lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash.

**Bug 865631** \- <app-text/lesspipe-2.06: Perl storable (pst) files security fix

Summary: <app-text/lesspipe-2.06: Perl storable (pst) files security fix

Status:

IN\_PROGRESS

Alias:

None

Product:

Gentoo Security

Classification:

Unclassified

Component:

Vulnerabilities (show other bugs)

Hardware:

All Linux

Importance:

Normal normal (vote)

Assignee:

Gentoo Security

URL:

Whiteboard:

B2 \[glsa\]

Keywords:

Depends on:

872749

Blocks:

 

Show dependency tree

Reported:

2022-08-18 02:58 UTC by Sam James

Modified:

2022-10-31 15:37 UTC (History)

CC List:

1 user (show)

See Also:

Package list:

Runtime testing required:

\---

  

Attachments

Add an attachment (proposed patch, testcase, etc.)

  

Note You need to log in before you can comment on or make changes to this bug.

CVE-2022-44542: Perl storable (pst) files security fix

A lax API governance strategy can lead to abandoned or overlooked APIs that open up organizations to security threats.

**Question: What is the difference between zombie APIs and shadow APIs?**

**Nick Rago, Field CTO, Salt Security:** Zombie APIs and shadow APIs represent by-products of a larger challenge that enterprises are struggling to tackle today: API sprawl.

As companies seek to maximize the business value associated with APIs, APIs have proliferated. Digital transformation, app modernization to microservices, API-first app architectures, and advancements in rapid continuous software deployment methods have fueled the high-velocity growth of the number of APIs created and in use by organizations. As a result of this rapid API production, API sprawl has manifested itself across multiple teams who leverage multiple technology platforms (legacy, Kubernetes, VMs, etc.) across multiple distributed infrastructures (on-premises data centers, multiple public clouds, etc.). Unwanted entities such as zombie APIs and shadow APIs emerge when organizations do not have the proper strategies in place to manage API sprawl.

Simply put, a zombie API is an exposed API or an API endpoint that has become abandoned, outdated, or forgotten. At one point, the API served a function. However, that function may no longer be needed or the API has been replaced/updated with a newer version. When an organization does not have proper controls in place around versioning, deprecating, and sunsetting old APIs, those APIs may linger on indefinitely — hence, the term zombie.

Because they are essentially forgotten, zombie APIs don't receive any ongoing patching, maintenance, or updates in any functional or security capacity. Therefore, the zombie APIs become a security risk. In fact, Salt Security's "State of API Security" report names zombie APIs as organizations' No. 1 API security concern over its past four surveys.

In contrast, a shadow API is an exposed API or an API endpoint whose creation and deployment were done "under the radar." Shadow APIs have been created and deployed outside of an organization's official API governance, visibility, and security controls. Consequently, they can pose a wide variety of security risks, including:

*   The API may not have proper authentication and access gates in place.
*   The API may be exposing sensitive data improperly.
*   The API may not be adhering to best practices from a security standpoint, making it vulnerable to many of the OWASP API Security Top 10 attack threats.

A number of motivating factors are behind why a developer or app team would want to deploy an API or endpoint quickly; however, a strict API governance strategy must be followed to enforce controls and process over how and when an API gets deployed regardless of the motivation.

Adding to the risks, API sprawl and the emergence of zombie and shadow APIs extend beyond APIs developed in-house. Third-party APIs deployed and utilized as part of packaged applications, SaaS-based services, and infrastructure components can also introduce problems if not properly inventoried, governed, and maintained.

Zombie and shadow APIs pose similar security risks. Depending on an organization's existing API controls (or lack thereof), one may be less or more problematic than the other. As a first step to tackle the challenges of zombie and shadow APIs, organizations must use a proper API discovery technology to help inventory and understand all of the APIs deployed in their infrastructures. Additionally, organizations must adopt an API governance strategy that standardizes how APIs are built, documented, deployed, and maintained — regardless of team, technology, and infrastructure.

Why Are Zombie APIs and Shadow APIs So Scary?

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection

CVE-2022-3254

While fewer cloud providers are suffering outages, customers should prepare for the uncommon event, especially when relying on cloud services for security.

When cybersecurity software-as-a-service offerings are impacted by an outage, it can result in a significant disruption, especially if the service protects business-critical portions of a firm's infrastructure. 

