In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.

**oss-sec mailing list archives**

_From_: Matthias Gerstner <mgerstner () suse de>  
_Date_: Fri, 28 Jan 2022 13:57:23 +0100  

Hello list,

I have been reviewing the Keylime TPM remote attestation solution \[1\]
which resulted in a number of security related findings, including an
arbitrary remote code execution in the Keylime Agent component. The
upstream project published security advisories, fixes and an update
strategy to Keylime version 6.3.X today. Please find the details in the
following full report:

1) Scope of Review
==================

I've been looking into the four main components of Keylime: the Agent,
Registrar, Verifier and Tenant applications. I have been looking into
version 6.2.0. Any source code locations mentioned in this report relate
to this version.

2) Findings in the Agent Component
==================================

a) \`check\_mounted()\` Function Logic can be Fooled by Unprivileged Mounts (CVE-2022-23948)
-----------------------------------------------------------------------------------------

The \`check\_mounted()\` function in \`secure\_mount.py\` attempts to make
sure that a "secure" tmpfs is mounted at \`/var/lib/keylime/secure\` to
store sensitive data on that never gets written to disk. To do so the
function parses the output of the \`mount\` utility to determine whether
this file system is already mounted at the desired location.

There can exist the possibility of unprivileged users performing certain
mount operations, one of the most prominent examples being the
\`fusermount\` setuid-root binary for mounting FUSE file systems. In view
of this, parsing mount table output needs prudence. I described the
basic issue previously already in another report \[2\].

The following is a reproducer using \`fusermount\` that shows the basic local
attack vector:

    user$ export \_FUSE\_COMMFD=0
    user$ fusermount some/path/ -ononempty,fsname="tmpfs on /var/lib/keylime/secure"

This will fool the parsing logic in \`check\_mounted()\` and thus the
function assumes that the "secure" tmpfs is already mounted, while it
actually isn't.  Thus this will allow a local attacker on the system to
prevent this security feature to be effective, \*if\* the local attacker
manages to create such a mount entry before the \`keylime\_agent\` is
starting up.

The attack vector can also be used to perform a local DoS against
\`keylime\_agent\` by claiming a different \`fsname\` than tmpfs.
\`check\_mounted()\` will throw an Exception in this case and the Agent
won't start.

On a side note there are calls to \`secure\_mount.mount()\` spread
throughout the Keylime codebase (for example three times in
\`keylime\_agent.py\`, two times in \`tpm\_main.py\` and two times in
\`ca\_impl\_cfssl.py\`. There is no code to \*clean up\* this mount again,
however. So it potentially leaves behind a stale mount after services
are shutdown. Furthermore, if multiple Keylime processes should operate
in parallel this could result in a race condition where the "secure"
tmpfs is mounted twice, in the worst case mounting a fresh tmpfs over
previously stored content there.

My recommendation is to parse the \`/proc/self/mountinfo\` pseudo file for
mount table information instead. Whitespace is specially encoded in this
file. Furthermore the responsibility of mounting and unmounting this
file system should be more clearly defined during startup/shutdown of
processes and maybe a reference counting / locking scheme to prevent
race conditions should be used.

### Upstream Security Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-wj36-qcfg-5j52

### Upstream Fixes

https://github.com/keylime/keylime/commit/1a4f31a6368d651222683c9debe7d6832db6f607
https://github.com/keylime/keylime/commit/d37c406e69cb6689baa2fb7964bad75209703724

b) Possible Information Leaks via Unauthenticated Agent Quote Interface
-----------------------------------------------------------------------

A TPM quote can be requested without authentication from the Agent service via
the network:

    $ curl "keyagent-host:9002/?api\_version=500&quotes=myquote&nonce=mynonce"
    {
        "code": 200,
        "status": "Success",
        "results": {
            "quote": <base64-data>, "hash\_alg": "sha256", "enc\_alg": "rsa", "sign\_alg": "rsassa",
            "pubkey": <PEM key>", "boottime": 1639999864
        }
    }

This exposes for example the \*boottime\* of the host where the Agent is
running, information that is not otherwise easily publicly available.
Furthermore: Could the contents of the TPM quote data also be
interesting data? Could it for example allow deductions about which kind
of operating system kernel is running on the host?

I recommend to somehow authenticate and cryptographically secure this
Agent interface to prevent information leaks of this kind.

### Upstream Fixes

This issue did not receive a dedicated CVE and fix. It is covered
together with the following issue 2.c).

c) Arbitrary Remote Code Execution in the Agent via Unauthenticated Bootstrap Interface (CVE-2021-43310)
--------------------------------------------------------------------------------------------------------

Note that this issue has been discovered in parallel also by Thore
Sommer, a Keylime upstream developer.

It looks like it is possible to simply post arbitrary new values for the
U and V key parts and provide a new configuration payload to the Agent,
only knowing the Agent's UUID. The Agent's UUID can be public or
semi-public information like when \`agent\_uuid=hostname\` is configured.
From the Keylime paper \[3\] (section 3.2.2) it sounds like the UUID HMAC
check is not considered a security feature but only a sanity check:

> This provides the node with a quick check to determine if Kb is correct.

