An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

ESTsoft Alyac 2.5.7.7

**Product URLs**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 Score**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**Details**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

There exists a vulnerability in a module called coen.aym used by Alyac when scanning PE executable files. Module coen.aym is reponsible for loading different engines and modules for handling archive formats and initiating the scan. the

While parsing the malformed PE executable file, function sub_180086C30 is called. This function tries to locate the section header of .text section by parsing the PE file. At \[1\] below, rax register stores the address of the PE\0\0 signature.

    .text:0000000180086C69 loc_180086C69:                          ; CODE XREF: sub_180086C30+24↑j
    .text:0000000180086C69                                         ; sub_180086C30+2A↑j
    .text:0000000180086C69                 mov     rax, [rdi+10h]                                   [1]
    .text:0000000180086C6D
    .text:0000000180086C6D loc_180086C6D:                          ; DATA XREF: .rdata:0000000180405CAC↓o
    .text:0000000180086C6D                                         ; .rdata:0000000180405CC8↓o ...
    .text:0000000180086C6D                 mov     [rsp+28h+arg_0], rbx
    .text:0000000180086C72                 xor     ebx, ebx
    .text:0000000180086C74                 mov     [rsp+28h+arg_8], rsi
    .text:0000000180086C79                 mov     [rsp+28h+arg_10], r14
    .text:0000000180086C7E                 cmp     bx, [rax+6]     ; Number of sections             [2]
    .text:0000000180086C82                 jnb     short loc_180086CC1
    .text:0000000180086C84                 mov     r14d, ecx
    .text:0000000180086C87                 nop     word ptr [rax+rax+00000000h]
    .text:0000000180086C90
    .text:0000000180086C90 loc_180086C90:                          ; CODE XREF: sub_180086C30+8F↓j
    .text:0000000180086C90                 lea     rcx, [rbx+rbx*4]
    .text:0000000180086C94                 mov     r8, r14         ; MaxCount
    .text:0000000180086C97                 lea     rsi, ds:0[rcx*8]
    .text:0000000180086C9F                 mov     rdx, rbp        ; String2 ".text"
    .text:0000000180086CA2                 mov     rcx, [rdi+18h]  ;                                [3]
    .text:0000000180086CA6                 add     rcx, rsi        ; String1 SectionHeader->Name
    .text:0000000180086CA9                 call    cs:_strnicmp    ; crash!                         [4]
    .text:0000000180086CAF                 test    eax, eax
    .text:0000000180086CB1                 jz      short loc_180086CDD
    .text:0000000180086CB3                 mov     rax, [rdi+10h]
    .text:0000000180086CB7                 inc     ebx
    .text:0000000180086CB9                 movzx   ecx, word ptr [rax+6]                            
    .text:0000000180086CBD                 cmp     ebx, ecx                                         [5]
    .text:0000000180086CBF                 jb      short loc_180086C90
    

Next, it goes into a loop enumerating each section header to find one with the Name field set as .text. Section table, which follows the PE header, is a list of section headers. Each section header has an 8-byte field at offset +0 to store the name.

RBX register is used as the loop counter, which is initialized to 0. It is compared to the NumberOfSections field in the file header (part of PE header) at \[2,5\] so it does not search beyond number of sections. Inside the loop, the offset to the section header is increased by 40 bytes each iteration, which is equal to the size of the section header. The offset is added to RCX register, which stores the location of the section table from \[3\].

While a check is made to make sure only the specified number of section headers is processed, it doesn’t check if the PE executable file is big enough to store the number of section headers as defined in the file header. So if given a large number of section headers without .text section header, the loop will continue reading until it goes out of bounds of file size, which will eventually cause access violation at \[4\]. This leads to a crash of the Alyac scanning process, which effectively neutralizes the antivirus scan.

