The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0585: Updates.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Main – WordPress Plugin Repository

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0586: PostSettings.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Admin – WordPress Plugin Repository

Categories: Business
CRN named Malwarebytes one of the “Coolest Endpoint And Managed Security Companies” on the 2023 CRN Security 100.



(Read more...)




The post Malwarebytes wins 2023 CRN 'Coolest Endpoint And Managed Security Companies' award appeared first on Malwarebytes Labs.

CRN, a trusted source for IT channel news and analysis, has named Malwarebytes one of the “Coolest Endpoint And Managed Security Companies” on the 2023 CRN Security 100 list.

The CRN Security 100 highlights channel-friendly cybersecurity vendors across a number of market segments including Endpoint and Managed Security, Identity Management and Data Protection, Network Security, and more. Solutions that leverage cloud-native technologies and provide more comprehensive detection capabilities are featured prominently on the list.

By featuring Malwarebytes on their list of key cybersecurity vendors for 2023, CRN recognizes the strides we’ve made to best serve our channel partners in the past year, including:

*   Expanding our partner network to more than **3,000 global MSP partners and over 250 percent growth YoY**
*   Forming new strategic partnerships with **Addigy, Atera, ConnectWise, GCN Group, Kaseya/Datto, Sherweb, TeamViewer, and Pax8, among others.**
*   Growing the MSP sales and marketing team **175 percent YoY to support partners across geographies and industries.**
*   Continuing to expand the Malwarebytes OneView platform to offer **Vulnerability & Patch Management, Application Block, DNS Filtering and MDR** in combination with award-winning EDR.

And on the Value Added Reseller (VAR) front:

*   Continuing to strengthen key partnerships with distribution and partners, including **TD Synnex, Carahsoft, CDW, SHI, Insight, and Howard Technologies**.
*   **Increasing transactions 100 percent YoY with VARs in the US**.
*   Working to align with key partners and distributors in EMEA and APAC, including **Climb Channel Solutions, Sysob, BlueChip, and ACA Pacific**.
*   Focusing on the K-12 market with VAR partners and distributors and **bringing our brand new mobile solution to schools** to secure the more than 50 million Chromebooks being used in K-12 globally.

Learn more about our partner program here: https://www.malwarebytes.com/partners

**The state of MSP cybersecurity**

As the attack surface gets bigger and bigger for businesses, it’s become clear that Managed Service Providers (MSPs) need a solution that both grows their business and meets the security needs of their customers.

But there’s a problem.

Constrained staff resources, skyrocketing costs, and the complexities of managing multiple solutions all make it difficult for MSPs to adapt to the constantly evolving cybersecurity landscape, leading to lengthy incident response times and business inefficiencies that limit growth.

In fact, Kaseya’s 2022 MSP Benchmark Survey shows that the second and third most common business challenges for MSPs right now are security and hiring, respectively.

*   In 2022, **39 percent of all ransomware attacks targeted service providers**, followed by 12 percent for healthcare and 9 percent for the manufacturing industry.
*   Many MSPs must support multiple tools in various environments with limited people. **Multiple licenses and vendors equals higher cost and less visibility.**
*   MSPs need to maintain **multiple compliance requirements** for their customers, including HIPAA, PCI DSS, and GDPR.

**Malwarebytes OneView**

Enter Malwarebytes OneView, a powerful and affordable security management platform that gives MSP security teams maximum control. For Value-added Resellers (VARs), Malwarebytes Nebula is the equivalent platform.

**Precise, thorough remediation**

As threats occur, OneView and Nebula offer intuitive and automated controls for rapid response powered by our award-winning Endpoint Detection and Response (EDR) technology. We offer seven layers of protection, multi-mode isolation, 72-hour ransomware rollback, and more.

**Single multi-tenant console**

OneView’s multi-tenancy enables MSPs to streamline operations with centralized management of customer server and workstation endpoints, license subscriptions, reporting, and global policies.

**Subscription management**

Intuitive design in OneView allows MSPs to easily track and manage customer license subscriptions across sites and provide a higher level of service and attention.

**Integrations**

With native integrations into leading remote monitoring and management (RMM) and professional services automation (PSA) platforms, Malwarebytes OneView enables your MSP team to streamline operations.

