An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

For a strategic solution you seek:

*   Cost reduction & risk reduction
*   Efficiency optimisation
*   Embedded regulatory change management
*   Straight through process control
*   Senior management certification obligations
*   Regulatory reporting certainty, globally
*   Machine-readable regulatory reporting readiness

**SaaS**

Reduce your TCO. Let VERMEG handle the IT complexity​

**AGILE MI**

Gain valuable insights from your regulatory data​​

**AGILE Assure**

Bring the DataOps revolution to your regulatory data management ​​

​​

**Digital Transformation**

Extend, customise and innovate with AGILE Design Studio and Veggo ​​

**AGILE Reporter value for our clients**

Calculation & allocation: Comprehensive calculations from Basel III risks to national statistical allocations

Ratios: Credit & Market Risk, Leverage, Liquidity Coverage, Large Exposures, IRFS standard computations, integration of models and own analysis reporting

International reporting: Coverage including EBA & ECB (COREP, AnaCredit etc), and multiple international regulators in EU, UK, US, and MAS, HKMA, APRA and others

Added value: Capital utilisation, CFO & management information, dashboard status, threshold alerts, key performance metrics

Change management: VERMEG regulatory change management includes horizon management, impact analyses, data deltas and reporting update service

Workflow and maximised automation: Validations, variance, trend and other sanity checks achieve optimised straight-through processing

Process control: Enjoy ‘exceptions only’ intervention & instantly traceable attestation & approval audit trail

Sized & delivered to suit you: Choose from enterprise-wide full automation, or local last mile, on premise, in the cloud or Regulatory-Reporting-As-A-Service

Download our brochure about AGILE Reporter (PDF).

Granular Data Reporting – a new paradigm of innovation in regulatory reporting or just new challenges?

**Download the Whitepaper**

**Client stories**

**Client 1  
Tier 1 Domestic Bank**

**Challenge**

*   To find a Regulatory Reporting solution capable of integrating with external calculation and processing capabilities
*   To reduce operational risk
*   To increase reporting consistency and transparency
*   To facilitate accelerated regulatory change management

**Client 2  
Neobank growing from start-up**

**Challenge**

*   To find a partner for its Finance team to assist with regulatory reporting requirements in the immediate term and the future as the organisation evolves and scales to a fully fledged bank.
*   The need for a solution/system that minimises the resource requirements of bank’s teams in the areas of Solution Delivery
*   To find a vendor to provide not just a solution but also subject matter expertise to complement the in house team, and to ensure all new regulatory reporting requirements can be met.

**Solution**

*   Provision of AGILE Reporter’s out of the box integration to Oracle’s OFSAA (Oracle Financial Services Analytical Applications) platform.
*   Improved Straight Through Processing (STP) achieved from direct coupling of outputs from OFSAA Results data to AGILE Reporter.
*   VERMEG Subject Matter Expertise around the interpretation of client requirements and business for reporting purposes and the delivery of the operational process to fulfil these.
*   Ability to incorporate data from sources outside of OFSAA into regulatory reporting workflow to ensure completeness of automated reporting coverage.

**Solution**

*   Full scope automated AGILE Reporter deployment
*   VERMEG regulatory expertise to provide guidance on current and future regulatory requirements
*   Analysis Module to facilitate Bank scrutiny of Regulatory Data
*   Hosted on VERMEG cloud platform (Amazon Web Services)

**Results**

*   Streamlined overall Regulatory Reporting workflow while minimising manual intervention in the process
*   Increased accuracy of reporting results through use of the consolidated platform
*   Transparency of process by providing lineage of reporting data from source to regulatory return

**Results**

*   Automated, end-to-end solution providing population of regulatory returns from source data without manual intervention or work arounds
*   Flexible data mapping that meets the needs of a growing business and an evolving IT Architecture
*   Consistent data lineage from source through to final returns
*   Comprehensive validation checks ensure integrity of regulator submissions
*   Cloud solution minimises burden on Bank’s technical resources with regard to both delivery and ongoing maintenance

****Awards & Certifications****

**VEREMG is delighted to share that we were recently awarded ‘Best Vendor Solution for APRA APS 220′ AND ‘Best MAS 610 Solution’ by the RegTech Insight APAC Awards 2022 for our AGILE Reporter solution.**

Read More

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Safari Side-Channel Attack Enables Browser Theft

Preventative security should be driven by data and risk assessment, not compliance.

