Five vulnerabilities in the baseboard management controller (BMC) software used by 15 major vendors could allow remote code execution if attackers gain network access.

Five vulnerabilities in the baseboard management controller (BMC) firmware used in servers of 15 major vendors could give attackers the ability to remotely compromise the systems widely used in data centers and for cloud services.

The vulnerabilities, two of which were disclosed this week by hardware security firm Eclypsium, occur in system-on-chip (SoC) computing platforms that use AMI's MegaRAC Baseboard Management Controller (BMC) software for remote management. The flaws could impact servers produced by at least 15 vendors, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia.

Eclypsium disclosed three of the vulnerabilities in December, but withheld information on two additional flaws until this week in order to allow AMI more time to mitigate the issues.

Since the vulnerabilities can only be exploited if the servers are connected directly to the Internet, the extent of the vulnerabilities is hard to measure, says Nate Warfield, director of threat research and intelligence at Eclypsium.

"We really don't know what the what the blast radius is on this, because while we know some of the platforms, we don't have any details as to \[how\] prolific these things are," he says. "You know, did they sell 100,000 of them? Did they sell 10 million of them? We just don't know."

Baseboard management controllers are typically a single chip — or system-on-chip (SoC) — installed on a motherboard to allow administrators to remotely manage servers with near total control. AMI's MegaRAC is a collection of software based on the Open BMC firmware project, an open source project for developing and maintaining an accessible baseboard management controller firmware.

Many server makers rely on BMC software to allow administrators to take complete control of the server hardware at a low level, giving it access to "lights-out" features, the Eclypsium advisory stated. Because the software is widely used, the footprint of the vulnerable features is quite large.

"\[V\]ulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services," Eclypsium stated in its advisory. "As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use."

AMI is the latest baseboard management controller (BMC) software maker to have vulnerabilities found in their code. In 2022, Eclypsium also found vulnerabilities in Quanta Cloud Technology (QCT) servers that have found common use by cloud firms. And previous research by the company in 2020 found that the lack of signed firmware in laptops and servers could allow an attacker to install a Trojan horse to remote control the devices.

**December Flaws Most Serious**

The two latest flaws released on January 30 include two lower severity issues. The first vulnerability (CVE-2022-26872) gives an attacker the ability to reset a password if they can time the attack during a narrow window between when a one-time password is validated and when the new password is sent by the user. In the second security issue (CVE-2022-40258), the password file is hashed with a weak algorithm, Eclypsium stated.

Both issues are less severe than the three vulnerabilities disclosed in December, which include two vulnerabilities — a dangerous command in the BMC's API (CVE-2022-40259) and a default credential (CVE-2022-40242) — that could allow simple remote code execution, Eclypsium stated in the advisory. The other vulnerability (CVE-2022-2827) allows an attacker to remotely enumerate usernames via the API.

The Redfish API replaces previous versions of the Intelligent Platform Management Interface (IPMI) in modern data centers, with support from major server vendors and the Open BMC project, according to Eclypsium.

Eclypsium conducted its analysis of the AMI software after the code was leaked to the Internet by a ransomware group. AMI is not thought to be the source of the leaked software code; rather, the code is a result of a third-party vendor being hit by ransomware, Warfield says.

"What we've discovered back in the summer was that somebody had leaked intellectual property for a bunch of technology companies onto the Internet," he says. "And, as we were digging through it ... trying to figure out what it was and who had it, we came across some of AMI's intellectual property. So we kind of started digging into that to see what we could find."

**Patching Rate Unknown**

AMI has issued patched software for all five vulnerabilities, and now the mitigation of the vulnerabilities is in the hands of server makers and their customers.

Already, many vendors — such as HPE, Intel, and Lenovo — have issued advisories to their customers. However, patching those servers will be up to the companies who have the servers deployed in their data centers.

Firmware patching tends to happen at a glacial rate, which should be a worry, says Warfield.

"The tricky part is the the time between the patches coming out and people actually applying them," he says. "BMC is not something with, sort of, a Windows update mechanism, where you can say, 'Oh, I've got 100,000 servers that are affected. Let me just push this out to all of them.'"

