Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Apple is urging macOS, iPhone and iPad users immediately to install respective updates this week that includes fixes for two zero-days under active attack. The patches are for vulnerabilities that allow attackers to execute arbitrary code and ultimately take over devices.

Patches are available for effected devices running iOS 15.6.1 and macOS Monterey 12.5.1. Patches address two flaws, which basically impact any Apple device that can run either iOS 15 or the Monterey version of its desktop OS, according to security updates released by Apple Wednesday.

One of the flaws is a kernel bug (CVE-2022-32894), which is present both in iOS and macOS. According to Apple it is an “out-of-bounds write issue \[that\] was addressed with improved bounds checking.”

The vulnerability allows an application to execute arbitrary code with kernel privileges, according to Apple, which, in usual vague fashion, said there is a report that it “may have been actively exploited.”

The second flaw is identified as a WebKit bug (tracked as CVE-2022-32893), which is an out-of-bounds write issue that Apple addressed with improved bounds checking. The flaw allows for processing maliciously crafted web content that can lead to code execution, and also has been reported to be under active exploit, according to Apple. WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS.

**Pegasus-Like Scenario**

The discovery of both flaws, about which little more beyond Apple’s disclosure are known, was credited to an anonymous researcher.

One expert expressed worry that the latest Apple flaws “could effectively give attackers full access to device,” they might create a Pegasus-like scenario similar to the one in which nation-state APTs barraged targets with spyware made by Israeli NSO Group by exploiting an iPhone vulnerability.

“For most folks: update software by end of day,” tweeted Rachel Tobac, the CEO of SocialProof Security, regarding the zero-days. “If threat model is elevated (journalist, activist, targeted by nation states, etc): update now,” Tobac warned.

**Zero-Days Abound**

The flaws were unveiled alongside other news from Google this week that it was patching its fifth zero-day so far this year for its Chrome browser, an arbitrary code execution bug under active attack.

The news of yet more vulnerabilities from top tech vendors being barraged by threat actors demonstrates that despite the best efforts from top-tier tech companies to address perennial security issues in their software, it remains an uphill battle, noted Andrew Whaley, senior technical director at Promon, a Norwegian app security company.

The flaws in iOS are especially worrying, given the ubiquity of iPhones and users’ utter reliance on mobile devices for their daily lives, he said. However, the onus is not only on vendors to protect these devices but also for users to be more aware of existing threats, Whaley observed.

“While we all rely on our mobile devices, they are not invulnerable, and as users we need to maintain our guard just like we do on desktop operating systems,” he said in an email to Threatpost.

At the same time, developers of apps for iPhones and other mobile devices also should add an extra layer of security controls in their technology so they are less reliant on OS security for protection, given the flaws that frequently crop up, Whaley observed.

“Our experience shows that this is not happening enough, potentially leaving banking and other customers vulnerable,” he said.

iPhone Users Urged to Update to Patch 2 Zero-Days

Red Hat Security Advisory 2022-6113-01 - Red Hat Application Interconnect 1.0 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. This is an update to the rpms for Red Hat Application Interconnect 1.0 to fix some security issues in the golang compiler.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Application Interconnect 1.0 Release (rpms)  
Advisory ID:       RHSA-2022:6113-01  
Product:           Red Hat Application Interconnect  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6113  
Issue date:        2022-08-18  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-28131  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-32148  
====================================================================  
1. Summary:

Red Hat Application Interconnect 1.0 introduces a service network, linking  
TCP and HTTP services across the hybrid cloud.  
A service network enables communication between services running in  
different network locations or sites.  
It allows geographically distributed services to connect as if they were  
all running in the same site.

This is an update to the rpms for Red Hat Application Interconnect 1.0  
to fix some security issues in the golang compiler.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Relevant releases/architectures:

8Base-Application-Interconnect-1 - x86_64

3. Description:

This release addresses several security issues in the underlying golang  
compiler by moving to golang version 1.17.12.