When \`extract\_payload\_script=true\` (default) and
\`payload\_script=autorun.sh\` (default) are configured in \`keylime.conf\`
then the provided payload will be unzipped and a potentially contained
\`autorun.sh\` script is executed with full root privileges. Attached you
can find a reproducer script \`post\_key.py\` that demonstrates the issue
by creating a file \`/tmp/evil\` on the Agent host by only providing the
Agent hostname and UUID as input parameters.

Even if \`payload\_script\` is disabled then the extraction of a ZIP file
as \_root\_ might result in a remote root exploit by extracting files
outside of the intended target directory. I did not test this variant of
the attack vector, though. Furthermore by providing a ZIP bomb as
payload the Agent process can be subjected to a remote DoS through
memory exhaustion.

Retrieving the full symmetric key previously stored in
\`/var/lib/keylime/secure/derived\_tci\_key\` should not be possible this
way, because when performing the bootstrap protocol, the previous data
is removed in \`keylime\_agent.py:242\`. A skillful attacker might attempt
to first compromise the Agent node and then wait for the Tenant to
re-deploy the Agent using authentic keys and payload. Should this
succeed then the attacker can obtain the secret symmetric key from the
compromised Agent node after all.

Similar to issue b) I recommend to somehow authenticate and
cryptographically secure this Agent interface to prevent these attacks.
As a hotfix disabling the relevant configuration features should at
least prevent the remote code execution and memory exhaustion attack
vectors. Setting non-predictable UUID values can also help (but one
should also consider item 3.a in this context).  Even then this
interface still allows to disrupt the operational state of the Agent
host by simply overwriting its current configuration.

### Upstream Security Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-2m39-75g9-ff5r

### Upstream Fixes

The fix consists of a larger number of upstream commits regarding
introduction of "mTLS" for the Agent interface. This means the
connection towards the Agent will in the future be cryptographically
secured and thus only trusted actors can use the Agent interface.

The upgrade path is a bit complicated because of this (see upstream
advisory).  Upstream version 6.3.X will introduce the new mTLS support
but not enforce it, to allow upgrading of all Keylime components on all
nodes. Only upstream version 6.4.x will enforce the new protocol.

d) Key Exchange and Bootstrap Protocol Susceptible to Replay Attacks
--------------------------------------------------------------------

Authentic payloads being passed from the Tenant to the Agent should be
reasonably safe from attackers (when not considering issue c)), since
the two halves of the symmetric key are encrypted using the per-agent
node RSA public key. The bootstrap protocol seems to be susceptible to
certain replay attacks, however. Since the interface does not employ
transport security, the bootstrap protocol can simply be recorded and
replayed to activate an authentic configuration payload. This could e.g.
be used by an attacker to activate an outdated or even insecure older
configuration of the Agent node.

### Upstream Fixes

This issue did not receive a dedicated CVE and fix. It is covered
together with the previous issue 2.c).

3) Findings in the Registrar Component
======================================

a) UUID of Agents is Received on Unprotected HTTP Interface
-----------------------------------------------------------

The Registrar provides two separate HTTP interfaces, a TLS protected one
and an unprotected one. Part of the unprotected interface is the Agent
registration.  As part of the Agent registration the Agent UUID is
passed unencrypted (processed in \`registrar\_common.py:229\`).

This is not a security issue in its own but relates to issue 2.c where
the knowledge of the UUID facilitates remote code execution on the Agent
nodes.  This means if an attacker can listen in on the Registrar's Agent
registration communication then even unpredictable Agent UUIDs no longer
hinder the attack described in issue 2.c).

As outlined in 2.c) the UUID does not seem to have been thought of as a
security property in the first place so I see no urge to change anything
here. Although when the bootstrap protocol should get TLS protection
then for completeness it could also make sense to protect this Registrar
interface as well the same way.

### Upstream Fixes

This specific aspect is covered by the following commit:

https://github.com/keylime/keylime/commit/e5f033c66403a899685b81a3af03cd59f76e455f

There is no dedicated CVE but it is covered together with the
overarching introduction of mTLS as outlined in issue 2.c).

b) Unsanitized UUID passed on Unprotected HTTP Interface Facilitates Log Spoofing (CVE-2022-23949)
--------------------------------------------------------------------------------------------------

Since the Registrar's unprotected HTTP interface requires no
authentication, anybody can post arbitrary Agent registrations with
arbitrary parameters. The Agent ID (UUID) parameter is not sanitized in
any way and is used unfiltered in log messages (e.g.
\`registrar\_common.py:107\`).

