Categories: Business
There are a lot of benefits to ChatGPT, but many in the security community have concerns about it. Malwarebytes' CEO Marcin Kleczynski takes a deep dive into the topic.



(Read more...)




The post ChatGPT: Cybersecurity friend or foe? appeared first on Malwarebytes Labs.

ChatGPT: Cybersecurity friend or foe?

The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.

**Xingyuan Mo**

unread,

Apr 12, 2023, 1:51:47 PMApr 12

to Jason Gunthorpe, Kevin Tian, Joerg Roedel, Will Deacon, Robin Murphy, syzk...@googlegroups.com, io...@lists.linux.dev

Hello,

Recently, when using our tool to fuzz kernel, the following bug was  
triggered.

HEAD commit: 09a9639e56c0 ("Linux 6.3-rc6")  
git tree: mainline  
compiler: gcc (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0  
kernel config: https://drive.google.com/file/d/1FoYieVV2RhjXXwTcmsUzz8dT6\_DN61w8/view?usp=share\_link  
C reproducer: https://drive.google.com/file/d/1OGmuq\_C9DsG78CTMex3Wiq7sPBB6fKkX/view?usp=share\_link

IMPORTANT: if you fix the issue, please add the following tag to the commit:  
Reported-by: Xingyuan Mo <hdt...@gmail.com\>

Kernel log:

BUG: KASAN: slab-use-after-free in iopt\_unmap\_iova\_range+0x5ba/0x5f0 drivers/iommu/iommufd/io\_pagetable.c:499  
Read of size 4 at addr ffff88814fb28984 by task syz-executor410/8190

CPU: 0 PID: 8190 Comm: syz-executor410 Not tainted 6.3.0-rc6 #3  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
dump\_stack\_lvl+0xd9/0x150 lib/dump\_stack.c:106  
print\_address\_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319  
print\_report mm/kasan/report.c:430 \[inline\]  
kasan\_report+0x11c/0x130 mm/kasan/report.c:536  
iopt\_unmap\_iova\_range+0x5ba/0x5f0 drivers/iommu/iommufd/io\_pagetable.c:499  
iopt\_unmap\_all+0x27/0x50 drivers/iommu/iommufd/io\_pagetable.c:555  
iommufd\_ioas\_unmap+0x3d1/0x480 drivers/iommu/iommufd/ioas.c:300  
iommufd\_fops\_ioctl+0x317/0x4b0 drivers/iommu/iommufd/main.c:337  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x197/0x210 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f5bc153dbdd  
Code: c3 e8 97 2a 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64  
89 01 48  
RSP: 002b:00007f5bc14c2d88 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 00007f5bc15d12f8 RCX: 00007f5bc153dbdd  
RDX: 0000000020000000 RSI: 0000000000003b86 RDI: 0000000000000000  
RBP: 00007f5bc15d12f0 R08: 00007f5bc14c3700 R09: 0000000000000000  
R10: 00007f5bc14c3700 R11: 0000000000000246 R12: 00007f5bc15d12fc  
R13: 00007f5bc159e074 R14: 6d6f692f7665642f R15: 00007f5bc14c2e80  
</TASK>

