Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21764.

CVE-2023-21763

Microsoft Cryptographic Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21551, CVE-2023-21730.

CVE-2023-21561

Microsoft Cryptographic Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21561, CVE-2023-21730.

CVE-2023-21551

A link-manipulation issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP4.

**Architecting a Future-Proof Enterprise to Plan and Adapt to Change**

Build a digital representation of your enterprise by connecting business, IT, data, and risk perspectives in a single platform to share a single source of truth. Derive actionable insights and collaborate with stakeholders to align on your company’s business objectives and demonstrate the immediate business value of your projects. Seamlessly integrate the HOPEX Platform into your digital ecosystem for faster time-to-value.

Shift from a documentation tool to an operational tool and accelerate business transformation

Turn your data into a strategic asset

Optimize and transform your business processes

Federate your GRC activities to enhance operational resilience

**HOPEX Platform Main Benefits**

HOPEX improves collaboration and alignment by removing silos and sharing a single source of truth to all business and IT stakeholders. They get actionable insights to make the right decisions using a smart, automated, and connected platform.

**Smart: Get data-driven insights based on algorithms**

Get smart recommendations based on data-driven algorithms and share actionable insights using a collaborative enterprise portal and mobile apps that increase decision-making velocity.

**Connected: Improve collaboration and alignment**

Use automated discovery of applications, data, and processes as well as automated diagram generation and intelligent workflows to improve productivity, accelerate project delivery, and reduce time-to-value.

**Automated: Accelerate your project delivery**

Improve collaboration, develop synergies, avoid duplicative efforts, and ensure stakeholder alignment on strategic objectives by connecting strategy, business, IT, data, and risk perspectives on the same platform.

Scalable, Secure and Flexible SaaS Solution

The MEGA HOPEX Platform is available on SaaS giving you the flexibility and scalability required to meet the ever-changing needs of your business. It relies on Microsoft Azure infrastructure using industry-leading security measures and privacy policies, while adhering to international compliance programs. MEGA HOPEX successfully completed the SOC 2 Type 2 examination, based on the trust principles of security, availability, and confidentiality.

**HOPEX Platform Main Capabilities**

Reporting and dashboarding

Use out-of-the-box templates or build your own reports to monitor and govern your projects with actionable insights and recommendations.

Assessment engine

Launch surveys and assessment campaigns to quickly build and update your repository using a crowdsourcing approach.

Intuitive modeling engine

Build business process, IT and data diagrams to visually communicate how your operations work and see how business, IT, and data are connected.

Intuitive workflows

Simply built workflows  foster collaboration among all stakeholders and accelerate business value delivery.

Enterprise portal

Share insights across your organization and demonstrate tangible business results to the C-suite with HOPEX 360, a ready-to-use enterprise portal.

Contextual search

Easily find accurate and trusted data using a modern contextual search engine and further filter to narrow your search results.

Flexible metamodel configurability

Adapt MEGA HOPEX to your operating model with easy-to-use customization options, and expand functionalities as well as import ready-to-use content through the HOPEX store.

Open APIs

Based on Microsoft Azure and certified SOC2, MEGA HOPEX cloud is perfectly suited to your business needs and your security imperatives.

Gartner Peer Insights

MEGA International received the 2022 Gartner Customers’ Choice recognition for Enterprise Architecture tools

**Accelerate the delivery of your projects with out of the box integrations**

**Standardize your practice by following leading frameworks and meeting compliance requirements**

**Take a test drive**

Sign up for a 30-day trial version to see how you can demonstrate immediate value of your projects.

CVE-2022-38482: HOPEX Platform

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Tuesday, January 10, 2023 14:01

Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, no vulnerability classified as “Moderate.”

According to Microsoft all “Critical“ vulnerability are either less likely or unlikely to be exploited, except of the security bypass vulnerability CVE-2023-21743 on Microsoft SharePoint Server machines. This vulnerability has a low complexity and can be easily triggered by an attacker. In a network-based attack, an unauthenticated user could make an anonymous connection to the targeted SharePoint server.

Two of the “Critical“ vulnerabilities, which Microsoft considers to be “less likely” to be exploited due to their complexity are CVE-2023-21535 and CVE-2023-21548. These are remote code execution (RCE) vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP) which allow an unauthenticated attacker to send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server and run unauthorized commands on the compromised system.