As a result the Agent ID parameter can be used to inject seemingly valid
additional log lines that appear e.g. in \`journalctl -u
keylime\_registrar.service\`. The attached reproducer script
\`post\_agent.py\` can be used to demonstrate this:

    $ ./post\_agent.py --host registrar-host --log-line "Please run rm -rf /\* to protect your system"

In the journal we will then see:

    Dec 21 11:44:22 registrar-host keylime\_registrar\[1426\]: 2021-12-21 11:44:22.281 - keylime.registrar - WARNING - 
POST for trusted-agent
    Dec 21 11:44:22 registrar-host keylime\_registrar\[1426\]: 2021-12-21 11:44:22.931 - keylime.registrar - WARNING - 
Please run rm -rf /\* to protect your system
    Dec 21 11:44:22 registrar-host keylime\_registrar\[1426\]: 2021-12-21 11:44:22.940 - keylime.registrar - DEBUG - 
returning 400 response. \[...\]

Such log spoofing could be used to entice Administrators to perform
actions that can be harmful or otherwise in the interest of an attacker.

My recommendation is on the one hand to diligently sanitize untrusted
input parameters. On the other hand it might make sense to authenticate
this currently untrusted interface.

### Upstream Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-87gh-qc28-j9mm

### Upstream Fixes

The UUID sanitazion is introduced via these commits:

https://github.com/keylime/keylime/commit/387e320dc22c89f4f47c68cb37eb9eec2137f34b
https://github.com/keylime/keylime/commit/e429e95329fc60608713ddfb82f4a92ee3b3d2d9
https://github.com/keylime/keylime/commit/65c2b737129b5837f4a03660aeb1191ced275a57

Otherwise the introduction of mTLS as outlined in issues 3.a) and 2.c)
further protect this.

4) Findings in the Verifier Component
=====================================

a) Revocation Notifier Uses Fixed /tmp Path for UNIX Domain Socket (CVE-2022-23950)
-----------------------------------------------------------------------------------

In \*revocation\_notifier.py\* a fixed path in the world writable location
\*/tmp/keylime.verifier.ipc\* is used. The code (in this case the third
party \`zeromq\` Python module) forcefully removes any file object found
there earlier.  Should the program be running as non-root, or if another
local user simply places a \*directory\* at this location, then this
serves as a local DoS attack against the revocation notifier process,
because the socket cannot be created.

This situation doesn't even seem to be noticed by the Verifier main
process, because the child process \`broker\_proc\` is never waited on.
This means that the local attacker could even replace the "blocking"
directory by his own UNIX domain socket later on and will then receive
revocation events from invocations of the \`notify()\` function in the
main Verifier process.  The full impact of this would have to be
researched further. It looks like failed quote notifications would
longer be sent out.

I recommend to place UNIX domains sockets in a dedicated safe directory
in /run that cannot be staged with attacks by other local users in the
system.

### Upstream Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-9r9r-f8xc-m875

### Upstream Fixes

This fix places the socket into a private /run/keylime directory:

https://github.com/keylime/keylime/commit/ea5d0373fa2c050d5d95404eb779be7e8327b911

b) Get Quote Response Contains Possibly Untrusted ZIP Data (CVE-2022-23951)
---------------------------------------------------------------------------

The Verifier process periodically performs quote operations on
registered Agents. As part of this \`process\_quote\_response()\` is called
and furthermore \`check\_quote()\` and finally \`\_tpm2\_checkquote()\`. In
\`tpm\_main.py:1018\` a couple of ZIP data streams are uncompressed via
\`zlib.decompress()\`.

Since this is processing possibly untrusted data - the Verifier is
attempting to verify the current trust status of the node after all - it
needs to be assumed that malicous data can also be supplied here.

Therefore the question arises whether \`zlib.decompress()\` is robust
against processing invalid ZIP data streams. One thing I already found
out is that it is not robust against delivering ZIP bombs that will
cause a memory exhaustion in the Verifier process.

This finding also is valid similarly for all other Keylime interface
that process ZIP data, like in the Agent.

### Upstream Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-6xx7-m45w-76m2

### Upstream Fixes

This fix simply removes the ZIP compression from the Verifier interface:

https://github.com/keylime/keylime/commit/6e44758b64b0ee13564fc46e807f4ba98091c355

5) General Findings
===================

This section contains findings that apply to all keylime components
alike.

a) World-Readable keylime.conf Contains Potentially Sensitive Data (CVE-2022-23952)
-----------------------------------------------------------------------------------

The configuration \`/etc/keylime.conf\` is installed world-readable:

    $ ls -l /etc/keylime.conf
    -rw-r--r-- 1 root root 26770 Dec 16 14:54 /etc/keylime.conf

This is the case for installations performed manually via the provided
\`installer.sh\` script as well as for the RPM packaging found in both
openSUSE Tumbleweed and Fedora 35 Linux distributions. Further
distributions might be affected.

\`keylime.conf\` contains a lot of information, some of it sensitive like
the TPM ownership password (\`tpm\_ownerpassword\`), TLS certificate
private key passwords (\`private\_key\_pw\`, \`registrar\_private\_key\_pw\`) or
the database password for the Registrar (\`database\_password\`). Thus this
is a local information leak, because arbitrary local users can obtain
these passwords from the configuration file.

My recommendation is to make this file only accessible to \_root\_ and
adjust all installation routines and possibly documentation. The Keylime
code could perform a sanity check of the permissions of the
configuration file before reading it in.