Allocated by task 8189:  
kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45  
kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52  
\_\_\_\_kasan\_kmalloc mm/kasan/common.c:374 \[inline\]  
\_\_\_\_kasan\_kmalloc mm/kasan/common.c:333 \[inline\]  
\_\_kasan\_kmalloc+0xa2/0xb0 mm/kasan/common.c:383  
kmalloc include/linux/slab.h:580 \[inline\]  
kzalloc include/linux/slab.h:720 \[inline\]  
iopt\_alloc\_area\_pages+0x94/0x560 drivers/iommu/iommufd/io\_pagetable.c:234  
iopt\_map\_pages drivers/iommu/iommufd/io\_pagetable.c:339 \[inline\]  
iopt\_map\_user\_pages+0x205/0x4e0 drivers/iommu/iommufd/io\_pagetable.c:404  
iommufd\_ioas\_map+0x329/0x5f0 drivers/iommu/iommufd/ioas.c:222  
iommufd\_fops\_ioctl+0x317/0x4b0 drivers/iommu/iommufd/main.c:337  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x197/0x210 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 8189:  
kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45  
kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52  
kasan\_save\_free\_info+0x2e/0x40 mm/kasan/generic.c:521  
\_\_\_\_kasan\_slab\_free mm/kasan/common.c:236 \[inline\]  
\_\_\_\_kasan\_slab\_free+0x160/0x1c0 mm/kasan/common.c:200  
kasan\_slab\_free include/linux/kasan.h:162 \[inline\]  
slab\_free\_hook mm/slub.c:1781 \[inline\]  
slab\_free\_freelist\_hook+0x8b/0x1c0 mm/slub.c:1807  
slab\_free mm/slub.c:3787 \[inline\]  
\_\_kmem\_cache\_free+0xaf/0x2d0 mm/slub.c:3800  
iopt\_abort\_area drivers/iommu/iommufd/io\_pagetable.c:292 \[inline\]  
iopt\_unmap\_iova\_range+0x288/0x5f0 drivers/iommu/iommufd/io\_pagetable.c:509  
iopt\_unmap\_all+0x27/0x50 drivers/iommu/iommufd/io\_pagetable.c:555  
iommufd\_ioas\_unmap+0x3d1/0x480 drivers/iommu/iommufd/ioas.c:300  
iommufd\_fops\_ioctl+0x317/0x4b0 drivers/iommu/iommufd/main.c:337  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x197/0x210 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88814fb28900  
which belongs to the cache kmalloc-cg-192 of size 192  
The buggy address is located 132 bytes inside of  
freed 192-byte region \[ffff88814fb28900, ffff88814fb289c0)

The buggy address belongs to the physical page:  
page:ffffea00053eca00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14fb28  
memcg:ffff888150318b01  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffff88801244ddc0 dead000000000122 0000000000000000  
raw: 0000000000000000 0000000080100010 00000001ffffffff ffff888150318b01  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask 0x12cc0(GFP\_KERNEL|\_\_GFP\_NOWARN|\_\_GFP\_NORETRY), pid 8173, tgid 8172 (syz-executor410), ts 70683710169, free\_ts 67978925587  
prep\_new\_page mm/page\_alloc.c:2553 \[inline\]  
get\_page\_from\_freelist+0x1190/0x2e20 mm/page\_alloc.c:4326  
\_\_alloc\_pages+0x1cb/0x4a0 mm/page\_alloc.c:5592  
alloc\_pages+0x1aa/0x270 mm/mempolicy.c:2283  
alloc\_slab\_page mm/slub.c:1851 \[inline\]  
allocate\_slab+0x25f/0x390 mm/slub.c:1998  
new\_slab mm/slub.c:2051 \[inline\]  
\_\_\_slab\_alloc+0xa9b/0x13e0 mm/slub.c:3193  
\_\_slab\_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292  
\_\_slab\_alloc\_node mm/slub.c:3345 \[inline\]  
slab\_alloc\_node mm/slub.c:3442 \[inline\]  
\_\_kmem\_cache\_alloc\_node+0x136/0x320 mm/slub.c:3491  
kmalloc\_trace+0x26/0xe0 mm/slab\_common.c:1061  
kmalloc include/linux/slab.h:580 \[inline\]  
kzalloc include/linux/slab.h:720 \[inline\]  
iommufd\_test\_alloc\_access drivers/iommu/iommufd/selftest.c:534 \[inline\]  
iommufd\_test\_create\_access drivers/iommu/iommufd/selftest.c:563 \[inline\]  
iommufd\_test+0x124a/0x2720 drivers/iommu/iommufd/selftest.c:810  
iommufd\_fops\_ioctl+0x317/0x4b0 drivers/iommu/iommufd/main.c:337  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x197/0x210 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
page last free stack trace:  
reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]  
free\_pages\_prepare mm/page\_alloc.c:1454 \[inline\]  
free\_pcp\_prepare+0x5d5/0xa50 mm/page\_alloc.c:1504  
free\_unref\_page\_prepare mm/page\_alloc.c:3388 \[inline\]  
free\_unref\_page+0x1d/0x490 mm/page\_alloc.c:3483  
\_\_folio\_put\_small mm/swap.c:106 \[inline\]  
\_\_folio\_put+0xc5/0x140 mm/swap.c:129  
folio\_put include/linux/mm.h:1309 \[inline\]  
put\_page include/linux/mm.h:1378 \[inline\]  
anon\_pipe\_buf\_release+0x3fb/0x4c0 fs/pipe.c:138  
pipe\_buf\_release include/linux/pipe\_fs\_i.h:203 \[inline\]  
pipe\_read+0x614/0x1110 fs/pipe.c:324  
call\_read\_iter include/linux/fs.h:1845 \[inline\]  
new\_sync\_read fs/read\_write.c:389 \[inline\]  
vfs\_read+0x7fa/0x930 fs/read\_write.c:470  
ksys\_read+0x1ec/0x250 fs/read\_write.c:613  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff88814fb28880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc  
ffff88814fb28900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff88814fb28980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc  
^  
ffff88814fb28a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff88814fb28a80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc

CVE-2023-33250: KASAN: slab-use-after-free Read in iopt_unmap_iova_range

While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose.

At the beginning of May, Google released eight new top-level domains (TLDs)—the suffixes at the end of URLs, like “.com” or “.uk.” These little addendums were developed decades ago to expand and organize URLs, and over the years, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has loosened restrictions on TLDs so organizations like Google can bid to sell access to more of them. But while Google's announcement included light-hearted offerings like “.dad” and “.nexus,” it also debuted a pair of TLDs that are uniquely poised to invite phishing and other types of online scamming: “.zip” and “.mov”.

The two stand out because they are also common file extension names. The former, .zip, is ubiquitous for data compression, while .mov is a video format developed by Apple. The concern, which is already starting to play out, is that URLs that look like file names will open up even more possibilities for digital scams like phishing that trick web users into clicking on malicious links that are masquerading as something legitimate. And the two domains could also expand the problem of programs mistakenly recognizing file names as URLs and automatically adding links to the file names. With this in mind, scammers could strategically buy .zip and .mov URLs that are also common file names—think, springbreak23.mov—so online references to a file with that name could automatically link to a malicious website.

“Attackers will use whatever they can to get inside an organization,” says Ronnie Tokazowski, a longtime phishing researcher and principal threat adviser at the cybersecurity firm Cofense. “Man, this all goes back a long time now. Nothing has changed.”

Researchers have already started seeing malicious actors buying up strategic .zip URLs and begin testing them in phishing campaigns. But reactions are mixed on how much of a negative impact .zip and .mov domains will have when scams that prey on URL confusion are already an inveterate threat. Additionally, proxies and other traffic management tools already deploy anti-phishing protections to cut down on the risks if users mis-click—and .zip and .mov will simply be incorporated into those defenses.

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows,” Google told WIRED in a statement. “Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.” The company added that Google Registry already includes mechanisms to suspend or remove malicious domains across all of the company's top-level domains. “We will continue to monitor the usage of .zip and other TLDs, and if new threats emerge we will take appropriate action to protect users,” the company said.

Offering more TLDs broadens the number of URLs that are available to people. This means you have more choices and don't necessarily have to pay a premium to buy the site name you want from an existing owner or speculator who bought up a bunch of historic URLs. And some in the security community feel that, given the already extensive risk of phishing attacks, additions like .zip and .mov add negligible additional danger.

“I don't agree with the assertion that the new TLDs will increase the effectiveness of phishing in any meaningful way—primarily because people are already so easily fooled by URLs,” says security researcher Troy Hunt, who runs the breach-tracking service HaveIBeenPwned. “Not only can we, myself included, not tell the difference between so many ambiguous characters, we also usually have no idea what the correct URL is for many services. I bet you this all blows over before you know it with no incidents of consequence.”

Some researchers feel strongly, though, that a company like Google, which invests so much in anti-scam and anti-phishing work, could have simply opted not to offer these particular TLDs. Even if other top-level domains exist that are also file extensions, they argue that the world doesn't need more of these overlaps.