In the past two weeks, for example, outages at cybersecurity services firm Zscaler resulted in latency, packet loss, and outages for some businesses. On Oct. 25, a traffic-forwarding issue caused disruptions and packet loss to some of the cybersecurity provider's regional customers. The previous week, the company warned clients that they could experience packet loss due to damage to a transoceanic cable near France.

Unfortunately, many companies weren't prepared. "Took down entire company for several hours this morning," one IT security engineer said on Twitter of the impact on his firm.

While outages of any cloud service can have a dramatic impact on business operations — an Amazon Web Services outage in December 2021 took down swaths of the web for hours, for example — cyberdefenses often have a favored position within a company's infrastructure, making an outage more impactful. A business software-as-a-service (SaaS) application typically only impacts its own user base, whereas cybersecurity SaaS services can often have impacts across applications.

Companies need to be prepared for such outages, even if rare, says Merritt Maxim, vice president and research director for security and risk at Forrester Research.

Zscaler "is not the first cloud outage and won’t be the last, either," he says, adding: "Cloud products and services are not necessarily more susceptible to outages than on-prem equivalents, \[but\] the issue is often that because of this perception, organizations do not properly assess all possible causes of cloud outages and develop mitigation plans in response to these threats."

Indeed, the Zscaler incidents are not unique. In October 2020, an outage affected Microsoft Azure AD, the company's SaaS identity and access management service, blocking businesses and users from connecting to their applications. A year later, a six-hour Facebook outage blocked many users — including some businesses — from using the company's single sign-on technology and slowed many websites when scripts relying on the company's service failed to run.  

**Cloud Outages Increasingly Rare, But Impactful**

Overall, there has been a reduction in the number of significant outages among cloud services, with 60% of operators saying that they have had an outage in the past three years, down from 78% in 2020, according to survey results published by the Uptime Institute.

And compared with on-premises cybersecurity software and appliances, cloud-based services are nonetheless more reliable, says Jim Reavis, CEO of the Cloud Security Alliance, an industry organization.

"Mature cloud providers, including those with cybersecurity offerings, operate much like public utilities that provide on-demand services to large customer bases," he says. "They are generally very reliable, which is why their intermittent failures, like public utilities, are newsworthy."

For that reason, the two disruptions weathered by Zscaler stand out — as does companies' unpreparedness for them.  

"Things will happen as long as humans and nature are involved," says Misha Kuperman, senior vice president of cloud operations and ecosystem at Zscaler. He adds, "With the right tools, we can deliver more reliability and work around such incidents, as we have done on multiple occasions."

**Building in Cloud Security Redundancy**

Businesses also should ensure that they realize the cloud security and reliability is a shared responsibility model. Cloud providers — including cybersecurity services based in the cloud — are responsible for their infrastructure, but companies should architect their cloud or hybrid infrastructure to handle outages.  

Companies that know their cloud vendor's architecture will be better prepared for outages, says CSA's Reavis.

"It is important to understand how the provider achieves redundancy in its architecture, operating procedures including software updates, and its footprint of global data centers," he says. "The customer should then understand how that redundancy satisfies their own risk requirements and if their own architecture takes full advantage of the redundancy capabilities."

Business customers should also regularly re-evaluate their technology landscape and risk profile. While network and power failures — and natural disasters — used to dominate resilience discussions, malicious threats such as ransomware and denial-of-service attacks are often more likely to dominate discussions today, says Forrester's Maxim.

"Understanding the evolving risks and their respective impact on business is an imperative to prioritize the risks that you'd want to mitigate," he says. A business impact analysis conducted with internal teams "allows you to create tiers for application criticality that help determine if the default resilience of cloud services is enough — or if you need a more robust solution."

Zscaler's Cloud-Based Cybersecurity Outages Showcase Redundancy Problem

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

A vulnerability related to online certificate revocation checking was discovered in strongSwan that can lead to a denial-of-service attack. All versions may be affected.

Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack.

**Using Untrusted URIs for Revocation Checking**

Because the _revocation_ plugin uses potentially untrusted OCSP URIs and CRL distribution points (CDP) in certificates, a remote attacker is able to initiate IKE\_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.  Affected are all strongSwan versions if they use the _revocation_ plugin or a custom plugin that implements similar features.

CVE-2022-40617 has been assigned for this vulnerability.

