A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.

commit 9fbe5c87eaa9b72db08425c52c373eb5f6537a0a Author: Greg Kroah-Hartman Date: Thu Apr 2 08:02:32 2020 +0200 Linux 5.6.2 commit cea1c66b816e4f13ad7609cd0082e8f1ff98de0f Author: Georg Müller Date: Mon Feb 3 21:11:06 2020 +0100 platform/x86: pmc\_atom: Add Lex 2I385SW to critclk\_systems DMI table commit 95b31e35239e5e1689e3d965d692a313c71bd8ab upstream. The Lex 2I385SW board has two Intel I211 ethernet controllers. Without this patch, only the first port is usable. The second port fails to start with the following message: igb: probe of 0000:02:00.0 failed with error -2 Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK\_IS\_CRITICAL") Tested-by: Georg Müller Signed-off-by: Georg Müller Reviewed-by: Hans de Goede Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 4d8b01733206b8016f6f5c853fdf02ec07f8e25c Author: Eric Biggers Date: Sat Mar 21 20:43:05 2020 -0700 vt: vt\_ioctl: fix use-after-free in vt\_in\_use() commit 7cf64b18b0b96e751178b8d0505d8466ff5a448f upstream. vt\_in\_use() dereferences console\_driver->ttys\[i\] without proper locking. This is broken because the tty can be closed and freed concurrently. We could fix this by using 'READ\_ONCE(console\_driver->ttys\[i\]) != NULL' and skipping the check of tty\_struct::count. But, looking at console\_driver->ttys\[i\] isn't really appropriate anyway because even if it is NULL the tty can still be in the process of being closed. Instead, fix it by making vt\_in\_use() require console\_lock() and check whether the vt is allocated and has port refcount > 1. This works since following the patch "vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console" the port refcount is incremented while the vt is open. Reproducer (very unreliable, but it worked for me after a few minutes): #include #include int main() { int fd, nproc; struct vt\_stat state; char ttyname\[16\]; fd = open("/dev/tty10", O\_RDONLY); for (nproc = 1; nproc < 8; nproc \*= 2) fork(); for (;;) { sprintf(ttyname, "/dev/tty%d", rand() % 8); close(open(ttyname, O\_RDONLY)); ioctl(fd, VT\_GETSTATE, &state); } } KASAN report: BUG: KASAN: use-after-free in vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] BUG: KASAN: use-after-free in vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 Read of size 4 at addr ffff888065722468 by task syz-vt2/132 CPU: 0 PID: 132 Comm: syz-vt2 Not tainted 5.6.0-rc5-00130-g089b6d3654916 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Allocated by task 136: \[...\] kzalloc include/linux/slab.h:669 \[inline\] alloc\_tty\_struct+0x96/0x8a0 drivers/tty/tty\_io.c:2982 tty\_init\_dev+0x23/0x350 drivers/tty/tty\_io.c:1334 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 41: \[...\] kfree+0xbf/0x200 mm/slab.c:3757 free\_tty\_struct+0x8d/0xb0 drivers/tty/tty\_io.c:177 release\_one\_tty+0x22d/0x2f0 drivers/tty/tty\_io.c:1468 process\_one\_work+0x7f1/0x14b0 kernel/workqueue.c:2264 worker\_thread+0x8b/0xc80 kernel/workqueue.c:2410 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-3-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 903f879e510838969d93506eea1a498fc9928c51 Author: Eric Biggers Date: Sat Mar 21 20:43:04 2020 -0700 vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream. The VT\_DISALLOCATE ioctl can free a virtual console while tty\_release() is still running, causing a use-after-free in con\_shutdown(). This occurs because VT\_DISALLOCATE considers a virtual console's 'struct vc\_data' to be unused as soon as the corresponding tty's refcount hits 0. But actually it may be still being closed. Fix this by making vc\_data be reference-counted via the embedded 'struct tty\_port'. A newly allocated virtual console has refcount 1. Opening it for the first time increments the refcount to 2. Closing it for the last time decrements the refcount (in tty\_operations::cleanup() so that it happens late enough), as does VT\_DISALLOCATE. Reproducer: #include #include #include #include int main() { if (fork()) { for (;;) close(open("/dev/tty5", O\_RDWR)); } else { int fd = open("/dev/tty10", O\_RDWR); for (;;) ioctl(fd, VT\_DISALLOCATE, 5); } } KASAN report: BUG: KASAN: use-after-free in con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 Write of size 8 at addr ffff88806a4ec108 by task syz\_vt/129 CPU: 0 PID: 129 Comm: syz\_vt Not tainted 5.6.0-rc2 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 release\_tty+0xa8/0x410 drivers/tty/tty\_io.c:1514 tty\_release\_struct+0x34/0x50 drivers/tty/tty\_io.c:1629 tty\_release+0x984/0xed0 drivers/tty/tty\_io.c:1789 \[...