**Crash Information**

    0:018> k
    # Child-SP          RetAddr               Call Site
    00 00000053`d1c9e3c8 00007ff8`8b286caf     ucrtbase!_ascii_strnicmp+0xe
    01 00000053`d1c9e3d0 00007ff8`8b23f8ba     coen!Coen_Clean+0x72d1f
    02 00000053`d1c9e400 00007ff8`8b27d32c     coen!Coen_Clean+0x2b92a
    03 00000053`d1c9e4c0 00007ff8`8b27cd06     coen!Coen_Clean+0x6939c
    04 00000053`d1c9e770 00007ff8`8b263534     coen!Coen_Clean+0x68d76
    05 00000053`d1c9e910 00007ff8`8b2191c2     coen!Coen_Clean+0x4f5a4
    06 00000053`d1c9ebb0 00007ff8`8b205a50     coen!Coen_Clean+0x5232
    07 00000053`d1c9ed30 00007ff8`8b213a4a     coen+0x5a50
    08 00000053`d1c9ee70 000001eb`7cddd73e     coen!Coen_ScanHandle+0xba
    09 00000053`d1c9eee0 000001eb`7cdc6907     ecm!GetModuleConfigValue+0x64ae
    0a 00000053`d1c9ef90 000001eb`7cdfa88e     ecm+0x56907
    0b 00000053`d1c9f110 000001eb`7cdd69f0     ecm!GetModuleConfigValue+0x235fe
    0c 00000053`d1c9f1f0 00007ff8`d5632a51     ecm!ScanFile+0x40
    0d 00000053`d1c9f230 00007ff8`d564c219     scn+0x32a51
    0e 00000053`d1c9f350 00007ff8`d564b63f     scn!ForceCloseScan+0xebf9
    0f 00000053`d1c9f850 00007ff8`d564ab3d     scn!ForceCloseScan+0xe01f
    10 00000053`d1c9fa70 00007ff8`eb6c6c0c     scn!ForceCloseScan+0xd51d
    11 00000053`d1c9faa0 00007ff8`ec8654e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    12 00000053`d1c9fad0 00007ff8`edec485b     KERNEL32!BaseThreadInitThunk+0x10
    13 00000053`d1c9fb00 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**Vendor Response**

The product was updated to 2.5.7.7

https://www.estsecurity.com/public/product/alyac

**Timeline**

2022-01-31 - Vendor disclosure  
2022-04-12 - Talos reissued copies of report  
2022-04-29 - Vendor patched  
2022-05-10 - Public Release  

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-21147: TALOS-2022-1452 || Cisco Talos Intelligence Group

Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Advisor Advisory**

**Summary: **

A potential security vulnerability in the Intel® Advisor software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21128

Description: Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Advisor software before version 7.6.0.37.

**Recommendations:**

Intel recommends updating the Intel® Advisor software to version 7.6.0.37 or later.

Updates are available for download at these locations: Intel® Advisor is available as a standalone installation and as part of the Intel® oneAPI Base Toolkit.

**Acknowledgements:**

The following issue was found internally by an Intel employee.  Intel would like to thank Alexey Murashov.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21128: INTEL-SA-00661

Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Xeon® Advisory**

Intel ID:

INTEL-SA-00616

Advisory Category:

Firmware

Impact of vulnerability:

Denial of Service, Information Disclosure

Severity rating:

LOW

Original release:

05/10/2022

Last revised:

05/10/2022

**Summary:**

Potential security vulnerabilities in some Intel® Xeon® Processors may allow information disclosure or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-21131

Description: Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2022-21136

Description: Improper input validation for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 2.7 Low

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

**Affected Products:**

**Processor**

**CPU ID**

**CVE**

Intel® Xeon Scalable Processors

50653, 50654

CVE-2022-21131, CVE-2022-21136

Intel® Xeon® D-2100 Processor

50654

CVE-2022-21131, CVE-2022-21136

2nd Generation Intel® Xeon® Scalable Processors

50656, 50657

CVE-2022-21131

Intel® Core™ i9, 79xxX, 78xxX

50654

CVE-2022-21131, CVE-2022-21136

**Recommendations:  
**

Intel recommends that users of Intel® Xeon Processors update to the latest version provided by the system manufacturer that addresses these issues

**Acknowledgements:**

CVE-2022-21136 issue was found internally by Intel employees, CVE-2022-21131was found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21131: INTEL-SA-00616

Uncontrolled resource consumption in the Linux kernel drivers for Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SGX Linux Kernel Drivers Advisory**

**Summary: **

A potential security vulnerability in Intel® SGX Linux kernel drivers may allow denial of service.  Intel is working with the Linux kernel maintainers to create a mitigation.

