HPSFViewer might allow Escalation of Privilege. This potential vulnerability was remediated on July 29th, 2022. Customers who opted for automatic updates should have already received the remediation.

HPSFViewer might allow Escalation of Privilege. This potential vulnerability was remediated on July 29th, 2022. Customers who opted for automatic updates should have already received the remediation.

Severity

High

HP Reference

HPSBHF03821 Rev. 2

Release date

December 6, 2022

Last updated

December 6, 2022

Category

PC

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by: Ammarit Thongthua, Nattapol Puknah, and Wirapong Petshagun (Secure D Research team).

List of CVE IDs     

CVE ID

CVSS

Severity

Vector

Vendor ID

CVE-2022-3990

8.8

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

HP

PSR-2022-0097

**Resolution**

HP strives to address all security issues with HP apps at best possible speed and make the latest version available with the fixes. HP recommends that you update to the latest version of HP Support Assistant v9.20 or higher from the Microsoft Store and recommends keeping Microsoft Store updates turned on so that the application is always kept up to date.

Alternately, you can also get the latest version at https://support.hp.com/help/hp-support-assistant.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Affected products**

Identify the affected products.

*   HPSFViewer versions lower than 8.6.3.1
    

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

2

Added list of individuals who reported the issue under Relevant common vulnerabilities and exposures (CVE) list.

December 6, 2022

1

Initial Release

December 6, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-3990: Privilege escalation via HPSFViewer | HP® Customer Support

Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.

HP Elite Slice for Meeting Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 - Audio Ready with Zoom Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 - Partner Ready with Microsoft Teams Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Microsoft Teams Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Intel Unite

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Zoom Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP EliteDesk 705 G3 Desktop Mini PC

BIOS

02.38

Rev 1

SP139824

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139824.exe

HP EliteDesk 705 G3 Microtower PC

BIOS

02.38

Rev 1

SP139855

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139855.exe

HP EliteDesk 705 G3 Small Form Factor PC

BIOS

02.38

Rev 1

SP139855

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139855.exe

HP EliteDesk 705 G4 Desktop Mini PC

BIOS

02.17.00

Rev 1

SP136818

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136818.exe

HP EliteDesk 705 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP137054

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137054.exe

HP EliteDesk 705 G4 Small Form Factor PC

BIOS

02.12.00

Rev 1

SP137069

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137069.exe

HP EliteDesk 705 G4 Workstation Edition

BIOS

02.17.00

Rev 1

SP137054

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137054.exe

HP EliteDesk 705 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136520

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136520.exe

HP EliteDesk 705 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136508

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136508.exe

HP EliteDesk 800 35W G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139781

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139781.exe

HP EliteDesk 800 35W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 65W G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139781

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139781.exe

HP EliteDesk 800 65W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 95W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 G3 Small Form Factor PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 800 G3 Tower PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 800 G4 Small Form Factor PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G4 Tower PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G4 Workstation Edition

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136572

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136572.exe

HP EliteDesk 800 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteDesk 800 G5 Tower PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteDesk 880 G3 Tower PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 880 G4 Tower PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 880 G5 Tower PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteOne 1000 G1 23.8-in All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 23.8-in Touch All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 27-in 4K UHD All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 34-in Curved All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G2 23.8-in All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 23.8-in Touch All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 27-in 4K UHD All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 34-in Curved All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 800 G3 23.8 Non-Touch Healthcare Edition All-in-One Business PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Touch All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Touch GPU All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G4 23.8-in Healthcare Edition All-in-One Business PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Non-Touch All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Touch All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Touch GPU All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G5 23.8-in Healthcare Edition All-in-One