Security Fixes:

Important:  
- - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

Moderate:  
- - golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
- - golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)  
- - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
- - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
- - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
- - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
- - golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For  
not working (CVE-2022-32148)

For more details about the security issue(s), including the impact; a CVSS  
score; acknowledgments; and other related information refer to the CVE  
page(s)  
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

8Base-Application-Interconnect-1:

Source:  
skupper-cli-1.0.2-2.el8.src.rpm

x86_64:  
skupper-cli-1.0.2-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_application_interconnect

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/vdzjgjWX9erEAQiB6g//UbjIL6OmAWLg0ZrxWiIoZCIaQxj5MO6U  
hYyH7+ni4zi0kzZRX3wRgE+UGactlpcxwGEVVAcRAGAaS6ZlUoizsX3mmRVJROaN  
pKfvj1LYigEwuCFBpDI+i76d9C7Sdqkby7HdRowMRLwIZ8kQCit0C6OL/q/ulN31  
LuPk9dj5cg6TT5ESYJKs+oiJg2pK/MTaAXhRhUsIA+K8pICtdDjqDvZ0qLJvbSjr  
eMhYR4sWwwFKKVcptfPmODQQw7GXCUbKrAYcUgjqjz+vTgSi1VPwdwXVcBeLqpr9  
NhXVbTCQzRCB6y1MKZohrLQFNXxn0H735cJXWEYeMre3+FJ6+carSyvcazXNc2Ta  
/ZZYSfQDK7Hag76rTRxhW0Oig4e/k4/Ipd9zX4pgbzp7Bxmyqk2fixi0mNkEeIOS  
jZfo35UHQvXFn58/LO+YSmeaJFGsJ74uwvabUiQEEVAGD1rOHeRGfKrirfhueyEy  
Z46akO8C5DB3v7CZHqP9RipQyr0z+PaCT24RA6wsadeLfDY3V8AdSsUBdsKhdNzX  
ySRYJ+mSWUU3MEyyHzmt9RUeFR5HkfZpb/xL/RMcrZLB6EWMdbsFPDTeqUnpqlpA  
7dp1RgyGzw3BZ+iYo0KgfGuyhgdZKXwoHubpIv5AbTGdJS0azs1Q+ddYLOikd/fa  
7VvQiybU3pg=AImo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6113-01

Kiosk breakout (without quit password) in Safe Exam Browser (Windows) <3.4.0, which allows an attacker to achieve code execution via the browsers' print dialog.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-36220: Kiosk escape (vulnerability disclosure) · Issue #434 · SafeExamBrowser/seb-win-refactoring

A security researcher claims that Apple mobile devices keep connections open if they are created before a VPN is activated.

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. "VPNs on iOS are broken," he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be reestablished inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz's post, ProtonVPN's blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn't happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple's push notification service, can last for hours.

The primary issue with non-tunneled connections persisting is that they could be unencrypted and that the IP address of the user and what they're connecting to can be seen by ISPs and other parties. "Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," ProtonVPN wrote at the time. That might not be a pressing concern for typical VPN users, but it's notable.

ProtonVPN confirmed that the VPN bypass persisted in three subsequent updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this functionality as added did not appear to make a difference in Horowitz's results.

Horowitz tested ProtonVPN's app in mid-2022 on an iPad iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple's push service. The Kill Switch function added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz.

Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN, running the WireGuard protocol). His iPad continued to make requests to both Apple services and to Amazon Web Services.

ProtonVPN had suggested a workaround that was "almost as effective" as manually closing all connections when starting a VPN: Connect to a VPN server, turn on airplane mode, then turn it off. "Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%," ProtonVPN wrote. Horowitz suggests that iOS's Airplane Mode functions are so confusing as to make this a non-answer.

Ars Technica reached out to both Apple and OpenVPN for comment and will update this article with any responses.

Horowitz's post doesn't offer specifics on how iOS might fix the issue. He also doesn't address VPNs that offer "split tunneling," focusing instead on the promise of a VPN capturing all network traffic. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.

VPNs, especially commercial offerings, continue to be a complicated piece of internet security and privacy. Picking a "best VPN" has long been a challenge. VPNs can be brought down by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.

_This story originally appeared on_ _Ars Technica__._

iOS Can Stop VPNs From Working as Expected—and Expose Your Data

Categories: News
Categories: Privacy
Tags: Krause

Tags:  inappbrowser.com

Tags:  Meta

Tags:  Facebook

Tags:  Instagram

Tags:  TikTok

A developer and privacy expert created a platform that allows iOS users to see injected JavaScript in their in-app browsers



(Read more...)




The post Spying on the spies. See what JavaScript commands get injected by in-app browsers appeared first on Malwarebytes Labs.

Developer and privacy expert Felix Krause aka KrauseFx announced this week that he had introduced a simple tool to list the JavaScript commands executed by iOS apps when they deployed an in-app web browser to render webpages. He already shared some eye-opening results on his Twitter feed.

