An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2022-11

Credit

Tudor Enache (CVE-2022-32974)

Phil Castellanos (CVE-2022-32973)

CVSSv3 Base / Temporal Score

7.5 / 6.7 (CVE-2018-25032)

6.5 / 5.7 (CVE-2022-25313)

7.5 / 6.5 (CVE-2022-25314)

9.8 / 8.5 (CVE-2022-25315)

9.8 / 8.5 (CVE-2022-25235)

9.8 / 8.5 (CVE-2022-25236)

9.8 / 8.5 (CVE-2022-23990)

9.8 / 8.5 (CVE-2022-23852)

6.1 / 5.3 (CVE-2021-41182)

6.1 / 5.3 (CVE-2021-41183)

6.1 / 5.3 (CVE-2021-41184)

8.4 / 7.6 (CVE-2022-32973)

4.2 / 3.8 (CVE-2022-32974)

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C (CVE-2018-25032)

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25313)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25314)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25315)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25235)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25236)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23990)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23852)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41182)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41183)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41184)

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H (CVE-2022-32973)

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:H/MPR:H/MUI:R/MS:U/MC:H/MI:N/MA:N (CVE-2022-32974)

****FREE FOR 30 DAYS****

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

**Buy Tenable.cs**

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

CVE-2022-32973: [R2] Nessus Version 10.2.0 Fixes Multiple Vulnerabilities

In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.

All Vulnerability Reports

**CVE-2022-22979: Spring Cloud Function Dos Vulnerability**  
**Severity**

High

**Vendor**

Spring by VMware

**Description**

In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog component of the framework. At the time of writing of this CVE such interaction is only possible via spring-cloud-function-web module.

**Affected VMware Products and Versions**

Severity is high unless otherwise noted.

*   Spring Cloud Function
    *   3.2.5
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should upgrade to 3.2.6. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Cloud Function
    *   3.2.6

**Credit**

This vulnerability was initially discovered and responsibly reported by Yaniv.Nizry@checkmarx.com.

**References**

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H
*   https://cwe.mitre.org/data/definitions/770.html
*   https://cwe.mitre.org/data/definitions/497.html

**History**

2022-06-15: Initial vulnerability report published.

CVE-2022-22979: CVE-2022-22979 | Security

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Multiple Autodesk products have been affected by Use After Free, Out-of-bound-write, Stack-based Buffer, Memory Corruption, and Buffer Overflow vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-25789 - A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

2) CVE-2022-25790 - A maliciously crafted DWF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 can be used to write beyond the allocated boundaries when parsing the DWF files. Exploitation of this vulnerability may lead to code execution.

3) CVE-2022-25791 - A Memory Corruption vulnerability for DWF and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 may lead to code execution through maliciously crafted DLL files.

4) CVE-2022-25792 - A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability can be exploited to execute arbitrary code.

5) CVE-2022-25796 - A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6) CVE-2022-27528 - A maliciously crafted DWFX and SKP files in Autodesk Navisworks 2022, 2020, and 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution

7) CVE-2022-27868 - A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac LT

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

In addition, users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk® Navisworks® includes security updates that address the DWF, and DWFX file vulnerabilities. As a general best practice, we also recommend that customers only open DWF, or DWFX files from trusted sources.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25796, CVE-2022-27528
*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-25789
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-27868

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

2/28/2022

Initial Release of the Security Advisory

1.1

3/31/2022

Update of the Security Advisory for Addition to Navisworks and AutoCAD supported versions in Product Table

1.2

4/25/2022 

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table and CVE-2022-27868 description

1.3

4/28/2022 

Update of the Security Advisory for Addition to Navisworks 2020 supported version in Product Table

1.4

5/25/2022 

Update of the Security Advisory for Addition to Navisworks 2019 supported version in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27868: Security Advisories | Autodesk Trust Center

The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection.

I recently researched a relatively new 5G-capable modem from Quectel: the RG500Q-EA. I identified a security issue with how the OTA download procedure operates which allows an attacker to execute commands on the modem as root.

**Previous research**

I've previously posted about an issue affecting older Quectel modems present in the PinePhone. The issue, which was assigned the CVE ID CVE-2021-31698, is similar to the one described in this article. The article presents some background on how the modem and the mainboard (the "host" machine) communicate - usually, the mainboard sends AT commands over a serial line to the modem, which runs its own black-box operating system entirely independent of the mainboard. These AT commands are parsed by a daemon running on the modem, which then indicates whether the command executed successfully and optionally returns some data.