\] Allocated by task 129: \[...\] kzalloc include/linux/slab.h:669 \[inline\] vc\_allocate drivers/tty/vt/vt.c:1085 \[inline\] vc\_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066 con\_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229 tty\_driver\_install\_tty drivers/tty/tty\_io.c:1228 \[inline\] tty\_init\_dev+0x94/0x350 drivers/tty/tty\_io.c:1341 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 130: \[...\] kfree+0xbf/0x1e0 mm/slab.c:3757 vt\_disallocate drivers/tty/vt/vt\_ioctl.c:300 \[inline\] vt\_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt\_ioctl.c:818 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4e1c0484b7f84f55713b1eb1faf641ae49496bb1 Author: Eric Biggers Date: Mon Feb 24 00:03:26 2020 -0800 vt: vt\_ioctl: remove unnecessary console allocation checks commit 1aa6e058dd6cd04471b1f21298270014daf48ac9 upstream. The vc\_cons\_allocated() checks in vt\_ioctl() and vt\_compat\_ioctl() are unnecessary because they can only be reached by calling ioctl() on an open tty, which implies the corresponding virtual console is allocated. And even if the virtual console \*could\* be freed concurrently, then these checks would be broken since they aren't done under console\_lock, and the vc\_data is dereferenced before them anyway. So, remove these unneeded checks to avoid confusion. Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200224080326.295046-1-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit e50d4c4fecccef226a86e2a6be20ad376138e9ec Author: Jiri Slaby Date: Wed Feb 19 08:39:48 2020 +0100 vt: switch vt\_dont\_switch to bool commit f400991bf872debffb01c46da882dc97d7e3248e upstream. vt\_dont\_switch is pure boolean, no need for whole char. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 270db0384de5867ca046c09418f129f5f78072f5 Author: Jiri Slaby Date: Wed Feb 19 08:39:44 2020 +0100 vt: ioctl, switch VT\_IS\_IN\_USE and VT\_BUSY to inlines commit e587e8f17433ddb26954f0edf5b2f95c42155ae9 upstream. These two were macros. Switch them to static inlines, so that it's more understandable what they are doing. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 3f0e2212be7c46a4a43df30c1dc4618e28ad94f9 Author: Jiri Slaby Date: Wed Feb 19 08:39:43 2020 +0100 vt: selection, introduce vc\_is\_sel commit dce05aa6eec977f1472abed95ccd71276b9a3864 upstream. Avoid global variables (namely sel\_cons) by introducing vc\_is\_sel. It checks whether the parameter is the current selection console. This will help putting sel\_cons to a struct later. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit aab76df91483a8803a001c3f5e25b0a8d43f8151 Author: Lanqing Liu Date: Mon Mar 16 11:13:33 2020 +0800 serial: sprd: Fix a dereference warning commit efc176929a3505a30c3993ddd393b40893649bd2 upstream. We should validate if the 'sup' is NULL or not before freeing DMA memory, to fix below warning. "drivers/tty/serial/sprd\_serial.c:1141 sprd\_remove() error: we previously assumed 'sup' could be null (see line 1132)" Fixes: f4487db58eb7 ("serial: sprd: Add DMA mode support") Reported-by: Dan Carpenter Signed-off-by: Lanqing Liu Cc: stable Link: https://lore.kernel.org/r/e2bd92691538e95b04a2c2a728f3292e1617018f.1584325957.git.liuhhome@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7908d2658f92b5164d715959d51ebb88f4ad891b Author: Johannes Berg Date: Sun Mar 29 22:50:06 2020 +0200 mac80211: fix authentication with iwlwifi/mvm commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. The original patch didn't copy the ieee80211\_is\_data() condition because on most drivers the management frames don't go through this path. However, they do on iwlwifi/mvm, so we do need to keep the condition here. Cc: stable@vger.kernel.org Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211\_tx\_dequeue() case") Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Cc: Woody Suwalski Signed-off-by: Greg Kroah-Hartman commit cb7cd49c9c281cf00fa38a53c2e6ccf708318b87 Author: Daniel Borkmann Date: Fri Jan 24 14:21:14 2020 +0000 bpf: update jmp32 test cases to fix range bound deduction \[ no upstream commit \] Since commit f2d67fec0b43 ("bpf: Undo incorrect \_\_reg\_bound\_offset32 handling") has been backported to stable, we also need to update related test cases that started to (expectedly) fail on stable. Given the functionality has been reverted we need to move the result to REJECT. Reported-by: Naresh Kamboju Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman

CVE-2020-36557

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

CVE-2022-29454: Better Messages – Live Chat for WordPress, BuddyPress, BuddyBoss, Ultimate Member, PeepSo

By Deeba Ahmed
In May 2020, researchers were able to demonstrate how attackers can steal data from air-gapped PC by turning…
This is a post from HackRead.com Read the original post: Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables

In May 2020, researchers were able to demonstrate how attackers can steal data from air-gapped PC by turning RAM into Wi-Fi Card. Now, the University of the Negev, Israel, researchers have published a study titled “SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables,” authored by Mordechai Guri, proving that hackers can extract data from a seemingly secure system by exploiting its SATA cable.

The attack has been named SATAn. It is worth noting that the SATA connection is used in hundreds of thousands of devices globally to connect hard drives and SSDs in the PC.

**SATAn Exploitation Explained**

Researchers demonstrated that an attacker could use the SATA cable as a wireless transmitter and intercept the data it carries as radio signals in the 6GHz band. It is a complex attack requiring the attacker to install specific malware on the target machine and use a specially designed shellcode to modify file system activity, which generates identifiable radio signals through SATA cables.

After the malicious software is installed, it starts encoding the data to be stolen after obtaining different types of file system access, such as read and write to generate a signal on the SATA cable.

The researcher noted that write or read operations can create correct signals more effectively but read operations don’t require higher permissions at a system level and generate stronger signals of up to 3 dB. The attacker receives this signal on a nearby device if the receiver is located within one meter of the transmitter range.

In this case, the laptop used a Software Defined Radio receiver for signal reception. The researchers entered ‘Secret’ on their targeted device, which the second machine picked up.

**Why Does This Technique Work?**

Air-gapped systems are where the world’s most sensitive data is usually stored. These systems aren’t connected to a network, internet, or any connection to the outside world. Moreover, the air-gapped system doesn’t rely on hardware to enable wireless communications such as Wi-Fi hardware or Bluetooth.

Therefore, stealing data from these systems involves advanced and highly sophisticated skills. This attack works by converting the standard SATA cable into a radio transmitter without physically modifying the hardware. The SATA bus creates electromagnetic interference when performing its regular operation, and this interference is manipulated to transmit data.

According to the university’s report , the researcher used the cable as a wireless antenna operating on the 6 GHz frequency band to transmit a short message to a nearby laptop. However, attackers can use this technique with keyloggers to steal sensitive data, including passwords, files, and images.

**Should You Be Concerned?**

Using this technique, an attacker can exfiltrate data from systems that aren’t even connected to the internet and transmit the data to a receiver located 1meter away. And, they don’t need to physically modify the SATA cable or hardware since it is a purely software-based attack. The attacker can utilize a VM (virtual machine) to make this technique successful.

But, it is a complex method, and the attacker needs access to the target computer since they have to install the malware on an air-gapped system directly.

Moreover, SATA signal emission is generally weak; hence, this isn’t a flawless attack technique, and many countermeasures can help prevent it. Such as using network security protocols and technologies, enabling electromagnetic shielding, avoiding using SATA drives altogether, and opting for M.2 drives.