**Problematic Inline Revocation Checking in Trust Chain Validation**

strongSwan's credential manager component, which is responsible for verifying trust chains, always did online certificate revocation checks inline while traversing the certificate chain.  That is, for each certificate, starting with the end-entity certificate, it searches a matching issuer certificate and if the signature and lifetimes are valid, calls plugins via the cert_validator_t interface to do extended validation of the current certificate.  One of these plugins is the _revocation_ plugin that uses OCSP URIs and CDPs in the issued certificate to check its status (e.g. whether it was revoked by the issuing CA).

While this approach allows to immediately abort the validation if a revoked certificate is encountered, the problem is that the certificate chain might not yet be trusted when the revocation plugin accesses the contained URIs. Only for a single-level PKI is the trust immediately established when finding the trusted, self-signed CA certificate that issued the end-entity certificate. So if an attacker sends specifically crafted end-entity and intermediate CA certificates, the URIs in the end-entity certificate are used for online revocation checks before the intermediate CA certificate is later rejected because no trusted issuer certificate is found and the authentication fails.

This allows attackers to encode URIs to servers under their control and force a strongSwan instance to connect to them.

**Denial-of-Service Due To Attacker-Controlled OCSP URIs and CDPs**

As described above, attackers are able force the _revocation_ plugin to make requests to arbitrary servers. This can lead to different kinds of denial-of-service attacks, depending on how these servers react.

A first one can be caused via a server that lets clients complete the TCP three-way handshake but then sends no data. It has to be reachable as there is an initial connection timeout (for DNS resolution and TCP handshake completion). But because the _revocation_ plugin doesn't set an overall timeout for its requests and some fetcher plugins don't use one by default, in particular the commonly used _curl_ plugin, the worker thread will be blocked practically indefinitely (i.e. until the default TCP timeout of the underling TCP/IP stack). By initiating multiple IKE\_SAs with the same certificates, attackers are able to block worker threads to the point the daemon will not be able to process any further IKE messages or other events.

In a second potential attack, instead of sending no data, the server sends a lot of it. Because the fetched OCSP/CRL data is stored in memory and without any upper limits, the attacker might be able to exhaust all memory of the host strongSwan runs on, or at least force a system like Linux's OOM killer to terminate the IKE daemon.

Remote code execution is not possible due to this issue.

As mentioned in the introduction, credit to Lahav Schlesinger for finding this vulnerability.

**Mitigation**

Setups that don't use the _revocation_ plugin are not directly vulnerable. However, if custom plugins are loaded that implement the validate() method of the cert_validator_t interface, there could be similar problems due to the inline certificate validation described above.

The just released strongSwan 5.9.8 fixes this vulnerability by creating a trusted certificate chain before starting online revocation checks. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets (please note that we don't provide patches for versions < 5.1.0).

CVE-2022-40617: strongSwan Vulnerability (CVE-2022-40617)

Ubuntu Security Notice 5706-1 - It was discovered that the BPF verifier in the Linux kernel did not properly handle internal data structures. A local attacker could use this to expose sensitive information. It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5706-1  
October 27, 2022

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

It was discovered that the BPF verifier in the Linux kernel did not  
properly handle internal data structures. A local attacker could use this  
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the  
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1092-azure-fde  5.4.0-1092.97+cvm1.1  
   linux-image-azure-fde           5.4.0.1092.97+cvm1.32

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5706-1  
   CVE-2021-4159, CVE-2022-20369, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33744, CVE-2022-36879

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1092.97+cvm1.1

Ubuntu Security Notice USN-5706-1

Horner Automation's Cscape version 9.90 SP7 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by writing outside the memory buffer.

CVE-2022-3379

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

An access control issue in the password reset page of IP-COM EW9 V15.11.0.14(9732) allows unauthenticated attackers to arbitrarily change the admin password.

**Brand**:IP-COM

**Firmware link**:https://www.ip-com.com.cn/product/download/EW9.html

**Vulnerability details**

The Reset password page is not properly validated

**The details of attack**

The httpd service can be emulated using QEMU

Initializing and set password，at the same time, use a different browser or an anonymous mode to mimic the attacker scenario，Also visit http://192.168.189.169/quickset.html?9732，

First, the normal initialization password is admin, and login, can be used normally,

The second step uses attacker mode to access the password initialization page

At this point, the password will be reset, and the original password will be reset to 12345 to achieve a bypass

CVE-2022-43364: IOT_Vulnerability_Discovery/5_reset_the_password.md at main · splashsc/IOT_Vulnerability_Discovery

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Tag

#perl