Red Hat Security Advisory 2022-5236-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:5236-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5236  
Issue date:        2022-06-28  
CVE Names:         CVE-2022-1729 CVE-2022-1966   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: race condition in perf_event_open leads to privilege escalation  
(CVE-2022-1729)

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-1966)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z15 source tree (BZ#2081074)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2086753 - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation  
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/cve/CVE-2022-1966  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrr1h9zjgjWX9erEAQgoug//X+2272c6fT57aJDp7fTx1jWR/C1btEgx  
1ntHeoWo63OEPOTEBBvzumm8Snc3ha3Si5rLUED4jFqrZF2x4tL5ysPdZVzmEhKb  
TbRs6qvO4DaC8DRiPDlCMRjTyr6LALFkukVZnNp27pdfIQaPAZT2rw5vqM9eBxaP  
ujhlJHF+UhxhjczV5maDObvtqv9tXw4aAcCSwLJ3G7DjIIjclYZVCZyQ2vutMR2v  
mdUcCYJ0FpT5AdgyqJAytVHBg3SuqocWECvcgo81v5OyVRpJSPISr8QJ9A7ArRmP  
Opgc9eGp0VUZST/YEn5moJohXQ3CP7A7plg9HUjo6wSqMjaoYuA6O55htGP4cMu0  
q2fnnrhQNDTqmMr3mdtnvJegzDbgkm4BiGUagpzu8KzCiDuQICWtKpD7yR5nWeeU  
8rCy4gG2umSyy3YIbYQBUw1dpDyQGZEx1rkCb7E9Q+dY6V+kfY9VOdayL9lwKjDB  
hiXCR4CJI7VhAUx8vBZJjjDKuZsPps/C/qgFnuAozXi9zseeCvi8oaqwAfFOlWN1  
9yJjElvhMj8/KZBK+sILO/mBjyTzZWrWseMkqgoULpmKwDjx5JsyOyfGiPbsEfnm  
IA1ytujJQbZLDODOIsx+9RqH20eMylVIzkVaNte1nBZoHJwY525CNMZmirnF9zHu  
SsJW0x6Eodc=  
=ZYzg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5236-01

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

@@ -298,6 +298,18 @@ public function \_\_construct(array $attributes = null)

$this\->setFontDir($rootDir . "/lib/fonts");

$this\->setFontCache($this\->getFontDir());

  

$ver = "";

$versionFile = realpath(\_\_DIR\_\_ . "/../VERSION");

if (file\_exists($versionFile) && ($version = trim(file\_get\_contents($versionFile))) !== false && $version !== '$Format:<%h>$') {

$ver = "/$version";

}

$this\->setHttpContext(\[

"http" => \[

"follow\_location" => false,

"user\_agent" => "Dompdf$ver https://github.com/dompdf/dompdf"

\]

\]);

  

if (null !== $attributes) {

$this\->set($attributes);

}

CVE-2022-0085: Add a default context · dompdf/dompdf@bb1ef65

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

Deliveries of prepared meals to thousands of vulnerable people in England continue to be disrupted following a “sophisticated” cyber-attack on food distributor Apetito.

Apetito’s impacted UK arm delivers ready meals to hospitals, care homes, schools, childcare facilities, and the homes of vulnerable people across the west of England.

In an update (PDF) posted to its website yesterday (June 27), Paul Freeston, chair and CEO of Apetito UK and North America, reiterated that the firm would be unable to fulfill deliveries until and including Thursday June 30 following the cyber-attack over the weekend.

He advised customers with “deliveries on these days to make contingency plans”.

Freeston added that “a limited number of test deliveries from a manual system will be made tomorrow”, and if successful, “we hope to extend \[this system\] further this week”.

**Emergency procedures**

Freeston said on Sunday that the company had activated “emergency procedures” to ensure “most” customers of meals on wheels (home-delivered hot food) should still receive a meal – “although it may not be the meal they chose”.

Apetito subsidiary Wiltshire Farm Foods, which delivers frozen ready meals to the homes of mostly vulnerable people, usually seniors, managed to make “a limited number of local deliveries” yesterday using “a manual work-around system” that would “continue this week”.

Read more of the latest cyber-attack news

As expected, Monday’s Apetito deliveries to businesses, including other ‘meals-on-wheels’ operators, proceeded normally “as these orders were already picked” before systems were disrupted.