**More Air-Gapping PC Security News**

1.  Hackers can steal data from air-gapped PC using screen brightness
2.  A Malware attack can trick biologists into producing dangerous toxins
3.  WikiLeaks’ Latest Dump Exposes CIA Hacking Tools for air-gapped PCs
4.  Malware can extract data from air-gapped PC through the power supply
5.  Hackers can steal data from Air-Gapped PCs with microphones & speakers

Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit  
Advisory ID: ZSL-2022-5710  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 20.07.2022

**Summary**

SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants.

Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide!

The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.

Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.

**Description**

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

\--------------------------------------------------------------------------------

/www/delsnap.pl:  
----------------

01: #!/usr/bin/perl  
02: use IO::Handle;  
03:  
04:  
05: select(STDERR);  
06: $| = 1;  
07: select(STDOUT);  
08: $| = 1;  
09:  
10: #print "\r\n\r\n";  
11:  
12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';  
13: use CGI;  
14:  
15: my $PROGNAME = "delsnap.pl";  
16:  
17: my $cgi = new CGI();  
18:  
19: my $name = $cgi->param('name');  
20: if ($name eq "list") {  
21:     print "\r\n\r\n";  
22:     print "DATA=";  
23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;  
24:     exit(0);  
25: }  
26: if ($name eq "deleteall") {  
27:     print "\r\n\r\n";  
28:     print "DELETINGALL=TRUE&";  
29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;  
30:     print "COMPLETED=true\n";  
31:     exit(0);  
32: }  
33: #print "name $name\n";  
34: print "\r\n\r\n";  
35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";  
36:  
37: unlink $filename or die "COMPLETED=false\n";  
38:  
39: print "COMPLETED=true\n";

  
\--------------------------------------------------------------------------------

**Vendor**

Schneider Electric SE - https://www.se.com

**Affected Version**

SpaceLogic C-Bus Home Controller (5200WHC2)  
formerly known as C-Bus Wiser Home Controller MK2  
V1.31.460 and prior  
Firmware: 604

**Tested On**

Machine: OMAP3 Wiser2 Board  
CPU: ARMv7 revision 2  
GNU/Linux 2.6.37 (armv7l)  
BusyBox v1.22.1  
thttpd/2.25b  
Perl v5.20.0  
Clipsal 81  
Angstrom 2009.X-stable  
PICED 4.14.0.100  
lighttpd/1.7  
GCC 4.4.3  
NodeJS v10.15.3

**Vendor Status**

\[27.03.2022\] Vulnerability discovered.  
\[31.03.2022\] Reported the vulnerability to the vendor.  
\[31.03.2022\] Vendor receives PoC, starts analysis and creates SE-6334 (Remote Root Exploit).  
\[11.04.2022\] Asked vendor for confirmation and status update.  
\[11.04.2022\] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.  
\[20.04.2022\] Asked vendor for confirmation and scheduled patch release date.  
\[21.04.2022\] Vendor is still analyzing.  
\[30.04.2022\] Asked vendor for status update.  
\[02.05.2022\] Vendor states that the product team has finalized their action plan and has provided a tentative fix release date of end of June.  
\[02.05.2022\] Replied to the vendor.  
\[02.05.2022\] The product team is working diligently on the fix. If there are any changes to the release date, we will let you know immediately.  
\[03.06.2022\] Asked vendor for status update.  
\[03.06.2022\] Vendor responds, tentative fix release date remains end of June.  
\[27.06.2022\] Asked vendor for status update.  
\[28.06.2022\] Vendor is finalizing the security notification and expecting to disclose on July 12th 2022.  
\[30.06.2022\] Vendor sends encrypted draft advisory for review.  
\[02.07.2022\] Sent our encrypted draft advisory for alignment of content.  
\[08.07.2022\] Vendor reviews the advisory and agrees that it is aligned with the contents. Provided advisory URL and asked for release date.  
\[10.07.2022\] Replied to the vendor with scheduled advisory release date.  
\[12.07.2022\] Vendor released advisory SEVD-2022-193-02.  
\[20.07.2022\] Coordinated public security advisory released.