BIOS

2.11.01

Rev 1

SP136705

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136705.exe

HP EliteOne 800 G5 23.8-inch All-in-One

BIOS

2.11.01

Rev 1

SP136705

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136705.exe

HP ProDesk 400 G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139783

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139783.exe

HP ProDesk 400 G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136964

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136964.exe

HP ProDesk 400 G4 Microtower PC

BIOS

02.40

Rev 1

SP139854

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139854.exe

HP ProDesk 400 G4 Small Form Factor PC

BIOS

02.40

Rev 1

SP139796

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139796.exe

HP ProDesk 400 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136574

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136574.exe

HP ProDesk 400 G5 Microtower PC

BIOS

02.17.00

Rev 1

SP136497

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136497.exe

HP ProDesk 400 G5 Small Form Factor PC

BIOS

2.17

Rev 1

SP136532

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136532.exe

HP ProDesk 400 G6 Microtower PC

BIOS

02.11.00

Rev 1

SP136501

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136501.exe

HP ProDesk 400 G6 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136515

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136515.exe

HP ProDesk 405 G4 Desktop Mini PC

BIOS

02.17.00

Rev 1

SP136824

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136824.exe

HP ProDesk 405 G4 Small Form Factor PC

BIOS

02.12.00

Rev 1

SP137069

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137069.exe

HP ProDesk 480 G4 Microtower PC

BIOS

02.40

Rev 1

SP139854

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139854.exe

HP ProDesk 480 G5 Microtower PC

BIOS

02.17.00

Rev 1

SP136497

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136497.exe

HP ProDesk 480 G6 Microtower PC

BIOS

02.11.00

Rev 1

SP136501

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136501.exe

HP ProDesk 600 G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139782

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139782.exe

HP ProDesk 600 G3 Microtower PC

BIOS

02.40

Rev 1

SP139853

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139853.exe

HP ProDesk 600 G3 Small Form Factor PC

BIOS

02.40

Rev 1

SP139795

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139795.exe

HP ProDesk 600 G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136957

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136957.exe

HP ProDesk 600 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 600 G4 Microtower PC (with PCI slot)

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 600 G4 Small Form Factor PC

BIOS

02.18.00

Rev 1

SP136961

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136961.exe

HP ProDesk 600 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136573

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136573.exe

HP ProDesk 600 G5 Microtower PC

BIOS

02.11.00

Rev 1

SP136500

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136500.exe

HP ProDesk 600 G5 Microtower PC (with PCI slot)

BIOS

02.11.00

Rev 1

SP136500

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136500.exe

HP ProDesk 600 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136514

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136514.exe

HP ProDesk 680 G3 Microtower PC

BIOS

02.40

Rev 1

SP139853

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139853.exe

HP ProDesk 680 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 680 G4 Microtower PC (With PCI slot)

BIOS

02.17.00

Rev 1

SP136498

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136498.exe

HP ProOne 400 G3 20-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 400 G3 20-inch Touch All-in-One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 400 G4 20-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 400 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 400 G5 20-inch All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 400 G5 23.8-inch All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 440 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 440 G5 23.8-in All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 480 G3 20-inch Non-Touch All-in One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 600 G3 21.5-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 3

SP140060

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140060.exe

HP ProOne 600 G4 21.5-inch Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 600 G5 21.5-in All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

CVE-2021-3809: HP PC BIOS - May 2022 Security Updates

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email.
"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting

Enterprise Security / Authentication

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email.

"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant said. "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland."

Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data.

The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the consent to exfiltrate mailboxes.

On top of that, Microsoft said it implemented additional security measures to improve the vetting process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the potential for fraud in the future.

The disclosure coincides with a report released by Proofpoint about how threat actors have successfully exploited Microsoft's "verified publisher" status to infiltrate the cloud environments of organizations.

What's notable about the campaign is that by mimicking popular brands, it was also successful at fooling Microsoft in order to gain the blue verified badge. "The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," the company explained.

These attacks, which were first observed on December 6, 2022, employed lookalike versions of legitimate apps like Zoom to deceive targets into authorizing access and facilitate data theft. Targets included financial, marketing, managers, and senior executives.

Proofpoint noted the malicious OAuth apps had "far-reaching delegated permissions" such as reading emails, adjusting mailbox settings, and gaining access to files and other data connected to the user's account.

It also said that unlike a previous campaign that compromised existing Microsoft verified publishers to take advantage of OAuth app privileges, the latest attacks are designed to impersonate legitimate publishers to become verified and distribute the rogue apps.