**Vulnerability Details:**

CVEID: CVE-2021-33135

Description: Uncontrolled resource consumption in the Linux kernel drivers for Intel® SGX may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 3.2 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

**Affected Products:**

Intel® SGX Linux kernel driver from Intel version 2.14 and before.

Linux kernel driver for Intel® SGX from upstream/kernel.org.

**Recommendations:**

Intel® SGX Linux kernel driver mitigation available for download at:

https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver/linux

Linux community mitigation available for download at kernel.org.

**Acknowledgements:**

This issue was found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33135: INTEL-SA-00603

Insecure default variable initialization of Intel(R) RealSense(TM) ID Solution F450 before version 2.6.0.74 may allow an unauthenticated user to potentially enable information disclosure via physical access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® RealSense™ ID Solution F450 Advisory**

**Summary: **

A potential security vulnerability in the Intel® RealSense™ ID Solution F450 may allow escalation of privilege.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-33130

Description: Insecure default variable initialization of Intel(R) RealSense(TM) ID Solution F450 before version 2.6.0.74 may allow an unauthenticated user to potentially enable information disclosure via physical access.

CVSS Base Score: 4.8 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

**Affected Products:**

Intel® RealSense™ ID Solution F450 before version 2.6.0.74.

**Recommendations:**

Intel recommends updating the Intel® RealSense™ ID Solution F450 to version 2.6.0.74 or later.

Updates are available for download at this location: https://github.com/IntelRealSense/RealSenseID/releases/tag/v0.17.1

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Julien Lenoir, Kristin Paget, Peter Bosch, John Whiteman, Nael Masalha and William Burton.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33130: INTEL-SA-00595

Improper access control for some 3rd Generation Intel(R) Xeon(R) Scalable Processors before BIOS version MR7, may allow a local attacker to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**3rd Generation Intel® Xeon® Scalable Processors Advisory**

**Summary: **

A potential security vulnerability in some 3rd Generation Intel® Xeon® Scalable Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-33117

Description: Improper access control for some 3rd Generation Intel(R) Xeon(R) Scalable Processors before BIOS version MR7, may allow a local attacker to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

**Product Family**

**Processor**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Generation Intel® Xeon® Scalable Processors

06\_6AH

Server

606AX

0x87

**Recommendations:  
**

Intel recommends that users of affected 3rd Generation Intel® Xeon® Scalable Processors update to the latest version firmware provided by the system manufacturer that addresses these issues. 

This CVE requires a Microcode Security Version Number (SVN) update. To address this vulnerability, an SGX TCB recovery is planned for Q2 2022. Refer to:

https://www.intel.com/content/www/us/en/security-center/technical-details/sgx-attestation-technical-details.html

for more information on the SGX TCB recovery process.

**Acknowledgements:**

This issue was found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

1.1

05/11/2022

Updated recommendations

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33117: INTEL-SA-00586

One year after it was issued, has President Biden's Cyber Executive Order had an impact?

When it was signed a year ago today, Executive Order 14028, Improving the Nation's Cybersecurity, was a measured response to an urgent problem. Just days prior, the Colonial Pipeline was shut down by a ransomware attack, thrusting the issue of cyber-risk to critical US infrastructure into the spotlight. One year later, what progress has been made? Here's a scorecard to help you keep track.

**Section 1: Policy  
**Last October, the president signed the K-12 Cybersecurity Act into law, providing resources for school districts to combat cyberattacks. In March, he signed the Strengthening American Cybersecurity Act of 2022. Still, huge swaths of US critical infrastructure are in private hands, and questions remain about how to improve private sector cybersecurity and resilience.

**Grade:** B

**What would earn an "A"?** To really put a dent in cyberattacks against the US, the federal government, new laws, and regulations need to set a high bar and impose high costs on firms for failing to clear that bar.

**Section 2: Removing Barriers to Sharing Threat Information  
**Under the direction of Director Jen Easterly, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted many successful efforts to promote sharing of threat intelligence. These include coordinated responses to threats, like the Shields Up initiative, in response to Log4j. The Strengthening American Cybersecurity Act also contains substantive new requirements for federal agencies for information sharing.

