pdf_info 0.5.3 is vulnerable to Command Execution. An attacker using a specially crafted payload may execute OS commands by using command chaining because during object initalization there is no validation performed and the user provided path is used.

**Code injection in pdf\_info**

High severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-9fh3-j99m-f4v7: Code injection in pdf_info

pdf_info 0.5.3 is vulnerable to Command Execution.

RubyGems.org is the Ruby community’s gem hosting service. Instantly publish your gems and then install them. Use the API to find out more about available gems. Become a contributor and improve the site yourself.

RubyGems.org is made possible through a partnership with the greater Ruby community. Fastly provides bandwidth and CDN support, Ruby Central covers infrastructure costs, and Ruby Together funds ongoing development and ops work. Learn more about our sponsors and how they work together.

We need your help to fund the developer time that keeps RubyGems.org running smoothly for everyone. Join Ruby Together today.

CVE-2022-36231: pdf_info | RubyGems.org | your community gem host

CSF 2.0 blueprint offered up for public review

CSF 2.0 blueprint offered up for public review

ANALYSIS The US National Institute of Standards and Technology (NIST) is planning significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet.

First published in 2014 and updated to version 1.1 in 2018, the CSF provides a set of guidelines and best practices for managing cybersecurity risks. The framework is designed to be flexible and adaptable rather than prescriptive, and is widely used by organizations and government agencies, both within and outside the US, to create cybersecurity programs and measure their maturity.

Following a long consultation, NIST has published a concept paper (pdf) for CSF 2.0 and opened it up to further review. The resulting feedback will be used to develop a final draft of the revised framework, due out sometime this summer.

“We think that there's been enough changes in the cybersecurity landscape to warrant a significant update this time around," says Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead.

“There have been changes in cybersecurity standards, including those published by NIST but also elsewhere; there's been significant changes in the risk landscape and in technologies. And so even though the vast majority of our respondents said they still like the framework, there were a number of changes that folks are looking for, and so we thought it was time for us to do a refresh."

Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead

**Expanded audience**

One notable change is who the framework is aimed towards. Since the publication of CSF 1.1, the US Congress has explicitly directed NIST to consider the needs of small businesses and higher education institutions, beyond its original target demographic of critical national infrastructure organizations (in utilities, telecoms, transport, banking etc).

"The scope was originally for critical infrastructure, as defined under \[a US President\] Executive Order, but over time lots of organizations have started to use it," says Pascoe.

"We don't want organizations to have to make that determination about whether or not they're critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so were proposing to broaden it to all organizations."

There are also plans to increase international collaboration, and encourage more countries to adopt the framework, either in full or in part.

Sign up to Daily Swig Deserialized, our new fortnightly rundown of web security, bug bounty, and hacking culture news

Meanwhile, a new ‘Govern’ function will join the existing five precepts – Identify, Protect, Detect, Respond, and Recover – with the aim of positioning cybersecurity risk alongside other enterprise risks such as threats to financial stability.

The new function would include determination of the priorities and risk tolerances of the organization, its customers, and larger society; assessment of cybersecurity risks and impacts; the establishment of cybersecurity policies and procedures; and an evaluation of cybersecurity roles and responsibilities.

“There has been a lot of work to better understand how cybersecurity risk can be incorporated as part of other enterprise risks, so alongside financial risk; the importance of senior leadership being aware of cybersecurity risks and the policies and procedures that would need to be in place to address cybersecurity," says Pascoe.

“I think there's become much more awareness that cybersecurity is not just a technical issue and that it's something that needs to be addressed by the upper levels of the organization,” she added.

This addition is largely a response to the growing use of the framework to structure discussions about cybersecurity risk between technologists and senior managers.

**Joined-up thinking**

One issue highlighted during the request for information was the need to improve the alignment of the framework with other NIST and non-NIST security programmes, such as the Risk Management Framework and Workforce Framework for Cybersecurity.

Respondents also called for more practical guidance on applying the framework, leading to a new section focused on implementation examples. While the framework remains focused on high level outcomes rather than specific processes, according to Pascoe, “these examples will help give a starting point for organizations to think about different ways that they can implement the higher level subcategory outcomes”.

**Risk management**

For the first time, the new framework will have a significant focus on supply chain risk management, helping and encouraging organizations to address third-party risks of all kinds, from cloud computing to computers, software and networking equipment, along with the non-technology supply chain.

However, says Pascoe, there are mixed opinions about how to do this: in particular, whether cybersecurity supply chain management should be integrated into the framework's existing structures or split off as a separate function.

“Everyone thinks yes, this is a really important issue, but feedback was mixed, so we've said let's think some more about this and how to address it,” she says.