Two of the apps in question were named "Single Sign-on (SSO)," while the third app was called "Meeting" in an attempt to masquerade as video conferencing software. All three apps, created by three different publishers, targeted the same companies and leveraged the same attacker-controlled infrastructure.

"The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse," the enterprise security firm said.

The campaign is said to have come to an end on December 27, 2022, after Proofpoint informed Microsoft of the attack on December 20 and the apps were disabled.

The findings demonstrate the sophistication that has gone into mounting the attack, not to mention bypass Microsoft's security protections and misuse the trust users place in enterprise vendors and service providers.

This is not the first time bogus OAuth apps have been used to target Microsoft's cloud services. In January 2022, Proofpoint detailed another threat activity dubbed OiVaVoii that targeted high-level executives to seize control of their accounts.

Then in September 2022, Microsoft revealed that it dismantled an attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and distribute spam.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts

An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.

L’ **Offensive Security Team** di **Swascan** ha identificato **3** vulnerabilità sul prodotto.

**Serenissima Informatica SpA**

_Serenissima Informatica è un’azienda che si occupa dello sviluppo di soluzioni per la gestione di PMI, Hotel e catene alberghiere, ristoranti e GDO._

**FastCheckIn – descrizione prodotto**

_Il prodotto FastCheckin (Web Check-In)_ in particolare aiuta gli utenti di Hotel e catene alberghiere nella compilazione dei propri dati e nella gestione delle proprie prenotazione online.

**Technical summary**

L’Offensive Security Team di Swascan ha identificato importanti vulnerabilià su: _FastCheckIn_:

**Vulnerabilità**

**CWE-ID**

**CVSSv3.1 Vector String**

**CVSSv3.1 Base Score**

**Arbitrary File Write (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**9.8 – Critical**

**SQL Injection (non autenticato)**

CWE-89

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**9.8 – Critical**

**Absolute/Relative Path Traversal (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**8.6 – High**

 Swascan ha scelto di non divulgare i dettagli tecnici della vulnerabilità.

Nella sezione seguente la Proof-of-Concept con evidenze offuscate sulle vulnerabilità riscontrate.

**Arbitrary File Write (non autenticato) – CVE-2022-47769****Descrizione**

L’applicazione risulta vulnerabile ad Arbitrary File Write. 

Un attaccante, remotamente e in modalità non autenticata, potrà scrivere nella web root dell’applicazione, qualsiasi file dal contenuto arbitrario per alterare e/o bloccare il funzionamento dell’applicativo oppure per ottenere l’accesso al server tramite web shell.

**Proof of Concept**

Si mostra di seguito come sia stato possibile scrivere una web shell nella web root dell’applicazione web ed ottenere accesso al server.

Per ottenere tale risultato sono stati effettuati i seguenti passaggi:

1.  Esecuzione di una HTTP Post Request per scrivere una WebShell (nell’esempio con il nome _70347276-ee93-4366-b396-e1496f67ed6d.aspx_ ) all’interno della web root;
2.  Esecuzione di comandi sul server tramite WebShell.

Evidenza 1 Richiesta HTTP contenente la WebShell

Il file C:\\\\FastCheckIn\\\\FastCI\\\\70347276-ee93-4366-b396-e1496f67ed6d.aspx è stato quindi creato con successo e raggiungibile dal web come mostrato nell’evidenza successiva:

Evidenza 2  Esecuzione tramite webshell del comando “whoami”

**Riferimenti**

https://cwe.mitre.org/data/definitions/20.html

http://cwe.mitre.org/data/definitions/22.html

https://owasp.org/www-community/attacks/Path\_Traversal

https://cheatsheetseries.owasp.org/cheatsheets/Input\_Validation\_Cheat\_Sheet.html

**SQL Injection (non autenticato) – CVE-2022-47770****Descrizione**

L’applicazione web è vulnerabile ad attacchi di tipo SQL Injection non autenticati.