There are also five “Critical“ Remote Code Execution Vulnerability which affect the Windows Layer 2 Tunneling Protocol (L2TP). Successful exploitation could allow an unauthenticated attacker to execute code on RAS servers. These five vulnerabilities are CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556 and CVE-2023-21679.

The last “Critical“ vulnerability which we want to mention is CVE-2023-21730. It is a Remote Code Execution Vulnerability in the Windows Cryptographic Services. Microsoft did not released many details about the vulnerability, except that it is triggered from the network and of low complexity.

Developers are also at risk due to CVE-2023-21779 a Remote Code Execution vulnerability in Visual Studio Code flagged as “Important“. The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight 6 “Important“ vulnerabilities that Microsoft considers “more likely” to be exploited and can be used for privilege elevation.

*   CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability 
*   CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
*   CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
*   CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes Microsoft Office and 3D Builder applications, a Microsoft ODBC Driver and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61060-61065. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300358-300360.

Microsoft Patch Tuesday for January 2023  — Snort rules and prominent vulnerabilities

The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.

A malware that typically targets Linux environments for cryptocurrency mining has found a new target: vulnerable images and weakly configured PostgreSQL containers in Kubernetes that can be exploited for initial access, Microsoft has found.

Kinsing is a Golang-based malware best known for its targeting of Linux environments, but Microsoft researchers recently observed the Kinsing malware evolving its tactics, Microsoft security researcher Sunders Bruskin divulged in a recently published report. 

Kubernetes, meanwhile, has become the standard open source tool for managing enterprise application deployment mainly because it's cost-effective, offers autoscaling, and can run on any infrastructure. Indeed, 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies.

That Kinsing would begin to find new ways to exploit Kubernetes clusters is on brand for the malware, especially because Kubernetes, like the cloud itself, is notoriously difficult to secure. Attackers have found multiple holes in Kubernetes — including the discovery of more than 380,000 open Kubernetes API servers exposed on the Internet — that have made it open season on cloud environments that use the management platform. Threat actors are even using compromised Kubernetes clusters to launch further malicious attacks.

"Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources," Bruskin acknowledged in the post.

**Targeting Vulnerable Container Images**

One of the new ways Kinsing is targeting Kubernetes environments is by targeting images that are vulnerable to remote code execution (RCE), the researchers found. This allows attackers with network access to exploit the container and run their malicious payload, they said.

In their observations, Microsoft researchers observed several application images frequently infected with Kinsing malware, including PHPUnit, Liferay, Oracle WebLogic, and WordPress, Bruskin wrote.

A series of high-severity vulnerabilities in WebLogic that Oracle revealed in 2020 — CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883 — have become particular targets of attackers wielding the Kinsing malware, which goes after unpatched WebLogic server images, researchers said.

Attacks begin with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001), Bruskin revealed.

"If vulnerable, attackers can use one of the exploits to run their malicious payload (Kinsing, in this case)," he wrote, using a malicious command.

**PostgreSQL in the Crosshairs**

Microsoft researchers also recently observed a significant amount of Kubernetes clusters running PostgreSQL containers that were infected with Kinsing. They attributed the infections to attackers targeting several common misconfigurations that expose these servers, they said.

One is to use the "trust authentication" setting to configure these containers, which means PostgreSQL will assume that anyone who can connect to the server is authorized to access the database with whatever database user name they specify.  
"However, in some cases, this range is wider than it should be or even accepts connections from any IP address (i.e. 0.0.0.0/0)," Bruskin explained in the post. "In such configurations, attackers can freely connect to the PostgreSQL servers without authentication, which may lead to code execution."

Some network configurations in Kubernetes also are prone to Address Resolution Protocol (ARP) poisoning, which allows attackers to impersonate applications in the cluster. This means that even specifying a private IP address in the "trust" configuration may pose a security risk, the researchers said. ARP is the process of connecting a dynamic IP address to a physical machine's MAC address.

Indeed, as a general rule, configuring a PostgreSQL container to allow access to a broad range of IP addresses is exposing it to a potential threat, Bruskin warned.

Even if administrators don't configure it using an unsecured "trust authentication" method, attackers can brute-force PostgreSQL accounts, use denial-of-service (DoS) or distributed DoS (DDoS) attackers on the container's availability, or exploit the container and the database itself to compromise Kubernetes clusters, he wrote.

