New web targets for the discerning hacker

New web targets for the discerning hacker

The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.

Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”

LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.

Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in in the Wormhole core bridge contract on Ethereum lost forever.

In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.

Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.

And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.

**The latest bug bounty programs for June 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aztec Network**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$1 million

Outline:  
A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to being the “only zkRollup built from the ground up to be privacy-preserving”.

Notes:  
Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.

Check out the Aztec Network bug bounty page at Immunefi for more details

**Balancer**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$2.4 million

Outline:  
“Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”

Notes:  
Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.

Check out the Balancer bug bounty page at Immunefi for more details

**Chain**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$5 million

Outline:  
Eye-watering payouts in the millions on offer by Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.

Notes:  
Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.

Check out the Chain bug bounty page at Immunefi for more details

**Cudos Network**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$4,500

Outline:  
A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.

Notes:  
Top-tier rewards given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.

Check out the Cudos Network bug bounty page at Bugcrowd for more details

**Doctolib**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€20,000

Outline:  
Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.

Notes:  
High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.

Check out the Doctolib bug bounty page at YesWeHack for more details

**Gojek**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.

Notes:  
Maximum bounty of $5,000 on offer for tier-one assets, and $2,000 for tier-two assets.

Check out the Gojek bug bounty page at HackerOne for more details

**LinkedIn**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$15,000

Outline:  
LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.

Notes:  
Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.

Read our previous coverage to find out more

**Razorpay**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.

Notes:  
Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.

Check out the Razorpay bug bounty page at HackerOne for more details

**Quebec Ministry of Cybersecurity and Digital**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
C$1,500

Outline:  
Le ministère de la Cybersécurité et du Numérique has launched its program, with details written in French, on Paris-base bug bounty platform YesWeHack.

Notes:  
The ministry has 12 web assets in scope and is offering a maximum payout of C$1,500.

Check out Le ministère de la Cybersécurité et du Numérique bug bounty page at YesWeHack for more details

**Wealthsimple**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$20,000

Outline:  
The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.

Notes:  
Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.

Check out the Wealthsimple bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
*   Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
*   YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
*   The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
*   Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base\-Vulnerability Disclosure Program (DIB-VDP), which concluded in April

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty Radar // The latest bug bounty programs for June 2022

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

Validation check loopholes exposed

Malicious actors can take unauthorized ownership of online accounts even before their victims sign up for services, according to new research backed by the Microsoft Security Response Center (MSRC).

Dubbed ‘account pre-hijacking’, the class of attack involves an attacker setting an account takeover exploit in motion before the victim has even registered with an online service. After the victim signs up, the attacker takes advantage of security holes in the service’s authentication mechanisms to access or take ownership of the newly-created account.

The study (PDF) found dozens of high-traffic services to be vulnerable to at least one type of pre-hijacking attack. The research sheds light on the security issues surrounding account creation, a seldom scrutinised issue.

**More than one way to pre-hijack an account**

The research was supported by one of the Identity Project Research Grants awarded by the MSRC in early 2020.

“In this project, we explored several topics, but soon noticed a pattern emerging around the ‘pre-hijacking’ threat model,” Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan told The Daily Swig.

Account pre-hijacking assumes that the victim doesn’t yet have an account on the target service and the attacker knows the email and other basic details of the victim. The researchers discovered five types of pre-hijacking attack scenarios.

Some take advantage of multiple account creation modes supported by many online services. On many websites, users can directly provide an email address and password to create their account or use federated authentication by using a consumer-focused single sign-on (SSO) service, as provided by the likes of Facebook, Google, and Microsoft.

DON’T FORGET TO READ Security ‘researcher’ hits back against claims of malicious CTX file uploads

For example, in one type of attack, the attacker creates an account with the victim’s email address. The victim then creates an account using the federated approach. In some services, this merges the attacker’s and victim’s accounts, giving them both simultaneous access to the same account.

In another type of attack, the attacker creates an account with the victim’s email and associates their own federated identity to the same account. When the victim tries to create their account, they will be prompted to reset their password. The victim will obtain access to the account, but the attacker will also be able to access the account through the SSO identity.