On the production front, “a significant but restricted” program was up and running as of yesterday.

Meal orders submitted by businesses after 7.30pm on Friday “should be assumed not to have been received”, said Freeston.

Wiltshire Farm Foods is apparently unable to take orders over the phone or via its website and app, with fulfilment new orders expected to resume from July 4.

**‘Designed to extort money’**

Apetito, announced on Sunday (June 26) that it shut down many IT systems following the cyber-attack, which was “designed to extort money from the company”.

The company said it was “building new hardware and software to replace the affected systems”, which did not include its UK Microsoft systems, while “email communication is fully functional”.

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

It was also “seeking to establish whether any personally identifiable information (PII) has been compromised” and would alert customers and the Information Commissioner’s Office (ICO) if necessary.

Freeston said he was confident that payment card data was not compromised since this data was not held on Apetito’s systems.

“Our crisis management team is meeting multiple times each day to review progress, direct resources and respond to emerging issues”, he continued, adding that Apetito would continue providing updates at least daily.

“I would like to thank our customers and other contacts who are being so supportive during this issue. Our team continue to work tirelessly on the recovery and I am very grateful for their amazing efforts.”

Apetito declined to comment further when contacted by The Daily Swig.

YOU MIGHT ALSO LIKE Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.

Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.

According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.

****Bug Exploited to Plant Ransomware**  **

Researcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.

The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.

“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennet wrote in a blog post.

The exploit involves two GET requests. The first one targets a “get\_url” parameter of a PHP file and the second one originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl\_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.

Once the reverse shell was established, the attacker created a web shell named “pdf\_import.php”. The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.

The Crowdstrike also identifies anti-forensic techniques performed by the threat actors to conceal the activity.

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.

****Vulnerable Mitel Devices on Shodan****

The security researcher Kevin Beaumont shared a string “http.html\_hash:-1971546278” to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.

****Mitel Mitigation Recommendations** **

Crowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.

Mitel VoIP Bug Exploited in Ransomware Attacks

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

The number of new ransomware families and unique variants has fallen over the last year, according to new research from WithSecure.

The company, formerly known as F-Secure Business, says in its latest Ransomware Threat Update (PDF) that the number of new families and unique variants appearing each year peaked around 2017, but stayed relatively stable for most of the second half of the last decade.

Last year, though, saw a significant drop in the amount of new ransomware families discovered by the researchers.

The main reason, says the firm, appears to be a consolidation of efforts by attackers, who are increasingly exploiting off-the-shelf Ransomware-as-a-Service (RaaS) packages.

**RELATED** DBIR 2022: Ransomware surge increases global data breach woes

“These days, cybercriminals are often operating as organisations, and they want to maximise their ROI,” Paolo Palumbo, vice president of WithSecure’s Tactical Defense Unit, tells _The Daily Swig_.

“In this sense, they are focusing their resources on getting a foothold in a victim’s system, rather than developing their own ransomware. People often forget that this isn’t a game of who makes the best ransomware – it’s about getting money out of victims.”

**Rise of RaaS**

Importantly, Palumbo says that the fall in the number of ransomware families doesn’t necessarily imply a fall in the number of attackers.

“Like many other businesses, cybercriminals are taking advantage of specialist tech vendors who prepare readily-available platforms to conduct these types of scams and attacks,” he says.

“But we shouldn’t assume it makes the users of these systems incompetent or any less expert.”

Read more of the latest infosec research news

Ransomware was the most widespread threat type identified in 2021, accounting for nearly 17% of identified threats.

And WannaCry was the most prevalent ransomware family – by a considerable margin, accounting for more than half of non-generic ransomware detections.

This was followed by three RaaS families: GandCrab, REvil, and Phobos.

**Double extortion**

In terms of tactics, threat actors are increasingly finding new ways of extorting cash from victims, for example by stealing data before encryption and threatening to leak it, with Maze and REvil the most notable examples of what’s been dubbed ‘double extortion’.

Malicious Microsoft Office documents and downloads were the most commonly observed ransomware attack vectors in 2021, followed by exploiting vulnerabilities and accessing networks via exposed Remote Desktop Protocol (RDP) ports.