**Grade:** B+

**What would earn an "A"?** Information sharing within critical industry sectors is still a patchwork effort and often limited to the largest and wealthiest organizations. CISA needs to improve threat intelligence sharing in sectors where it's not the norm and draw in smaller organizations that are often left out of the loop due to operational immaturities.

**Section 3: Modernizing Federal Government Cybersecurity  
**Section 3 of the Executive Order lays out requirements for the federal government to address cyber-risk by promoting movement to cloud-based services and adoption of zero-trust architectures. A year after the EO was signed, we see some progress on that. CISA published a Cloud Security Technical Reference and guidance for building zero-trust architectures. Government and defense organizations are adopting cloud-native security solutions and building cloud-first approaches.

**Grade:** B

**What would earn an "A"?** Incremental approaches to modernization aren't enough. An April 2021 report by Government Accountability Office found that the US government spends substantial portions of its $100 billion IT budget to operate and maintain legacy systems. Breaking that cycle and grasping the holy grail of zero trust requires a "whole of government" approach.

**Section 4: Enhanced Software Supply Chain  
**Not much has been done here. As we noted in February, NIST published Version 1.1 of the Secure Software Development Framework (SSDF) but punted on guidance for software bills of materials (SBOMs). Also, the guidance exempted software development organizations working within the federal government.

**Grade:** C

**What would earn an "A"?** Development organizations within the federal government should be bound by the same rules and standards as third parties who sell to Uncle Sam. Guidance on the use of SBOMs also needs to be clarified and enforced.

**Section 5: Establishing the Cyber Safety Review Board  
**This is one of the more concrete elements of the EO and, so far, the federal government has complied with the EO's requirement. The Department of Homeland Security launched the Cyber Safety Review Board in February 2022. As part of the launch, CSRB said its first review will focus on the Log4j vulnerabilities, but a report on that is not due out until the summer.

**Grade:** A

**Section 6: Standardize Federal Playbooks for Incident Response (IR) and Vulnerability Management  
**This is another concrete deliverable in the Executive Order. CISA published the playbooks in November 2021. The question is whether they are being put to use, and that is hard to know without a mechanism that can anonymize and share an aggregate MRT (mean time to response) per industry.

**Grade:** B+

**What would earn an "A"?** With playbooks in hand, the question is how to operationalize them across the federal government (and its contractors and partners). Keeping close tabs on agencies' use of the playbooks and progress on IR and vulnerability management is a good start.

**Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks  
**Section 7 of the EO exhorts federal agencies to improve their vulnerability and threat detection capabilities. The goal is to empower federal agencies to engage in cyber hunt, detection, and response. News of successful attacks on federal IT infrastructure suggest that there is still much work to be done, however.

**Grade:** C

**What would earn an "A"?** The private sector has embraced automation and new tooling. At the federal level, there is scant evidence that such efforts are underway. The federal government should mount an effort to deploy more tools like Sigma, Suricata, and YARA rules to improve IR.

**Section 8: Improve Federal Government Investigative & Remediation Capabilities  
**This part of the EO directs federal agencies to improve logging and data retention to facilitate investigations, but the government's investigative and remediation capabilities are little improved from a year ago, with no modern frameworks deployed (to the best of my knowledge).

**Grade:** D

**What would earn an "A"?** The federal government needs to leverage automation and modern threat intelligence and IR frameworks, taking a "whole of government" approach to threat hunting.

**Section 9: National Security Systems  
**This section requires the secretary of defense and the director of national intelligence (DNI) to implement requirements for national security systems that are equivalent to or exceed the requirements in the EO. Much of this work is classified, but I see a strategic shift to adopt CTO leadership philosophies and build agile approaches to decentralizing risks.

**Grade:** B

**What would earn an "A"?** With Avril Haines recently sworn in as the DNI, we expect there to be progress for improved execution, although the breadth and focus of the Ukraine-Russia conflict might take precedence before real results are evident.