“Nobody said this was new. In fact, half the issue is that it’s not new,” says security researcher Marcus Hutchins. “We’ve had this issue in the past, and Google has just gone and caused the same problem again. It really seems like they created a big usability and security issue for downstream providers to clean up, all for no reason other than a low-effort money grab.”

The Real Risks in Google’s New .Zip and .Mov Domains

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

OpenAI’s new ChatGPT app for iOS couldn’t have arrived soon enough. Its absence left open a void in Google Play and Apple’s App Store, which have been quietly filling with scam apps that sucker users into paying for weekly or monthly subscriptions, according to research from security firm Sophos. The official ChatGPT app, meanwhile, is free, and an Android version is arriving soon.

But just because something is free doesn’t make it good. Telly TV is offering 55-inch televisions for $0 to the first 500,000 people who join its reservation list. Of course, “free” comes with a catch: The company reserves the right to collect heaps of data about your viewing habits, and the TV includes a built-in camera that can track your movements. Oh, and it has a second screen primarily for bombarding you with ads. But hey, nothing beats free, right?

Elsewhere in the world of tech that has people freaked out, Montana this week became the first state in the US to ban TikTok. The ban, which goes into effect in 2024, is already facing legal challenges on the grounds that it violates TikTok users’ First Amendment rights. Even if the ban remains, getting around it is trivial—just use a VPN.

The families of four people killed in a racism-fueled mass shooting at a grocery store in Buffalo, New York, are suing a slew of companies the plaintiffs say bear some responsibility for the massacre. The companies include Meta, Alphabet, Amazon, Snap, Reddit, and 4chan. Also on the list of defendants is Good Smile, a Japanese toy company that in 2015 purchased a 30 percent stake in 4chan, where the gunman sought advice on how to carry out his attack.

The United States Postal Service doesn’t just deliver mail—it also carries out warrantless mass surveillance. A bipartisan group of US senators this week launched an effort to curb the use of so-called mail covers, which USPS investigators use to gather the information on the outside of letters and packages. The senators say the practice, which does not require a court order, “threatens both our privacy and First Amendment rights.” 

In the UK, the government is working to expand a controversial surveillance program that collects web histories and other “internet connection records” on millions of people. The program began after the 2016 passage of the Investigatory Powers Act, often called the Snooper’s Charter by privacy advocates and other critics. Records show that the program appears to be moving out of its trial phase and may be rolled out nationally. 

Meanwhile, researchers at security firm Kaspersky released new details about a mysterious hacker group that has carried out operations in Ukraine for far longer than people realized. Dubbed Red Stinger by researchers at Malwarebytes, the group has targeted both pro-Ukraine and pro-Russian figures as part of apparent espionage operations. Initially linked to hacks dating back to 2020, researchers now believe Red Stinger has been active for at least 15 years.

But wait, there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Most TikTok challenges you hear about are fake. This one, however, is deadly serious. Automaker Huyandai this week agreed to pay around $200 million to customers whose vehicles were stolen following a viral TikTok challenge that exposed a major security flaw in some Hyundai and Kia vehicles. 

The challenge began after the user “Kia Boys” posted a video to TikTok showing that it was possible to hot-wire the vulnerable vehicles using a USB cable. According to Engadget, at least 14 crashes and eight deaths have been linked to the challenge. Hyundai will pay affected customers up to $6,125 for stolen vehicles and up to $3,375 to cover the cost of damage caused by those who took advantage of the flaw. The company also has an “anti-theft update” available for affected vehicles. Check to see if your vehicle is impacted here.

The US Foreign Intelligence Surveillance Court yesterday unsealed an April 2022 opinion that exposes rampant FBI misuse of the so-called Section 702 database, a vast trove of electronic communication records used by the bureau and the National Security Agency. The court found that the FBI improperly queried the database, established under Section 702 of the Foreign Intelligence Surveillance Act, more than 287,000 times in 2020 and 2021. Targets of the FBI’s searches include January 6 demonstrators, people arrested while protesting the police murder of George Floyd in Minneapolis, and some 19,000 American political donors to an unidentified US congressional campaign. 