Un potenziale attaccante sarà in grado accedere remotamente, completamente ed in maniera non autenticata alle informazioni contenute nella banca dati ed effettuare operazioni come esfiltrazione e modifica di account utente ed amministrativi, dati personali di utenti ed altre informazioni in essa contenute.

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia possibile estrarre informazioni sensibili dall’interno della banca dati.

Di seguito l’evidenza dell’enumerazione del DMBS, Microsoft SQL Server e la lista offuscata) di tutti i database presenti sul server:

Evidenza 4 SQLMap Lista database

Ciò conferma la presenza della vulnerabilità.

A fronte della corretta exploitation di questo tipo di vulnerabilità, un attaccante potrebbe acquisire i diritti di amministratore dell’applicativo web, con conseguente accesso a tutte le funzionalità del portale.

**Riferimenti**

https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://www.cve.org/CVERecord?id=CVE-2022-47770

**Path Traversal (non autenticato) – CVE-2022-47768****Descrizione**

La vulnerabilità Path Traversal (Relative e Absolute) consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Proof of Concept**

Di seguito vengono mostrate le evidenze di come è possibile leggere il contenuto di file sul filesystem. Nell’esempio viene mostrata la possibilità di leggere il file c:\\windows\\win.ini:

Evidenza 5 Richiesta e Risposta HTTP della vulnerabilità Absolute Path Traversal

**Riferimenti**

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

https://www.cve.org/CVERecord?id=CVE-2022-47768

**Remediation**

Swascan consiglia di non esporre l’applicativo su Internet o, qualora fosse necessario, di accedervi esclusivamente tramite connessione VPN in attesa che il vendor rilasci una patch o un aggiornamento.

**Disclosure Timeline**

*   07-08-2022: Scoperte le vulnerabilità
*   07-08-2022: Vendor contattato tramite mail (1° tentativo, nessuna risposta)
*   22-09-2022: Vendor contattato tramite mail (2° tentativo, con risposta)
*   22-09-2022: Invio del report contenente le vulnerabilità
*   11-01-2023: Swascan ricontatta il vendor per eventuale review del documento (nessuna risposta)
*   18-01-2023: Swasacan ricontatta il vendor per eventuale review (nessuna risposta)
*   31-01-2023: Swascan pubblica la vulnerabilità

CVE-2022-47769: Security Advisory: Serenissima Informatica – FastCheckIn (CVE-2022-47768/CVE-2022-47769/ CVE-2022-47770)

本ブログは、Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process の抄訳版です。最新の情報は原文を参照してくださ

Microsoft の調査 – 検証済みの発行者確認を悪用する脅威アクターの同意フィッシング キャンペーンについて

Everyone on Twitter wants a blue check mark. But Microsoft Azure's blue badges are even more valuable to a threat actor stealing your data via malicious OAuth apps.

Late last year, a group of threat actors managed to obtain "verified publisher" status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in the Microsoft ecosystem.

The MCPP is Microsoft’s channel partner program, inhabited by 400,000-plus companies that sell and support its enterprise products and services and also build their own solutions and software around them. Members include managed services providers, independent software vendors, and business app developers, among others.

Researchers from Proofpoint first discovered this activity on Dec. 6 of last year. A report published on Jan. 31 outlines how threat actors used their bogus status as verified app publishers within the MCPP program to infiltrate UK- and Ireland-based organizations' cloud environments. The fake solutions partners targeted employees in finance and marketing, as well as managers and executives, via malicious applications. Users who fell for the badge potentially exposed themselves to account takeover, data exfiltration, and business email compromise (BEC), and their organizations were laid open to brand impersonation.

Overall, the campaign "used unprecedented sophistication to bypass Microsoft’s security mechanisms," the researchers tell Dark Reading. "This was an extremely well-thought-out operation."

**How the Hackers Duped Microsoft**

To become a verified publisher, Microsoft Cloud Partners must meet a set of eight criteria. These criteria are largely technical and, as Microsoft outlined in its documentation, passing the bar "doesn't imply or indicate quality criteria you might look for in an app." But threat actors abusing the system to distribute malicious apps? That's not supposed to happen.