Needs Improvement: Scoring Biden's Cyber Executive Order

resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

**Finalità e modalità operative**

**CVE-2022-29539 – RESI S.p.A**

**CVE-2022-29538 – RESI S.p.A**

**CVE-2022-28862 – ARCHIBUS Web Central**

**CVE-2022-27880 – F5 Traffix Signal Delivery Controller**

**CVE-2022-27662 – F5 Traffix Signal Delivery Controller**

**CVE-2022-26484 – Veritas Operations Manager**

**CVE-2022-26483 – Veritas Operations Manager**

**CVE-2022-25344 – Olivetti d-COLOR MF3555**

**CVE-2022-25343 – Olivetti d-COLOR MF3555**

**CVE-2022-25342 – Olivetti d-COLOR MF3555**

**CVE-2021-41555 – ARCHIBUS Web Central**

**CVE-2021-41554 – ARCHIBUS Web Central**

**CVE-2021-41553 – ARCHIBUS Web Central**

**CVE-2021-38123 – Micro Focus Network Automation**

**CVE-2021-35492 – Wowza Streaming Engine**

**CVE-2021-35491 – Wowza Streaming Engine**

**CVE-2021-35490 – Thruk**

**CVE-2021-35489 – Thruk**

**CVE-2021-35488 – Thruk**

**CVE-2021-32571 – Ericsson OSS-RC**

**CVE-2021-32569 – Ericsson OSS-RC**

**CVE-2021-31540 - WOWZA Streaming Engine**

**CVE-2021-31539 - WOWZA Streaming Engine**

**CVE-2021-29661 – Softing AG OPC Toolbox**

**CVE-2021-29660 – Softing AG OPC Toolbox**

**CVE-2021-28979 - Thales SafeNet KeySecure Management Console**

**CVE-2021-28488 – Ericsson Network Manager**

**CVE-2021-28250 – CA eHealth Performance Manager**

**CVE-2021-28249 – CA eHealth Performance Manager**

**CVE-2021-28248 – CA eHealth Performance Manager**

**CVE-2021-28247 – CA eHealth Performance Manager**

**CVE-2021-28246 – CA eHealth Performance Manager**

**CVE-2021-26597 – NOKIA NetAct**

**CVE-2021-26596 – NOKIA NetAct**

**CVE-2021-3314 - Oracle GlassFish Server**

**CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer**

**CVE-2020-27583 – IBM InfoSphere Information Server**

**CVE-2020-17458 – MultiUX**

**CVE-2020-17457 – Fujitsu ServerView Suite iRMC**

**CVE-2020-15794 – Siemens Desigo Insight**

**CVE-2020-15793 – Siemens Desigo Insight**

**CVE-2020-15792 – Siemens Desigo Insight**

**CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-12081 – FlexNet Publisher**

**CVE-2020-9050 – Johnson Controls Metasys MREWeb Service**

**CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-2505 – QNAP QES**

**CVE-2020-2504 – QNAP QES**

**CVE-2020-2503 – QNAP QES**

**CVE-2019-19994 - Selesta Visual Access Manager**

**CVE-2019-19993 - Selesta Visual Access Manager**

**CVE-2019-19992 - Selesta Visual Access Manager**

**CVE-2019-19991 - Selesta Visual Access Manager**

**CVE-2019-19990 - Selesta Visual Access Manager**

**CVE-2019-19989 - Selesta Visual Access Manager**

**CVE-2019-19988 – Selesta Visual Access Manager**

**CVE-2019-19987 - Selesta Visual Access Manager**

**CVE-2019-19986 - Selesta Visual Access Manager**

**CVE-2019-19456 - WOWZA Streaming Engine**

**CVE-2019-19455 - WOWZA Streaming Engine**

**CVE-2019-19454 - WOWZA Streaming Engine**

**CVE-2019-19453 - WOWZA Streaming Engine**

**CVE-2019-17406 - NOKIA IMPACT**

**CVE-2019-17405 - NOKIA IMPACT**

**CVE-2019-17404 - NOKIA IMPACT**

**CVE-2019-17403 - NOKIA IMPACT**

CVE-2022-29539: Vulnerability Research & Advisor

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.
Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35,

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.

Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

"Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.

The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.

Initial access routes are facilitated by scanning internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Servers to drop web shells and using them as a conduit to move laterally and activate the ransomware.