Section 702 gives the US government the authority to collect communications of targets overseas. Communications of Americans can get swept into the database when they communicate with someone outside the US. An audit released by the Office of the Director of National Intelligence late last year found several similar instances of the FBI misusing the Section 702 database to perform searches on American citizens, including US congressman Darin LaHood. Following both the ODNI audit and this week’s release of the court’s opinion, the FBI says the abuse was the result of a “misunderstanding” and vowed that it has fixed the problem. Regardless, Section 702 will expire at the end of the year without reauthorization from Congress, which the FBI’s repeated and widespread misuse could jeopardize.

The US Department of Justice on Tuesday announced charges against a former Apple engineer accused of stealing the company’s source code related to its self-driving-car technology. Weibao Wang allegedly stole the “sensitive” documents in the final days of his employment at Apple in April 2018. Wang left Apple five months after he signed an agreement to work for a US-based subsidiary of a company headquartered in China, according to the Justice Department. After US law enforcement searched his Mountain View, California, home in June 2018, 35-year-old Wang fled to China, the Justice Department says. If convicted, Wang faces up to 10 years in prison plus fines.

Everyone knows how much data can be collected about you anytime you’re online. But a bigger concern may be what someone can collect about you anytime you’re anywhere. That’s the warning in a new research paper, which found that it’s possible to collect “environmental DNA”—traces of genetic material floating in the air or liquids, also called eDNA—that can be linked to a person’s medical or ancestral details. Legal experts who spoke to the _The New York Times_ warn that if police or other government authorities begin collecting eDNA, as scientists studying animals have done for a decade, it could create widespread privacy and civil liberties abuses.

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a medium-severity flaw affecting Samsung devices.
The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13.
The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a

Mobile Security / Cyber Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a medium-severity flaw affecting Samsung devices.

The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13.

The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections.

ASLR is a security technique that's designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device's memory.

Samsung, in an advisory released this month, said it was "notified that an exploit for this issue had existed in the wild," adding it was privately disclosed to the company on January 17, 2023.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Other details about how the flaw is being exploited are currently not known, but vulnerabilities in Samsung phones have been weaponized by commercial spyware vendors in the past to deploy malicious software.

Back in August 2020, Google Project Zero also demonstrated a remote zero-click MMS attack that leveraged two buffer overwrite flaws in the Quram qmg library (SVE-2020-16747 and SVE-2020-17675) to defeat ASLR and achieve code execution.

In light of active abuse, CISA has added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, alongside two Cisco IOS flaws (CVE-2004-1464 and CVE-2016-6415), urging Federal Civilian Executive Branch (FCEB) agencies to apply patches by June 9, 2023.

Last week, CISA also added seven vulnerabilities to the KEV catalog, the oldest of which is a 13-year-old bug impacting Linux (CVE-2010-3904) that allows an unprivileged local attacker can escalate their privileges to root.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Devices Under Active Exploitation! CISA Warns of Critical Flaw

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

CVE-2023-2276: Changeset 2907455 – WordPress Plugin Repository

In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.

Most ransomware attackers use one of three main vectors to compromise networks and gain access to organizations' critical systems and data.

The most significant vector in successful ransomware attacks in 2022, for example, involved the exploitation of public-facing applications, which accounted for 43% of all breaches, followed by the use of compromised accounts (24%) and malicious email (12%), according to Kaspersky's recently released report, "The Nature of Cyber Incidents."

Both exploitation of applications and malicious emails declined as a share of all attacks compared with the previous year, while the use of compromised accounts increased from 18% in 2021.

Bottom line: Doubling down on the most common attack vectors can go a long way to preventing a ransomware attack. "A lot of companies are not the initial targets for attackers but have weak IT security and \[allowing them to\] be hacked easily, so cybercriminals take the opportunity," says Konstantin Sapronov, head of the global emergency response team at Kaspersky. "If we look at top three initial vectors, which together account for almost 80% of all cases, we can implement some defensive measures to mitigate them, and go a very long way to decreasing the likelihood of becoming a victim."

The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors made up the top three techniques — exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%) — but that ransomware actors tended to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.