### Upstream Advisory

https://github.com/keylime/keylime/security/advisories/GHSA-fchm-5w2v-qfm8

### Upstream Fixes

The following fix explicitly sets the permissions for the configuration
file in the installer:

https://github.com/keylime/keylime/commit/883085d6a4bcea3012729014d5b8e15ecd65fc7c

b) Lack of Privilege Separation
-------------------------------

All keylime services are currently designed to run as root all the time
(except for testing purposes, see \`REQUIRE\_ROOT\` in \`config.py\`). Only
few bits of the keylime components actually should need root privileges.
Most notably the bootstrapping scripts in the Agent component or the
ability to bind privileged ports.

Implementing a privilege separation approach would increase the defense
in depth for keylime considerably, avoiding smaller security issues to
become severe fast.

### Upstream Statement

Keylime upstream states that it is already possible to run Keylime as
non-root. The \`REQUIRE\_ROOT\` bits are not strictly necessary any more
and can be removed from the code. The Debian packaging already makes use
of the privilege separation.

6) Timeline
===========

2021-12-09: I started the review on the code
2021-12-23: I contacted the upstream security contact and upstream
            developer Thore Sommer privately by email and provided them
            the report results, offering coordinates disclosure.
2022-01-04: Upstream confirmed most of my findings and work on the fixes
            began. Alberto Planas, a SUSE colleague and maintainer of
            the SUSE Keylime packaging also contributed some fixes.
2022-01-28: Publication of the security advisories and fixes by upstream
            took place. Upstream also discovered some further security
            issues themselves in the meanwhile.

\[1\]: https://github.com/keylime/keylime
\[2\]: https://www.openwall.com/lists/oss-security/2020/06/04/5
\[3\]: https://www.ll.mit.edu/sites/default/files/publication/doc/2018-04/2016\_12\_07\_SchearN\_ACSAC\_FP.pdf

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev

**Attachment: post\_agent.py**  
_Description:_

**Attachment: post\_key.py**  
_Description:_

**Attachment: signature.asc**  
_Description:_

**Current thread:**

*   **keylime: Multiple Security Issues (including remote code execution in the Agent component)** _Matthias Gerstner (Jan 28)_

CVE-2022-23952: Multiple Security Issues (including remote code execution in the Agent component)

As ransomware attacks continue to evolve, beyond using security best practices organizations can build resiliency with extended detection and response solutions and fast response times to shut down attacks.

Ransomware is the most significant cybersecurity threat facing organizations today. But recently, leaders from the National Security Agency and the FBI both indicated that attacks declined during the first half of 2022. The combination of sanctions on Russia, where many cybercriminal gangs originate, and crashing cryptocurrency markets may have had an effect, making it difficult for ransomware gangs to extract funds and get their payouts.

But we aren't out of the woods yet. Despite a temporary dip, ransomware is not only thriving but also evolving. Today, ransomware-as-a-service (RaaS) has evolved from a commoditized, automated model relying on prepackaged exploit kits, to a human-operated, highly targeted, and sophisticated business operation. That's reason for businesses of any size to be concerned.

**Becoming RaaS**

It is widely known that today's cybercriminals are well equipped, highly motivated, and very effective. They didn't get that way by accident, and they haven't remained so effective without continuously evolving their technologies and methodologies. The motivation of massive financial gain has been the only constant.

Early ransomware attacks were simple, technology-driven attacks. The attacks drove increased focus on backup and restore capabilities, which led adversaries to seek out online backups and encrypt those, too, during an attack. Attacker success led to larger ransoms, and the larger ransom demands made it less likely that the victim would pay, and more likely that law enforcement would get involved. Ransomware gangs responded with extortion. They transitioned to not only encrypting data, but exfiltration and threatening to make public the often-sensitive data of the victim's customers or partners, introducing a more complex risk of brand and reputational damage. Today, it isn't unusual for ransomware attackers to seek out a victim's cyber-insurance policy to help set the ransom demand and make the whole process (including payment) as efficient as possible.

We have also seen less disciplined (but equally damaging) ransomware attacks. For example, choosing to pay a ransom in turn also identifies a victim as a reliable fit for a future attack, increasing the likelihood it will be hit again, by the same or a different ransomware gang. Research estimates between 50% to 80% (PDF) of organizations that paid a ransom suffered a repeat attack.

As ransomware attacks have evolved, so have security technologies, especially in areas of threat identification and blocking. Anti-phishing, spam filters, antivirus, and malware-detection technologies have all been fine-tuned to address modern threats to minimize the threat of a compromise through email, malicious websites, or other popular attack vectors.

This proverbial "cat and mouse" game between adversaries and security providers that deliver better defenses and sophisticated approaches to stopping ransomware attacks has led to more collaboration within global cybercriminal rings. Much like safecrackers and alarm specialists used in traditional robberies, experts in malware development, network access, and exploitation are powering today's attacks and created conditions for the next evolution in ransomware.

**The RaaS Model Today**

RaaS has evolved to become a sophisticated, human-led operation with a complex, profit sharing business model. A RaaS operator who may have worked independently in the past now contracts with specialists to increase chances of a success.

