By Habiba Rashid
Researchers at Sophos X-Ops Rapid Response (RR), Mandiant, and SentinelOne have confirmed Microsoft's blunder.
This is a post from HackRead.com Read the original post: Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.

Remember when, in 2021, **a report surfaced** that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.

Sophos X-Ops Rapid Response (RR) recently discovered evidence which proves that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. 

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.

However, cybercriminals have long since found approaches to **exploit vulnerabilities** found in existing Windows drivers from legitimate software publishers. These hackers make an effort to progressively move up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers. 

**Sophos** along with researchers from **Google-owned Mandiant** and SentinelOne warned Microsoft about these signed malicious drivers which were being planted into targeted machines using a variant of the BurntCigar loader utility. These two then worked in tandem to kill processes associated with **antivirus (AV)** and endpoint detection and response (EDR) products. 

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft **said in an advisory** published as part of its monthly scheduled release of security patches, known as Patch Tuesday.

On left is a valid signature identified by Mandiant – On the right is a valid signature identified by Sophos

Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. Moreover, they released Windows security updates to revoke the abused certificates. 

Mandiant’s report is available **here**. In SentinelOne’s **blog post**, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.

The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, **SIM swapping was the end goal**.

Code signing overview

Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to **a joint advisory** earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.

This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has **not been an easy task for Microsoft**.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **BlueBleed Breach Microsoft Exposed 2.4 TB of Customer Data**
3.  **Microsoft security patch bypassed to drop Formbook malware**
4.  **Retired Software Boa Exploited To Target Power Grids, Microsoft**
5.  **Malware Apps Signed with Hacked Android Platform Certificates**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Microsoft-Signed Drivers Helped Hackers Breach System Defenses

**SANTA ROSA, Calif.--**(BUSINESS WIRE)--Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, announced the new APS-M8400 Modular Network Cybersecurity Test Platform, which provides data center network equipment manufacturers (NEM) and operators with the industry’s highest density 8-port 400GE Quad Small Form Factor Pluggable Double Density (QSFP-DD) network security test platform.

Data center operators and service providers are facing exponential growth in encrypted traffic volumes and security threats driven by increases in video streaming, cloud computing, artificial intelligence (AI), machine learning (ML), and internet of things (IoT) devices. In addition, with the introduction of 400GE, critical infrastructure is placed under even greater demand as these growing volumes of encrypted traffic are being delivered at unprecedented speed. To meet these requirements, data center NEMs and operators need tools that can validate that their products and services support hyperscale loads without compromising security and usability.

Keysight’s APS-M8400 addresses this challenge by delivering a modular, 400GE network security test platform that aggregates compute and field programmable gate array (FPGA) resources to deliver hyperscale application and cybersecurity test and validation.

The APS-M8400 test platform offers the following benefits:

*   **Industry leading 400GE port density:** The APS-M8400 offers the ability to test 8 x 400GE QSFP-DD, supporting industry moves from 100GE to 400GE without the need for additional switches or infrastructure.
*   **Ease of management:** The APS-M8400 provides a centralized, “single pane of glass” management of up to 16 compute nodes reducing the management learning curve and simplifying system upgrades and maintenance.
*   **Flexible testing options:** The APS-M800 offers flexible aggregation of compute and FPGA resources to optimize the performance and scalability requirements for any simulated workload, using one or multiple 400GE test interfaces.
*   **Hyperscale performance:** The APS-M8400 can drive hyperscale application and cybersecurity test performance, including encrypted traffic loads, to effectively emulate the rigorous demands put upon data center and service provider infrastructure. This platform can generate up to 3+ Tbps of Layer 4-7 traffic, 5+ billion concurrent connections, 2.4 Tbps of transport layer security (TLS) traffic, and 2.4 million TLS connections per second.
*   **Scalable solution:** The APS-M8400 is designed as a “pay-as-you-grow" solution, allowing users to build out a system that supports today’s test needs and spending constraints, with the flexibility to add capacity as requirements change and budgets allow.

**John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said:** “The world’s fastest NGFWs need an equally nimble testing platform to validate their capabilities. Fortinet is the only vendor delivering 400GE interface speeds on a hyperscale firewall via the FortiGate 7121F, 4800F, and 3700F. Keysight’s groundbreaking 8x400GE APS-M8400 cybersecurity test platform delivers the port density, multi-terabit application and TLS throughput rates, and session scalability that help Fortinet test and validate the performance and real-time threat protection our customers expect.”