Firmware Flaws Could Spell 'Lights Out' for Servers

By Deeba Ahmed
This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.
This is a post from HackRead.com Read the original post: Critical Realtek Vulnerability Impacting IoT Devices Worldwide

As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

According to a new report from Palo Alto Networks’ Unit 42 researchers, between August and October 2022, cybercriminals increased their efforts to exploit a Realtek Jungle SDK vulnerability.

Usually, researchers record 10% of all attacks targeting a single vulnerability. But in this case, over 40% of all attacks involved exploitation of the Realtek remote code execution **(RCE)** vulnerability.

**Vulnerability Analysis**

The Realtek Jungle SDK RCE is tracked as **CVE-2021-35394**, rated 9.8. As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.

Hackers find it useful because it can create **supply-chain issues** that make it difficult for users to identify the products that attackers are exploiting. It’s an arbitrary command injection and buffer overflow bug that could be leveraged to execute arbitrary code and gain the highest level of privileges, eventually hijacking the infected device appliance.

**Attack Details**

According to Unit 42’s **blog post**, most of the attacks observed were attempts to deliver malware and compromise **vulnerable IoT devices**, indicating that threat actors aim to launch large-scale attacks against internet-connected devices worldwide.

Around 50% of the attacks (48.3% to be precise) were launched from the USA, followed by Vietnam (17.8%) and Russia (14.6%). Other prominent regions include the Netherlands (7.4%), Germany (2.3%), France (6.4%), and Luxembourg (1.6%).

Moreover, 95% of the attacks targeting the vulnerability and originating from Russia were launched against Australian organizations.

**Potential Dangers**

Unit 42 identified three kinds of payloads that were distributed through in-the-wild exploitation of this bug. The first payload was a script that executed a shell command on the targeted server and downloaded another malware.

The second payload is an injected command that writes a binary payload to a file and executes that file. The third is an injected command that directly reboots the targeted server to launch DoS (denial of service) attacks.

Additionally, attackers can exploit this bug to deliver known botnets such as **Mozi**, **Mirai**, **Gafgyt**, and the new Golang-based DDoS botnet called RedGoBot.

Vulnerable IoT devices include IP cameras, routers, residential gateways, and Wi-Fi repeaters from at least 66 vendors, including Belkin, D-Link, ASUS, Huawei, LG, ZTE, Logitech, Zyxel, and **NETGEAR**.

**_More IoT Security News_**

1.  BotenaGo botnet malware targeting millions of IoT devices
2.  IoT Devices Hacked to Install Ransomware on OT Networks
3.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
4.  Millions of IoT devices, baby monitors open to video snooping
5.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices

Critical Realtek Vulnerability Impacting IoT Devices Worldwide

The PowerVR GPU kernel driver maintains an "Information Page" used by its cache subsystem. This page can only be written by the GPU driver itself, but prior to DDK 1.18 however, a user-space program could write arbitrary data to the page, leading to memory corruption issues.Product: AndroidVersions: Android SoCAndroid ID: A-259967780

_Published January 3, 2023 | Updated January 10, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-01-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-01-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-01-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20456

A-242703780

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20489

A-242703460

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20490

A-242703505

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20492

A-242704043

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20493

A-242846316

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20912

A-246301995

EoP

High

13

CVE-2023-20916

A-229256049

EoP

High

12, 12L

CVE-2023-20919

A-252663068

EoP

High

13

CVE-2023-20920

A-204584366

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20921

A-243378132

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20494

A-243794204

DoS

High

10, 11, 12, 12L, 13

CVE-2023-20908

A-239415861

DoS

High

10, 11, 12, 12L, 13

CVE-2023-20922

A-237291548

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege of BLE with no additional execution privileges needed.

**Google Play system updates**

The following issues are included in Project Mainline components.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20461

A-228602963

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20904

A-246300272

EoP

High

12L, 13

CVE-2023-20905

A-241387741

EoP

High

10

CVE-2023-20913

A-246933785

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20915

A-246930197

EoP

High

10, 11, 12, 12L, 13

 

Subcomponent

CVE

MediaProvider

CVE-2023-20912

**2023-01-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-01-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-42719

A-253642087  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\]

RCE

Critical

mac80211

CVE-2022-42720

A-253642015  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\]

RCE

Critical

WLAN

CVE-2022-42721

A-253642088  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\]

RCE

Critical

Multiple Modules

CVE-2022-2959

A-244395411  
Upstream kernel

EoP

High

Pipe

**Kernel components**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-41674

A-253641805  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\]

RCE

Critical

WLAN

CVE-2023-20928

A-254837884  
Upstream kernel

EoP

High

Binder driver

**Kernel LTS**

The following kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch.