“It sometimes goes by sector, and is sometimes based off their existing regulatory requirements; so, for example, the financial sector is very regulated for cybersecurity and they have existing third party requirements that they're hoping to see within the framework, so they're probably the most vocal about wanting a significant expansion for third party \[responsibilities\].”

**Measure for measure**

CSF 2.0 is also set to include more guidance on measurement and assessment, with a common taxonomy and lexicon to communicate the outcome of an organization's measurement and assessment efforts, regardless of the underlying risk management process.

"NIST is a measurement science agency and so we're always striving to develop tools to measure things – but cybersecurity measurement is probably one of the hardest things that we've ever tackled,” says Pascoe.

Catch up with the latest cybersecurity policy and legislation news

“Organizations are asking the question: 'Now that I've used the framework for a decade, how do I know that my cybersecurity posture is improving and the actions that I'm taking are beneficial to reduce the risk?''"

The plan is to provide additional guidance about how to do access levels of security maturity – some in CSF 2.0 itself, and some in separate guidance.

**Privacy, zero trust conundrums**

NIST decided not to merge its privacy framework with the CSF after consulting stakeholders, although Pascoe says that could be a move for a future CSF 3.0 given increasing "overlap between the two”.

Pascoe foresees disagreement, or at least significant further discussion, on topics such as the applicability within the framework of zero trust – a network security concept that urges organizations not to trust any device by default, regardless of whether it sits outside or inside an organization’s perimeter.

NIST’s view is that zero trust need not be incorporated into the framework, even though applying the architecture is a priority for the Biden administration.

**Vendor neutral?**

Another area still very much up for discussion is NIST's proposal to keep the framework technology- and vendor-neutral, with some calling for it to address specific topics, technologies, and applications.

"The framework has always been tech-neutral, but organizations are looking for more guidance when they are, say, leveraging cloud or leveraging the internet of things or operational technologies,” says Pascoe.

“And so that one's going to be a really particular struggle to make sure that we are remaining tech-neutral, while also not excluding any particular systems - but I think there are a number of organizations that were looking for us to go further than that, and have specific guidance for each of these technologies.”

Comments on the proposals can be submitted to NIST at cyberframework@nist.gov until March 3, with a draft planned for summer, followed by a public review.

“So we're going to try and find consensus where we can, but some of these changes on governance and supply chain are really large. Hopefully we'll be able to find a solution,” Pascoe concluded.

YOU MAY ALSO LIKE Belgium will protect ethical hackers under a nationwide safe harbor framework

NIST plots biggest ever reform of Cybersecurity Framework

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

CVE-2023-22974: OpenEMR Patches - OpenEMR Project Wiki

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

closed

 

**Potential XSS from URL and URL Table alias URLs**

Category:

Aliases / Tables

Plus Target Version:

22.05

**Description**

The URL from a URL or URL Table type alias is not sanitized before display on firewall_alias.php, which can potentially lead to a stored XSS when viewing the list of aliases on the **URL** or **All** tabs.

The URL from a URL table alias is also not sanitized when included in the alias popup on various firewall and NAT rule pages, but that mechanism has its own safety measures which prevent it from being a concern there. Even so, it's best to encode it in the popup.

*   History
*   Notes
*   Property changes
*   Associated revisions

*   **Status** changed from _New_ to _Feedback_
*   **% Done** changed from _0_ to _100_

*   **Status** changed from _Feedback_ to _Resolved_

No issues on current snapshots

*   **Private** changed from _Yes_ to _No_

Also available in: Atom PDF

CVE-2022-29273: Bug #13060: Potential XSS from URL and URL Table alias URLs - pfSense

Integer overflow in PDF in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)

CVE-2023-0933

The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.

CVE-2023-26314: #972146 - /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code (CVE-2023-26314)

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Apple Bug Could Allow Attackers Access to Photos and Messages

JFrog argues vulnerability risk metrics need complete revamp

JFrog argues vulnerability risk metrics need complete revamp

ANALYSIS Weaknesses in the existing CVSS scoring system have been highlighted through new research, with existing metrics deemed responsible for “overhyping” some vulnerabilities.

So-called “overinflated” ratings are potentially eating up the limited time of cybersecurity teams who may then not be focused on the bugs most likely to impact their organizations in favor of issues deemed critical across the board.

Catch up with the latest security vulnerability research and analysis

An analysis, put together by security tools vendor JFrog, involved accessing the popular Common Vulnerability Scoring System (CVSS), an open industry standard framework for assessing the severity of security problems. The system is managed by the non-profit Forum of Incident Response and Security Teams (FIRST) with the National Vulnerability Database (NVD) providing CVSS scores for confirmed vulnerabilities.