**Protecting the Enterprise Cloud**

Researchers offered both general rules of thumb for enterprises implementing Kubernetes environments and specific mitigations to avoid exposing them to attacks that target vulnerable images and common PostgreSQL misconfigurations.

In general, security teams must remain aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached, Bruskin advised.

"Regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure," he wrote.

To mitigate the risk of implementing containers with vulnerable images, organizations can take several steps when deploying an image to the container, the researchers said. The first is to ensure that the image is from a known registry and that it's been patched and updated to the latest version, they said.

Organizations should also scan all images for vulnerabilities, identifying which ones are vulnerable and what those vulnerabilities are, especially the ones that are used in exposed containers. Finally, the researchers said, minimizing access to the container by assigning access to specific IPs and applying the "least privileges" rule to the user can also prevent attackers from exploiting vulnerable images in Kubernetes environments.

Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL

New Add-On Empowers SOCs and MSPs to Automate & Orchestrate Incident Response for Microsoft 365.

**SAN FRANCISCO****,** **Jan. 10, 2023** **/PRNewswire/ --** Vade, the global leader in threat detection and response with 1.4 billion mailboxes protected, today announced the availability of Threat Intel & Investigation. An add-on for Vade's flagship product, Vade for M365, Threat Intel & Investigation provides the integrations, intel, and tools for SOCs and MSPs to investigate and respond to email-borne threats transiting through networks.

According to a 2021 report, breaches caused by phishing emails take an average of 213 days to be identified and another 80 days to be contained. This lag time gives cybercriminals the runway they need to conduct additional attacks on an organization, causing even more damage than the initial attack.

"Email is the #1 vector for cyberattacks," said Adrien Gendre, Chief Technology & Product Officer and cofounder at Vade. "Unfortunately, SOCs and MSPs don't always have visibility into how or when an email threat infiltrated their organization or how far it has spread throughout the network. The speed at which today's cybercriminals are working means that organizations cannot afford to lose precious time on incident response."

Vade for M365 is an AI-based email security solution for Microsoft 365 that catches the advanced phishing, spear phishing and malware threats that bypass Microsoft's native security. The Threat Intel & Investigation add-on for Vade for M365 features five core capabilities designed to empower SOCs and MSPs to automate investigations, orchestrate responses and move swiftly and with precision to live threats:

*   **File Inspector:** Deconstructs files and attachments directly in the Vade for M365 interface—without exposing administrators to risk. File Inspector reveals critical details about files and attachments, providing admins with the data required to make faster decisions, cross-check threats across networks and accelerate incident response across affected endpoints and users.
*   **Log Export:** Injects live email and event logs into any security management system, a powerful two-way integration powered by the Vade for M365 API. Connect Vade's email threat intelligence into your organizations' SIEM or SOAR to trigger automation playbooks and enhance your disaster recovery program.
*   **Reported emails:** Automates collection of user-reported emails and clusters similar, unreported emails in one dashboard, speeding user-based incident response and eliminating time-consuming, manual investigations. Receive alerts when users report emails via Outlook and quickly triage and remediate reported emails, similar emails, and forwarded emails with one click.
*   **Download emails/attachments:** Provides access to raw email intelligence for objective evaluation by threat analysts, saving precious time and resources that are typically wasted on searching for and analyzing raw email data.
*   **Add-on for Splunk:** Integrates Vade for M365 with Splunk without the need for custom software development. Combine Vade's threat intelligence with Splunk's SIEM and SOAR capabilities to have better visibility into the threat landscape and actionable insights with which to orchestrate rapid responses.

Vade partners and customers are already experiencing the benefits of Threat Intel & investigation, including Huntington Technology, a US-based MSP offering comprehensive managed services and managed security services:

"One of my helpdesk technicians excitedly came into my office last week. He asked if I had seen the new 'Reported emails' function within Vade," said William Bluford, Vice President, Huntington Technology. "He explained that we can now see which emails are reported as malicious. Not only can we see those emails, but we can see how many users are affected, and we can then remediate and remove those emails from all user mailboxes. This saves time for my helpdesk team and keeps our clients protected."

"Our customers have made clear that they need better visibility into their cybersecurity landscape," Gendre said. "They're challenged to monitor and manage threats from an array of end points, and IT is overburdened by too many complex tools. Threat Intel & Investigation was designed to give our customers the tools they need to thoroughly investigate threats, cross check those threats across their networks, and develop incident response processes—without the burden of complexity."