The researchers said: “It’s very positive to see how many online services are moving towards single sign-on \[but\] this means that they might have to support multiple login mechanisms. This in itself is not necessarily an issue, and many services do this securely.

“Our research simply points out some subtle pitfalls to be aware of when supporting multiple login mechanisms,” the researchers added.

**Switch hitter**

Paverd and Sudhodanan pointed out that three of the attacks they found do not require the service to support multiple login mechanisms.

For example, in one scheme, the attacker’s session might remain active even after the victim recovers their account and resets the password.

Catch up on the latest authentication news and analysis

In yet another scenario, the attacker creates an account with the victim’s email and initiates an email change request to the attacker’s own email address. The attacker then waits for the victim to claim the account before completing the email change request and taking ownership of the account.

**Top services affected**

In their study, the researchers examined 75 services that ranked among Alexa’s list of top-150 high-traffic domains. At least 35 were affected by one or more account pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom. Fortunately, all the affected services were notified of the vulnerabilities and have implemented the necessary fixes.

“We think that a lack of awareness may have been the main cause of these potential vulnerabilities. We are therefore publishing this research to raise awareness and help organizations mitigate these vulnerabilities,” Paverd and Sudhodanan said.

The most important takeaway, the researchers concluded, is “to verify that the user actually owns any user-supplied identifiers (e.g., email address or phone number) before using them to create a new account or adding them to an existing account”. This would mitigate all types of pre-hijacking attacks identified to date.

The researchers’ paper also describes several other possible defense-in-depth strategies.

They recommended that users enable multi-factor authentication (MFA) whenever possible because it stops most pre-hijacking attacks they uncovered.

Another sign of account pre-hijacking is receiving an email about an account that you did not create, which users usually ignore. “Report this to the relevant website,” the researchers said.

YOU MAY ALSO LIKE Tails users warned not to launch bundled Tor browser until security hole is fixed

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.
Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows Server 2012 5015805 Download Windows 7, Windows Server 2008 R2 5015805 Download Windows Server 2008 SP2 5015805 Download On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

**UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.**

Windows Version

Link to KB article

LInk to Catalog

Windows 8.1, Windows Server 2012 R2

5015805

Download

Windows Server 2012

5015805

Download

Windows 7, Windows Server 2008 R2

5015805

Download

Windows Server 2008 SP2

5015805

Download

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability. Microsoft recommends installing the following KB5015805 for Windows 8.1 and below according to the following table. The defense in depth fix is incorporated into the cumulative updates for Windows 10 and newer.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

**Workarounds Workarounds**

**To disable the MSDT URL Protocol**

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1.  Run **Command Prompt** as **Administrator**.
2.  To back up the registry key, execute the command “reg export HKEY_CLASSES\_ROOT\\ms-msdt \_filename_”
3.  Execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

**How to undo the workaround**

1.  Run **Command Prompt** as **Administrator**.
2.  To restore the registry key, execute the command “reg import _filename”_

**Microsoft Defender Detections & Protections Microsoft Defender Detections & Protections****Microsoft Defender Antivirus (MDAV) Microsoft Defender Antivirus (MDAV)**

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build **1.367.851.0** or higher:

*   **Trojan:Win32/Mesdetty.A**
*   **Trojan:Win32/Mesdetty.B**
*   **Behavior:Win32/MesdettyLaunch.A!blk**
*   **Trojan:Win32/MesdettyScript.A**
*   **Trojan:Win32/MesdettyScript.B**
*   **Behavior:Win32/MesdettyPayload.B**
*   **Behavior:Win32/MesdettyLaunch.D**

Customers with Microsoft Defender Antivirus (MDAV) should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

**Microsoft Defender for Endpoint (MDE) Microsoft Defender for Endpoint (MDE)**

Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:

*   **Suspicious behavior by an Office application**
*   **Suspicious behavior by Msdt.exe**

Microsoft Defender for Endpoint through its network inspection capabilities created a network-based detection to intercept any possible exploits for this vulnerability over the internal network.