JFrog’s analysis, which focused on accessing the impact of security bugs in open source software, concluded that public CVSS impact metrics may be oversimplifying the risk posed by vulnerabilities because it lacks context, among other factors.

**Critical assessment**

According to the report (PDF), “Analysis of Open Source Security Vulnerabilities Most Impactful to DevOps and DevSecOps Teams”, there is a “discrepancy” between public severity ratings and the internal JFrog assessments of the top 50 CVEs of 2022.

JFrog’s security researchers say that in ‘most’ cases, the company’s own CVE (Common Vulnerabilities and Exposures) severity assessment is lower than the rating assigned in the NVD – “meaning oftentimes these vulnerabilities are being overhyped”.

For example, a buffer overrun in X.509 certificate verification, CVE-2022-3602 (CVSS 7.5), was of grave concern – until the release of the exploit’s technical details, which showed there was a marginal real-world impact, according to the researchers.

In total, 64% of the top 50 CVEs were given a lower JFrog severity rating, whilst 90% received a lower or equal rating.

**Context dependant**

JFrog says that many NVD security ratings were “undeserved” as they were not as simple to exploit as reported. Furthermore, many of the analyzed vulnerabilities required complex configuration environments or particular conditions for a successful attack.

Another criticism made by the cybersecurity firm is that there may be a lack of context when assigning CVE attack complexity metrics. For example, considering how potentially vulnerable software is deployed, the network environment, how the software is used, or whether a vulnerable API could end up parsing untrusted data should all be analyzed. The result is that severity ratings might either be set either too high or too low.

**Misdirecting priorities risk**

JFrog also observed that 10 of the most prevalent vulnerabilities in 2022 impacting the enterprise tended to have low severity ratings and so are either regarded as a lower priority for enterprise IT teams and open source project maintainers – so remediation work is either delayed or (worse) entirely disregarded.

If a bug is considered too small to bother with, developers may not create a patch, which JFrog says can only increase the number of affected systems over time. In contrast, if a CVSS rating is high but the real-world impact is considered minuscule, the threat level could be faulted as misleading.

Speaking to The Daily Swig, Shachar Menashe, senior director of security research at JFrog, said the best solution would be to update the CVSS standard to contain fields that would provide more context, such as exploitability in default configurations and whether or not there are context-dependent attack vectors.

Menashe added:

“Since everybody already uses CVSS this is the path of least resistance. CVSS v4.0 has been in the works for a very long time, but it still does not have a concrete availability date.

“On top of that, NVD needs to be more open to CNA-submitted CVSS scores (the CNA-submitted CVSS is ignored many times). There’s also another new comparative scheme – EPSS, but I think its viability hasn’t been proven yet, and its implementation is very opaque, so we can only wait and judge it by empirical results in the future.”

Sign up to Daily Swig Deserialized, our new fortnightly rundown of web security, bug bounty, and hacking culture news

Many cybersecurity experts acknowledge that the existing CVSS system is limited, and experience is what fills the gaps during vulnerability assessments. The quantitative research carried out by JFrog backs the “gut feeling” of many infosec professionals that the current vulnerability scoring system needs a revamp.

**FIRST responder**

Asked about JFrog’s critique, Chris Gibson, executive director of FIRST, said that in general, “scoring providers supply ‘reasonable worst case’ base scores, and rely on the consumers to mitigate (lower) the final score”.

Temporal threat information, asset criticality, compensating controls – such as firewall filters – and other environmental scores are “designed to lower the score to a more apt, applicable level, according to Gibson.

“Third parties, such as JFrog, can help consumers by providing threat intelligence (temporal score), allowing the use of the full CVSS score to better track patch priority and technical risk.”

Asked about potential improvements, Gibson said CVSS v4.0 is “coming soon” and will include a method for product developers to provide supplementary urgency ratings, leading to “a more accurate representation of the urgency of the vulnerability in their implementation, rather than relying on the OSS library provider’s worst-case scoring”.

“The CVSS system can be useful as long as its shortcomings are kept in mind. For instance, CVSS might score a vulnerability without considering important contextual factors like the environment in which it was found and the potential commercial or operational impact.”

Prashanth Samudrala, VP of product management at AutoRABIT, told The Daily Swig: “The system relies on currently available information, which means it could make decisions based on incomplete or incorrect information. While the CVSS system can be helpful, it should be used alongside other means of evaluation to get an accurate assessment.”

YOU MAY ALSO LIKE ‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

CVSS system criticized for failure to address real-world impact

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

Tag

#pdf