The trick in this case was that, before phishing end users, the attackers tricked Microsoft itself.

To wit: They registered as publishers under "displayed" names that mimicked legitimate companies. Meanwhile, their associated "verified publisher" names were hidden and slightly different. The example given by the researchers is that a publisher masquerading as "Acme LLC" might have a verified publisher name "Acme Holdings LLC."

Evidently, this was enough to skate by the systems' verification process. In fact, researchers noted, "in two cases, the verification was granted one day after the creation of the malicious application."

When reached for comment on the failure of the verification process, Proofpoint did not offer further details, and a Microsoft spokesperson merely noted, _“_Consent phishing is an ongoing, industrywide issue, and we’re continuously monitoring for new attack patterns. We've disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.” 

The spokesperson added, "The limited number of customers who were impacted by the campaign described in the Proofpoint blog have been notified."

**How the Hackers Duped Enterprise Users**

Having obtained their verified status, the threat actors began spreading malicious OAuth apps, an increasingly popular vehicle for cyberattackers in recent years. They rigged these apps to request broad access to victims' accounts.

"The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," according to an advisory published Jan. 31. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps."

OAuth — short for "open authorization" — is a token-based framework that enables users to authorize certain data sharing between third-party applications, without needing to divulge their login credentials in the process. A common example is the "log in with Google" or "log in with Facebook" options that many websites offer to avoid having to create a new set of credentials to use with the sites. OAuth dialogues are common enough that users typically just hit "Accept," without digging into the fine details of what they're agreeing to.

Snuffing out this consent phishing campaign would have required a great deal more vigilance than that.

Beyond the "verified publisher" stamp of approval, the attackers gave vague and innocuous names to the apps requesting permissions: Two were called, simply, "Single Sign-on (SSO)," and one "Meeting." And though publishing under the guise of other impersonated organizations, the attackers chose a household name to display to users at the requested permissions stage.

"The attacker(s) used different data fields to fool targeted users," the Proofpoint researchers said. "They used one name, identical to the impersonated org's name, as the visible publisher name. The other name was used as a hidden parameter, not visible in the malicious app's consent page."

In one case, "they used an outdated version of the well-recognized Zoom icon," the Proofpoint authors explained in the report, "and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility."

To conclude, they put it bluntly: "End users are likely to fall prey to the advanced social engineering methods outlined in this blog."

Victims who fell for the gambit granted their attackers permission to access special areas of their accounts, like their mailboxes and calendars. The permissions also included offline access, enabling the hackers to do what they wished entirely out of view.

**Bogus OAuth Apps: Takeaways for Business**

After learning about the campaign on Dec. 15, Microsoft disabled the malicious applications and associated publisher accounts. It then enlisted its Digital Crimes Unit to investigate further.

According to Microsoft, "We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future."

To defend against future campaigns of this kind, Proofpoint researchers recommended deploying effective cloud security solutions to help detect malicious applications, and pointed readers to Microsoft's advisory regarding consent phishing. Their most important bit of advice was "to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft."

"Do not," they wrote, "trust and rely on OAuth apps based on their verified publisher status alone."

Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status

Demand for skilled professionals will remain high, but cyber budgets will be eaten away.

We've recently seen substantial layoffs across the tech sector, to the tune of around 140,000 redundancies made by big names such as Amazon, Salesforce, Microsoft, and Tesla. As the recession bites, falling stock prices and further contraction in the market, together with merger and acquisition activity, are expected to force businesses to reduce head count further still. Yet the cybersecurity sector, thus far, has remained relatively unscathed with respect to cyber professionals (it’s a different story with vendors, which are subject to the mores of the market). The question is why, and will it continue to buck the trend?