By opening Krause's tool—new website inappbrowser.com—in a designated app, the website checks for one of many hundreds of attack vectors, which is JavaScript injection from the app itself. Disclaimer: a green checkmark is no guarantee that there is no JavaScript injection going on.

**The reason**

According to his announcement the development of the tool was triggered by his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the default browser of the device, many apps render these links inside their own app. More importantly, those apps rarely offer an option to use a standard browser as default, instead of the in-app browser. Since it would be a lot easier for a developer to implement the use of an already present browser, there must be a reason they want you to open the links inside the own app.

Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online. 

**How to use**

If you would like to check on some of the apps you are using, here’s how. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands. Below you can find some results for apps that Krause tested.

**Meta**

Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.

One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.

**TikTok**

This should not come as a surprise, given that the FCC already called TikTok an unacceptable security risk. When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. There is no alternative. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click. There is no way to know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” said spokesperson Maureen Shanahan in a statement offered to Forbes.

**Legitimate reasons**

There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first party content. In which case the publisher still should offer the user the option to open the content in another browser or an explanation as to why that is not possible. Such reasons do not exist when it concerns third-party content and such content should always be opened in the browser that the user prefers to use.

**Incomplete**

The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.

*   With iOS 14.3 (December of 2020), Apple introduced the support of running JavaScript code in the context of a specified frame and content world. JavaScript commands executed using this approach can still fully access the third party website, but can’t be detected by the website itself, like InAppBrowser.com.
*   The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.

The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.

Spying on the spies. See what JavaScript commands get injected by in-app browsers

This invasive malware isn’t just for phones—it can target your PC, too. But a new batch of algorithms aims to weed out this threat.

The surveillance-for-hire industry's powerful mobile spyware tools have gotten increasing attention lately as tech companies and governments grapple with the scale of the threat. But spyware that targets laptops and desktop PCs is extremely common in an array of cyberattacks, from state-backed espionage to financially motivated scams. Due to this growing threat, researchers from the incident response firm Volexity and Louisiana State University presented at the Black Hat security conference in Las Vegas last week new and refined tools that practitioners can use to catch more PC spyware in Windows 10, macOS 12, and Linux computers.

Widely used PC spyware—the type that often keylogs targets, tracks the movement of their mouse and clicks, listens in through a computer's microphone, and pulls still photos or video from the camera—can be difficult to detect because attackers intentionally design it to leave a minimal footprint. Rather than installing itself on a target's hard drive like a regular application, the malware (or its most important components) exists and runs only in the target computer's memory or RAM. This means that it doesn't generate certain classic red flags, doesn't show up in regular logs, and gets wiped away when a device is restarted. 

Enter the field of “memory forensics,” which is geared precisely toward developing techniques to assess what's going on in this liminal space. At Black Hat, the researchers specifically announced new detection algorithms based on their findings for the open source memory forensics framework Volatility. 

“Memory forensics was very different five or six years ago as far as how it was being used in the field both for incident response and by law enforcement,” Volexity director Andrew Case tells WIRED. (Case is also a lead developer of Volatility.) “It’s gotten to the point where even outside really intense malware investigations, memory forensics is needed. But for evidence or artifacts from a memory sample to be used in court or some type of legal proceeding, we need to know that the tools are working as expected and that the algorithms are validated. This latest stuff for Black Hat is really some hardcore new techniques as part of our effort to build out verified frameworks."

Case emphasizes that expanded spyware detection tools are needed because Volexity and other security firms regularly see real examples of hackers deploying memory-only spyware in their attacks. At the end of July, for example, Microsoft and the security firm RiskIQ published detailed findings and mitigations to counter the Subzero malware from an Austrian commercial spyware company, DSIRF.

“Observed victims \[targeted with Subzero\] to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” Microsoft and RiskIQ wrote. Subzero’s main payload, they added, “resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins.”

The researchers particularly focused on honing their detections for how the different operating systems talk to “hardware devices” or sensors and components like the keyboard and camera. By monitoring how the different parts of the system run and communicate with each other and looking for new behaviors or connections, memory forensic algorithms can catch and analyze more potentially malicious activity. One potential tell, for example, is to monitor an operating system process that’s always running, say the feature that lets users log in to a system, and to flag it if additional code gets injected into that process after it starts running. If code was introduced later it could be a sign of malicious manipulation.