  

References

Android Launch Version

Minimum Kernel Version

A-224575820

12

5.10.101

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

    

CVE

References

Severity

Subcomponent

CVE-2022-20235  

A-259967780 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2022-32635  

A-257714327  
M-ALPS07573237 \*

High

gps

CVE-2022-32636  

A-257846591  
M-ALPS07510064 \*

High

keyinstall

CVE-2022-32637  

A-257860658  
M-ALPS07491374 \*

High

hevc decoder

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-44425  

A-258731891  
U-2028856 \*

High

Kernel

CVE-2022-44426  

A-258728978  
U-2028856 \*

High

Kernel

CVE-2022-44427  

A-258736883  
U-1888565 \*

High

Kernel

CVE-2022-44428  

A-258741356  
U-1888565 \*

High

Kernel

CVE-2022-44429  

A-258743555  
U-1981296 \*

High

Kernel

CVE-2022-44430  

A-258749708  
U-1888565 \*

High

Kernel

CVE-2022-44431  

A-258741360  
U-1981296 \*

High

Kernel

CVE-2022-44432  

A-258743558  
U-1981296 \*

High

Kernel

CVE-2022-44434  

A-258760518  
U-2064988 \*

High

Android

CVE-2022-44435  

A-258759189  
U-2064988 \*

High

Android

CVE-2022-44436  

A-258760519  
U-2064988 \*

High

Android

CVE-2022-44437  

A-258759192  
U-2064988 \*

High

Android

CVE-2022-44438  

A-258760781  
U-2064988 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-22088  

A-231156521  
QC-CR#3052411

Critical

Bluetooth

CVE-2022-33255  

A-250627529  
QC-CR#3212699

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2021-35097  

A-209469821 \*

Critical

Closed-source component

CVE-2021-35113  

A-209469998 \*

Critical

Closed-source component

CVE-2021-35134  

A-213239776 \*

Critical

Closed-source component

CVE-2022-23960  

A-238203772 \*

High

Closed-source component

CVE-2022-25725  

A-238101314 \*

High

Closed-source component

CVE-2022-25746  

A-238106983 \*

High

Closed-source component

CVE-2022-33252  

A-250627159 \*

High

Closed-source component

CVE-2022-33253  

A-250627591 \*

High

Closed-source component

CVE-2022-33266  

A-250627569 \*

High

Closed-source component

CVE-2022-33274  

A-250627236 \*

High

Closed-source component

CVE-2022-33276  

A-250627271 \*

High

Closed-source component

CVE-2022-33283  

A-250627602 \*

High

Closed-source component

CVE-2022-33284  

A-250627218 \*

High

Closed-source component

CVE-2022-33285  

A-250627435 \*

High

Closed-source component

CVE-2022-33286  

A-250627240 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-01-01 or later address all issues associated with the 2023-01-01 security patch level.
*   Security patch levels of 2023-01-05 or later address all issues associated with the 2023-01-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-01-01\]
*   \[ro.build.version.security\_patch\]:\[2023-01-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-01-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-01-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-01-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

January 3, 2022

Bulletin Published

1.1

January 5, 2022

Bulletin revised to include AOSP links

1.2

January 10, 2022

Revised CVE Table

CVE-2022-20235: Android Security Bulletin—January 2023  |  Android Open Source Project

In ApplicationsDetailsActivity of AndroidManifest.xml, there is a possible DoS due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183410508

_Published January 3, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2023-01-05 or later from the January 2023 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The most severe of these issues is a high security vulnerability in the Platform Apps component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the January 2023 Android Security Bulletin, the January 2023 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2023-01-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-01-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Media Framework**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20353

A-221041256

ID

High

10, 11

**Platform Apps**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39738

A-216190509

EoP

High

10, 11, 12, 12L

CVE-2022-20425

A-255830464

DoS

High

10, 11

**Additional vulnerability details**

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. **These issues are not required for SPL compliance.**