Much of the reason why the security industry remains so buoyant is down to the fact that there simply isn't the fat to cut from security teams. Most businesses are struggling to recruit sufficient staff due to a widening skills gap — the ISC2 "2022 Cybersecurity Workforce Study" reports that while there is a global workforce of 4.7 million, the gap is almost as big at 3.4 million — and that means teams are often short-handed, leading to job creep, whereby staff have to take on extra responsibilities. "The State of Security 2022" report found that 76% of cybersecurity staff had to take on responsibilities they were not ready for in an attempt to fill the void. 

**Is My Job Safe?**

Yet despite professionals being in demand, the wider cybersecurity sector is beginning to feel the pain. Budgets themselves remain robust, with analyst houses such as Gartner predicting strong investment in cloud security, application security, and other information security software. But even if cybersecurity spending increases in 2023, it's being eroded by rising inflation and increasing solution/licensing costs, and the majority (70%) believe budgets will be cut or frozen this year, according to ESG Research.

So, what are the implications for the year ahead? First, cybersecurity talent will remain in short supply, while the annual shortfall, together with an exodus of talent, will see the gap widen, increasing demand still further. Jobs will, therefore, largely be safe, although this doesn't apply across the board.

The shortages are focused, with those with three to four years or more of experience most in demand, according to the Department for Digital, Culture, Media, and Sport, as well as those with experience in emerging or nascent technologies, such as cloud security, security operations center (SOC) analysts, and security admin and security architects, according to Fortinet's "2022 Cybersecurity Skills Gap" report. Those findings broadly tally with ISACA's "State of Cybersecurity 2022" report, which lists the top five skill sets as cloud computing, data protection, identity access management, incident response and DevSecOps. However, positions further down the hierarchy are likely to prove less recession-proof. 

**Investment in Tech**

Second, shrinking budgets could slow investment in automation, which many had hoped would alleviate the skills shortage and improve retention rate by providing security teams with some much-needed assistance. That's bad news for the industry, as it will stifle progress, but it could also see organizations become more exposed. The ISACA report found 69% of those businesses that suffered an attack last year were somewhat or significantly understaffed, and it's a problem that is turning out to be something of a self-fulfilling prophecy. Half of staff say they are much more likely to quit following a cyberattack, and job candidates are far less likely to want to work for a business that has suffered from cyberattacks, according to "The True Cost of Cyber."

However, the jury is still out on just how affected cyber spending will be. According to "The 2023 State of IT" report, cybersecurity is expected to increase its take out of IT budgets with respect to software (11%), hardware (7%), cloud (6%), and managed services (11%). Furthermore, the "2023 Global Tech Outlook" report found cybersecurity is now viewed as a higher-priority spend than innovation in digital transformation projects. IT security (44%) came out top as a spending priority for the next 12 months, followed by cloud infrastructure (36%) and IT/cloud management (35%).

**Wage Walkouts**

Third, we're unlikely to see salaries continue to escalate as they did pre- and post-pandemic, when some salaries experienced double-digit percentage growth. The Harvey Nash Hot Skills & Salary Report found that certain cybersecurity roles have plateaued, with 67% not receiving a pay rise. Realistically, this will make retention more difficult, and businesses are going to have to work to hang on to their hard-won talent (60% of businesses have already had staff poached, according to ISACA). That said, with the market contracting, some cybersecurity professionals may opt for job security over salary.

It looks unlikely that the cybersecurity sector will escape entirely the ravages of the recession. Demand for skilled professionals will remain high, but with cyber budgets being eaten away, there will be less cash to go round, forcing businesses to prioritize. In a bid to do more with less, workloads are likely to go up, in turn increasing staff turnover, jeopardizing business continuity. That means the one certainty we do seem to have is that businesses will be understaffed — and overexposed.

Will Cybersecurity Remain Recession-Proof in 2023?

SysKit report highlighting effects of digital transformation on IT admins and governance landscape released.

**CAMBRIDGE, England****,** **Jan. 31, 2023** **/PRNewswire/ —** SysKit, a SaaS software company, has published a report on the effects of digital transformation on IT admins and the current governance landscape. The survey found that 40% of companies experienced a data leak in the previous year, which can have severe consequences on an organization's efficiency and result in large fines, downtime, and loss of business-critical certifications and customers.