Ransomware took off in 2020 and 2021, but leveled off last year — even dropping slightly. But this year, ransomware and a related attack — data leaks with a goal of collecting a ransom — appear to be increasing, with the number of organizations posted to data leak sites increasing in the first part of 2023, says Jeremy Kennelly, lead analyst for financial crime analysis at Mandiant.

"This may be an early warning that the respite we saw in 2022 will be short-lived," he says, adding that the ability to continue to use the same initial access vectors has helped attacks.

"Actors engaging in ransomware operations haven’t needed to evolve their tactics, techniques, and procedures (TTPs) significantly in recent years, as well understood strategies have continued to prove effective," Kennelly says.

**Unsurprising Trio: Exploits, Credentials, Phishing**

In December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were commonly using five initial access vectors, including the three identified by both Kaspersky and Mandiant, as well as external remote services — such as VPNs and remote administration software — and third-party supply chain attacks, also known as trusted relationships.

Most compromises are either quick or slow: Quick attacks compromise systems and encrypt data in days, while slow ones are where threat actors typically infiltrate deeper into the network over months, possibly conducting cyber espionage and then deploying ransomware or sending a ransom note, according to Kaspersky's report.

Exploitation of public-facing applications and the use of legitimate credentials also tend to be harder to detect without some sort of application or behavioral monitoring, leading to longer dwell times for attackers, says Kaspersky's Sapronov.

"\[N\]ot enough attention is paid to application monitoring," he says. "Also, when attackers use \[exploitation\], they need to take more steps to reach their goals."

    

Exploitation is the top initial access vector and tends to lead to a quick ransomware attack or longer espionage. Source: Kaspersky

**Tip: Track Exploitation Trends**

Knowing the most common approaches attackers likely will take can help inform defenders. Companies should continue to prioritize vulnerabilities that have exploits in the wild, for example. By paying attention to the shifts in the threat ecosystem, companies can make sure that they are prepared for likely attacks, Mandiant's Kennelly says.

"Due to the velocity at which threat actors can weaponize exploit code to support intrusion operations, understanding which vulnerabilities are being actively exploited, whether exploit code is publicly available, and if a particular patch or remediation strategy is effective can easily save organizations from dealing with one or more active intrusions," he says.

But avoid putting too much emphasis on protecting against specific initial access vectors, as attackers continually adapt to defenses, Kennelly adds.

"The specific infection vectors that are most common at a given time should not broadly change an organization's defensive posture, as threat actors continually shift their operations to focus on whichever vectors prove most successful," he says. "\[A\] decrease in the prevalence of any given vector does not mean it poses a significantly lower threat — for example, there has been a slow decline in the proportion of intrusions where access was obtained via phishing, but email is still used by many high-impact threat groups."

3 Common Initial Attack Vectors Account for Most Ransomware Campaigns

Montana’s TikTok ban will be impossible to enforce. But it could encourage copycat crackdowns against the social media app.

Montana’s TikTok ban is a technological nightmare. Experts warn it will be incredibly difficult for officials to enforce and incredibly easy for almost anyone to get around. But more than that, it’s a move that undermines America’s history of fostering an open, democratic internet.

The law, which comes into effect at the start of 2024, will both block TikTok from mobile app stores in Montana while also banning TikTok from operating in the state. It’s a move that brings with it a host of First Amendment concerns, and may never be enacted if legal challenges block it. But, if it does go ahead, experts warn it is likely to be a mess.

“From a technical perspective, even if this was a national law, there would be challenges to try to make this work,” says John Morris, principal, US internet policy and advocacy at the Internet Society, a nonprofit that promotes an open internet. But because people can use VPNs to change their browsing location, it’s even harder to ensure a local ban will work. “State boundaries are not something that’s built into the internet.” 

The new law is the first on the books following years of anxiety in the US around TikTok as a national security risk. That perceived threat looms because TikTok’s parent company, ByteDance, is Chinese-owned. TikTok has also become one of the most popular apps in the world, with 150 million users in the US alone. 

The Montana law calls for $10,000 penalties to be levied on mobile app stores when they allow people to download or use TikTok. TikTok could also be fined for operating in the state. The fines would not apply to people who download the app. 