*   **Possible exploitation attempt of CVE-2022-30190**

and since the signatures above for Antivirus are getting expanded to include more scenarios I like to remove the sentences between brackets for each signature

*   **Trojan:Win32/Mesdetty.A** (blocks msdt command line)
*   **Trojan:Win32/Mesdetty.B** (blocks msdt command line)
*   **Behavior:Win32/MesdettyLaunch.A!blk** (terminates the process that launched msdt command line)
*   **Trojan:Win32/MesdettyScript.A** (to detect HTML files that contain msdt suspicious command being dropped)
*   **Trojan:Win32/MesdettyScript.B** (to detect HTML files that contain msdt suspicious command being dropped)

**Microsoft Defender for Office 365 (MDO) Microsoft Defender for Office 365 (MDO)**

Microsoft Defender for Office 365 provides detections and protection for emails containing malicious documents or URL used to exploit this vulnerability:

*   Trojan\_DOCX\_OLEAnomaly\_AC
*   Trojan\_DOCX\_OLEAnomaly\_AD
*   Trojan\_DOCX\_OLEAnomaly\_AE
*   Trojan\_DOCX\_OLEAnomaly\_AF
*   Exploit\_UIA\_CVE\_2022\_30190
*   Exploit\_CVE\_2022\_30190\_ShellExec
*   Exploit\_HTML\_CVE\_2022\_30190\_A
*   Exploit\_Win32\_CVE\_2022\_30190\_B

**FAQ FAQ**

**Q:** Does Protected View and Application Guard for Office provide protection from this vulnerability?

**A:** If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

*   For information about Protected View, see What is Protected View?
*   For information about Application Guard for Office, see Application Guard for Office.

**Q:** Is configuring the GPO setting **Computer Configuration\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\“Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider”** to **“Disabled”** another workaround?

Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ Value Name: DisableQueryRemoteServer Type: REG_DWORD Value: 0

**A:** No, this GPO does not provide protection against this vulnerability. “Interactive communication with support provider” is a special mode MSDT runs in when launched with no parameters which has no impact on MSDT support for URL protocol.

**Q:** Is configuring the GPO setting **Computer Configuration - Administrative Templates - System - Troubleshooting and Diagnostics - Microsoft Support Diagnostic Tool\\“Troubleshooting: Allow users to access recommended troubleshooting for known problems”** to " **Disabled**" another workaround?

**A:** No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.

**Q:** Is blocking MSDT using technologies such as Windows Defender Application Control (WDAC) equivalent to removing MSDT handler “HKEY\_CLASSES\_ROOT\\ms-msdt” a viable workaround?

**A:** Blocking MSDT will prevent all MSDT-based Windows Troubleshooters from launching, such as the Network Troubleshooter, and the Printer Troubleshooter. The recommended workaround disables support for clicking on MSDT links and users can continue to use the familiar Windows Troubleshooters.

**Q** : What Windows versions require the workaround?

**A** : The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required.

We will update CVE-2022-30190 with further information.

The MSRC Team

Revisions:  
06/06/2022 - Added more FAQs.  
06/07/2022 - Added one more question and answer.  
06/07/2022 - Added additional detection information.  
06/14/2022 - Announced updates that address the vulnerability.  
07/12/2022 - Announced defense in depth update availability.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Organizations must ensure their kubelets and related APIs aren’t inadvertently exposed or lack proper access control, offering an easy access point for malicious actors.

Kubernetes clusters provide a scalable and resilient backbone to many modern Internet-facing applications. However, if adversaries can access the nodes in those clusters, they essentially take over your infrastructure. They can compromise the integrity of your systems and hijack the infrastructure and use it for their own purposes.

Recent data from Shodan shows 243,469 Kubernetes clusters that are publicly exposed. These clusters also exposed port 10250, used by the kubelet (the agent that runs on each node and ensures that all containers are running in a pod) as a default setting. Attackers could potentially use the kubelet API as an entry point in targeting Kubernetes clusters to mine for cryptocurrency.

Trend Micro researcher Magno Logan looked at how cybercriminals could abuse these clusters and exposed kubelet ports.