A RaaS operator — who maintains specific ransomware tools, communicates with the victim, and secures payments — will now often work alongside a high-level hacker, who will perform the intrusion itself. Having an interactive attacker inside the target environment enables live decision-making during the attack. Working together, they identify specific weaknesses within the network, escalate privileges, and encrypt the most sensitive data to ensure payouts. In addition, they carry out reconnaissance to find and delete online backups and disable security tooling. The contracted hacker will often work alongside an access broker, who is responsible for providing access to the network through stolen credentials or persistence mechanisms that are already in place.

The attacks resulting from this collaboration of expertise have the feel and appearance of "old-fashioned," state-sponsored advanced persistent threat-style attacks, but are much more prevalent.

**How Organizations Can Defend Themselves**

The new, human operated RaaS model is much more sophisticated, targeted, and destructive than the RaaS models of the past, but there are still best practices organizations can follow to defend themselves.

Organizations must be disciplined about their security hygiene. IT is always changing, and any time a new endpoint is added, or a system is updated, it has the potential to introduce a new vulnerability or risk. Security teams must remain focused on security best practices: patching, using multifactor authentication, enforcing strong credentials, scanning the Dark Web for compromised credentials, training employees on how to spot phishing attempts, and more. These best practices help reduce the attack surface and minimize the risk that an access broker will be able to exploit a vulnerability to gain entry. Additionally, the stronger security hygiene an organization has, the less "noise" there will be for analysts to sort through in the security operations center (SOC), enabling them to focus on the real threat when one is identified.

Beyond security best practices, organizations must also ensure they have advanced threat detection and response capabilities. Because access brokers spend time performing reconnaissance in the organization's infrastructure, security analysts have an opportunity to spot them and stop the attack in its early stages — but only if they have the right tools. Organizations should look to extended detection and response solutions that can detect and cross-correlate telemetry from security events across their endpoints, networks, servers, email and cloud systems, and applications. They also need the ability to respond wherever the attack is identified to shut it down quickly. Large enterprises may have these capabilities built into their SOC, whereas midsize organizations may want to consider the managed detection and response model for 24/7 threat monitoring and response.

Despite the recent decline in ransomware attacks, security professionals shouldn't expect the threat to go extinct anytime soon. RaaS will continue to evolve, with the latest adaptations replaced by new approaches in response to cybersecurity innovations. But with a focus on security best practices paired with key threat prevention, detection, and response technologies, organizations will become more resilient against attacks.

Ransomware: The Latest Chapter

Ubuntu Security Notice 5618-1 - It was discovered the Ghostscript incorrectly handled memory when processing certain inputs. By tricking a user into opening a specially crafted PDF file, an attacker could cause the program to crash.

    ==========================================================================Ubuntu Security Notice USN-5618-1September 20, 2022ghostscript vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Ghostscript could be made to crash if it opened a specially crafted.Software Description:- ghostscript: PostScript and PDF interpreterDetails:It was discovered the Ghostscript incorrectly handled memory whenprocessing certain inputs. By tricking a user into opening a speciallycrafted PDF file, an attacker could cause the program to crash.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   ghostscript                      9.26~dfsg+0-0ubuntu0.16.04.14+esm4   ghostscript-x                   9.26~dfsg+0-0ubuntu0.16.04.14+esm4   libgs9                              9.26~dfsg+0-0ubuntu0.16.04.14+esm4In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5618-1   CVE-2020-27792

Ubuntu Security Notice USN-5618-1

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

Post Reply

*   Print view

Advanced search

3 posts • Page **1** of **1**

cyth

**Posts:** 2

**Joined:** Sat Aug 20, 2022 9:49 am

**null pointer dereference caused by no-check malloc pointer**

*   Quote

Post by **cyth** » Sat Aug 20, 2022 10:03 am

Hello.  
I find a npd bug in xpdf 4.04 in FoFiType1C.cc:2393, it may caused by WebFont.cc:198 ( a no-check pointer).  
It can be triggered by a crafted file in attachment by using pdftohtml.

Attachments

npd\_poc.zip

(11.43 KiB) Downloaded 12 times

Top

derekn

**Posts:** 797

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: null pointer dereference caused by no-check malloc pointer**

*   Quote

Post by **derekn** » Tue Aug 23, 2022 6:49 pm

I'll have that fixed in the next release.

Thanks for the bug report.

Top

cyth

**Posts:** 2

**Joined:** Sat Aug 20, 2022 9:49 am

**Re: null pointer dereference caused by no-check malloc pointer**

*   Quote

Post by **cyth** » Thu Aug 25, 2022 2:53 am

Thanks for your confirmation.