WithSecure points out that many of these vectors rely on unpatched vulnerabilities – particularly in internet-facing infrastructure – poor password hygiene, lack of multi-factor authentication to secure online accounts, and other weaknesses that organizations should be able to address.

Meanwhile, says Palumbo, governments have their part to play.

“The role of governments and agencies is extremely important and multi-faceted,” he says.

“They need to continue pushing the importance of cybersecurity education and hygiene for both individuals and organizations, making it more difficult for cybercriminals to take advantage and extort money.”

**DON’T MISS** Researchers crack MEGA’s ‘privacy by design’ storage, encryption

Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file.

A stored cross-site scripting (XSS) vulnerability exists in LightCMS that allows an user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

    %PDF-1.4
    %1111
    1 0 obj
    <<
    /CreationDate (D:20210619104632+08'00')
    /Creator (xss)
    /Producer (PDF-XChange Core API SDK $7.0.324.2$)
    >>
    endobj
    2 0 obj
    <<
    /Metadata 3 0 R
    /Pages 4 0 R
    /Type /Catalog
    >>
    endobj
    3 0 obj
    <<
    /Length 2983
    /Subtype /XML
    /Type /Metadata
    >>
    stream
    <?xpacket begin="﻿" id="W5M0MpCehiHzreSzNTczkc9d"?>
    <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.5.0">
    	<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    		<rdf:Description rdf:about=""
    				xmlns:dc="http://purl.org/dc/elements/1.1/"
    				xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    				xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    				xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
    			<dc:format>application/pdf</dc:format>
    			<xmpMM:DocumentID>uuid:9c93bc08-8e4e-46cb-b28f-824c693821a4</xmpMM:DocumentID>
    			<xmpMM:InstanceID>uuid:2cd63bea-24ca-4ef8-a12c-015da3b28c96</xmpMM:InstanceID>
    			<xmp:CreateDate>2021-06-19T10:46:32+08:00</xmp:CreateDate>
    			<xmp:CreatorTool>迅捷PDF编辑器 7.0.324.2</xmp:CreatorTool>
    			<xmp:ModifyDate>2021-06-19T10:52:02+08:00</xmp:ModifyDate>
    			<pdf:Producer>PDF-XChange Core API SDK (7.0.324.2)</pdf:Producer>
    		</rdf:Description>
    	</rdf:RDF>
    </x:xmpmeta>

CVE-2022-33009: A stored cross-site scripting (XSS) vulnerability exists in LightCMS "contents" field · Issue #30 · eddy8/LightCMS

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

**Impact**

Incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the  
/config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM.

**Patches**

The issue is fixed in version 8.0.

**Workarounds**

None

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/LDAPAccountManager/lam/issues
*   Email us on lam-public mailinglist

**Credits**

Arseniy Sharoglazov and Andrey Medov

CVE-2022-31086

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

MEGA claims that its storage service is private by design, but according to researchers, the technology is beset with “serious” security issues.

Based in New Zealand, MEGA is a cloud storage service and messaging platform that offers end-to-end encryption to more than 250 million users. MEGA also allows users to make audio and video calls.

The company calls itself a “zero-knowledge” encryption service built with “privacy by design”.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key,” the organization says. “MEGA does not have access to your password or your data.”

However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary.

ETH Zurich cryptography researchers Matilda Backendal, Miro Haller, and Professor Kenneth Paterson analyzed MEGA’s source code and cryptographic architecture, uncovering a total of five vulnerabilities.

**Encryption cracked**

After recreating part of the MEGA platform and attempting to brute-force their own accounts, the team says they found that using one main key represents a “fundamental” weakness in the service.

A paper (PDF) describing the flaw says that the MEGA client derives an authentication key from a user’s password. This key is then used to encrypt other key material, files, and more.

A lack of integrity protection of ciphertexts containing keys breaks the confidentiality of the master key and overall encryption system, according to the researchers. This permits integrity attacks, RSA key and plaintext recovery attacks, and establishes an RSA decryption attack vector.

Catch up on the latest cloud security-related news

By hijacking only a session ID, it takes a maximum of 512 login attempts to break into a MEGA account.

“An additional manipulation of the MEGA software program on the computer of the victim can force their user account to constantly log in automatically,” the researchers said. “This shortens the time needed to fully reveal the key to just a few minutes.”