As organizations increasingly move their data and workloads to the cloud, securing cloud identities has become paramount. Identities are the keys to accessing cloud resources, and, if compromised, they enable attackers to gain access to sensitive data and systems.

Most attacks we see today are client-side attacks, in which attackers compromise someone's account and use their privileges to move laterally and access sensitive data and resources. To prevent this, you need visibility into your cloud's identity infrastructure. Unless you know the identity of all the people and objects that are accessing systems, their permissions, and their relationships, you won't have the context necessary to effectively assess your risk and take preventative measures.

A number of high-profile attacks illustrate this problem. A compromised cloud identity gave attackers access to SolarWinds' Orion software, where they deployed malicious code to thousands of their customers, including government agencies and Fortune 500 companies. Another example is the Microsoft Exchange attack, in which attackers exploited a vulnerability in Exchange to gain access to email accounts. From there, they stole sensitive data and sent phishing emails in an attempt to compromise other accounts.

For securing the cloud, I advise implementing an approach known as applied risk, which allows security practitioners to make decisions about preventative actions based on contextual data about the relationship between identities and what the downstream impacts of threats are in their specific environments. Here are some practical tips for adopting applied risk.

**Treat Cloud Protection as a Security Project, Not a Compliance Exercise**

For starters, shift your mindset. Gone are the simple days of client-server computing. The cloud environment is a complicated system of data, users, systems, and interactions between all of them.

Checking a series of boxes won't bring greater security if you don't understand how everything works together. Most teams take an unguided approach to preventive security, putting blind faith in the prioritization and remediation strategy put in place years ago. Yet security requires a bespoke approach tailored to every security team based on the organization's broader risk exposure. Not every "critical" alert from a security vendor is necessarily the biggest risk to that specific environment.

To accurately prioritize remediation and reduce risk, you must consider the entire attack surface. Understanding the relationships between exposures, assets, and users help you to determine which issues pose the greatest risk. When you take into account additional context, the "critical" finding may not be the biggest issue.

**Get Visibility Into Your Cloud Identity Infrastructure**

Next, visibility is key. To credibly identify the applied risk, you should do a comprehensive audit of all the identities and access control points in your cloud identity infrastructure. You need to know what resources you have in your environment, whether they're in the cloud or on-premises, how they're provisioned and configured, and other variables.

When securing the cloud, you can't only look at how cloud-specific resources are configured — you have to audit the identity aspect: virtual machines (VMs), serverless functions, Kubernetes clusters, and containers, for instance. One admin may have an account tied to AWS, an Active Directory account with a different role to log into their local systems, an account on GitHub, a Salesforce account, etc. You also have to consider things like the hygiene of the machines that the developers, DevOps, and IT teams are using. A successful phishing attack on a DevOps engineer can have a massive impact on the security posture of your cloud environments.

From there, you should map the relationships between identities and the systems they access. This is an important part of understanding your attack surface. Cloud-native application protection platforms (CNAPPs) are designed to help with this. Having a strong CNAPP platform gives the security team the ability to detect abnormal behavior around a particular identity and detect when configurations start to drift.

**Align Your Different Teams**

Once you have the identities and the relationships mapped out, you need to tie them to vulnerabilities and misconfigurations to determine where you are most vulnerable and start quantifying the applied risk. You can't create an effective remediation strategy without that.

But data and strategy will take you only so far. Teams tend to operate in silos, and each follows prioritization actions based on the specific software they are using, without communication with other teams or alignment on a holistic vision for minimizing risk. Because not every attack surface is the same, you need to structure the organization so that different skill sets can take mitigative action based on the variables specific to their environment.

When teams are coupled more closely, organizational risk drops. Let's say you have a cross-site scripting vulnerability in one of your Web applications. Wouldn't it make sense to prioritize any security or configuration issue associated with the infrastructure running that application? The inverse is also true. Does it not make more sense to address the vulnerability that is running in production or sitting on the Internet versus a vulnerability running in a dev environment with no chance of exploitation?

A large part of the reason security teams work in these silos is because the vendor landscape has kind of forced them to work this way. Until recently, there hasn't been a way to do the things I'm proposing here — at least not for anyone but the 1% of organizations that have vast security budgets and built in-house tools and teams.