Top

Post Reply

*   Print view

Display: Sort by: Direction:

3 posts • Page **1** of **1**

Return to “Xpdf open source”

Jump to

*   XpdfReader
*   Xpdf open source

CVE-2022-38928: null pointer dereference caused by no-check malloc pointer

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

%PDF-1.7 %���� 1 0 obj <>/Metadata 511 0 R/ViewerPreferences 512 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 19 0 R 20 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R 29 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[�n�H}7��#9XQ�{3(v��"�:�g��yPd�c �2�� ?�߸U�"EI�I�-/&d�"Y��}��5/�w7��2x�z8^.'�?�������ë߲����n6Y��g���/K��s6���Q���$��������\_�GI�࿔)hfc�<\`F��";>��O�����4H�?�e�8p7O���r���y� N�wo�AR �7��r~\_��|����$� Ț%B���i+#�,�\[p�LSk�@M'��Z�%'���������X\`���5L)x�L\`����W��0?hɴ�O,n /K������>D&�y40�W��Ï�kwt dxO��ӈ����y|��}ڌ�NZ�4��Y�:�AW�|FX{�� ���U�'�j�/#�+��3� O#�ߣgΣ�2�Id鶏��y���m�ÏW�@������~�����e݄�1�\_�-�zJ�r)��t� @\*��ls� ���(��Œ�V�ǋ��Dem�����4H:G�H6�jx��Aub����/c����o�U/�|�����b�qq�ļ��!������w�c߬�B+�� x�.�\*ϗM�:���\*\*���-A\]B��P���ix�w�B�S'T��^�l�Y��\`U����� ��\*������V�p�ᝳi~�:�a.��Pw���Ɣ�Z6�2�� �1\_6���l���{8��p��q ����&��~��n�0� ����#M{\]�������!٫�ɾ8SC!�&r�c V�3s�6 ��ڄ�v��$z4\` (�$��h �X�����.���T%#<���F�T�%�7��7

CVE-2021-33081

A call for federal agency "review and assessment" of cyber-safety plans at water treatment plants should better protect customers and move the industry forward.

Sparked by high-risk cyberattacks and subsequent mainstream press coverage, the federal government is moving toward new requirements for critical infrastructure cybersecurity.

A July Office of Management and Budget (OMB) memo (PDF) called for agencies across the federal government to establish specific cybersecurity "performance standards" for their respective industries — and, even more significantly, to budget for federal agency "review and assessment" of cyber-hardening plans prepared by organizations required to meet those new standards.

**Needed: Federal Review and Assessment of Plans**

This level of direct supervision extends the approach that today is applied only to the most critical national infrastructure — notably the electrical grid (regulated by the Department of Energy, the Federal Energy Reliability Commission, and the North Amerian Reliability Corp.) and oil and gas pipelines (Department of Homeland Security and the Transportation Security Administration) — across the full range of US industries that people rely on, including retail, pharmaceuticals, chemical, transportation and distribution, food and beverage, and many others.

One industry that's likely to feel this regulatory activity strongly, and see substantial changes as a result, is the water sector. Heavily vulnerable to cyberattacks, water utilities are in urgent need of refreshed — and enforced — security standards. In fact, the Biden administration recently hinted that the Environmental Protection Agency (EPA) is set to issue a new rule that would include cybersecurity in sanitation reviews of the nation's water facilities — further supporting higher standards when it comes to cybersecurity.

The stakes are high: A typical municipal water processing system filters 16 million gallons of water each day, and one successful hacker could taint the community's entire water supply. This is not a hypothetical fear — a hacking group recently managed to infiltrate a water treatment system in Oldsmar, Fla. By tinkering with the amount of lye in the water, they put an entire town at risk. And recently, the Clop ransomware gang targeted the South Staffordshire water utility in the UK. While these attacks are not always successful, the gravity of the risks has been made abundantly clear.

Despite previous attempts to improve security standards for the water sector, it remains vulnerable. Even America's Water Infrastructure Act of 2018 (AWIA), which stated that water utilities must develop emergency response plans that address cybersecurity threats as part of a broader effort to improve overall infrastructure and quality, did not significantly change the cybersecurity posture for the industry. The sector encompasses 50,000 separate utilities in the United States, most of which are small and managed by municipalities; this fragmentation, coupled with general unwillingness from operators to abandon existing practices, allowed the impetus for change to peter out.

But precedent tells us that, when done right, federal regulations can make a difference. We're already seeing progress in another vulnerable critical infrastructure sector: oil and gas. Following the high-profile Colonial Pipeline hack in 2021, the Department of Homeland Security's Transportation Security Administration (TSA) quickly released two Security Directives, with an update in 2022, doubling down on its efforts to ensure better protection for energy infrastructure nationwide. These directives emphasized credential management and access control, two things that would have helped block the ransomware attack in the first place.

Despite initial pushback from pipeline owners and operators, these first-of-their-kind TSA requirements are already leading the entire sector toward a more-protected environment. Operators are now leaning into security measures centered around proactivity and attack prevention.

**Call for Attack Prevention Leads to More Protection**

The key difference here is that the TSA directives require implementation plans for cyber _protection_, not just for incident detection and response. Once operators were required to _protect_ themselves, not just respond to events after the fact — and once the federal government was reviewing their cyber-protection plans — the oil and gas sector began to move in earnest.

And now, with the OMB's guidance to agencies, the same direct supervision of cyber protection will come to other sectors, too, including water. In other words, the movement within oil and gas is a hint at what's to come for other critical infrastructure.