**Analyzing the daemon**

In the previously mentioned issue, I described that the AT commands were parsed by a daemon on the modem called atfwd_daemon. While this is still technically somewhat true, a bulk of the core functionality is offloaded to other components or libraries. Some AT commands are executed by the modem's QDSP processor, which is at the time of writing still quite difficult to reverse engineer. The library we're interested in is libql_atcop.so, which is an ARMv8 shared library present on the modem's host OS.

I identified the vulnerable command AT+QFOTADL. In practice, this command is used to point to an OTA download link, for example:

    AT+QFOTADL="https://sif.ee/Quectel-OTA.bin"
    

The modem downloads the OTA, extracts it, verifies whether it's installable, and finally installs it on the modem device.

This command is handled in libql_atcop.so by a procedure named ql_exec_qfotadl_cmd_proc():

This procedure first matches the provided schema and checks to see which protocol is being used (plain HTTP, HTTPS, or FTP):

Code flow is then passed to another procedure, which formats the provided URL into a system command using snprintf() and initiates the download:

Disassembling the binary further revealed that there is no user input sanitization in place and the provided user input is used in the command as-is, which is executed using system() (provided by a wrapper function in another library).

**Code execution**

From this, we can deduce that arbitrary command execution is possible. We can, for example, enter a valid schema and use backticks to execute our commands in a subshell. As an example, to reboot the modem:

    AT+QFOTADL="http://`reboot`"
    

Due to the fact that the daemon runs as root, the code is also being executed as the root user on the modem.

As an example, in this Asciinema recording, I use the nc binary present to establish a reverse shell (over 5G!) to my server.

It's very possible that this vulnerability affects other Quectel products as well, as firmware is commonly reused, but I do not possess other hardware to test it on. Most probably, it affects all RG50xQ products, if not more. Vendor did not clarify which products this vulnerability affects.

**Timeline**

*   **22/02/2022** - Attempted to contact vendor
*   **23/02/2022** - Vendor confirmed vulnerability
*   **23/02/2022** - Vendor informs of fix in codebase
*   **25/02/2022** - Assigned ID CVE-2022-26147
*   **14/06/2022** - Notified vendor of imminent public disclosure of vulnerability, no response from vendor
*   **21/06/2022** - Article published

CVE-2022-26147: Code execution as root via AT commands on the Quectel RG500Q-EA 5G modem

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

**Summary**

Applications and Services that utilize versions of PDFTron prior to 9.1.17 may be impacted by Heap-based Buffer Overflow, and Untrusted Pointer Dereference vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-27871: Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

2) CVE-2022-27872 : A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022. The vulnerability exists because the application fails to handle a crafted PDF file, which causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions\***

**Update Source**

Revit®

2022, 2021, 2020 

2022.1.2, 2021.1.6, 2020.2.8

Autodesk Desktop App, or Accounts Portal

Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD®

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Architecture

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Electrical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Map 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mechanical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® MEP

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Plant 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® LT

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mac

2022

2022.2.2

Autodesk Knowledge Network

AutoCAD® LT for Mac

2022

2022.2.2

Autodesk Knowledge Network

Autodesk ® Design Review

2018

2018 Hotfix 6

Autodesk Knowledge Network

Autodesk® 3ds Max®

2022, 2021

2022.3.3, 2021.3.8

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends that users of the affected products listed above apply the available hotfix for their version via the Autodesk Desktop App or the Accounts Portal. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

In addition, users of the 2019, 2020, 2021 and 2022 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD®, AutoCAD LT 2022 Updates via the Autodesk Desktop App or Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

Users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk ® Navisworks ® includes security updates that address the PDF file vulnerabilities. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

Customers using previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-27871 and CVE-2022-27872

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

5/25/2022

Initial Release of Security advisory

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27871: Security Advisories | Autodesk Trust Center

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

AI can help companies more effectively identify and respond to threats, as well as harden applications.

Much has been made of the use of artificial intelligence in security. Some experts will tell you it is the single biggest key to success, while others will tell you that AI is little more than marketing jargon without any real-world value. I think the truth is somewhere in the middle. AI absolutely has a place in security, but it is not a silver bullet. With that said, there are three primary ways that organizations should be using AI to act as a force multiplier for security teams.