To sum up, protecting identities — cloud and otherwise — requires adopting a mindset shift from compliance to a holistic security, applied risk approach that involves gaining visibility into your cloud infrastructure with CNAPP and aligning different teams on prioritizing remediation.

Securing Cloud Identities to Protect Assets and Minimize Risk

When investing in a unified endpoint management solution, prioritize the needs of your network and users ahead of brand names. This Tech Tip focuses on questions to ask.

A high-caliber, enterprise-grade unified endpoint management (UEM) solution is more critical than ever in today's remote, hybrid, and constantly fluctuating work landscape. If you're in procurement or finance, you're likely under a lot of pressure to choose the right one. You must drive operational efficiency through cost savings and overhead optimization.

For many organizations, Microsoft Intune (rebranded from Microsoft Endpoint Manager \[MEM\] and generally sold as part of an MS Enterprise License Agreement \[ELA\]) looks like a solid choice for endpoint management. It's a cloud-based solution with clear name recognition. Another plus: Microsoft's Intune plan pricing seems very approachable.

Other options have less name recognition than Microsoft but may be a better fit depending on an organization's needs. For example, according to G2, Ivanti Neurons for UEM gets high ratings for quality of support and ease of use. Atera offers particular expertise for small businesses. NinjaOne is rated well for being "a good partner in doing business."

The upshot: Organizations should not be making purchasing decisions based on brand name and pricing. Instead, companies should look beneath the surface before investing in technology, particularly in high-stakes scenarios with serious return on investment (ROI) potential.

**What to Ask Before Investing in a UEM Solution**

We cannot attempt to discuss the pros and cons of every major UEM solution available. With that in mind, here's what I recommend asking when evaluating a UEM solution:

1.  What type of devices will I be using the UEM solution for? Is it primarily mobile, mostly laptops or desktops, or a combination?
2.  Are my endpoints dispersed regionally, globally, or mostly on-site behind a perimeter?
3.  How is my IT help desk going to support and troubleshoot these devices? What is the additional cost per year to support?
4.  How many employees will be involved, and what's the cost per employee?
5.  What are the licensing agreements like? Do I need to buy a whole pie when I only want a slice?
6.  How is pricing structured? Will it scale based on usage?
7.  Do my employees exclusively use one type of device and operating system or a mix? If it's the latter, will the UEM solution work just as well regardless of the device type and OS used?
8.  Would my IT and security team benefit more from a central dashboard with a single-pane-of-glass view or integrated Mobile Threat Defense capabilities?
9.  How does the solution integrate with my other vendors/solutions and third-party apps?
10.  How many more IT employees will it take to manage? Does it require more servers?

Some of those questions might sound overly technical to those in finance and procurement, but your answers can significantly affect your true usability and costs.

**Get the Full Picture of Your Total Cost of Ownership**

As a rule, technology must suit the organization using it, and no technology solution is suitable for everyone. Total cost of ownership, for instance, is important, and it varies among solutions. Let's look at Intune as an example.

For all its strengths and lightweight supports on operating systems such as Android and macOS, Intune is not recommended for some verticals and businesses that require robust support on third-party applications. It is not intended as a complete systems-management platform. Part of the reason it might look like you're saving money by switching to Intune is because it's built primarily for a narrow subset of needs — and those needs are more cost-effective for Microsoft to handle.

Suppose you have diverse endpoints and many third-party apps to manage and integrate. In that case, you'll end up in a tough spot — either tolerating significant vulnerability or shelling out more for a comprehensive solution to pick up the slack. You'll also likely need to acquire additional software to run on certain operating systems. Furthermore, Microsoft charges additional costs per year for its Remote Help/Remote View of mobile devices.

There are more gaps like this, but perhaps most critically for finance, Microsoft Intune's pricing is based in part on the volume of data transmitted. These usage fees are challenging to predict and budget for and can add up. It becomes problematic when deciding between facilitating an unlimited flow of protected data or managing costs. Additionally, I've seen many enterprises having to buy more servers to manage Intune and hire additional administrators to manage those servers.

**The Bottom Line for Your Bottom Line**

In this example, Microsoft Intune is a fantastic option if:

*   You need a robust solution for lightweight mobile applications mainly on the same OS.
*   Your use case is straightforward enough that a single-pane-of-glass view isn't relevant.
*   The numbers look favorable based on your usage needs.