The 2021 Oldsmar hack showed the world just how easy — and how devastating — an attack on a water plant can be. Regardless of historical industry norms, a clear need for better cybersecurity has emerged, and it appears that the government is prepared to move ahead more aggressively than ever. Its broad push toward better security for critical infrastructure is poised to be the catalyst that many sectors, such as water, have desperately needed.

Plant owners and operators can no longer ignore the risks; heavier regulation is a "when," not an "if." Now is the time for them to pursue better, more modern cybersecurity.

Water Sector Will Benefit From Call for Cyber Hardening of Critical Infrastructure

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40980

Genesys PureConnect as of their build on 08-October-2020 suffers from a cross site scripting vulnerability.

    Product: Genesys PureConnect - Interaction Web Tools Chat ServiceDescription: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.Vulnerability Type: XSSVendor of Product: Genesys PureConnectAffected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current releaseAffected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdfAttack Vectors:  *   To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html<https://%3cvulnerable-domain%3e/I3Root/chatOrCallback.html>  *   Then select the 'I don't have an account" option, and enter the name "><script>alert(1)</script>  *   Then press 'Start Chat'  *   Then enter anything in the chat box like 'asdfg' and press send  *   Now select the 'Printable Chat History' in the top right corner  *   XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html"I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.Discoverer: Jake Murphy - Echelon Risk + Cyber - https://echeloncyber.com/> [References]> http://genesys.com> http://interaction.com

Genesys PureConnect Cross Site Scripting

A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment.