**Platform Apps**

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20213

A-183410508

DoS

Moderate

10, 11, 12

CVE-2022-20215

A-183794206

DoS

Moderate

10, 11, 12

CVE-2022-20214

A-183411210

EoP

Low

10, 11, 12

**System UI**

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20458

A-205567776

EoP

Moderate

12L

**Kernel Components**

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-28389

A-228694270  
Upstream kernel

EoP

Moderate

USB CAN bus driver

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2023-01-01 or later address all issues associated with the 2023-01-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-01-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-01-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**6\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-01-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**Versions**

  

Version

Date

Notes

1.0

January 3, 2022

Bulletin Published

CVE-2022-20213: Android Automotive OS Update Bulletin—January 2023  |  Android Open Source Project

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.

The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study.

BACKGROUND IoT Security Foundation launches vulnerability disclosure platform for smart device vendors

Vulnerability management ought to be a cornerstone of connected product security, widely recommended in 30 cybersecurity guidance initiatives including the IoTSF’s IoT Security Assurance Framework.

Straightforward reporting of security issues is essential for security lifecycle maintenance, and vendors risk falling foul of newly enacted UK regulations if they ignore best practice mandates.

The UK’s Product Security and Telecoms Infrastructure – which became law in early December 2022 – requires that IoT manufacturers, importers, and distributors offer a vulnerability disclosure policy, with suppliers who breach this risking potential sanctions including penalties of up to £20,000 per day in the most severe cases.

Catch up on the latest vulnerability disclosure policy news

The IoTSF’s latest study was based on a review of practice of 332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers.

Vendors from Asia tended to be better at establishing vulnerability disclosure programs, with European suppliers trailing significantly behind (34.7% versus 14.5%, respectively).

Laurie Mercer, senior manager of security engineering at HackerOne, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle.

“It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice.”

**Increased regulation**

Lawmakers across the world are looking to introduce regulations in order to push IoT vendors into making their products more secure. For example in the US lawmakers have established the IoT Cybersecurity Improvement Act (2020).

The draft European Cyber Resilience Act covers similar ground.

David Rogers, CEO of Copper Horse, told The Daily Swig: “The trend is towards mandating it – which makes you wonder again, why aren’t companies realising this? The writing is on the wall!”

Rogers added: “Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

During the study, researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions.

Other trends uncovered were an increase in the number of vendors that updated their policies and a rise in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

**Best practice**

It’s not all doom and gloom, however, as the report did highlight examples of good practice by some vendors.

Rogers explained: “Some companies and industries are starting to act in a much better way – there are some examples in the car industry such as Volkswagen Group where they have completely transformed their approach, in a positive way.

“I think these companies can set a good example to their peers in showing that you can work with the security research community without all the brinksmanship.”

Vendors would do well to have a safe harbor policy, a legal framework that allows ethical hackers to look for flaws in systems with risking legal threats or potential prosecution. LG, for example, operates a safe harbor policy for its IoT products.

Looking more broadly, the IoTSF report commends 34 vendors that “meet or exceed what will be required by legislation” based on a review of their policies by security researchers from Copper Horse. Firms listed include Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink.

YOU MAY ALSO LIKE WAGO fixes config export flaw threatening data leak from industrial devices

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs

Categories: News
Tags: Google

Tags:  Chromium

Tags:  Rust

Tags:  memory safety

Tags:  rule of two

Google has announced that it will support the use of third-party Rust libraries in Chromium which is a step forward in memory safety for the browsers.



(Read more...)




The post Google to support the use of Rust in Chromium appeared first on Malwarebytes Labs.

In a blog by the Chrome security team we learned that the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium.

This is good news because Rust is a so-called memory-safe programming language. So using it in a widespread program like Chrome and the other members of the Chromium family means that almost everyone can benefit from this step forward.

Besides Google’s own Chrome browser, Microsoft Edge, Opera, and many other browsers are based on Chromium code. Reportedly, there are over 25 million lines of code in 36 programming languages in the Chromium browser codebase.