_Malwarebytes OneView dashboard view_

**Constantly expanding**

Malwarebytes has only continued to build upon both OneView for MSPs and Nebula for Value-Added Resellers (VARs), adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

**Vulnerability and Patch Management**

Enables MSPs to take control of their full vulnerability assessment and patching process, helping ensure defenses are up to date across their clients’ environments.

**DNS Filtering**

Regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.

**Application Block**

Protects endpoints by preventing unauthorized software from executing across your clients’ sites.

For VARs, Malwarebytes Mobile Security is a new offering in Nebula which provides unified protection for Chromebooks, Android, and iOS mobile devices.

We plan to continue expanding OneView and Nebula with further product innovation, including adding more modules and in-platform integrations for OneView with other top remote monitoring and management (RMM) and professional services automation (PSA) platforms.

**Managed Detection And Response (MDR) For MSPs**

Gartner reports that, by 2025, 50 percent of organizations will be using Managed Detection and Response (MDR) services for threat monitoring, detection, and response functions that offer threat containment capabilities.

In other words, MDR is shaping out to be table stakes for any MSP provider in the coming years—but many MSPs lack staff or budget to build MDR programs in-house.

Launched last year, our purpose-built managed detection and response (MDR) offering for MSPs helps alleviate these challenges.

With our elite team of MDR analysts monitoring your customer endpoints 24x7, Malwarebytes MDR simply and effectively closes your security resources gap, reduces the risk of unknown threats to your customers, and increases your ability for new business growth.

**Value-Added Resellers (VARs) bolster their clients' cybersecurity with Nebula**

Our commitment to the channel doesn’t stop at MSPs.

By reselling our powerful solutions, VARs can combat the world’s most harmful threats and solve your customers’ unique security challenges.

Malwarebytes is committed to VAR success and has significantly invested in the channel with offerings that include sales and technical training, tools, and certifications.

**Partner Portal**

Our partner portal app is an easy way to access sales and marketing resources, register deals, and provide your customers with free trials.

**Sales and Technical Training**

Whether on-demand or onsite, Malwarebytes has the training curriculum to provide you with the necessary skillset to sell and support Malwarebytes solutions.

**Marketing Resources**

Malwarebytes will support your marketing initiatives and provide branded marketing and sales materials that can help you win deals.

_Malwarebytes Nebula dashboard view_

**Dedicated to MSP partner growth**

Malwarebytes is honored to receive the 2023 'Coolest Endpoint And Managed Security Companies' award by CRN—and we have no intentions of slowing down.

Apply today or reach out to us for a demo.

Malwarebytes wins 2023 CRN 'Coolest Endpoint And Managed Security Companies' award

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.

**RosarioSIS Improper Access Control vulnerability**

High severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-prjg-28jg-m3p5: RosarioSIS Improper Access Control vulnerability

@@ -65,10 +65,8 @@ function StudentAssignmentSubmit( $assignment\_id, &$error ) $files = issetVal( $old\_data\['files'\] );  
$timestamp = new \\DateTime();  
// @since 8.9.5 Add microseconds to filename format to make it harder to predict. $timestamp = $timestamp\->format( 'Y-m-d H:i:s.u' ); $timestamp = date( 'Y-m-d His' ) . '.' . substr( (string) microtime(), 2, 6 );  
$assignments\_path = GetAssignmentsFilesPath( $assignment\['STAFF\_ID'\] );  
@@ -530,10 +528,8 @@ function UploadAssignmentTeacherFile( $assignment\_id, $teacher\_id, $file\_input\_i return ''; }  
$microseconds = new \\DateTime();  
// @since 9.0 Add microseconds to filename format to make it harder to predict. $microseconds = $microseconds\->format( 'u' ); $microseconds = substr( (string) microtime(), 2, 6 );  
// Filename = \[course\_title\]\_\[assignment\_ID\].ext. $file\_name\_no\_ext = no\_accents( $assignment\['COURSE\_TITLE'\] . '\_' . $assignment\_id . '.' . $microseconds );

CVE-2023-0994: PHP<7 Fix add microseconds to filename to make it harder to predict · francoisjacquet/rosariosis@630d3e3

**BE'ER SHEVA, Israel, Feb. 23, 2023 /PRNewswire/ --** Rezilion announced today the release of the company's new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," uncovering the presence of hundreds of docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known exploited vulnerabilities catalog, including CVE-2021\-42013, CVE-2021\-41773, CVE-2019\-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment for leading open-source and commercial vulnerability scanners and SCA tools. The vulnerability scanner benchmark survey discovered the most common causes for scanner misidentifications, including false positive and negative results.

