ -2112,5 +2112,15 @@ func Test\_infercase\_very\_long\_line()

set noic noinfercase

endfunc

  

func Test\_ins\_complete\_add()

" this was reading past the end of allocated memory

new

norm o

norm 7o

sil! norm o

  

bwipe!

endfunc

  

  

" vim: shiftwidth\=2 sts\=2 expandtab

@@ -735,6 +735,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

46,

/\*\*/

45,

/\*\*/

**0 comments on commit baefde1**

Please sign in to comment.

CVE-2022-2344: patch 9.0.0046: reading past end of completion with duplicate match · vim/vim@baefde1

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.

**Description**

Heap-based Buffer Overflow in function ins\_compl\_add at insexpand.c:751

**vim version**

    git log
    commit 324478037923feef1eb8a771648e38ade9e5e05a (HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD)
    
    

**POC**

    ./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbor4_s.dat -c :qa!
    =================================================================
    ==3114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000827cb at pc 0x0000009b3131 bp 0x7ffeee1a6850 sp 0x7ffeee1a6848
    READ of size 1 at 0x61e0000827cb thread T0
        #0 0x9b3130 in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10
        #1 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
        #2 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
        #3 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
        #4 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
        #5 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
        #6 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
        #7 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
        #8 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
        #9 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
        #10 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
        #11 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
        #12 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
        #13 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
        #14 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
        #15 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #16 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #17 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
        #18 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
        #19 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
        #20 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
        #21 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #22 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #23 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
        #24 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
        #25 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
        #26 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
        #27 0x7fd83cb66082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #28 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)
    
    0x61e0000827cb is located 125 bytes to the right of 2766-byte region [0x61e000081c80,0x61e00008274e)
    allocated by thread T0 here:
        #0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
        #1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
        #2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
        #3 0xf90f0d in vim_strnsave /home/fuzz/fuzz/vim/afl/src/strings.c:44:9
        #4 0x9b349a in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:768:26
        #5 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
        #6 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
        #7 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
        #8 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
        #9 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
        #10 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
        #11 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
        #12 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
        #13 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
        #14 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
        #15 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
        #16 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
        #17 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
        #18 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
        #19 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #20 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #21 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
        #22 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
        #23 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
        #24 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
        #25 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
        #26 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
        #27 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
        #28 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
        #29 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10 in ins_compl_add
    Shadow bytes around the buggy address:
      0x0c3c800084a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c800084e0: 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa fa
    =>0x0c3c800084f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
      0x0c3c80008500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c80008540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3114==ABORTING
    

poc\_hbor4\_s.dat

**Impact**

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

CVE-2022-2343: Heap-based Buffer Overflow in function ins_compl_add in vim

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

CVE-2021-29281: Unrestricted File Upload | OWASP Foundation

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Threat Source newsletter (July 7, 2022) — Teamwork makes the dream work

Four high, six medium, and one low severity issue fixed

Four high, six medium, and one low severity issue fixed

Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products.

The California-headquartered cybersecurity giant, which accounts for more than a third of all firewall and unified threat management shipments worldwide, released a huge number of firmware and software updates on Tuesday (July 5).

A quartet of high severity flaws includes multiple relative path traversal bugs in the management interface of FortiDeceptor, which spins up virtual machines that serve as honeypots for network intruders (CVE-2022-30302).

RECOMMENDED High severity OpenSSL bug could lead to remote code execution

Abuse of these “may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests”, according to the corresponding Fortinet advisory.

Similarly, attackers could achieve privilege escalation in Windows versions of endpoint protection and VPN product FortiClient via path traversal in the named pipe responsible for the FortiESNAC service (CVE-2021-41031).

The FortiNAC network access control solution, meanwhile, suffered from an “empty password in configuration file vulnerability” through which an authenticated attacker could access the MySQL databases via the command line interface (CLI) (CVE-2022-26117).

**Additional bugs**

The other high severity issue, which applies to security event analysis appliance FortiAnalyzer, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, “may allow a privileged attacker to execute arbitrary code or command via crafted CLI ‘execute restore image’ and ‘execute certificate remote’ operations with the TFTP protocol” (CVE-2021-43072).

Medium severity issues in the patch batch include SQL injection vulnerabilities in the FortiADC application delivery controller (CVE-2022-26120) and an OS command injection vulnerability in CLI in FortiAnalyzer and FortiManager (CVE-2022-27483).

Catch up with the latest enterprise security news

Meanwhile, cross-site scripting (XSS) issues in the FortiEDR endpoint security solution (CVE-2022-29057); a privilege escalation bug in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands affecting FortiOS and FortiProxy (CVE-2021-44170).

The sixth and final medium severity issue is an integer overflow in dhcpd daemon impacting FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system, (CVE-2021-42755).

Last and least, in threat terms, is a low severity XSS vulnerability affecting FortiOS (CVE-2022-23438).

YOU MIGHT ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Tag

#buffer_overflow