%PDF-1.3 %��������� 4 0 obj << /Length 5 0 R /Filter /FlateDecode >> stream x�\\mwݶ���\_Aٕ}�%Q���i�$u��v�X�nO�����J�c;'�?h��>�y@$��{�s��} ̿��Ͽzo��y���\_�VY�Z���ؼ�\]1���&��E^\[ׇKk�,�:o�:����/.Ln��|�\_�o�ͅ�������ŘA��������K@���\*�\`צ�����o���|c���7�6�k~�t��L���d֘���F'�SҘa�J2�u���}�ْ�O@�����n3�-�Et���ڢ�z��T%dp�E����m�T��lT�� R�Xd�8k��LQ(��� ��mv���E�S��h�RP�q�-����a��4�K��M\]����m~����#�ݶ)t��-Ȼ� �w��m~���k���˿�Π��y}\]\\���?s3�}/cfm\_}��XlE��h�nh�2Ð�� i�����{Y��E-��\\h������5uC��������u����Ջ�~z~��{����a���T\]QO���?�1��o�|"�3� ��ɫ�\*��a��5�y\[7E�+�>6��N���\\�����;�ca\]Բ�s�����uP�|s����V45�o3����/7~����;'~�}�p��S��}����v�#�-���0~p�č���\`��43=<�s���Eh#p�� ̱m\[�pU�l��yi\`@�ǽ�~�\] �Oq�T�k���\[\*3x���7Eӈ\`����F�����,�u���WAYZbv+�i�0�/���!��X�9�f,�b�����(&E���5̞��-S��Z����Tyݗ�(P؅�Ga�1�:� ��F4��h ��������l=�B�(��X�S�H�u�(0�UQ\[�hH@���\`)�̀W}a:3� ��7�}Xa��;��h�.~���u�����k � 6����:�K����m �� ��q���=된�2dO�дc��h���@;C��Hb�&Wy�9��K��Z�l�9A��П|�8��.Ϸ���l3p�~�s��~��x��������ӱ�ЁHp|����cH�Wx���d9\];�E��6$W����\_b��封R}��� T��~{�/l�#�}W�ȼ�XCמ�T}z�H�A�<���\*�Q�Ä�THbz��d�c�"�����R���.��7�a�<��� S� �:CH��u�S����^i/���"eX!���\]�,�q.��8��L% :c����?�-0o����Mf8�ַ�s��8\\o|s�}���%���W�N|c!v2a���3k|,j���\_�rC��+/D��"g���6a. �� ��Up~�ϱ��k>B8|�5'�l��� �+�A\_�ؖI�K�'�gB�� e52EBm{��񾽓يz�3��f�綈\]b�G<� v�}����T�@1��?�����Ԓ;�R�"�L8 ��!���L�\\�C���l��|�\`T��bxk 9x�\_��+l�V��6R.��N����4T�"XR��Æ��sWU�0�W���-d��5D��h�"P����}\]7;}�>+�td�:CX��}k${xrN�v�}d�tѢ�UlP�i��7��P�PU�P98�������(��YB��1"~� JrbA�h���-.!H����\\�Č��\\���2i��3���-� 0Y��~j��tkc� �N���K~v��F�g��Q��TR?��v�i��q�^��F)�� �$a�%\\n��b7�$���g3��bo����:�C�@ǳ�'y�ilsxr���@��h�g����\\��g\\�B�$RS�D\[g��1���F�\*�HN��)� �44T�x�P�;T�\\�o��\*%�T�A��ifx��L���7Sآ�5/'\*/��-���;QrDi������KQ,b��������k3��Y���j�Ss��16���>o+Dغ��M�bg÷�}\[sm��J����n7" ������l�1������1"W�nT�|1�좡 �de��9�B&Q�<�=���'c�\`����9 0�'�|5=�N��!j��.c��P���|�k�}ݎJ��/�G=�:��e���.�V-�uX�p���&�����\[A)����Tu���H�ȅ�;���6���Z�4@�i,�p���h$�uYRN?.A"e��|q�\`!�L:�<~?TpTp���\[�у��Y�K� ��@��B"��%Ě����,J�v���̌�q�n��7Q��&��n�����OP�q�J� L�� �tݰ�L�φ\[HwH�ٚع����1\\�����0r���� D�� K07N^^�������>WQ����s��2��cl�K?���K\\W��y,����;�,ϰ�+���2�Ȁ�o�m!9<ք�q����i��B�D�g��+�t��ǅ�����T�?@��֏?�aK���́�7M�r.�V�S�({��kJ6�\\ ��\_g:�7(ș���\*�\[�}����Yu�jD��\`��Yv�7&�G��!l���>�ƻ�, ���\_:�/�}�w �\`�;�+���F-�9�ދ���%����@xq&x|�D�i)>��%T��#��8t�;��l3�켠> l���G+�5r.9�4���#6:\*���vb�Q�'ʰ��'����v�4$�'�M�~�R$G}a�3P$�ݧx!:N2�{�g��/kJ���E"8�h&�����M,8Af$��Ϯ�stAYZ��iɢ�I��iu+dm5��Y5�q�O&��Z�zQǐ���hZ���B��������R��h���@�~�ǧǴ��>q�CHy"���K=^n��\_����{\\�\`^h+��xS��p�mڢ� ������n�H{z��������o�#z�.�RvOu��zjSh �T!�iz��Zn�����hlѷ�-n���̴uW4r|i�wO�ʅub�m4aq2���\_/o�p\_��<@X���rKy}�j)�h�Z9��m-�?M�V����i�����3 ���}Z��,��P ��>I��1NLF�"�ͥ��K��d\_:C��1�"��u��rp����'��^}�:��:���5��5\[<�ޱe��Z���c��<��E� ��\`��ib���j���6E"CĂ'��B���X�=��Ml8�&�V�!\]?�M\_\\#�L����)�vqe/B(G�q�����|�ts���~��ٽ�X���D��Eg8Z2��m����Y��dw|3ENʧ����� cfQ�3�^��CTF�I|r���y��M7G���W\\=�P���Nӣ����n�&��8m�>%�ߨ7���B\`���'~��)2$ ��S{דv6��o�K�Ax�g.b~n�8ʛ�� r �6�xW��6;&��h1ZPb���xd�h �!yGߺ>hi�����{�u�\`����x����3��� # -�'�Q��3?u} ����;�&-�h������@�^��-1�É��a �R�D�$G�L2���J�U������>�D��:z!��}�R����V����z��e1��o\[���/P�"3F�p�tۣ!������Y���h�peS�1�ÜV6gw��X|�^AZ�;�.V�|���>�q���� �k��&������϶� A��+��f�o⚪�A��>�'���.#u� g��KP�LW{�<ȋ\\���K�w�p�%�\]Ch�n1��jB��,�u�t�b^i�΂��\*z\`Ѐ��?L"��Q��h� �� '��~c��g�S:��B�0�N���ZM-�M�bJ��ʌ���sV�ˁ�v貈�┭z�ݱ GV�bs��΁!cp�S�a3�@g�q�}�5Sq�h��;�ɰ��ɁT̂p��LE��8�xF2>��Ĕ@(��ƑrXi�\`vёȁvP��f���"g �^�FT�\*�\*\_ȼd�X�W�w��AE.�Ù������z�9�т2��}-��i\`�R�3��5�Sa�lNm��c\*X~��A������w���8%�-�٣@�$/�^� H��Ƀ�� I�&��i��M��� �Pt���C�BL�1f��zE�� 3�zG-bB��E�c���v���������L�gL��N�8���.�'&�E��b�����J(�܆Ɂj�'bZZw�P�u�h��G��Q��;A�|7c��}(�BQ� ��7!��/C\]�w��2�s����۫�WM�o�d�����|����By=iWYl��������|�\_+�Dm s�!>. \*�y\`al���xOD!��B>�K��6�A ��Y �C?���73h��I2VG�N�y�  bWPY����=F� 0�P���\`�H�=r��;�{x"���b���~ӢC��i\[w$B���D�P�\`�.�L���Jl)�-6@L��\[�����ȹ}閭���6�7��&�p"C��q�\_\\3��$"đ��&!,�Q�QO�6vTL�����kJE#/�Y�%��K9c/�<���ƥnc+;Ǟ��wI��S�5� ��H���Td=u-�t�����^n��#sR��=2��80֢>���8�2SW�ً��ӌ8�W��(O�%Y������ ��1��l�lj�ܫ�b�$\*��ILՁ̌N�V���\[l��=����d�V&#�u��+.�-�A�t���U뢎�zST��-8=U�Uf=�:(V������|B\`r���Z����!�F?�/,�X�4��p��+�a~ Wm�a��%�������ߺ�g�zW��a1����89��f�

Tag

#pdf