Improper implementation of zero trust and full trust approaches can lead to data leaks. Despite their drawbacks, 50% of respondents consider the full trust approach to governance optimal, and 68% believe the zero trust approach limits collaboration capabilities.

"We believe both approaches have disadvantages. Organizations lose amazing collaboration features with zero trust, and with full trust, you give up visibility and control over resources in the environment. That's why we developed a product for Microsoft 365 tenants that cancels out the negative sides of both approaches," said Toni Frankola, CEO of SysKit.

The research, conducted in November, surveyed 205 US IT professionals responsible for managing organizations' IT environments, and accurately represents the targeted population.

The survey also found that most IT admins (82%) believe non-tech employees who are resource owners should be more involved in data reviews and care of their team's workspaces. However, when asked about their specific IT governance skills, half of the respondents reported non-tech employees don't know how to apply external sharing policies properly, 56% consider they don't know how to apply provisioning policies, and 30% report their colleagues are not taking care of their inactive content. This lack of skills can lead to data leaks, uncontrolled workspace sprawl, and additional storage costs.

The survey also found that the biggest challenges today for IT admins are a lack of understanding from superiors, huge workloads, and misalignment of IT and business strategies. Due to the complex IT changes companies faced during the accelerated digital transformation in the past two years, 70% of respondents felt burnout symptoms. Frankola commented on how to decrease IT admins' workload and limit security risks: "My advice would be to implement simple and intuitive tools that support delegating tasks and increase visibility. It's important to include all employees in executing governance policies. This way, companies can prevent certain cybersecurity risks and improve business efficiency".

**About SysKit:**

SysKit specializes in developing a data management and governance SaaS platform for Microsoft 365 environments. Through constant customer dialogue, SysKit addresses numerous challenges IT professionals and business users face daily. Gartner recently identified them as a representative vendor in their Market Guide for SaaS Management Platforms. SysKit Point is available for a free trial.

New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

Do you know where your secrets are? If not, I can tell you: you are not alone.
Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.
It might sound ridiculous at first: keeping secrets is an obvious first thought when

Do you know where your secrets are? If not, I can tell you: you are not alone.

Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.

It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premise, you know that your secrets are safely stored behind hard gates that few people can access. It is not just a matter of common sense since it's also an essential compliance requirement for security audits and certifications.

Developers working in your organization are well-aware that secrets should be handled with special care. They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials.

Still, do you know where your secrets are?

Secrets sprawl everywhere in your systems, and faster than most realize. Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought. Think about it: a developer hard-codes an API key to test a program quickly and accidentally commits and pushes their work on a remote repository. Are you confident that the incident can be detected in a timely manner?

Insufficient audit and remediation capabilities are some of the reasons why secrets management is hard. They are also the least addressed by security frameworks. Yet these grey areas—where unseen vulnerabilities remain hidden for a long time—are blatant holes in your defense layers.

Recognizing this gap, we developed a self-assessment tool to evaluate the size of this unknown. To take stock of your _real_ security posture regarding secrets in your organization, take five minutes to answer the eight questions (it's completely anonymous).

So, how much do you _not_ know about your secrets?

**Secrets Management Maturity Model**

Sound secrets management is a crucial defensive tactic that requires some thought to build a comprehensive security posture. We built a framework (you can find the white paper here) to help security leaders make sense of their actual posture and adopt more mature enterprise secrets management practices in three phases:

1.  Assessing secrets leakage risks
2.  Establishing modern secrets management workflows
3.  Creating a roadmap to improvement in fragile areas

The fundamental point addressed by this model is that secrets management goes well beyond how the organization stores and distributes secrets. It is a program that not needs to align people, tools, and processes, but also to account for human error. Errors are _not_ evitable! Their consequences are. That's why detection and remediation tools and policies, along with secrets storage and distribution, form the pillars of our maturity model.