If you have more complicated requirements, perform due diligence to identify more flexible options.

Regardless of where you end up, do not go _without_ a UEM solution. Your company's security depends on it.

Understand the True Cost of a UEM Before Making the Switch

Categories: Exploits and vulnerabilities
Categories: News
Tags: iLeakage

Tags:  side-channel

Tags:  Safari

Tags:  CVE-2023-40413

Tags:  CVE-2023-40416

Tags:  CVE-2023-40423

Tags:  CVE-2023-42487

Tags:  CVE-2023-42841

Tags:  CVE-2023-41982

Tags:  CVE-2023-41997

Tags:  CVE-2023-41988

Tags:  CVE-2023-40447

Tags:  CVE-2023-42852

Tags:  CVE-2023-32434

Tags:  CVE-2023-41989

Tags:  CVE-2023-38403

Tags:  CVE-2023-42856

Tags:  CVE-2023-40404

Tags:  CVE-2023-41977

Tags:  Vim

Apple has released security updates for its phones, iPads, Macs, watches and TVs.



(Read more...)




The post Update now! Apple patches a raft of vulnerabilities appeared first on Malwarebytes Labs.

Apple has released security updates for its phones, iPads, Macs, watches and TVs.

Updates are available for these products:

*   iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later get iOS 17.1 or iPadOS 17.1.
*   iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later get iOS 16.7.2 or iPadOS 16.7.2.
*   iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) get iOS 15.8 or iPadOS 15.8.
*   Macs get one of macOS Sonoma 14.1, macOS Ventura 13.6.1, macOS Monterey 12.7.1, and Safari 17.1.
*   Apple TV HD and Apple TV 4K (all models) get tvOS 17.1.
*   Apple Watch Series 4 and later get watchOS 10.1.

The important vulnerabilities that have been addressed in this raft of updates are:

CVE-2023-40423, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges means the attacker would have the highest level of access to all machine resources.

CVE-2023-40413, a vulnerability in Find My that could allow another to read sensitive location information.

CVE-2023-40416, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.

CVE-2023-42847, a vulnerability in Passkeys could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account, without needing to create and remember a password.

CVE-2023-42841, a vulnerability in Pro Res could allow an app to execute arbitrary code with kernel privileges.

CVE-2023-41982, CVE-2023-41997, and CVE-2023-41988 are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.

CVE-2023-40447 and CVE-2023-42852 are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2023-32434 is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-41989 could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting options offered on a locked device. Root is the superuser account in many opeating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.

CVE-2023-38403 is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it's expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

CVE-2023-42856 could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I/O. Model I/O provides the ability to access and manage 3D models.

CVE-2023-40404 could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.

CVE-2023-41977 is a vulnerability in Safari that could allow a malicious website to reveal browsing history.

Notably absent from the bugs that have been fixed is iLeakage, a sophisticated side-channel attack in the Spectre family.

The updates above may already have reached you, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad or your Mac.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Apple patches a raft of vulnerabilities

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

CVE-2023-27170: CVE-2023-27170 - Improper Limitation of a Pathname to a Restricted Directory - Balwurk

Categories: Exploits and vulnerabilities
Categories: News
Apple has fixed a bunch of security flaws, but not iLeakage, a side-channel vulnerability in Safari.



(Read more...)




The post Patch...later? Safari iLeakage bug not fixed appeared first on Malwarebytes Labs.

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what's happening under the hood. It's like a thief looking at your house and concluding from the fact that there are no lights on and the car isn't in the driveway that you aren't home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU's microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lock Down mode that's available on Apple's Macs, phones, and tablets will disable iLeakage, but Lock Down mode can impact performance and, as Apple points out, "When Lockdown Mode is enabled, your device won’t function like it typically does."

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it's macOS only and it's not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a computer terminal window, which will be beyond many users' comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under "How can I defend against iLeakage." We suggest that unless you're a high value target you probably don't need to bother, and if you are a high value target you should enable Lock Down mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Patch...later? Safari iLeakage bug not fixed

The newly launched AI & ML Security Library allows developers to analyze the code used in machine learning systems to identify and address risks.

As part of "shift left" to incorporate security discussions earlier in the software development life cycle, organizations are beginning to look at threat modeling to identify security flaws in software design. With developers increasingly incorporating machine learning in their applications, threat modeling is necessary for identifying the risks to the organization.