The new research dives deeper into one of the root causes identified in the assessment - inability to detect software components not managed by package managers. The study explains how the inherent method of operation of standard vulnerability scanners and SCA tools relies on acquiring data from package managers to know what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent these package managers. This research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular docker container images that contain dozens of such hidden vulnerabilities. The report also offers recommendations on minimizing the risk presented in the research.

According to the report, package managers circumventing deployment methods are extremely common in Docker containers. The research team has identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub's official container images. These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.

The report identifies four different scenarios in which software is deployed without interaction with package managers, such as the application itself, runtimes required for the operation of the application, dependencies as are necessary for the application to work, and dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process and shows how hidden vulnerabilities can find their way to the container images.

"We hope this research will educate developers and security practitioners of the existence of this gap so that they will be able to take appropriate actions to minimize the risk as well as push vendors and open-source projects to add support for these types of scenarios," said Yotam Perkal, Director, Vulnerability Research at Rezilion. "It's important to note that as long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain 'hidden' vulnerabilities if any of these components become vulnerable."

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

**About Rezilion:**

Rezilion's software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion's platform at www.rezilion.com and get a 30-day free trial.

Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

CloudNativeSecurityCon North America 2023 was a vendor-neutral cloud-native security conference. Here's why it was important.

Cloud-native technology is growing in importance, and the Cloud Native Computing Foundation (CNCF), part of the Linux Foundation, is a key organization driving collaboration on cloud security throughout the industry.

That collaboration includes events such as KubeCon Americas and Europe, which often feature cloud-native security as a key topic, but seeing the importance of cloud native security, CNCF took the next step and created a separate event.

CloudNativeSecurityCon North America 2023 (CNSC) recently took place in Seattle, and served as the first vendor-neutral, practitioner-driven conference focused exclusively on cloud-native security. The event featured over 800 attendees and 50 sponsors. It had 70-plus sessions for all security levels of technologists.

**Security Is People-Powered; Industry Collaboration Is a Solution**

Security remains a pressing issue for the cloud-native and open source community, said Priyanka Sharma, Executive Director, CNCF. During her keynote, she said there are 7.1 million-plus cloud-native developers according to Slash Data.

She emphasized that the industry needs "a paradigm shift to level up our performance," as cloud usage will continue to grow, and so will the threats related to it.

Though the organizations are doing their part to secure their cloud environments, Sharma indicated that top-down approach may not be the best way, instead having a more bottom-up approach from the community, pointing to software security vendor Snyk's "2022 State of Cloud Security Report," which showed 77% of organizations saw poor training and collaboration as a major cloud security challenge.

    

Source: CNSC

Having siloed teams working in different countries, using different tools, and counting on unmonitored policies are common security challenges in many enterprise security scenarios, but when they involve the cloud, it multiplies difficulties to the security environment further. Hence, Sharma stated, "Security is people-powered," and having industry-level collaboration from all the stakeholders along with a shared asset directory will improve cloud security across the industry. Even after all the talks about innovation and right approach done in the cloud-native space, a skill shortage is something the industry is still facing. CNCF announced Kubernetes and Cloud Associate (KCSA) certification, to address the biggest challenge of lack of technical expertise in cloud-native environment.

CNCF organizes itself with Technical Advisory Groups (TAGs) for different focus areas, and it is looking to a Security TAG to help organizations with facilitating the security for projects across the cloud-native ecosystem. It's a 165-member team that supports CNCF projects through education, partnership, and project engagement. This group will help with security features for any CNCF projects; any incubating project within the organization must now go through a security audit by the Security TAG. The Sigstore project that was adopted by Kubernetes was an example of such open, multivendor collaboration.

**Key Conference Topics**

Themes that popped up during the event — including SBOM, runtime security, infrastructure as-a-code security, code to secure policies and authentication, and ChatGPT — indicated that the adoption of cloud-native applications will continue to grow, and the industry must prioritize security for these applications. The thought of having an open source security tool for securing open source code makes sense. Today, CNCF has 21 security-related open-source projects: Open Policy Agent (OPA) and Update Framework TUF have graduated with five other incubating projects, and the rest are in the sandbox stage.