It then may be possible to compromise other keys used on the MEGA platform.

Potential post-attack vectors could include stealing user data or even uploading files – such as illegal or compromising images and video – locking up the account, and then blackmailing the targeted individual.

**MEGA response**

Paterson said the team reported its findings to MEGA on March 24 and proposed ways to resolve the security holes.

While MEGA apparently “decided to react in ways that are different than what we suggested,” according to the researcher, the initial attack vector on the RSA key has now been patched.

When approached for comment, MEGA pointed us toward a security advisory which says the first fix has been rolled out and additional patches are being developed.

According to MEGA, only customers that have logged into their account at least 512 times could be at risk – and this does not include resuming existing sessions.

Furthermore, the organization says that to take advantage of the cryptographic flaws, attackers would need to “gain control over the heart of MEGA’s server infrastructure or achieve a successful man\[ipulator\]-in-the-middle attack on the user’s TLS connection to MEGA”.

“The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA’s API servers or TLS connections without being noticed,” the firm added.

The Daily Swig passed on this reaction to researchers at ETH Zurich who responded by saying MEGA had only resolved some of the security shortcomings that they had identified:

  

As detailed on the webpage of the paper \[1\], we contacted MEGA on March 24, 2022, to inform them of the vulnerabilities. They responded the same day and acknowledged the issues. They have been very open and communicative throughout. As part of our disclosure, we provided them with three sets of countermeasures, ranging from ‘immediate’ to ‘recommended’.

MEGA decided to go with a different patch, which protects against the first three out of our five attacks. You can read more about this in their blog post \[2\]. We continue to stand by our recommended countermeasures, which we believe would protect against our attacks (and others) in a more robust way than the fix that MEGA decided for.

YOU MIGHT ALSO LIKE Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

Researchers crack MEGA’s ‘privacy by design’ storage, encryption

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for June 17 to June 24

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

    GNU Image Manipulation Program version 2.10.30
    git-describe: Unknown, shouldn't happen
    Build: org.gimp.GIMP_official rev 0 for windows
    # C compiler #
    	Using built-in specs.
    	COLLECT_GCC=W:\msys64-gtk2\mingw64\bin\gcc.exe
    	COLLECT_LTO_WRAPPER=W:/msys64-gtk2/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/11.2.0/lto-wrapper.exe
    	Target: x86_64-w64-mingw32
    	Configured with: ../gcc-11.2.0/configure --prefix=/mingw64 --with-local-prefix=/mingw64/local --build=x86_64-w64-mingw32 --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --with-native-system-header-dir=/mingw64/x86_64-w64-mingw32/include --libexecdir=/mingw64/lib --enable-bootstrap --enable-checking=release --with-arch=x86-64 --with-tune=generic --enable-languages=c,lto,c++,fortran,ada,objc,obj-c++,jit --enable-shared --enable-static --enable-libatomic --enable-threads=posix --enable-graphite --enable-fully-dynamic-string --enable-libstdcxx-filesystem-ts --enable-libstdcxx-time --disable-libstdcxx-pch --disable-libstdcxx-debug --enable-lto --enable-libgomp --disable-multilib --disable-rpath --disable-win32-registry --disable-nls --disable-werror --disable-symvers --with-libiconv --with-system-zlib --with-gmp=/mingw64 --with-mpfr=/mingw64 --with-mpc=/mingw64 --with-isl=/mingw64 --with-pkgversion='Rev5, Built by MSYS2 project' --with-bugurl=https://github.com/msys2/MINGW-packages/issues --with-gnu-as --with-gnu-ld --with-boot-ldflags='-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high -Wl,--disable-dynamicbase -static-libstdc++ -static-libgcc' 'LDFLAGS_FOR_TARGET=-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high' --enable-linker-plugin-flags='LDFLAGS=-static-libstdc++\ -static-libgcc\ -pipe\ -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high\ -Wl,--stack,12582912'
    	Thread model: posix
    	Supported LTO compression algorithms: zlib zstd
    	gcc version 11.2.0 (Rev5, Built by MSYS2 project) 
    
    # Libraries #
    using babl version 0.1.88 (compiled against version 0.1.88)
    using GEGL version 0.4.34 (compiled against version 0.4.34)
    using GLib version 2.70.2 (compiled against version 2.70.2)
    using GdkPixbuf version 2.42.6 (compiled against version 2.42.6)
    using GTK+ version 2.24.33 (compiled against version 2.24.33)
    using Pango version 1.50.2 (compiled against version 1.50.2)
    using Fontconfig version 2.13.94 (compiled against version 2.13.94)
    using Cairo version 1.17.4 (compiled against version 1.17.4)
    

    -------------------
    
    Error occurred on Friday, June 3, 2022 at 15:37:43.
    
    gimp-2.10.exe caused an Access Violation at location 00007FF692DE9E5C in module gimp-2.10.exe Writing to location 000000000000008C.
    