**PoC**

SpaceLogic.ps1

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp  
\[2\] https://download.schneider-electric.com/files?p\_enDocType=Security+and+Safety+Notice&p\_File\_Name=SEVD-2022-193-02\_SpaceLogic-C-Bus-Home-Controller-Wiser\_MK2\_Security\_Notification.pdf  
\[3\] https://www.se.com/ww/en/work/support/cybersecurity/wall-of-thanks.jsp  
\[4\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753  
\[5\] https://nvd.nist.gov/vuln/detail/CVE-2022-34753

**Changelog**

\[20.07.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit

The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.

CVE-2022-24660: Cryptocurrency ASIC Miners – Security and Hacking Audit – James A. Chambers

300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.

300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.

Magecart campaigns have been skimming payment-card credentials of unsuspecting customers using three online restaurant-ordering systems, affecting about 300 restaurants that use the services and compromising tens of thousands of cards so far, researchers have found.

Two separate ongoing Magecart campaigns have injected e-skimmer scripts into the online ordering portals of restaurants using three separate platforms: MenuDrive, Harbortouch, and InTouchPOS, researchers from Recorded Future revealed in a blog post this week. One appears to have begun last November, and the other in January, they said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

“Across all three platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis,” researchers from Recorded Future’s Insikt Group wrote in the report.

Magecart is a general term for cybercriminals who use card-skimming technology to steal credentials from payment cards used at point-of-sale (POS) or e-commerce systems. They typically end up selling these stolen credentials on hacker forums on the dark web.

The infections on the restaurants’ websites affected in the two campaigns observed by Recorded Future “often result in the exposure of customers’ payment card data and PII (their billing information and contact information),” researchers noted.

So far, researchers have identified more than 50,000 compromised payment card records from the campaigns posted for sale on the dark web, and they expect more stolen data to be posted in the future, they said.

****Campaign Specifics****

Researchers found that MenuDrive and Harbortouch were targeted by the same Magecart attacker, a campaign that resulted in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch.

“This campaign likely began no later than Jan. 18, 2022, and as of this report, a portion of the restaurants remained infected,” they noted in the post. However, the malicious domain used for the campaign, which researchers identified as authorizen\[.\]net, has been blocked since May 26, they said.

A separate and unrelated Magecart campaign targeted InTouchPOS even earlier, beginning no later than Nov. 12, 2021, researchers said. In that one, 157 restaurants using the platform were infected by e-skimmers, a portion of which remain this way, and the malicious domains associated with the campaign–bouncepilot\[.\]net and pinimg\[.\]org–remain active, they said.

Moreover, the tactics and indicators of compromise associated with the campaign targeting InTouchPOS are similar to those of other cybercriminal activity targeting 400 e-commerce websites that deal in different types of transactions since May 2020, according to Recorded Future. More than 30 of the affected sites in the related campaign remain compromised as of June 21, researchers said.

****Low-Hanging Fruit****

While centralized restaurant ordering platforms like Uber Eats and DoorDash dominate the market for such systems and are far more well-known than the ones affected by the campaigns, the hundreds of smaller platforms on the internet that serve local restaurants remain a valuable target for cybercriminals, researchers noted.

“Even small-scale platforms may have hundreds of restaurants as clients,” they said, which means targeting a smaller platform can expose scores of online transactions and payment-card info. Indeed, these platforms serve as low-hanging fruit for attackers, who tend to “seek the highest payout for the least amount of work,” researchers noted.

E-commerce sites in general face persistent challenges in securing their sites, and often contain vulnerable code from third-party or supply-chain partners that is easy for attackers to compromise and can have downstream effects, noted one security professional.

“This is another example of the web attack lifecycle–the cyclical and continuous nature of cyberattacks–where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account take-over attacks on another site,” Kim DeCarlis, chief marketing officer at cybersecurity company PerimeterX, wrote in an email to Threatpost.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Magecart Serves Up Card Skimmers on Restaurant-Ordering Systems

Under increased scrutiny, certain period-tracking apps are seeing a surge of new users. Which are as safe as they claim to be?

This not only shifts the burden of risk assessment to individual users, but also makes evaluating the privacy and security of apps difficult to begin with. To do so, we consulted evaluation frameworks pioneered by the Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four core questions to guide our study.