**Rust**

Rust is a community project and the product is a high-level, general-purpose programming language that enforces memory safety. Rust started in 2006 as a personal project by Mozilla Research employee Graydon Hoare as part of the development of the Servo browser engine. Then, in February 2021, the Servo team was disbanded and the Rust Foundation was announced by its five founding companies (AWS, Huawei, Google, Microsoft, and Mozilla).

Rust is designed to be memory safe, because poor memory management has been the root cause for way too many vulnerabilities, for way too long. Only a few months ago, the NSA urged a shift to memory safe programming languages.

**Memory vulnerabilities**

If you ever read our posts describing security vulnerabilities, you will see a lot of phrases like "buffer overflow", "failure to release memory", "use after free", "memory corruption", and "memory leak". These are all memory management issues. And the best way to prevent memory management issues is to use a memory-safe language, which manages memory automatically instead of relying on a programmer to code things correctly.

In an earlier article about the effects of the introduction of memory safe languages in Android we showed a steady decline of memory safety vulnerabilities in Android. With the introduction of memory-safe languages like Kotlin, Java, and Rust in the development of the Android operating system, the contributions to the software that ties everything together in the background coded in C and C++ have gone down considerably.

**Rule of two**

Google’s goals for allowing the use of Rust libraries in Chromium are to provide a simpler and safer way to satisfy the rule of two, in order to speed up development and improve the security of Chrome.

The rule of two is demonstrated in the image below:

_Image courtesy of Google_

It says not to pick more than two of these possibly unsafe circumstances:

*   untrustworthy inputs
*   unsafe implementation language
*   high privilege

By eliminating the “code written in an unsafe language” factor wherever you can, you lessen the need to run code in a sandbox. So, there is less code needed and less need for security reviews. This speeds up development while improving the security. Eliminating the untrustworthy input is almost impossible when you are working on a browser.

The Chrome browser runs as an OS-level account representing a person which is considered a high privilege. In Chrome, sandboxing is applied to attain privilege reduction, which means running the code in a process that has had some or many of its privileges revoked.

**Libraries**

Rust was set out to be the foundation for a secure browser and has already proven its use in a browser for Mozilla. But for now, Google will only support third-party libraries. Third-party libraries are written as standalone components, they don’t hold implicit knowledge about the implementation of Chromium.

For future developments, Google is investing in Crubit, an experiment in how to increase the fidelity of interop between C++ and Rust and express or encapsulate the requirements of each language to the other.  Interop refers to two or more browsers behaving the same.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google to support the use of Rust in Chromium

The HW_KEYMASTER module has a problem in releasing memory.Successful exploitation of this vulnerability may result in out-of-bounds memory access.

**HUAWEI EMUI/Magic UI security updates January 2023**

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the December 2022 Android security bulletin:

Critical: CVE-2022-20411, CVE-2022-20472, CVE-2022-20473, CVE-2022-20498

High: CVE-2021-0934, CVE-2022-20124, CVE-2022-20449, CVE-2022-20466, CVE-2022-20469, CVE-2022-20470, CVE-2022-20474, CVE-2022-20476, CVE-2022-20478, CVE-2022-20479, CVE-2022-20480, CVE-2022-20483, CVE-2022-20484, CVE-2022-20485, CVE-2022-20486, CVE-2022-20487, CVE-2022-20488, CVE-2022-20491, CVE-2022-20495, CVE-2022-20496, CVE-2022-20500, CVE-2022-20501, CVE-2022-20611, CVE-2022-33268

Medium: CVE-2022-20468, CVE-2022-25677, CVE-2022-1419, CVE-2022-28390, CVE-2022-30594, CVE-2022-20571, CVE-2022-20572

Low: none

Already included in previous updates: CVE-2022-20426, CVE-2022-20425, CVE-2022-20392, CVE-2022-25669, CVE-2022-25688, CVE-2022-25658, CVE-2022-25659

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-46856: Path traversal vulnerability in the Multi-screen Collaboration module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-46867: The HW\_KEYMASTER module does not release memory

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-46868: The HW\_KEYMASTER module does not release memory

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2022-46761: Vulnerability of the dynamic hiding and restoring of app icons in the system

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability allows app icons to be dynamically hidden or restored using special methods.

CVE-2022-46762: Logic bypass vulnerability in the memory management module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-47974: DoS attack vulnerability in the Bluetooth AVRCP module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the Bluetooth process to restart.