**Ram Periakaruppan, Vice President and General Manager, Keysight's Network Test and Security Solutions, said:** “Data center NEMs and operators face conflicting demands to produce solutions that support ever increasing data volumes and traffic speeds driven by new standards like 400GE, while protecting systems against a growing, dynamic cybersecurity threat landscape - all without breaking the bank. Keysight’s APS-8400 meets these teams where they are, delivering hyperscale application and cybersecurity test loads via an industry leading 8 x 400GE of test port density in a flexible solution that allows users to add test capacity as demands and budgets change."

**Resources**

*   APS-M8400 Network Cybersecurity Test Platform

**About Keysight Technologies**

Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world. Keysight’s dedication to speed and precision extends to software-driven insights and analytics that bring tomorrow’s technology products to market faster across the development lifecycle, in design simulation, prototype validation, automated software testing, manufacturing analysis, and network performance optimization and visibility in enterprise, service provider and cloud environments. Our customers span the worldwide communications and industrial ecosystems, aerospace and defense, automotive, energy, semiconductor and general electronics markets. Keysight generated revenues of $5.4B in fiscal year 2022. For more information about Keysight Technologies (NYSE: KEYS), visit us at www.keysight.com.

Additional information about Keysight Technologies is available in the newsroom at https://www.keysight.com/go/news and on Facebook, LinkedIn, Twitter and YouTube.

Keysight Announces 400GE Network Cybersecurity Test Platform

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Advisory ID: VMSA-2022-0033

CVSSv3 Range: 5.9-9.3

Issue Date: 2022-12-13

Updated On: 2022-12-13 (Initial Advisory)

CVE(s): CVE-2022-31705

Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)

****1\. Impacted Products****

*   VMware ESXi
*   VMware Workstation Pro / Player (Workstation)
*   VMware Fusion Pro / Fusion (Fusion)
*   VMware Cloud Foundation

****2\. Introduction****

A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products.  

****3\. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)****

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

To remediate CVE-2022-31705 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds for CVE-2022-31705 have been listed in the 'Workarounds' column of the 'Response Matrix' below.  

VMware would like to thank the organizers of GeekPwn 2022 and Yuhao Jiang for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi

8.0

Any

CVE-2022-31705

5.9

moderate

ESXi80a-20842819

KB87617

None

ESXi

7.0

Any

CVE-2022-31705

5.9

moderate

ESXi70U3si-20841705

KB87617

None

Fusion

13.x

OS X

CVE-2022-31705

N/A

N/A

Unaffected

N/A

N/A

Fusion

12.x

OS X

CVE-2022-31705

9.3

critical

12.2.5

KB79712

None

Workstation

17.x

Any

CVE-2022-31705

N/A

N/A

Unaffected

N/A

N/A

Workstation

16.x

Any

CVE-2022-31705

9.3

critical

16.2.5

KB79712

None

**Impacted Product Suites that Deploy Response Matrix Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x/3.x

Any

CVE-2022-31705

5.9

moderate

KB90336

KB87617

None

****4\. References****

****5\. Change Log****

**2022-12-13 VMSA-2022-0033**  
Initial security advisory.

****6\. Contact****

CVE-2022-31705: VMSA-2022-0033

Version 2.0 of the Common Security Advisory Framework will enable organizations to automate vulnerability remediation.

Today, nearly every party that issues security advisories uses its own format and structure. Plus, most security advisories are only human-readable, not machine-readable.

System administrators have to read each advisory, determine if they use the products and versions listed, and evaluate the potential risk and existing mitigations. Based on their system's exposure and the business value, they make a decision about if and when to patch.

It’s a time-consuming process that delays vulnerability remediation and increases risk. Vendors and providers of software and hardware need to disclose security vulnerabilities in a way that accelerates this process and empowers customers to use automation.

**The New Standard for Security Advisories**

The Common Security Advisory Framework (CSAF) 2.0 supports the automation of vulnerability management by standardizing the creation and distribution of structured machine-readable security advisories.

CSAF is an official standard of OASIS Open. The technical committee that developed CSAF includes numerous public- and private-sector technology leaders, users, and influencers.

Manufacturers can use CSAF to standardize the format, content, distribution, and discovery of security advisories. These machine-readable JSON documents enable administrators to automate the comparison of advisories against a user’s asset database or even a supplier's software bill of materials (SBOM) database.