    AddrPC           Params
    00007FF692DE9E5C 000001C7F701D540 00007FF692DB3D5F 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB55A4 000001C7F5B001D0 0000007EBE1FEE90 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB6B74 0000007EBE1FEF52 00007FF6931F7610 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C83BCF 000001C7EBD2D290 00007FFBB6D653A6 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F340 000001C7EBDC8310 000001C7F663A430 000001C7B1B27370  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F4F9 000001C7EBDC8810 000001C7F4594560 0000000000000001  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D21BE0 000001C7EBEC7240 000001C7EBEF50B0 000001C700000003  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D14FF9 0000000000000003 00007FF692D14AF4 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E43C 0000000000000000 0000000000000020 000001C7F7156780  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E8B7 000001C7EBE70C80 000001C7EBECA230 000001C7F663A430  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692E304A4 0000000000000000 0000000000000000 000001C7F663A430  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692DDA679 000001C7EBD2D290 0000000000000000 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DDA785 000001C7F7021760 000001C7F7043F10 000001C7F65BC168  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C4AE7C 000001C7B3B79860 00007FFBB6B5BB20 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FFBB6B58D47 000001C700000000 0000007EBE1FF688 000001C7B3B26870  libglib-2.0-0.dll!g_clear_list
    00007FFBB6B5BEDE 0000000000000000 0000000000000000 000001C7EBD2D290  libglib-2.0-0.dll!g_main_context_check
    00007FFBB6B5C3FC 0000000000000000 0000000000000000 0000000000000000  libglib-2.0-0.dll!g_main_loop_run
    00007FF692A31A2B 00007FFC2C7093B0 000001C7B1B4E480 000001C7B1C00860  gimp-2.10.exe!0x7ff600001a2b
    00007FF692ECF67F 0000000000000000 000001C7B1B50E60 0000000000000000  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692A313B1 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000013b1
    00007FF692A314C6 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000014c6
    00007FFC2C7054E0 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk
    00007FFC2E80485B 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart
    