\*A score of (0) = the app did not fulfill the privacy requirement, (1) = the app partially fulfilled the privacy requirement, (2) = the app fulfilled the privacy requirement, and (3) = the app fulfilled the privacy requirement well

\*\*’Clear specification’ is defined here as an index of third-party companies and the data they receive.

Local vs. Cloud Storage

Understanding _where_ companies store your data is pivotal to assessing the privacy risk that comes with using their products. Most popular mobile apps store user data in the cloud—across multiple servers in multiple locations—which allows them to process large amounts of easily recoverable information. It also means that your data is more vulnerable to bad actors. This is why organizations like Givens’ prefer apps that store information directly on users’ devices. If an app stores data directly on your mobile phone, you’ll have more complete control of it. None of the apps reviewed above gave users the option to store their data locally, but Euki and Mozilla Foundation-backed Drip do.

Third-Party Sharing

If you’ve used Facebook to log in to a website or app recently, you’re already familiar with some of the ways that app developers share information with third parties. Understanding which third parties a company works with and what type of data is passed on to them is a helpful way to evaluate your level of protection. For example, Period Tracker’s privacy policy admits to sharing users’ device IDs with advertising networks, which is quite risky. It also expresses their willingness to sell or transfer user data as a result of a corporate merger or sale. Typically, apps who lay out plainly who they’re providing info to and why—like Clue does —are more trustworthy.

It’s also helpful to know whether data is routinely anonymized (stripped of identifying user information) before being shared with these third parties. However, this isn’t a panacea. Stripped-down data can still lead back to individual users under certain conditions. Machine learning makes this threat even more real, since the technology can speed up shady “re-identification” processes. Despite vowing to refrain from sharing user data themselves, Clue passes on anonymized data to certain third-party research groups. While Stardust expresses a commitment to limiting the information they share with third parties, their policy states it could share information in order to “comply with or respond to law enforcement,” or to protect the “security of the Company.” Ideally, apps are extremely selective with which third-parties they’re willing to share info with—or they don't share with third-parties at all.

Data Deletion

Every app should have established protocols that allow users to delete their personal data from the developers’ systems at will. While many US-based apps include these protocols to comply with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should look out for privacy policies that _clearly_ extend these erasure privileges to all users, regardless of location. Even so this can be tricky, says Givens: “If you’re not a resident of the jurisdiction that the law is covering, there’s no guarantee that they are going to honor it.”

Even apps that invite data deletion requests may not always execute them in a timely or complete fashion. Flo, whose security practices placed them under FTC scrutiny in 2021, states specifically in their privacy policy that upon deletion of their app, they “retain your personal data for a period of 3 years in case you decide to re-activate.” Period Tracker admits to retaining users’ mobile device IDs “for up to 24 months” after receiving a request. The safest apps should retain your data for 30 days or less, and ideally submit deletion requests to third parties on your behalf, like Clue does.

Location Tracking

If an app explicitly stores location data (like Period Calendar and Period Tracker do) it presents a greater privacy issue. While three out of the five apps analyzed here didn’t appear to save location data explicitly, each app saves users’ IP addresses, which can be used to determine someone’s general location. Flo, for example, explicitly shares IP addresses with third-parties such as AppsFlyer.

Stardust’s practices decouple users’ IP addresses from their health data, which increases security. But critics say their methods fall short of true end-to-end encryption. Regardless, when IP addresses are combined with outside data, such as a user’s search history or even other publicly available information about the user, they can easily reveal that person’s identity and their activities. The CDT and other privacy advocates have warned that users’ text messages and search histories have already been used against them in legal proceedings involving their reproductive health, and the practice is likely to expand.

The Bottom Line

At the end of the day, a period-tracking app like Clue presents users with slightly less risk than apps like Flo, Stardust, Period Calendar, and Period Tracker. However, all five of these apps, chosen for their outsize popularity, falter when compared with more secure options like Euki and Drip, as corroborated by Consumer Reports. Insofar as it’s possible for users to analyze _all_ of their apps according to standards set forth in The Digital Standard, Mhealth Index, and elsewhere, users can make educated decisions about which companies to align with—but evaluating the risks of using specific apps is an imperfect science. In addition to being extremely time consuming and often confusing, it’s nowhere near a suitable replacement for a lack of widespread legal privacy protections available for all Americans.