**Software Supply Chain Security**

    

Source: CNSC

Many sessions at the conference were focused on understanding what the software supply chain means and why securing it remains important.

A talk by a Yahoo representative highlighted how 85% to 97% of enterprise code uses open source components, and any vulnerabilities in these may pose security threats. That issue underscores the importance of having security ingrained at every stage of the software development life cycle (SDLC), from application development to CI/CD pipeline down to production.

Code dependencies have become one of the most common reasons leading to supply chain attacks. According to a recent report on software supply chain security, supply chain attacks have grown 742% year-over-year in the past three years. Therefore, a DevSecOps approach is important to ensure the DevOps workflow is maintained by making security seamless. It means having security as an intrinsic part of application development, integration, and operation in DevOps-centric environments.

**"Shift Right" Is as Important as "Shift Left"**

Deployment of applications in the cloud has been a fast-track initiative for many enterprises, often in support of digital transformation initiatives, but many of the same security challenges, such as software vulnerabilities, managing configuration and permission, compliance, and detecting and responding to threats, plaguing traditional applications also hamper cloud application security.

From the cloud-native point of view, two trends are most visible. The first is the way in which "shift left" corresponds to the usage of CI/CD security, having centralized responsibilities and dependencies that can be monitored. It points to moving security toward an earlier stage in the software development life cycle, namely that security is built in from the time the source code is created.

But the second trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment as the workload deployed on microservices and orchestrated by Kubernetes. The Falco project with CNCF (originally started by Sysdig), which is based on eBPF technology, seeks to help organizations understand what every process is doing in its containers and hosts. It is like a security camera for the cloud environment.

**Software Bill of Materials**

Log4j was a top of mind during the show, highlighting how it disrupted the operations of many organizations in so many different ways.

Similar high-profile attacks on the supply chain were the reason for the US federal government to issue an executive order to create guidelines for securing software solutions used for the government. The change of approach to building software using third-party dependencies makes having full transparency in the application important.

So, the approach of maintaining a software bill of materials (SBOM) that will offer a listing all components, modules, and libraries used in the application and also drawing the relationship between supply chain components is becoming increasingly important.

One interesting exchange during the conference tackled how to handle metadata that will be collected over time by each software element. In a panel, a Google representative mentioned its new product, Graph for Understanding Artifact Composition (GUAC), which functions like an aggregator for this metadata in a high-fidelity graph database.

**Sponsor Landscape**

    

Source: Omdia

CNSC was a relatively small-scale conference, but its sponsors represented vendors distributed across the industry. Approximately 55% were security vendors, 18% technology vendors offering some security, 12% were technology vendors that use in-house security product but do not sell the security product as a stand-alone offering, and 15% non-security vendors.

**A Strong Start**

The first-ever CNSC was a strong start for the cloud-native community to create a place to gather each year for a focused look at security challenges and opportunities in cloud-native environments.

CNCF is doing a great job getting different types of vendors together and supporting cloud-native security projects. This is exposing developers to security concerns. On the contrary, traditional security teams also must learn to work better with developers and ensure security approaches align with development priorities and business objectives.

This is just a first step toward solving the problems related to cloud-native security. There is more collaboration with people and process to be done in future.

Top Takeaways From CloudNativeSecurityCon 2023

Categories: News
The LockBit gang has released a chat history showing its negotiations with Royal Mail.



(Read more...)




The post Royal Mail schools LockBit in leaked negotiation appeared first on Malwarebytes Labs.

The LockBit group has finally given up any prospect of extracting a ransom from Royal Mail and published the files it stole from the company in a recent ransomware attack. The leak brings weeks of negotiations to a close, leaving Royal Mail without a decryptor, and LockBit without a payday.

Malwarebytes regards LockBit as one of the five most serious cyberthreats facing businesses in 2023. It was the most widely used ransomware-as-a-service (RaaS) in 2022, by far. It accounted for almost a third of all known RaaS attacks last year, and the largest ransom demand it made was a staggering $50 million. In February 2023 it asked Royal Mail for $80 million.