"People are still grappling with the whole idea that when you use that very new technology \[machine learning\], it brings along a bunch of risk, as well," says Gary McGraw, co-founder of the Berryville Institute of Machine Learning. "I've been in the unenviable position of saying, 'Well, there's this risk, and there's that risk, and the sky is falling,' and everybody goes, 'Well, what am I supposed to do about that?'"

There have been many conversations about machine learning risk, but the difficulty lies in figuring out how to address them, McGraw says. Threat modeling – identifying the types of threats that can cause harm to the organization – helps organizations think through security risks in machine learning systems such as data poisoning, input manipulation, and data extraction. If developers could understand the security flaws in their designs by threat modeling, it would reduce the time spent on security testing during development and before production. NIST's Guidelines on Minimum Standards for Developer Verification of Software recommends threat modeling to look for design-level security issues.

IriusRisk’s threat modeling tool addresses this challenge by automating both threat modeling and architecture risk analysis. Developers and security teams can import the code into the tool to generate diagrams and threat models. Threat modeling templates make threat modeling accessible even to those not familiar with diagramming tools or risk analysis.

And the newly launched AI & ML Security Library allows organizations using IriusRisk to threat model the machine learning system they are planning in order to understand what the security risks are, as well as how to mitigate those risks.

“We're finally getting around to building machinery that people can use to address the risk and control the risk," says McGraw, who is also a member of IriusRisk’s advisory board. "When you put machine learning into your \[system\] design, and you're using IriusRisk, now you know what risks are involved and what to do about that."

**What ML Threat Modeling Looks Like**

IriusRisk's AI & ML Security Library helps organizations ask necessary questions. For example:

1.  Asking where the data being used to train the machine learning model came from. It's important to also ask whether anyone had the opportunity to embed incorrect or malicious data to make the machine do the wrong thing.
2.  Consider how the machine keeps learning once it is in production. Machine learning systems that are online and keep on learning from users are more dangerous than the ones that are not online. "It depends on who is using it. Is it your people? Is it bad people? Is it everybody on Twitter, or X?" McGraw says, noting there have been examples of past projects that had to be taken offline after it learned objectionable information.
3.  Ask if confidential information can be extracted from the machine. If you put confidential information into your machine learning algorithm, it is not protected by cryptographic means and can be extracted. "If you put the data in the machine, it's in the machine," McGraw says. "You need to think about making sure that people using your machine learning system cannot extract that confidential data."

The AI & ML Security Library is based on the BIML ML Security Risk Framework, a taxonomy of machine learning threats, as well as an architectural risk assessment of typical machine learning components developed by McGraw. The framework is designed to be used by developers, engineers, and designers creating applications and services that use machine learning in the early design and development phases of the project. With IriusRisk's library, everybody who is using machine learning can use BIML's framework.

The AI & ML Security Library is available to IriusRisk customers and those using the community edition of the platform.

**Time to Be Threat Modeling**

The AI & ML Security Library was developed in response to interest from organizations about how to analyze and secure AI and ML systems, according to Stephen de Vries, CEO of IriusRisk.

"We have seen a surge in interest from our customers in the finance and technology sectors for guidance on how to analyze, and secure design ML systems," de Vries said in a statement. "Since these are often new projects that are still in the design phase, performing threat modeling here adds a lot of value, because those teams will very quickly understand where the security goalposts are – and what they need to do in order to get there."

The library doesn't help organizations that don't have visibility into their machine learning use. Just as organizations can have shadow IT – where different business stakeholders set up their own servers and Web applications without IT oversight – they can also have shadow machine learning, McGraw says. Different departments are trying out new applications and tools, but there is a gap between what individual employees are using and what risks IT and security teams know about.

“Everybody's like, 'I don't think I have any machine learning in my organization,'" McGraw says. "But as soon as they find out that they do … they find it everywhere.”

Many organizations do not incorporate threat modeling during software design, and those that do rely on manual processes where a person analyzes the threats one at a time.

"If you have a mature threat modeling program and you're using a tool like IriusRisk, you can also now handle machine learning. So the people who are already doing the best are going to do even better," McGraw says. "What about the people who aren't doing threat modeling? Maybe they should start. It's not new. It's time to do it."

IriusRisk Brings Threat Modeling to Machine Learning Systems

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Tag

#mac