The secrets management maturity model considers four attack surfaces of the DevOps lifecycle:

*   Developer environments
*   Source code repositories
*   CI/CD pipelines & artifacts
*   Runtime environments

We then built a maturity ramp-up over five levels, going from 0 (Uninitiated) to 4 (Expert). Going 0 to 1 is mostly about assessing the risks posed by insecure software development practices, and starting auditing digital assets for hardcoded credentials. At the intermediate level (level 2), secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle. Levels 3 (Advanced) and 4 (Expert) are focused on risk mitigation with clearer policies, better controls, and increased shared responsibility for remediating incidents.

Another core consideration for this framework is that making it hard to use secrets in a DevOps context will inevitably lead to the bypassing of the protective layers in place. As with everything else in security, the answers lay between protection and flexibility. This is why the use of a vault/secrets manager starts at the intermediate level only. The idea is that the use of a secrets manager should not be seen as a stand-alone solution but as an additional layer of defense. To be effective, it requires other processes, like continuous scanning of pull requests, to be mature enough.

Here are some questions that this model should raise in order to help you evaluate your maturity: how frequently are your production secrets rotated? How easy is it to rotate secrets? How are secrets distributed at the development, integration, and production phase? What measures are put in place to prevent the unsafe dissemination of credentials on local machines? Do CI/CD pipelines' credentials adhere to the least privileges principle? What are the procedures in place for when (not if) secrets are leaked?

Reviewing your secrets management posture should be top of mind in 2023. First, everyone working with source code has to handle secrets, if not daily, at least once in a while. Secrets are no longer the prerogative of security or DevOps engineers. They are required by more and more people, from ML engineers, data scientists, product, ops, and even more. Second, if you don't find where your secrets are, hackers will.

**Hackers will find your secrets**

The risks posed to organizations failing to adopt mature secrets management practices cannot be overstated. Development environments, source code repositories and CI/CD pipelines have become favorite targets for hackers, for whom secrets are a gateway to lateral movement and compromise.

Recent examples highlight the fragility of secrets management even in the most technologically mature organizations.

In September 2022, an attacker got access to Uber's internal network, where he found hardcoded admin credentials on a network drive. The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts. The attacker was then able to take over admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August of the same year, the password manager LastPass fell victim of an attacker who gained access toits development environment by stealing the credentials of a software developer and impersonating that individual. Later in December, the firm disclosed that someone used that information to steal source code and customer data.

In fact, in 2022, source code leaks have proven to be a true minefield for organizations: NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack, among others, have been victims of source code leaks. In May, we were warning about the important volume of credentials that could be harvested by analyzing these codebases. Armed with these, attackers can gain leverage and pivot into hundreds of dependent systems in what is known as supply chain attacks.

Finally, even more recently, in January 2023, the continuous integration provider CircleCI was also breached, leading to the compromise of hundreds of customer environment variables, tokens, and keys. The company urged its customers to immediately change their passwords, SSH keys, or any other secrets stored on or managed by the platform. Still, victims need to find out where these secrets are and how they are being used to press the emergency button!

This was a strong case for having an emergency plan ready to go.

The lesson from all these incidents is that attackers have realized that compromising machine or human identities gives a higher return on investment. They are all warning signs of the urgency to deal with hardcoded credentials and to dust off secrets management in general.

**Final word**

We have a saying in cybersecurity: "encryption is easy, but key management is hard." This still holds true today, although it isn't just about encryption keys anymore. Our hyper-connected services world relies on hundreds of types of keys, or secrets, to function properly. These could be as many potential attack vectors if mismanaged.

Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security. To help you, we created a maturity model specifically about secrets distribution, leak detection, remediation process, and rotation habits.

The first step is always to get a clear audit of the organization's security posture regarding secrets: where and how are they used? Where do they leak? How to prepare for the worst? This alone could prove to be a lifesaver in an emergency situation. Find out where you stand with the questionnaire and learn where to go from there with the white paper.

In the wake of recent attacks on development environments and business tools, companies that want to defend themselves effectively must ensure that the grey areas of their development cycle are cleared as soon as possible.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

You Don't Know Where Your Secrets Are

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

Tag

#microsoft