Threat Intel & Investigation on brings all these capabilities to Vade for M365. Vade's latest innovation will reduce incident response time, eliminate the need for additional security investments, and free up critical IT resources. Threat Intel & Investigation is available today in Vade for M365. To learn more, visit Threat Intel & Investigation.

**About Vade**

Vade is a global cybersecurity company specializing in the development of threat detection and response technology with artificial intelligence. Vade's products and solutions protect consumers, businesses, and organizations from email-borne cyberattacks, including malware/ransomware, spear phishing/business email compromise, and phishing.

Founded in 2009, Vade protects more than 1.4 billion corporate and consumer mailboxes and serves the ISP, SMB, and MSP markets with award-winning products and solutions that help increase cybersecurity and maximize IT efficiency.

To learn more, please visit www.vadesecure.com and follow us on Twitter @vadesecure or LinkedIn https://www.linkedin.com/company/vade-secure/.

SOURCE Vade

Vade Releases Advanced Threat Intel & Investigation Capabilities

401 distinct cloud apps shown to deliver malware; Microsoft OneDrive delivered 30% of all cloud malware downloads.

**SANTA CLARA, Calif.****,** **Jan. 10, 2023** **/PRNewswire/ --** Netskope, a leader in Secure Access Service Edge (SASE), today unveiled new research showing that over 400 distinct cloud applications delivered malware in 2022, nearly triple the amount seen in the prior year. Netskope researchers also found that 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive.

Cloud apps are widely used by businesses, a fact not lost on attackers, which view these apps as an ideal home for hosting malware and causing harm. The Cloud & Threat Report from Netskope Threat Labs examines how these cloud security trends are shifting and advises organizations on how to improve their security posture based on those shifts.

"Attackers are increasingly abusing business-critical cloud apps to deliver malware by bypassing inadequate security controls," said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "That is why it is imperative that more organizations inspect all HTTP and HTTPS traffic, including traffic for popular cloud apps, both company and personal instances, for malicious content."

**Rise in Uploads to Cloud Apps Means Rise in Malware-Delivered Downloads** 

The most significant change in cloud application use in 2022, compared to 2021, was the marked increase in the percentage of users uploading content to the cloud. According to Netskope data, over 25% of users worldwide uploaded documents daily to Microsoft OneDrive, while 7% did so for Google Gmail and 5% for Microsoft Sharepoint. The drastic increase in active cloud users across a record number of cloud applications led to a sizable increase in cloud malware downloads in 2022 from 2021, after remaining close to flat in 2021 compared to 2020.

The correlation between uploads and downloads among the most popular apps is no coincidence. Nearly a third of all cloud malware downloads originated from Microsoft OneDrive, with Weebly and GitHub coming in the next closest among cloud apps at 8.6% and 7.6%, respectively. 

**Cloud-Delivered Malware Is Increasingly More Prevalent Than Web-Delivered Malware**

Industries have increased their reliance on cloud applications and cloud infrastructure to support business operations over the last several years—a trend further accelerated by the COVID-19 pandemic and a worldwide shift toward hybrid work. As a result, cloud-delivered malware is now responsible for a much higher percentage of all malware delivery than ever before, especially in certain geographic regions and industries.

In 2022, several geographic regions saw significant increases in the overall percentage of cloud vs. web-delivered malware compared to 2021, including:

*   Australia (50% in 2022 compared to 40% in 2021)
*   Europe (42% in 2022 compared to 31% in 2021)
*   Africa (42% in 2022 compared to 35% in 2021)
*   Asia (45% in 2022 compared to 39% in 2021)

In certain industries, cloud-delivered malware also became more predominant globally, especially:

*   Telecom (81% in 2022 compared to 59% in 2021)
*   Manufacturing (36% in 2022 compared to 17% in 2021)
*   Retail (57% in 2022 compared to 47% in 2021)
*   Healthcare (54% in 2022 compared to 39% in 2021)

**Cyber Preparedness: The Remote Workforce is Here to Stay**

Companies have made considerable adjustments to enable remote and hybrid workplaces to flourish. While some industries sought to bring employees back to the office on a more frequent basis in 2022, remote work options appear to remain largely in place. According to Netskope data, user dispersion—the ratio of the number of users on the Netskope platform to the number of network locations from which those users' traffic originates—is 66%, the same percentage it was at the start of the pandemic over two years ago.