“If you work in the incident response field, you likely see this malware all the time,” Case said during his Black Hat talk last week. “We see this targeted at our clients on a daily basis. And if you read the reports from other security vendors, it’s pretty much universal that when you have a motivated threat group targeting an organization—whether that’s a research group inside the organization, whether it’s executives, whether it’s down to just an individual person—the malware that gets deployed on those machines are going to leverage access to hardware devices for truly sensitive information.”

To do forensic analysis of what's happening in a device's memory at a given time, researchers dump the memory into a sort of snapshot file of everything that was in there at that moment. If your laptop has 16 GB of RAM and the memory is full, you'll pull out a 16-GB file from it. But to detect attacks in real time, organizations need to set up forensic monitoring on their devices in advance. And not all operating systems make it easy to conduct such monitoring.

Apple, in particular, is known for locking down access to macOS and iOS to minimize system visibility. The company says it takes this approach as a security measure because, in its estimation, users shouldn't need that level of access to operate within the tightly controlled Apple ecosystem. But the stance has been controversial for a number of reasons and has created tension with some security advocates, who say that when exploitable vulnerabilities do inevitably crop up in Apple's software, particularly iOS, the approach gives the hackers an advantage because defenders have more limited insight and control. 

“It can make exploitation harder, and it can make gaining malware persistence on a system harder,” Case says. “But it also makes forensics harder, so the argument goes both ways.” 

The team was able to make progress on developing detection tools for all three major desktop operating systems, though. And Case emphasizes that the goal is simply to detect as much spyware as possible wherever it can be done as the malware proliferates more and more.

“We work with a ton of very targeted organizations around the world and in the US, and it's organizations themselves being targeted. But also, many times, it’s individuals within the organization or within a political movement—these are the people who get targeted with this type of malware,” he says. “So the further we get on this research and the better our forensic tools are, the more we can find this behavior and make it harder for attackers to get into an environment, stay there, and get to data they want.”

Spyware Hunters Are Expanding Their Toolset

Improper buffer restrictions in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Laptop Kit Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® NUC Laptop Kits may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-28858

Description: Improper buffer restriction in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-33209

Description: Improper input validation in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-27493

Description: Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-34488

Description: Improper buffer restrictions in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-32579

Description: Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-34345

Description: Improper input validation in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® NUC M15 Laptop Kit: LAPBC510, LAPBC710 before version BC0076.

**Recommendations:**

Intel recommends updating the Intel® NUCs listed above to version BC0076 or later.

Updates are available for download at this location: https://www.intel.com/content/www/us/en/download/19683/bios-update-for-the-intel-nuc-m15-laptop-kit-lapbcx10-bctgl357.html

**Acknowledgements:**

Intel would like to thank the Binarly efiXplorer team for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-34488: INTEL-SA-00712

Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® AMT and Intel® Standard Manageability Advisory**

Intel ID:

INTEL-SA-00709

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Information Disclosure

Severity rating:

HIGH

Original release:

08/09/2022

Last revised:

08/09/2022

**Summary: **

Potential security vulnerabilities in the Intel® Active Management Technology (AMT) and Intel® Standard Manageability may allow escalation of privilege or information disclosure. Intel is releasing prescriptive guidance to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-30601

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

CVEID: CVE-2022-30944

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 7.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVEID: CVE-2022-28697

Description: Improper access control in firmware for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.0 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

**Affected Products:**

All versions of Intel® AMT and Intel® Standard Manageability.

Note: Firmware versions of Intel® AMT 3.x through 10.x are no longer supported versions. There is no new general release planned for these versions.

Intel will only provide prescriptive guidance for supported versions; no code changes are planned.

**Recommendations:**

Intel recommends that users follow the steps below to address these issues:

For Intel® AMT and Intel® Standard Manageability, Intel recommends users follow existing security best practices and alternate security controls, including:

*   CVE-2022-30944, CVE-2022-30601: Enable Transport Layer Security (TLS) for Intel® AMT and Intel® Standard Manageability.
*   CVE-2022-28697: Enable BIOS password protection on the Intel® Management Engine BIOS Extension (Intel® MEBX).  Intel recommends end-users to reset and then set non-default password for Intel® AMT or Intel® Standard Manageability immediately following receipt of the system from the systems manufacturer.

Additional guidance is provided at this support page.