The automated system can filter vulnerabilities based on the products of interest and prioritize based on business value and exposure. This dramatically speeds up the evaluation process and enables administrators to focus on managing risk and fixing vulnerabilities.

**CSAF, VEX, and SBOMs**

Vulnerability Exploitability eXchange (VEX) is a profile in CSAF. VEX was developed in the SBOM community as a way for manufacturers to easily convey that a product is not affected by issuing a so-called negative security advisory. VEX is designed to work with SBOMs, although it is not necessary to have an SBOM to use VEX documents.

A VEX document must include information about the disposition of each vulnerability as it impacts each product. A product can be marked as under investigation, fixed, known affected, or known not affected. For those products that are marked as known not affected, VEX requires that the publisher include a justification for that status.

Being able to communicate the various statuses of a vulnerability — including under investigation and not affected — means customers can get that information without calling the vendors or manufacturers, which will be a relief to customer support. Moreover, it enables customers to better manage vulnerability risk.

When paired with an SBOM, VEX documents enable administrators to use asset management systems to quickly determine what vulnerabilities are not exploitable, which frees them to focus on any vulnerabilities that could put their businesses at risk.

**Other CSAF Profiles**VEX is one of five profiles in the CSAF schema. Each profile has certain required fields and is designed to address a specific need.

The CSAF base profile serves as the foundation for all of the other profiles. It defines the default required fields for any CSAF document — primarily information about the document itself, such as who published it, when it was published, and if it has been revised.

The security advisory profile includes information that we see in most security advisories today — details about the vulnerability, products affected, and remediations.

The informational advisory profile can be used to provide information about a security issue that is not a vulnerability, such as a misconfiguration.

Finally, the security incident response profile can be used to provide information about a security breach or incident that happened at the company, or about the impact that an incident involving another party (like a contractor or component manufacturer) had on the company.

**CSAF Tools and Guidance**

CSAF defines conformance targets that help consumers and producers to find the right tool for their requirements. The OASIS CSAF technical committee also developed a suite of tools for using CSAF, including:

*   Secvisogram is an online editor to create, update, and view CSAF documents. It also can produce a human-readable version of the document.
*   CSAF CMS back end is a work-in-progress implementation of a CSAF content management system. The system will support producers of CSAF documents by providing workflows and automation of metadata creation.
*   CSAF validator service is a REST-based service that implements the CSAF full validator target. It tests a given CSAF file according to the specification.
*   CSAF Provider is an implementation of the role CSAF Trusted Provider and offers a simple HTTPS-based management service. It acts as a static site generator to present CSAF files as required by the standard.
*   CSAF Checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard. It checks requirements without considering the indicated role.
*   CSAF Downloader is a tool for downloading advisories from a CSAF provider.

To help issuing parties to write actionable CSAF documents, there is guidance for each field, which can be found here.

CSAF Is the Future of Vulnerability Management

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day vulnerability in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week's Patch Tuesday.

**Microsoft** has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various **Windows** operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in **PowerShell**, and a dangerous flaw in **Windows 11** systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for **Azure**, **Microsoft Edge,** **Office**, **SharePoint Server**, **SysInternals**, and the **.NET framework**. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,  
said **Greg Wiseman**, product manager at security firm **Rapid7**. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

**Kevin Breen** at **Immersive Labs** said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, **Trend Micro’s Zero Day Initiative** highlights CVE-2022-44713, a spoofing vulnerability in **Outlook for Mac**.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s **Dustin Childs** wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive\_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, **Sophos**, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group **Cuba**, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, **Apple** released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including  a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining **Fortinet** or **Citrix** remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, December 2022 Edition

SAP@ Host Agent suffers from a privilege escalation vulnerability.

SAP@ Host Agent Privilege Escalation

Red Hat Security Advisory 2022-8973-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, code execution, memory leak, out of bounds write, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:8973-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8973  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639 CVE-2022-2959   
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-26373   
                   CVE-2022-29900 CVE-2022-29901 CVE-2022-43945   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

* kernel: watch queue race condition can lead to privilege escalation  
(CVE-2022-2959)

* kernel: nfsd buffer overflow by RPC message over TCP with garbage data  
(CVE-2022-43945)

* hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka  
SBDS) (CVE-2022-21125)

* hw: cpu: incomplete clean-up in specific special register write  
operations (aka DRPW) (CVE-2022-21166)

* hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-23816, CVE-2022-29900)

* hw: cpu: AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
(CVE-2022-26373)

* hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* sched/pelt: Fix attach_entity_load_avg() corner case (BZ#2105360)

* RHEL9[fleetwood][P9]:kdump fails to capture vmcore when crash is  
triggered while running forkoff. (BZ#2109144)

* ISST-LTE:[P10 Everest] [5.14.0-70.9.1.el9_0.ppc64le] HPT:RHEL9.0:ecolp95:  
lpar crashed at __list_del_entry_valid+0x90/0x100 and LPM failed  
(BZ#2112823)

* [rhel9] livepatch panic: RIP: 0010:0xffffffffc0e070c4  
seq_read_iter+0x124/0x4b0 (BZ#2122625)

* System crashes due to list_add double add at  
iwl_mvm_mac_wake_tx_queue+0x71 (BZ#2123315)

* [Dell EMC 9.0 BUG] Any process performing I/O doesn't fail on degraded  
LVM RAID and IO process hangs (BZ#2126215)

* [HPEMC RHEL 9.0 REGRESSION] net, e810, ice: not enough device MSI-X  
vectors (BZ#2126491)

* RHEL9.0 - zfcp: fix missing auto port scan and thus missing target ports  
(BZ#2127874)

* Enable check-kabi (BZ#2132372)

* Add symbols to stablelist (BZ#2132373)

* Update RHEL9.1 kabi tooling (BZ#2132380)

* kABI: Prepare the MM subsystem for kABI lockdown (BZ#2133464)

* [Dell Storage 9.1 BUG] NVME command hang during storage array node reboot  
(BZ#2133553)

* WARNING: CPU: 116 PID: 3440 at arch/x86/mm/extable.c:105  
ex_handler_fprestore+0x3f/0x50 (BZ#2134589)

* crypto/testmgr.c should not list dh, ecdh-nist-p256, ecdh-nist-p384 as  
.fips_allowed = 1 (BZ#2136523)

* FIPS self-tests for RSA pkcs7 signature verification (BZ#2136552)

* [ovs-tc] Bad length in dpctl/dump-flows (BZ#2137354)

* [RHEL9] s_pf0vf2: hw csum failure for mlx5 (BZ#2137355)

* kernel memory leak while freeing nested actions (BZ#2137356)

* ovs: backports from upstream (BZ#2137358)

* kernel should conform to FIPS-140-3 requirements (both parts)  
(BZ#2139095)

* [DELL EMC 9.0-RT BUG] System is not booting into RT Kernel with perc12.  
(BZ#2139214)

* Fix panic in nbd/004 test (BZ#2139535)

* Nested KVM is not working on RHEL 8.6 with hardware error 0x7  
(BZ#2140141)

* [RHEL9] Practically limit "Dummy wait" workaround to old Intel systems  
(BZ#2142169)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()  
2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW)  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2103681 - CVE-2022-2959 kernel: watch queue race condition can lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
2141752 - CVE-2022-43945 kernel: nfsd buffer overflow by RPC message over TCP with garbage data

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.36.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.36.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.36.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.36.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.36.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.36.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.36.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.36.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.36.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2959  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-43945  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j9+dzjgjWX9erEAQjSXxAAhEihoM+2Y0PUAdnoM55yPu0hNbruEYor  
/a+0kD2hhj9jeHm0ixX7bEa6g4dFRRVHxCGjPkvCuxmwB2+z27XWyDssyGP6NHG9  
z4hKa2yFVG0QCNDxum2FjF8GVhHELESuuGm+9ouJ6y18YUSkbmVts08PBa2pA79v  
0HLCMg7lHqdVIpgJ1eUIWBxU9t9yd09NZazyQEx4nKuAw44tJvljw96xpxp1Nnhe  
pIMsceSrmT3HYuhkhqaScT5gy0MHKSbLC8iJeX54UFJeY/tD2XX7DwdAB1jdxEv3  
8+vkmkgNFmCcxQlryjANle7URr/Z2i5An0ejRTN9tL1fWxB6UJbsU55x2zjQQBRs  
u90Yingm1b5vwEQp7+J0R1tSW34MnXwBcP8lU0ZTeZ6c7gaRkHArJpEfDXndJUDy  
OjGf5OI93n1ixyLUgCAF6/jwUNRy+yGWiqvvaHD4pJb79O/IESotOFxNWZ3vYPfL  
QElAENKuEF0SiS3gTe/2RZ5I+wIpnrdGmTkS4as4kyb1zvSERJY2eTC6UDQgMi15  
8u8yxMqpdtYO8+4knYwSDxYaplH+cC6Ktxso8cpskOdOstSChWC6plblOvGfRFTA  
VeDwyTZ3bG0v7WKZJ0Xl3L3ZR9yDz3XSUBADx2PN8VdyoetCFX7xgDPK7fL2rhvV  
jBvWwm6iwuc=  
=qCP1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8973-01