    gimp-2.10.exe	2.10.30.0
    ntdll.dll   	10.0.22000.653
    KERNEL32.DLL	10.0.22000.675
    KERNELBASE.dll	10.0.22000.675
    msvcrt.dll  	7.0.22000.1
    ole32.dll   	10.0.22000.120
    msvcp_win.dll	10.0.22000.1
    ucrtbase.dll	10.0.22000.1
    GDI32.dll   	10.0.22000.1
    win32u.dll  	10.0.22000.675
    gdi32full.dll	10.0.22000.675
    USER32.dll  	10.0.22000.282
    combase.dll 	10.0.22000.653
    RPCRT4.dll  	10.0.22000.675
    SHELL32.dll 	10.0.22000.593
    libgimpmodule-2.0-0.dll
    libgimpcolor-2.0-0.dll
    libgimpmath-2.0-0.dll
    libgimpconfig-2.0-0.dll
    libgimpthumb-2.0-0.dll
    libgimpwidgets-2.0-0.dll
    libgimpbase-2.0-0.dll
    exchndl.dll 	0.8.2.0
    PSAPI.DLL   	10.0.22000.1
    libbabl-0.1-0.dll
    libcairo-2.dll
    dbghelp.dll 	6.3.9600.17298
    libfontconfig-1.dll
    libgdk_pixbuf-2.0-0.dll	2.42.6.0
    libfreetype-6.dll	2.11.1.0
    ADVAPI32.dll	10.0.22000.653
    sechost.dll 	10.0.22000.556
    libgexiv2-2.dll
    libgio-2.0-0.dll	2.70.2.0
    libgobject-2.0-0.dll	2.70.2.0
    libglib-2.0-0.dll	2.70.2.0
    SHLWAPI.dll 	10.0.22000.1
    WS2_32.dll  	10.0.22000.1
    libharfbuzz-0.dll
    libintl-8.dll	0.19.8.0
    libjson-glib-1.0-0.dll
    liblcms2-2.dll
    libmypaint-0.dll
    libpangoft2-1.0-0.dll	1.50.2.0
    libpango-1.0-0.dll	1.50.2.0
    libpangocairo-1.0-0.dll	1.50.2.0
    zlib1.dll
    libgdk-win32-2.0-0.dll	2.24.33.0
    libgegl-0.4-0.dll
    libgegl-npd-0.4.dll
    libgtk-win32-2.0-0.dll	2.24.33.0
    IMM32.dll   	10.0.22000.1
    libgmodule-2.0-0.dll	2.70.2.0
    mscms.dll   	10.0.22000.469
    comdlg32.dll	10.0.22000.527
    VERSION.dll 	10.0.22000.1
    shcore.dll  	10.0.22000.613
    MSIMG32.dll 	10.0.22000.1
    mgwhelp.dll 	0.8.2.0
    libgcc_s_seh-1.dll
    libpixman-1-0.dll
    libexpat-1.dll
    libpng16-16.dll
    libiconv-2.dll	1.16.0.0
    gdiplus.dll 	10.0.22000.675
    libbz2-1.dll
    libbrotlidec.dll
    libstdc++-6.dll
    libffi-7.dll
    DNSAPI.dll  	10.0.22000.653
    IPHLPAPI.DLL	10.0.22000.282
    USP10.dll   	10.0.22000.1
    libexiv2.dll
    libwinpthread-1.dll	1.0.0.0
    libpcre-1.dll
    libgraphite2.dll
    libjson-c-5.dll
    libpangowin32-1.0-0.dll	1.50.2.0
    libfribidi-0.dll
    libthai-0.dll
    COMCTL32.dll	5.82.22000.1
    bcrypt.dll  	10.0.22000.1
    cfgmgr32.dll	10.0.22000.1
    WINSPOOL.DRV	10.0.22000.675
    libatk-1.0-0.dll	2.36.0.0
    libbrotlicommon.dll
    libcurl-4.dll
    CRYPT32.dll 	10.0.22000.348
    WLDAP32.dll 	10.0.22000.675
    libdatrie-1.dll
    libnghttp2-14.dll
    libidn2-0.dll
    libcrypto-1_1-x64.dll	1.1.1.12
    libpsl-5.dll
    libssh2-1.dll
    libssl-1_1-x64.dll	1.1.1.12
    libzstd.dll
    libunistring-2.dll	0.9.10.0
    NSI.dll     	10.0.22000.1
    windows.storage.dll	10.0.22000.675
    wintypes.dll	10.0.22000.527
    kernel.appcore.dll	10.0.22000.71
    bcryptPrimitives.dll	10.0.22000.376
    uxtheme.dll 	10.0.22000.120
    MSCTF.dll   	10.0.22000.527
    avx2-int8.dll
    cairo.dll
    CIE.dll
    double.dll
    fast-float.dll
    float.dll
    gegl-fixups.dll
    gggl-lies.dll
    gggl-table-lies.dll
    gggl-table.dll
    gggl.dll
    gimp-8bit.dll
    grey.dll
    half.dll
    HCY.dll
    HSL.dll
    HSV.dll
    naive-CMYK.dll
    simple.dll
    sse-half.dll
    sse2-float.dll
    sse2-int16.dll
    sse2-int8.dll
    sse4-int8.dll
    two-table.dll