**1\. Attack Prevention**

The use of AI in security should be very focused on multiplying the efforts of security teams, especially considering the current shortage of security skills.

A recent report from JupiterOne found that security teams are responsible for more than 165,000 cyber assets across cloud workloads, devices, network assets, applications, data assets, and users. Trying to defend that many assets is a daunting task. In fact, according to a report by Capgemini Research Institute, 61% of organizations said they would not be able to identify critical threats without AI.

AI and machine learning can reduce the workload for analysts by automatically sifting through data logs and identifying relevant threats. When used effectively, artificial intelligence will not only alert security professionals to threats but also will classify types of attack, allowing security teams to prepare appropriate responses. With this type of ongoing, comprehensive analysis of behavior patterns, analysts can manage even complex threats with far less manual effort, reducing mistakes made due to burnout and exhaustion.

**2\. Intrusion Detection**

Prevention and detection go hand in hand because, as all security professionals know, a determined and skilled attacker will get in eventually. Identifying such a breach is highly dependent on anomaly detection, and this is another security area where AI shines. AI doesn’t get bored and tired like humans do while scanning through the never-ending tedium of operations logs looking for odd behavior.

AI can be even more help when it comes to alert fatigue, a boogeyman of our own creation. Our efforts to identify every possible threat has resulted in an overwhelming number of security alerts. However, most of the alerts that hit the security operations center are false positives that security teams have to wade through to find actual threats. AI can be used to help security teams spend their time and energy wisely by identifying which alerts need immediate attention, which can wait, and which can be ignored entirely.

**3\. Application Security and Developer Productivity**

One of the often-overlooked use cases for AI is application security. In today's competitive climate, companies are constantly launching new apps and updates. It's easy for AppSec teams to fall behind, and these challenges only snowball when vulnerabilities within code are discovered and both AppSec and development teams must divert their time and attention to remediating the issue.

As with attack prevention and intrusion detection, the key value proposition for AI in AppSec is acting as a force multiplier by taking on repetitive and menial tasks. Ensuring the delivery of a secure application involves going through hundreds or thousands of security findings to uncover relationships and gain insight into the risk a vulnerability represents. AI can significantly reduce the time AppSec teams sit with each new application launch or update so that they can focus on more intensive and important tasks.

**Conclusion**

There may be a day when AI is a security savior, but, for the time being, it can be incredibly valuable in helping security teams make sense of the mountains of data an enterprise generates and in ensuring that applications are launched securely.

AI Is Not a Security Silver Bullet

An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.
The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and

An advanced persistent threat (APT) actor codenamed **ToddyCat** has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.

The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain.

Other prominent countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, just as the threat actor evolved its toolset over the course of different campaigns.

"The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," Russian cybersecurity company Kaspersky said in a report published today.

"The malware allows arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network."

ToddyCat, also tracked under the moniker Websiic by Slovak cybersecurity firm ESET, first came to light in March 2021 for its exploitation of ProxyLogon Exchange flaws to target email servers belonging to private companies in Asia and a governmental body in Europe.

The attack sequence post the deployment of the China Chopper web shell leads to the execution of a dropper that, in turn, is used to make Windows Registry modifications to launch a second-stage loader, which, for its part, is designed to trigger a third-stage .NET loader that's responsible for running Samurai.

The backdoor, besides using techniques like obfuscation and control flow flattening to make it resistant to reverse engineering, is modular in that it the components make it possible to execute arbitrary commands and exfiltrate files of interest from the compromised host.

Also observed in specific incidents is a sophisticated tool named Ninja that's spawned by the Samurai implant and likely functions as a collaborative tool allowing multiple operators to work on the same machine simultaneously.

Its feature similarities to other post-exploitation toolkits like Cobalt Strike notwithstanding, the malware enables the attacker to "control remote systems, avoid detection, and penetrate deep inside a targeted network."

Despite the fact that ToddyCat victims are related to countries and sectors traditionally targeted by Chinese-speaking groups, there is no evidence tying the modus operandi to a known threat actor.

"ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile," Kaspersky security researcher Giampaolo Dedola said.

"The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers

maccms8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-31302: There are four storage XSS vulnerabilities · Issue #1 · maccmspro/maccms8

maccms10 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

Tag

#mac