The US has historically advocated for an open internet and criticized countries that censor online access. China is successful in its mass censorship because of its Great Firewall—a system unlike anything in the US, and one that Montana could not build for itself. Other countries, including Indonesia and Pakistan, have banned TikTok and then rescinded the blocks. India’s TikTok ban, introduced in June 2020, is still in place. Montana, along with other states, and the US federal government have blocked TikTok from government devices, but geoblocking from specific regions within the US would prove much harder.

An older version of the Montana bill would have forced internet services providers to block TikTok in the state. But ISPs said it would be impossible to do so, and the requirement was removed. Mobile app providers like Apple and Google did not respond to requests for comment. And while Montana has now passed the law banning TikTok, it remains to be seen how it plans to do so.

Montana officials have suggested tech that restricts online sports gambling, which remains illegal in more than a dozen US states, could be employed to boot TikTok out of its borders. If anyone reports a violation, officials would investigate it, and if a breach was verified, cease-and-desist letters would be sent to the companies, the state attorney general’s office told the Associated Press. 

Such blocks are regularly circumvented using VPNs. And VPNs have their own security issues—people who use them can become targets for hackers. Some VPNs also keep logs of user data, which can be accessed by law enforcement with subpoenas. 

But there’s no way for TikTok to know whether people are using VPNs within Montana to access the social network, which makes this law “very complicated,” and “very difficult to enforce” if TikTok is the liable party rather than the service provider, says Kevin Du, a professor of electrical engineering and computer science at Syracuse University. 

In response to the ban, TikTok said it would “continue working to defend the rights” of users inside and outside Montana. The company has also called the ban unlawful. The law was also criticized by the American Civil Liberties Union, which says it violates “free speech rights under the guise of national security and lays the groundwork for excessive government control over the internet.” TikTok creators, who are often semipublic figures, have already sued the state of Montana, claiming the new law violates free speech rights.  

It might make up a tiny slice of TikTok’s global user base, but if Montana’s ban stands, it could influence legislation in other US states. A nationwide ban remains both complex and unlikely.

How You, or Anyone, Can Dodge Montana’s TikTok Ban

Ubuntu Security Notice 6090-1 - It was discovered that some AMD x86-64 processors with SMT enabled could speculatively execute instructions using a return address from a sibling thread. A local attacker could possibly use this to expose sensitive information. Zheng Wang discovered that the Intel i915 graphics driver in the Linux kernel did not properly handle certain error conditions, leading to a double-free. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6090-1  
May 18, 2023

linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop,  
linux-oracle-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems  
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

It was discovered that some AMD x86-64 processors with SMT enabled could  
speculatively execute instructions using a return address from a sibling  
thread. A local attacker could possibly use this to expose sensitive  
information. (CVE-2022-27672)

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1020-gkeop   5.15.0-1020.25  
   linux-image-5.15.0-1033-gke     5.15.0-1033.38  
   linux-image-5.15.0-1034-gcp     5.15.0-1034.42+1  
   linux-image-gcp-lts-22.04       5.15.0.1034.30  
   linux-image-gke                 5.15.0.1033.32  
   linux-image-gke-5.15            5.15.0.1033.32  
   linux-image-gkeop               5.15.0.1020.19  
   linux-image-gkeop-5.15          5.15.0.1020.19

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1033-gcp     5.15.0-1033.41~20.04.1  
   linux-image-5.15.0-1033-gke     5.15.0-1033.38~20.04.1  
   linux-image-5.15.0-1035-oracle  5.15.0-1035.41~20.04.1  
   linux-image-gcp                 5.15.0.1033.41~20.04.1  
   linux-image-gke-5.15            5.15.0.1033.38~20.04.1  
   linux-image-oracle              5.15.0.1035.41~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6090-1  
   CVE-2022-27672, CVE-2022-3707, CVE-2023-0459, CVE-2023-1075,  
   CVE-2023-1078, CVE-2023-1118, CVE-2023-1513, CVE-2023-20938,  
   CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1034.42  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1033.38  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1020.25  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1033.41~20.04.1  
   https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1033.38~20.04.1

 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1035.41~20.04.1

Tag

#google