**Acknowledgements:**

Intel would like to thank Seth W Dailey (Z-winK) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-30944: INTEL-SA-00709

Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Datacenter Group Event App Advisory**

**Summary:**

A potential security vulnerability in Intel® Datacenter Group Event iOS application may allow information disclosure.  Intel is not releasing updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for the Intel® Datacenter Group Event iOS application.

**Vulnerability Details:**

CVEID: CVE-2022-30296

Description: Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

**Affected Products:**

Intel® Datacenter Group Event Advisory iOS application all versions.

**Recommendation:**

Intel has issued a Product Discontinuation notice for the Intel® Datacenter Group Event iOS application and recommends that users of the Intel® Datacenter Group Event iOS application uninstall it or discontinue use at their earliest convenience.

**Acknowledgements:**

Intel would like to thank Sheikh Rishad for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-30296: INTEL-SA-00703

libjpeg commit 281daa9 was discovered to contain an infinite loop via the component Frame::ParseTrailer.

version: latest commit 14bf94c  
poc: poc.zip  
command: ./jpeg poc /dev/null

The backtrace in gdb:

    (gdb) bt
    #0  ByteStream::Get (this=0x790ae0) at bytestream.cpp:223
    #1  0x000000000042331e in IOStream::PeekWord (this=0x790ae0)
        at iostream.cpp:543
    #2  0x00000000004c38d5 in Frame::ParseTrailer (this=0x792590, io=0x790ae0)
        at frame.cpp:1018
    #3  0x000000000043aac9 in JPEG::ReadInternal (this=0x7904c8,
        tags=0x7fffffffdd50) at jpeg.cpp:332
    #4  0x000000000043988b in JPEG::Read (this=0x7904c8, tags=0x7fffffffdd50)
        at jpeg.cpp:210
    #5  0x000000000041cabb in Reconstruct (infile=<optimized out>,
        outfile=0x7fffffffe70c "/dev/null", colortrafo=1, alpha=0x0, upsample=true)
        at reconstruct.cpp:121
    #6  0x0000000000408b6a in main (argc=<optimized out>, argv=0x790f29)
        at main.cpp:747
    

**Root cause:**

There is a loop in frame.cpp:1017-1118.

In line 1018, the program continuously reads marker in the stream by calling IOStream::PeekWord() function.  

LONG marker = io->PeekWord();

In cases of the default branch, the loop won't exit.  

if (marker < 0xff00) {

JPG\_WARN(MALFORMED\_STREAM,"Frame::ParseTrailer",

"expecting a marker or marker segment - stream is out of sync");

// Advance to the next marker and see how it goes from there...

io->Get(); // Remove the invalid thing.

do {

marker = io->Get();

} while(marker != 0xff && marker != ByteStream::EOF);

//

if (marker == ByteStream::EOF) {

JPG\_WARN(UNEXPECTED\_EOF,"Frame::ParseTrailer",

"run into an EOF while scanning for the next marker");

return false;

}

io->LastUnDo();

// Continue parsing, check what the next marker might be.

} else {

// Something that looks like a valid marker. This could be the

// tables/misc section of the next frame or next scan, depending

// on whether we are hierarchical (next frame) or progressive (next scan).

// Unfortunately, what is what we only know after having received either

// the SOS marker (next scan) or an SOF marker (next frame).

// Thus, at this time, parse of the tables, place its data in the

// global table namespace, overriding what was there, then

// continue parsing here until we know what we have.

assert(m\_pTables);

// This might include EXP if we are hierarchical.

m\_pTables->ParseTables(io,NULL,m\_pParent->isHierarchical(),(m\_Type == JPEG\_LS)?true:false);

}

}

The problem is that the IOStream::PeekWord() function might always return a same value.

Specifically, the IOStream::PeekWord() calls ByteStream::Get().

LONG ByteStream::Get(void) // read a single byte (not inlined)

{

if (m\_pucBufPtr >= m\_pucBufEnd) {

if (Fill() == 0) // Found EOF

return EOF;

}

assert(m\_pucBufPtr < m\_pucBufEnd);

return \*m\_pucBufPtr++;

}

IOStream::PeekWord() returns at line 223 with m_pucBufPtr++. However, when using gdb to check the value of m_pucBufPtr, I found that the ByteStream::Get() functions repeatedly read the values from the same address. The 0x790f2a and 0x790f29 correspond to byte1 and byte2 in IOStream::PeekWord() and they never change.

IOStream::PeekWord() then always returns a same value (calculated by byte1 and byte2). Finally, the program never terminates because the return value forces the program to take the default branch.

Tag

#ios