First, there is the problem of sensitive information leakage by returning data on the running pods on the node.

In addition, since the kubelet API is exposed, there is another endpoint _/run_ that would allow an attacker to execute commands inside the running pods of the cluster just by sending a _POST_ request to the specific pods and using the parameter _cmd_ to execute the desired shell commands. Trend Micro says threat actor TeamTNT performed multiple _/run_ commands in just this manner to compromise multiple clusters last year. This technique can make things easier for attackers to take over clusters, Logan says in the report.

Logan called it "very concerning" that hackers could use the kubelet API as an entry point when targeting Kubernetes clusters.

"Those 600 kubelets we've found to be completely exposed and without authentication or authorization could easily be compromised via simple API requests," he said. "That would allow an attacker to execute commands on the pods running inside that node, most of the time to mine cryptocurrencies."

**Exposed Kubelets Leave Door Open to Malicious Actors**

According to Michael Isbitski, director of cybersecurity strategy for Sysdig, when Kubernetes clusters or kubelets are improperly exposed or don't enforce proper access control, it leaves the door open for a wide range of malicious activity.

"Attackers can potentially harvest sensitive data being transmitted within the cluster, spin-up new workloads, reconfigure elements of a node, disable access controls, erase audit trails, add vulnerable dependencies, bootstrap malicious cryptominers, and more," he says.

Isbitski notes that many Kubernetes configurations are secure by default with current platform offerings, but some organizations may be sitting on old or misconfigured deployments.

He points out organizations also sometimes inadvertently override secure defaults to get a cluster to an operational state without understanding the potential security risks.

"We've seen issues with vulnerabilities in runtime components, which can result in container escapes and lateral movement within networks if attackers are successful in their exploitation attempts," he says.

**Practice Defense In-Depth, Zero Trust**

Matt Dupre, director of software engineering at Tigera, a provider of security and observability for containers, Kubernetes, and cloud, points out that sufficiently privileged access to the kubelet amounts to a complete compromise of that host and potentially any other workloads running on it.

Access to the Kubernetes API has the same potential impact: Admin access essentially provides complete control of the cluster and everything in it.

He notes that while the security risk is significant, an overwhelming majority of the clusters that accepted connections from the Internet rejected the requests due to lack of authentication or authorization.

"Given that, there are two concerns: firstly, that you fall in that misconfigured 613 clusters, or that a new critical vulnerability that bypasses authn or authz is found, and this would be a very significant vulnerability," Dupre says. "Organizations' internal APIs are probably a bigger worry in practice."

He advises practicing defense in depth by following zero-trust principles and not allowing connections to your kubelets from unknown sources, such as the Internet.

"Additionally, you could port-scan your infrastructure and investigate any responses," he adds. "Keeping careful control of access tokens is always important — they should never be published, and you should have processes in place to ensure that they and other secrets are stored properly."

**Avoid Exposing the Kubelet Default Port**

As a basic kubelet security practice, Logan says organizations shouldn’t expose their kubelet port (10250 by default) to the Internet.

"If you need to do that, at least enable kubelet authentication and authorization on the kubelet API to avoid attackers being able to perform requests to the API and receive the 401 – Unauthorized response," he adds.

Mark Lambert, vice president of products at ArmorCode, an application security provider, says when deploying these types of systems, take a "zero-trust mindset" and remember that the default configurations are usually set up for ease of use, not security.

"This means you need to pay close attention to configuration files, disable features you are not using, change default ports, and minimize information leakage so that hackers cannot gain insight that could provide them another point of attack," he says.

Finally, all this needs to be operationalized as part of your application security program, and development teams must be engaged early, as they play a key role in building security into the design of the application from the start.

Besides enabling the kubelet authentication and authorization on the kubelet API, Logan advises restricting the kubelet permissions via the least privilege principle and periodically rotating the kubelet certificates to reduce the attack surface.

"Organizations should also investigate tools for runtime protection such as Falco to prevent and alert when there are suspicious execution happening inside their containers," he says.