    u16.dll
    u32.dll
    ycbcr.dll
    gegl-core.dll
    profapi.dll 	10.0.22000.1
    OLEAUT32.dll	10.0.22000.1
    clbcatq.dll 	2001.12.10941.16384
    propsys.dll 	7.0.22000.37
    apphelp.dll 	10.0.22000.282
    NetworkExplorer.dll	10.0.22000.51
    winhttp.dll 	10.0.22000.1
    exr-load.dll
    libIlmImf-2_5.dll
    libIex-2_5.dll
    libHalf-2_5.dll
    libIlmThread-2_5.dll
    libImath-2_5.dll
    gegl-common-gpl3.dll
    gegl-common.dll
    gif-load.dll
    jp2-load.dll
    libjasper-4.dll
    libjpeg-8.dll
    jpg-load.dll
    pdf-load.dll
    libpoppler-glib-8.dll
    libpoppler-115.dll
    nss3.dll    	3.73.1.0
    libnspr4.dll	4.31.0.0
    libplc4.dll 	4.31.0.0
    smime3.dll  	3.73.1.0
    libopenjp2-7.dll
    libtiff-5.dll
    libplds4.dll	4.31.0.0
    nssutil3.dll	3.73.1.0
    MSWSOCK.dll 	10.0.22000.1
    WINMM.dll   	10.0.22000.1
    libjbig-0.dll
    libdeflate.dll
    libLerc.dll
    liblzma-5.dll	5.2.5.0
    libwebp-7.dll
    pixbuf-load.dll
    png-load.dll
    ppm-load.dll
    raw-load.dll
    libraw-20.dll
    libgomp-1.dll
    rgbe-load.dll
    svg-load.dll
    librsvg-2-2.dll
    libcairo-gobject-2.dll
    USERENV.dll 	10.0.22000.1
    libxml2-2.dll
    text.dll
    tiff-load.dll
    webp-load.dll
    exr-save.dll
    jpg-save.dll
    npy-save.dll
    pixbuf-save.dll
    png-save.dll
    ppm-save.dll
    rgbe-save.dll
    sdl2-display.dll
    SDL2.dll    	2.0.18.0
    SETUPAPI.dll	10.0.22000.469
    tiff-save.dll
    webp-save.dll
    gegl-common-cxx.dll
    lcms-from-profile.dll
    npd.dll
    path.dll
    transformops.dll
    vector-stroke.dll
    seamless-clone-compose.dll
    gegl-generated.dll
    matting-levin.dll
    libumfpack.dll
    libamd.dll
    libsuitesparseconfig.dll
    libcholmod.dll
    libcamd.dll
    libccolamd.dll
    libmetis.dll
    libcolamd.dll
    libopenblas.dll
    libgfortran-5.dll
    libquadmath-0.dll
    seamless-clone.dll
    libgegl-sc-0.4.dll
    libwimp.dll
    libpixmap.dll
    libpixbufloader-png.dll
    libpixbufloader-svg.dll
    icm32.dll   	10.0.22000.469
    textinputframework.dll	10.0.22000.282
    CoreMessaging.dll	10.0.22000.71
    CoreUIComponents.dll	10.0.22000.132
    CRYPTBASE.DLL	10.0.22000.1
    PalmInputTSF.dll	2.7.0.1702
    ntmarta.dll 	10.0.22000.1
    AppXDeploymentClient.dll	10.0.22000.469
    urlmon.dll  	11.0.22000.653
    iertutil.dll	11.0.22000.653
    netutils.dll	10.0.22000.434
    srvcli.dll  	10.0.22000.613
    TextShaping.dll
    Windows.ApplicationModel.dll	10.0.22000.593
    mssprxy.dll 	7.0.22000.593
    mrmcorer.dll	10.0.22000.120
    windows.staterepositorycore.dll	10.0.22000.65
    windows.staterepositoryclient.dll	10.0.22000.653
    bcp47mrm.dll	10.0.22000.65
    Windows.UI.dll	10.0.22000.1
    CRYPTSP.dll 	10.0.22000.1
    rsaenh.dll  	10.0.22000.282
    shfolder.dll	10.0.22000.1
    webio.dll   	10.0.22000.1
    WINNSI.DLL  	10.0.22000.1
    SspiCli.dll 	10.0.22000.556
    rasadhlp.dll	10.0.22000.1
    fwpuclnt.dll	10.0.22000.593
    schannel.DLL	10.0.22000.675
    mskeyprotect.dll	10.0.22000.1
    NTASN1.dll  	10.0.22000.1
    ncrypt.dll  	10.0.22000.1
    ncryptsslp.dll	10.0.22000.1
    MSASN1.dll  	10.0.22000.1
    DPAPI.DLL   	10.0.22000.1
    comctl32.dll	6.10.22000.120
    WindowsCodecs.dll	10.0.22000.653
    
    Windows 10.0.22000
    DrMingw 0.8.2

Tag

#pdf