CVE-2022-47975: Double free vulnerability of the DUBAI module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-47976: Control connection replacement vulnerability in the DMSDP module of the distributed hardware

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may disconnect normal service connections.

CVE-2021-46868: January

Huawei Aslan Children's Watch has an improper authorization vulnerability. Successful exploit could allow the attacker to access certain file.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Back to Main Menu

Huawei Websites

Corporate

Corporate news and information

Consumer

Phones, laptops, tablets, wearables & other devices

Enterprise

Enterprise products, solutions & services

Carrier

Products, solutions & services for carrier networks

Huawei Cloud

Cloud products, solutions & services

*   SA No:huawei-sa-IAViaHCW-21a3acd8-en
*   Initial Release Date: 2022-11-30
*   Last Release Date: 2022-11-30

  

Huawei Aslan Children's Watch has an improper authorization vulnerability. Successful exploit could allow the attacker to access certain file. (Vulnerability ID:HWPSIRT-2022-62345)  
This vulnerability has been assigned a (CVE) ID: CVE-2022-45874

Affected Product

Affected Version

Resolved Versions

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)  

Aslan-AL10 11.1.0.135(C00M08)  

Aslan-AL10 11.1.0.118(C00M06)  

  

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

HWPSIRT-2022-62345:  
Successful exploit could allow the attacker to access certain file.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.  
HWPSIRT-2022-62345:  
Base score:8.4  
Temporary score:7.8  
Environmental Score:NA  
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-62345:  
This vulnerability can be exploited only when the following conditions are present:   
The attacker needs to install the app locally.  
Technical details:  
Huawei Aslan Children's Watch has an improper authorization vulnerability. An attacker can install the app locally to exploit this vulnerability. Successful exploit could allow the attacker to access certain file.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-62345:  
This vulnerability was discovered by Huawei internal tester.

2022-11-30 V1.0 Initial Release;  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-45874: Security Advisory - Improper Authorization Vulnerability in a Huawei Children's Watch

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition.

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition. (Vulnerability ID:HWPSIRT-2022-59488)

This vulnerability has been assigned a (CVE) ID: CVE-2022-46740

Affected Product

Affected Version

Resolved Version

WS7100-20

WS7100-20 10.0.5.33

WS7100-20 11.0.5.5

Successful exploit could cause a denial of service (DoS) condition.

HWPSIRT-2022-59488:

Base score:4.3

Temporary score:4.0

Environmental Score:NA

CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C

HWPSIRT-2022-59488:

This vulnerability can be exploited only when the following conditions are present:

An attacker could send a crafted message to the device.

Technical details:

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router. Due to incorrect verification of external messages, An attacker can exploit this vulnerability by sending crafted packets to the device.Successful exploitation of this vulnerability may cause a denial of service vulnerability on the WS7100-20.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The vulnerability was discovered by external researchers Vyron Kampourakis and Efstratios Chatzoglou.

2022-12-09 V1.1 Updated "Source";  
2022-12-08 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-46740: huawei-sa-DoSViHSWR-8f632df1-en

Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service abnormal.

Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service abnormal. (Vulnerability ID:HWPSIRT-2022-53187)

This vulnerability has been assigned a (CVE) ID: CVE-2022-39012

Affected Product

Affected Version

Resolved Versions

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10 11.1.0.135(C00M08)

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

Aslan-AL10

Aslan-AL10-OTA 11.1.0.118(C00M06)-11.1.0.10118(C00M06)

Aslan-AL10-OTA 11.1.0.135(C00M08log)-11.1.0.10135(C00M08log)

HWPSIRT-2022-53187:  
Successful exploitation may cause the watch's application service abnormal.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-53187:  
Base score:7.5  
Temporary score:7.0  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-53187:  
This vulnerability can be exploited only when the following conditions are present:   
The attacker can send a specially crafted packet to the affected device.

Technical details:  
Huawei Aslan Children's Watch does not properly validate the external input, resulting in an improper input validation vulnerability. An attacker can send a specially crafted packet to exploit this vulnerability. Successful exploitation may cause the watch's application service abnormal.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-53187:  
This vulnerability was discovered by Huawei internal tester.

2022-11-23 V1.0 Initial Release;  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Tag

#huawei