**Constantly Analyze IaaC, Monitor Clusters in Runtime**

Isbitski says native capabilities and tooling from cloud providers and Kubernetes platform providers can provide a starting point for keeping kubelets protected.

He adds that security teams must continuously analyze the infrastructure-as-code used to configure and operate clusters, scan dependencies used by workloads, and monitor clusters in runtime to detect malicious activity, such as when an attacker attempts unauthorized access to the Kubernetes APIs.

"Appropriate access control should also be implemented at multiple points of a cluster," he says. "Native capabilities like Kubernetes network policy also help with restricting communication within a cluster and enforce zero trust principles."

Isbitski points out the Kubernetes control plane is also multilayered when working with managed Kubernetes.

In those scenarios, security teams should also continuously validate the cloud tenant configurations, along with IAM policies, for misconfigurations and excessive permissions.

Exposed Kubernetes Clusters, Kubelet Ports Can Be Abused in Cyberattacks

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. An application may be able to execute arbitrary code with kernel privileges.

Released May 16, 2022

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26772: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-26741: ABC Research s.r.o

CVE-2022-26742: ABC Research s.r.o

CVE-2022-26749: ABC Research s.r.o

CVE-2022-26750: ABC Research s.r.o

CVE-2022-26752: ABC Research s.r.o

CVE-2022-26753: ABC Research s.r.o

CVE-2022-26754: ABC Research s.r.o

**apache**

Available for: macOS Monterey

Impact: Multiple issues in apache

Description: Multiple issues were addressed by updating apache to version 2.4.53.

CVE-2021-44224

CVE-2021-44790

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-26698: Qi Sun of Trend Micro

**AVEVideoEncoder**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**Contacts**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26694: Wojciech Reguła (@\_r3ggi) of SecuRing

**CVMS**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A memory initialization issue was addressed.

CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori

CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

**DriverKit**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Monterey

Impact: Photo location information may persist after it is removed with Preview Inspector

Description: A logic issue was addressed with improved state management.

CVE-2022-26725: Andrew Williams and Avi Drissman of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26769: Antonio Zekic (@antoniozekic)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26756: Jack Dates of RET2 Systems, Inc

**IOKit**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOMobileFrameBuffer**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26743: Jordy Zomer (@pwningsystems)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Monterey

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: macOS Monterey

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: The issue was addressed with additional permissions checks.

CVE-2022-26767: Wojciech Reguła (@\_r3ggi) of SecuRing

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@\_mxms) of the Google Security Team

CVE-2022-26708: Max Shavrick (@\_mxms) of the Google Security Team

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2022-26775: Max Shavrick (@\_mxms) of the Google Security Team

**LibreSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2022-0778

**libxml2**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**OpenSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-0778

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26712: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2022-26727: Mickey Jin (@patch1t)

**Preview**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26693: Wojciech Reguła (@\_r3ggi) of SecuRing

**Printing**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26746: @gorelics

**Safari Private Browsing**

Available for: macOS Monterey

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: macOS Monterey

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26723: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: A malicious application may be able to access restricted files

Description: This issue was addressed with improved entitlements.

CVE-2022-26728: Mickey Jin (@patch1t)

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks.

CVE-2022-26704: an anonymous researcher

**TCC**

Available for: macOS Monterey

Impact: An app may be able to capture a user's screen

Description: This issue was addressed with improved checks.

CVE-2022-26726: an anonymous researcher

**Tcl**

Available for: macOS Monterey

Impact: A malicious application may be able to break out of its sandbox

Description: This issue was addressed with improved environment sanitization.

CVE-2022-26755: Arsenii Kostromin (0x3c3e)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: macOS Monterey

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26761: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

**zip**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to a denial of service

Description: A denial of service issue was addressed with improved state handling.

CVE-2022-0530

**zlib**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-25032: Tavis Ormandy

**zsh**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause arbitrary code execution

Description: This issue was addressed by updating to zsh version 5.8.1.

CVE-2021-45444

CVE-2022-26738: About the security content of macOS Monterey 12.4

An authentication issue was addressed with improved state management. This issue is fixed in tvOS 15.5. A local user may be able to enable iCloud Photos without authentication.