According to privacy experts like Givens, period-tracking apps represent the tip of the iceberg when it comes to digital privacy and security post-_Roe_. The CDT recommends that people assess their own risk level in order to determine whether using a period-tracking app is even worth it. In the meantime, taking steps to secure your personal information like text messages and search histories is probably more worthwhile.

For those looking to make a difference, experts recommend advocating directly to tech companies, especially precedent-setting organizations like Google and Meta (formerly Facebook) to demand better individual protections. It’s these corporations that will eventually have to respond to requests from law enforcement for user data, and many already promise to curtail their surveillance (but also lobby aggressively against privacy legislation and regulation). To pave the way for better policy, tech companies should aim to take serious inventory of the data they’re collecting, file transparency reports regularly, and, most importantly, take public stances in defense of privacy rights early and often.

The Most Popular Period-Tracking Apps, Ranked by Data Privacy

HiCOSâ€™ client-side citizen certificate component has a double free vulnerability. An unauthenticated physical attacker can exploit this vulnerability to corrupt memory and execute arbitrary code, manipulate system data or terminate service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202206008

CVE ID

CVE-2022-32962

CVSS

6.8 (Medium)  
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

HiCOS 自然人憑證元件客戶端  
Linux: libHicos\_p11v1.so CHT PKCS#11 3.0.3.30306  
Windows: HiCOSPKCS11.dll CHT PKCS#11 3.1.0.00002  
macOS: libHicos\_p11v1.dylib CHT PKCS#11 3.0.3.30404

問題描述

Hicos自然人憑證元件客戶端含有Double Free的漏洞，導致記憶體內容損壞，本機端攻擊者不須權限，即可利用此漏洞，執行任意程式碼、任意系統操作或中斷服務。

解決方法

至MOICA內政部憑證管理中心官網下載最新版

漏洞通報者

how2hack (CCoE)

公開日期

2022-07-12

CVE-2022-32962: HiCOS 自然人憑證元件客戶端 - Double Free

HICOSâ€™ client-side citizen digital certificate component has a stack-based buffer overflow vulnerability when reading IC card due to insufficient parameter length validation for token information. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system data or terminate service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202206007

CVE ID

CVE-2022-32961

CVSS

6.8 (Medium)  
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

HiCOS 自然人憑證元件客戶端  
Linux: libHicos\_p11v1.so CHT PKCS#11 3.0.3.30306  
Windows: HiCOSPKCS11.dll CHT PKCS#11 3.1.0.00002  
macOS: libHicos\_p11v1.dylib CHT PKCS#11 3.0.3.30404

問題描述

HiCOS自然人憑證元件客戶端於讀取晶片卡之Token資訊時未作參數長度驗證，導致Stack-based buffer overflow漏洞，本機端攻擊者不須權限，即可利用此漏洞，執行任意程式碼、任意系統操作或中斷服務。

解決方法

至MOICA內政部憑證管理中心官網下載最新版

漏洞通報者

how2hack (CCoE)

公開日期

2022-07-12

CVE-2022-32961: HiCOS 自然人憑證元件客戶端 - Stack Buffer Overflow-3

HiCOSâ€™ client-side citizen digital certificate component has a stack-based buffer overflow vulnerability when reading IC card due to insufficient parameter length validation for card number. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system data or terminate service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202206006

CVE ID

CVE-2022-32960

CVSS

6.8 (Medium)  
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

HiCOS 自然人憑證元件客戶端  
Linux: libHicos\_p11v1.so CHT PKCS#11 3.0.3.30306  
Windows: HiCOSPKCS11.dll CHT PKCS#11 3.1.0.00002  
macOS: libHicos\_p11v1.dylib CHT PKCS#11 3.0.3.30404

問題描述

Hicos自然人憑證元件客戶端於讀取晶片卡之卡號資訊時未作參數長度驗證，導致Stack-based buffer overflow漏洞，使本機端攻擊者不須權限，即可利用此漏洞，執行任意程式碼、任意系統操作或中斷服務。

解決方法

至MOICA內政部憑證管理中心官網下載最新版

漏洞通報者

how2hack (CCoE)

公開日期

2022-07-12

Tag

#mac