Alongside the leaked files, the LockBit gang have released a chat history that shows the negotiations between the two parties. Perhaps the group is trying to justify its decision to call off the negotiation and leak the stolen files, or perhaps it's a warning to other victims.

You could read this as a failed negotiation or a missed opportunity for Royal Mail, but I don’t. I think the chat between Royal Mail and LockBit shows something quite different.

I suspect that Royal Mail never intended to pay a ransom. It certainly showed no willingness to engage with the ludicrous $80 million that was demanded of it, and it seems to have had the LockBit negotiator dancing to its tune throughout.

The negotiation began on January 12, 2023, and like any Internet chat, the conversation takes place between two avatars who may or may not be who they say they are. When the LockBit negotiator asks who they're talking to, the Royal Mail’s representative says “I work in our IT.”

Maybe they did work in IT, but having spent years working in IT myself, and after seeing how the Royal Mail’s representative conducted themselves, I will simply say they aren’t like anyone I ever met. Perhaps they’re just naturally good negotiators, or perhaps they listened to our recent podcast about ransomware negotiations, but there is every chance they were actually a professional ransomware negotiator.

In the podcast, ransomware negotiator Kurtis Minder reveals that the first job in a situation like this is to play for time, without annoying the representative of the ransomware gang. A good way to lower the temperature is to adopt the ransomware gang’s self-serving vernacular, he says, and the Royal Mail’s “IT guy” does this in subtle ways, such as referring to LockBit’s criminal activity as “penetration testing.” Ransomware gangs like that sort of nonsense for some reason—maybe it helps them sleep at night.

Playing for time is important because it allows the victim to gather as much information as possible, understand their options, and decide their best response. They need to understand which systems are affected, how the organization can function without them temporarily, and what it will take to restore or rebuild them. They will also have numerous stakeholders to involve and duties to fulfill: Legal obligations must be met, law enforcement involved, cyberinsurance rules followed, customers and suppliers informed, and so on.

Royal Mail consistently succeeds in playing for time with LockBit. Although the first 24 hours of the chat are peppered with urgent and vaguely menacing language designed to rush the victim—“don't delay,” “hurry up,” “our patience is not infinite”—LockBit is quickly dragged into the weeds. The first two weeks of negotiation were almost entirely devoted to a tedious conversation about decrypting large files.

According to Royal Mail’s negotiator “my management have heard that your decryptor might not work on large files.” (This tactic of invoking a demanding or difficult to please manager will be familiar to anyone who’s ever haggled with a salesperson over a car.) Whether Royal Mail's curiosity about large file decryption was genuine or a ruse, it created a role reversal in the conversation, with Royal Mail asking the questions and LockBit providing the answers, to prove that it can meet Royal Mail's needs.

The Royal Mail negotiator also tried to earn trust by positioning themselves as a reasonable go between who’s trying to do the best for both parties. They consistently used language like “I am trying to help our Senior Team understand this,” “I am still trying to work with you here,” “I am doing what I can to drive things forward.”

When the conversation finally turned to money, it quickly found more weeds. This time the thorny undergrowth was formed by a disagreement about who LockBit had actually attacked. LockBit thought it was talking to Royal Mail. The victim told them they’re Royal Mail International, a loss-making subsidiary of Royal Mail with a vastly smaller turnover.

LockBit asked for a ransom of $80 million, 0.5 percent of Royal Mail’s annual global turnover. Royal Mail retorted that using LockBit's calculation, a good “starting figure” would be $4 million, based on Royal Mail International's finances.

At this point in the negotiation LockBit actually acknowledged what it was dealing with. “You are a very clever negotiator,” they wrote, “I appreciate your experience in stalling and bamboozling.”

They might have appreciated it, but they didn't seem able to do anything about it. By this point in the negotiation, Royal Mail was dictating the timeline: “We will not have anything new to speak about until Monday,” “Please confirm you will wait for their \[the board’s\] decision on Monday”.

LockBit did as it was told and waited. Finally, the last message from Royal Mail arrived on February 6, 2023. It suggested that the company probably never had any intention of paying. "To be honest with you I have heard that they \[the board\] might not want to pay you for this," it said. "In our perspective the files got leaked when you took them from our system, and paying you won’t undo that in any way."