Released May 16, 2022

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22675: an anonymous researcher

**AuthKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A local user may be able to enable iCloud Photos without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

**AVEVideoEncoder**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**DriverKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**IOKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOMobileFrameBuffer**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**IOSurfaceAccelerator**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26771: an anonymous researcher

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libxml2**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**Security**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**Wi-Fi**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

CVE-2022-26724: About the security content of tvOS 15.5

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..

Released May 16, 2022

**apache**

Available for: macOS Big Sur

Impact: Multiple issues in apache

Description: Multiple issues were addressed by updating apache to version 2.4.53.

CVE-2021-44224

CVE-2021-44790

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

**AppKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleAVD**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22675: an anonymous researcher

**AppleGraphicsControl**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-26698: Qi Sun of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

**CoreTypes**

Available for: macOS Big Sur

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2022-22663: Arsenii Kostromin (0x3c3e)

**CVMS**

Available for: macOS Big Sur

Impact: A malicious application may be able to gain root privileges

Description: A memory initialization issue was addressed.

CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori

CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

**DriverKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**Graphics Drivers**

Available for: macOS Big Sur

Impact: A local user may be able to read kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2022-22674: an anonymous researcher

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26756: Jack Dates of RET2 Systems, Inc

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26769: Antonio Zekic (@antoniozekic)

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

**IOMobileFrameBuffer**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**LaunchServices**

Available for: macOS Big Sur

Impact: A malicious application may be able to bypass Privacy preferences

Description: The issue was addressed with additional permissions checks.

CVE-2022-26767: Wojciech Reguła (@\_r3ggi) of SecuRing

**LaunchServices**

Available for: macOS Big Sur

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libresolv**

Available for: macOS Big Sur

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@\_mxms) of the Google Security Team

**LibreSSL**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2022-0778

**libxml2**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**OpenSSL**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-0778

**PackageKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26712: Mickey Jin (@patch1t)

**Printing**

Available for: macOS Big Sur

Impact: A malicious application may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26746: @gorelics

**Security**

Available for: macOS Big Sur

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**SMB**

Available for: macOS Big Sur

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Big Sur

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26723: Felix Poulin-Belanger

**SMB**

Available for: macOS Big Sur

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

**SoftwareUpdate**

Available for: macOS Big Sur

Impact: A malicious application may be able to access restricted files

Description: This issue was addressed with improved entitlements.

CVE-2022-26728: Mickey Jin (@patch1t)

**TCC**

Available for: macOS Big Sur

Impact: An app may be able to capture a user's screen

Description: This issue was addressed with improved checks.

CVE-2022-26726: an anonymous researcher

**Tcl**

Available for: macOS Big Sur

Impact: A malicious application may be able to break out of its sandbox

Description: This issue was addressed with improved environment sanitization.

CVE-2022-26755: Arsenii Kostromin (0x3c3e)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

**WebKit**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

**Wi-Fi**

Available for: macOS Big Sur

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26761: Wang Yu of Cyberserval

**zip**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may lead to a denial of service

Description: A denial of service issue was addressed with improved state handling.

CVE-2022-0530

**zlib**

Available for: macOS Big Sur

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-25032: Tavis Ormandy

**zsh**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause arbitrary code execution

Description: This issue was addressed by updating to zsh version 5.8.1.

CVE-2021-45444

CVE-2022-22675: About the security content of macOS Big Sur 11.6.6

This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service.

Released May 16, 2022

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher

**AppleGraphicsControl**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**DriverKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26744: an anonymous researcher

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**IOKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOSurfaceAccelerator**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26771: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libxml2**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**Notes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a large input may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-22673: Abhay Kailasia (@abhay\_kailasia) of Lakshmi Narain College Of Technology Bhopal

**Safari Private Browsing**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**Shortcuts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: An authorization issue was addressed with improved state management.

CVE-2022-26703: Salman Syed (@slmnsd551)

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26760: 08Tc3wBB of ZecOps Mobile EDR Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2015-4142: Kostya Kortchinsky of Google Security Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

Tag

#ios