Remote and hybrid work dynamics continue to pose multiple cybersecurity challenges, including how to securely provide users access to the company resources they need to do their jobs and how to scalably and securely provide users access to the internet.

Netskope recommends organizations take the following actions to avoid increased risk of security incidents stemming from cloud- and web-delivered malware:

*   Enforce granular policy controls to limit data flow, including flow to and from apps, between company and personal instances, among users, to and from the web, adapting the policies based on device, location, and risk.
*   Deploy multi-layered, inline threat protection for all cloud and web traffic to block inbound malware and outbound malware communications.
*   Enable multi-factor authentication for unmanaged enterprise apps.

Get the full Netskope Cloud and Threat Report: 2022 Year in Review here.

For more information on cloud-enabled threats and our latest findings from Netskope Threat Labs, visit Netskope's Threat Research Hub.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Threat Research: Malware-Delivering Cloud Apps Nearly Tripled in 2022

Ubuntu Security Notice 5793-2 - It was discovered that the io_uring subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5793-2  
January 09, 2023

linux-azure vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

It was discovered that the io_uring subsystem in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-3910)

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

It was discovered that the Sunplus Ethernet driver in the Linux kernel  
contained a read-after-free vulnerability. An attacker could possibly use  
this to expose sensitive information (kernel memory) (CVE-2022-3541)

It was discovered that a memory leak existed in the Unix domain socket  
implementation of the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2022-3543)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3544, CVE-2022-3646)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the MCTP implementation  
in the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-3977)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1016-azure   5.19.0-1016.17  
   linux-image-azure               5.19.0.1016.12

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5793-2  
   https://ubuntu.com/security/notices/USN-5793-1  
   CVE-2022-20421, CVE-2022-2663, CVE-2022-3303, CVE-2022-3541,  
   CVE-2022-3543, CVE-2022-3544, CVE-2022-3586, CVE-2022-3623,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-3910, CVE-2022-3977,  
   CVE-2022-40307, CVE-2022-4095, CVE-2022-41849, CVE-2022-41850,  
   CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1016.17

Ubuntu Security Notice USN-5793-2

Ubuntu Security Notice 5792-2 - Mingwei Zhang discovered that the KVM implementation for AMD processors in the Linux kernel did not properly handle cache coherency with Secure Encrypted Virtualization. A local attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5792-2  
January 09, 2023

linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde  
vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems  
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems

Details:

Mingwei Zhang discovered that the KVM implementation for AMD processors in  
the Linux kernel did not properly handle cache coherency with Secure  
Encrypted Virtualization (SEV). A local attacker could possibly use this to  
cause a denial of service (host system crash). (CVE-2022-0171)

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

Jann Horn discovered a race condition existed in the Linux kernel when  
unmapping VMAs in certain situations, resulting in possible use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2022-39188)

Hyunwoo Kim discovered that an integer overflow vulnerability existed in  
the PXA3xx graphics driver in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2022-39842)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1027-aws     5.15.0-1027.31  
   linux-image-5.15.0-1030-azure   5.15.0-1030.37  
   linux-image-5.15.0-1030-azure-fde  5.15.0-1030.37.1  
   linux-image-aws                 5.15.0.1027.25  
   linux-image-aws-lts-22.04       5.15.0.1027.25  
   linux-image-azure               5.15.0.1030.26  
   linux-image-azure-fde           5.15.0.1030.37.7  
   linux-image-azure-lts-22.04     5.15.0.1030.26

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1027-aws     5.15.0-1027.31~20.04.1  
   linux-image-5.15.0-1030-azure   5.15.0-1030.37~20.04.1  
   linux-image-aws                 5.15.0.1027.31~20.04.16  
   linux-image-azure               5.15.0.1030.37~20.04.20

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5792-2  
   https://ubuntu.com/security/notices/USN-5792-1  
   CVE-2022-0171, CVE-2022-20421, CVE-2022-2663, CVE-2022-3061,  
   CVE-2022-3303, CVE-2022-3586, CVE-2022-3646, CVE-2022-3649,  
   CVE-2022-39188, CVE-2022-39842, CVE-2022-40307, CVE-2022-4095,  
   CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1027.31  
   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1030.37  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1030.37.1  
   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1027.31~20.04.1  
   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1030.37~20.04.1

Tag

#microsoft