Ransomware attacks can be devastating, and it's hard to say that being on the end of one is ever a "win" for the target. However, most experts agree that all you can ever do is reduce the chances an attack will occur and reduce the impact if it does. You can only ever play the hand you're dealt, and we think given the hand they were playing, Royal Mail's negotiation came as close to a win as a loss like this ever does.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Write an incident response plan**. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Royal Mail schools LockBit in leaked negotiation

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)

CVE-2023-26462: ThingsBoard Release Notes

An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().

This bug assumes that the hacker can physically access the  
target computer.

A race condition may occur if the user physically removes the  
vcc device while calling open().

This is a race condition between vcc\_open() function and  
the vcc\_remove() function, which may lead to Use-After-Free.

Therefore, add a refcount check to vcc\_remove() function  
to free the "vcc\_port" structure after the device is close()d.

\---------------CPU 0--------------------CPU 1-----------------  
vcc\_open() | vcc\_remove()  
\--------------------------------------------------------------  
port = vcc\_get\_ne(tty-> |  
index); — (1) |  
| struct vcc\_port \*port =  
| dev\_get\_drvdata(&vdev->dev);  
| ...  
| kfree(port); — (2)  
vccdbgl(port->vio.lp); — (3) |

This type of race condition is similar with CVE-2022-44032,  
CVE-2022-44033, and CVE-2022-44034.  
\---  
drivers/tty/vcc.c | 18 ++++++++++++++++++  
1 file changed, 18 insertions(+)

diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c  
index 34ba6e54789a..31f274c4aa25 100644  
\--- a/drivers/tty/vcc.c  
+++ b/drivers/tty/vcc.c  
@@ -41,6 +41,8 @@ struct vcc\_port {

struct timer\_list rx\_timer;  
struct timer\_list tx\_timer;  
\+ struct vio\_dev \*vdev;  
\+ struct kref refcnt;  
};

/\* Microseconds that thread will delay waiting for a vcc port ref \*/  
@@ -104,6 +106,7 @@ static const struct ktermios vcc\_tty\_termios = {  
.c\_ospeed = 38400  
};

+static void vcc\_delete(struct kref \*kref);  
/\*\*  
\* vcc\_table\_add() - Add VCC port to the VCC table  
\* @port: pointer to the VCC port  
@@ -586,6 +589,8 @@ static int vcc\_probe(struct vio\_dev \*vdev, const struct vio\_device\_id \*id)  
goto free\_port;

port->vio.debug = vcc\_dbg\_vio;  
\+ port->vdev = vdev;  
\+ kref\_init(&port->refcnt);  
vcc\_ldc\_cfg.debug = vcc\_dbg\_ldc;

rv = vio\_ldc\_alloc(&port->vio, &vcc\_ldc\_cfg, port);  
@@ -673,6 +678,14 @@ static void vcc\_remove(struct vio\_dev \*vdev)  
{  
struct vcc\_port \*port = dev\_get\_drvdata(&vdev->dev);

\+ kref\_put(&port->refcnt, vcc\_delete);  
+}  
+  
+static void vcc\_delete(struct kref \*kref)  
+{  
\+ struct vcc\_port \*port = container\_of(kref, struct vcc\_port, refcnt);  
\+ struct viod\_dev \*vdev = port->vdev;  
+  
del\_timer\_sync(&port->rx\_timer);  
del\_timer\_sync(&port->tx\_timer);

@@ -752,12 +765,15 @@ static int vcc\_open(struct tty\_struct \*tty, struct file \*vcc\_file)  
pr\_err("VCC: open: TTY ops not defined\\n");  
return -ENXIO;  
}  
\+ kref\_get(&port->refcnt);

return tty\_port\_open(tty->port, tty, vcc\_file);  
}

static void vcc\_close(struct tty\_struct \*tty, struct file \*vcc\_file)  
{  
\+ struct vcc\_port \*port = vcc\_get\_ne(tty->index);  
+  
if (unlikely(tty->count > 1))  
return;

@@ -767,6 +783,8 @@ static void vcc\_close(struct tty\_struct \*tty, struct file \*vcc\_file)  
}

tty\_port\_close(tty->port, tty, vcc\_file);  
+  
\+ kref\_put(&port->refcnt, vcc\_delete);  
}

static void vcc\_ldc\_hup(struct vcc\_port \*port)  
\--  
2.39.0

Tag

#ios