However, the exact means by which the full volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.

Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target's VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," the researchers concluded.

"While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

A biotech threat intelligence group is gaining supporters as urgency mounts around an overlooked vulnerable sector.

A new partnership between the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) and the Johns Hopkins University Applied Physics Laboratory (APL), which works on emerging research with US government agencies, is highlighting the need for more resources to better secure biomedical, bioindustrial, and biomanufacturing entities.

The Covid-19 pandemic sparked regular people around the world to think about the logistics of vaccine development and production in a tangible and immediate way. But the so-called bioeconomy is silently embedded everywhere, from breeding programs used in agriculture to the development of biofuels. And as industry after industry faces a reckoning about the state of their cybersecurity defenses, researchers are increasingly realizing that the bioeconomy is vulnerable. During the pandemic, for example, Russia, China, and other state actors raced to hack vaccine makers and distributors for intelligence gathering, in a scramble that US officials warned could have been disruptive.

“A lot of the bioeconomy is small companies; that’s the real lifeblood of American biotech,” says BIO-ISAC cofounder Charles Fracchia. “Imagine if Moderna got hacked four years ago, even with some totally non-sophisticated malware, or they faced a ransomware attack. Small companies can go bankrupt really easily, and then we lose the work they're doing for the future. I'm very grateful that APL understood the mission of the BIO-ISAC and joined as a founding member. They want to help.”

Information sharing and analysis centers exist for many industries, from financial services to health care. And Charles Frick, a principal staff member at APL, says that the lab has been supporting ISACs and collaborating with them for many years. During the George W. Bush and Barack Obama administrations, Frick says, APL collaborated with the Department of Homeland Security and the National Security Agency to study the most efficient methods for large-scale threat intelligence sharing and security automation. APL participated in a 2018 financial services pilot for automatically screening and processing machine-readable threat intelligence data in which a process that had one taken 14 hours got whittled down to eight minutes.

All of this matters, because digital attacks on critical services and trends in attacks creep up quickly. The more information an organization can not only gather but also share, the better chance others have of defending themselves against similar hacks. APL's funding for the BIO-ISAC will go toward regular operations, including research, information sharing, and public disclosures. And crucially, it will also support incident response services the BIO-ISAC is launching so biotech and biomanufacturing organizations have someone to call if they're dealing with a digital attack or otherwise suspect that something is wrong. The services will be pay what you can to make them accessible to as many organizations as possible. Depending on demand, though, the BIO-ISAC may not have the capacity immediately to respond to every request. But the group hopes to begin filling a crucial gap in the services that are currently available.

“As we start identifying threats, it's a natural fit for us to say, well, we have an existing set of capabilities and skills that can be applied to this area, and we've demonstrated our ability to work with ISACs in collaboration," says Brian Haberman, an APL program area manager. "So this accomplishes our mission of supporting national priorities in a much faster way when you’re not going it alone. It's the biggest bang for your buck."

A few years ago, the idea of designating US election systems as government “critical infrastructure” was controversial to some. The designation simply unlocks funding and expanded resources from US government agencies, including the Cybersecurity and Infrastructure Security Agency, for critical sectors that work in the public interest. But while health care, food, and agriculture industries obviously have critical infrastructure designations that cover parts of the bioeconomy, the sector as a whole doesn't specifically have its own designation. Instead the US government has classified the bioeconomy with a “critical emerging tech” label.  As a result, groups like the BIO-ISAC are working ad hoc in a largely open field.

“The bioeconomy is an emerging sector of our economy if we really want to make meaningful change and impact, now is the time to get involved—not after it’s already this big thing and we try to go in reverse," says Andrew Kilianski, senior director for emerging infectious diseases at the International AIDS Vaccine Initiative. "We’ve done some of these sectors where we try to build out IT infrastructure and cybersecurity defenses later and it doesn’t work well." Kiliansk worked closely with the US government's Covid Operation Warp Speed initiative and a new member of the BIO-ISAC's national security advisory board.

“There's that squishy, beautiful life sciences spirit that, hey, we share everything, we’re open," Kilianski adds. "But now these discoveries have huge commercial value, not just societal value, and that makes all of this even more sensitive.”

Tag

#intel