Red Hat Security Advisory 2022-8974-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, code execution, out of bounds write, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:8974-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8974  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639 CVE-2022-2959   
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-26373   
                   CVE-2022-29900 CVE-2022-29901 CVE-2022-43945   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.9.0) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

* kernel: watch queue race condition can lead to privilege escalation  
(CVE-2022-2959)

* kernel: nfsd buffer overflow by RPC message over TCP with garbage data  
(CVE-2022-43945)

* hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka  
SBDS) (CVE-2022-21125)

* hw: cpu: incomplete clean-up in specific special register write  
operations (aka DRPW) (CVE-2022-21166)

* hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-23816, CVE-2022-29900)

* hw: cpu: AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
(CVE-2022-26373)

* hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z5 Batch  
(BZ#2137580)

* [DELL EMC 9.0-RT BUG] System is not booting into RT Kernel with perc12  
[kernel-rt] (BZ#2139864)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()  
2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW)  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2103681 - CVE-2022-2959 kernel: watch queue race condition can lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions  
2141752 - CVE-2022-43945 kernel: nfsd buffer overflow by RPC message over TCP with garbage data

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-kvm-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.36.1.rt21.108.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2959  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-43945  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5j98NzjgjWX9erEAQgJMg//YsMeDDnxaD5147QWtdvcUXAEPUwgTclc  
q1S5Csnsli/lgNjEJxENBGin22RzGKBue9dl7BbKUQMTTYyrzZcnY75g7J6/tOzw  
UmhtxESE7Zge4ghgHtuTRpG5QEWvh73SYfFUyeIwby0QM6ONJX2nXViA88JXrnke  
Eggo5lSUOBjhvJZgWfx8VSCBWjshMdy7Lin0B+gGQuaQCumacHxNPNaHM/11j7bg  
2PXxqjleqhD1eyGfj9W1REd4HiE+6WYKT4OS3mPDESbv7lbEVMOxGgi0dBbt6JI3  
m8/bqoMh48fEAlf7H0UWw9/R/mY7zY2UMsAj10RHXMSeNr/QkNxzxNIJ7SYFU13C  
EKMEnUw/vS4JWET/JUgrsxu08sP9oD3IwQtPTJWTrq/mhBUdHlYjxkZADtk03XHk  
Y7GXVNeJe66XnJACQnlHuWtqTE6WidbM30Rc3wI0SAfx0hcYAPgoGfQWX7EFTp8s  
UlMyN7wd8qGbceNw6uk/k3rPcWW3EGeNw6HsUhN9eIVdRBBnlAk/i/O5ofShSYRr  
jctm+3T/7x04oFGJFo56wNfkyTy8W6Lj4Oxr7us7cJFJBW5l+T52re3XtIA0Uaib  
An7Ka+5uBvmooYnCQJyR4qnpNXB+Csdav+vOfrT5EKVvh33YlyB0O792J9EGqgSB  
CW+f3k/Ec3g=  
=3xRb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8974-01

Ransom.Win64.AtomSilo malware suffers from a cryptography logic flaw.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5559e9f5e1645f8554ea020a29a5a3ee.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Ransom.Win64.AtomSiloVulnerability: Crypto Logic FlawFamily: AtomSiloType: PE64MD5: 5559e9f5e1645f8554ea020a29a5a3eeVuln ID: MVID-2022-0666Disclosure: 12/14/2022Description: AtomSilo ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample.E.g. Test.exe.docxTest.exe.pdfTested successfully in a virtual machine environment.PoC Video:https://www.youtube.com/watch?v=xyBt9Ppb-xcExploit/PoC:Create files with ".exe" within the filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom.Win64.AtomSilo MVID-2022-0666 Cryptography Logic Flaw

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

**Taking the Crown as a Rapidly Evolving Threat**

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

**A New Twist on Partial Encryption**

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call _GetNativeSystemInfo_ to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

**Shielding the Enterprise From a Royal Threat**

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

_"_Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

Tag

#mac