This HTTP Headers WordPress plugin before 1.18.11 allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

CVE-2023-1208

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.




**Summary**

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Description**

To send an HCI command synchronously, the HCI stack involves different functions for its synchronization:

1.  bt_hci_cmd_send_sync creates a local semaphore variable (which gets allocated on the stack of bt_hci_cmd_send_sync) and stores a reference to this local semaphore variable in the global cmd_data array via cmd(buf)->sync: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L325
2.  hci_cmd_done, which is called while handling sending completion (via the reception of matching completion or status priority HCI events, or in certain error cases), checks whether the reference to this synchronization semaphore is set, and optionally giving/releasing the semaphore: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2102
3.  To support asynchronous sending, bt_hci_cmd_create initializes cmd(buf)->sync to NULL while a command buffer is initially created.

The issue of this way of handling synchronous sending of HCI commands lies in the fact that while handling the completion, the reference to the synchronization semaphore is not cleared (hci_cmd_done uses cmd(buf)->sync, but never clears the reference).

This implementation works correctly as long as the HCI Controller layer always sends completion/status priority events only once for each synchronously-sent command, or delays sending it enough such that the corresponding command buffer is correctly re-initialized and the semaphore reference is valid again.

The implementation causes a stale reference to the application stack memory to be used as a semaphore, however, if the Controller layer sends a second completion event for the same command before it is re-initialized for sending a new HCI command. In this situation, the pointer stored in cmd(buf)->sync has first been used as expected, and indicated to bt_hci_cmd_send_sync that the transmission is completed. As a result, bt_hci_cmd_send_sync returns and releases its local variables in the process. Another function re-claims the stack space for its own local variables, and overwrites the contents in the location which cmd(buf)->sync still references. When the second completion event is sent by the malicious/malfunctioning Controller layer, the reference stored in cmd(buf)->sync still references the invalidated stack memory, such that this reference is used via k_sem_give(cmd(buf)->sync); (https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2104). In this situation, arbitrary data may reside in the affected memory location (which may or may not be attacker-controllable), and may be wrongly used as a pointer to a k_sem structure in a call to k_sem_give.

**Impact**

A malicious / malfunctioning HCI Controller may cause a dangling reference to be used as a semaphore object in the host layer, resulting in a crash (DoS) or potential Remote Code Execution (RCE) on the Bluetooth host layer.

**Proposed Fix**

To avoid this issue, when receiving HCI responses to synchronously sent HCI commands (cmd(buf)->sync is not NULL), the HCI logic should ensure that the semaphore reference in cmd(buf)->sync is (atomically) cleared and will not be re-used while handling another HCI response.

For example, hci_cmd_done could (atomically) read cmd(buf)->sync and NULL the reference after retrieving it.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-07-04

CVE-2023-1901: HCI send_sync Dangling Semaphore Reference Re-use

The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Summary**

The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Description**

To handle connection state, the HCI stack involves different functions:

1.  bt_le_create_conn_ext / bt_le_create_conn_legacy: these functions create a local struct bt_hci_cmd_state_set state variable. They call bt_hci_cmd_state_set_init to store a reference to this local state variable in the global cmd_data array via cmd(buf)->state = state;: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L685 / https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L123
2.  hci_cmd_done, which is called while handling sending completion (via the reception of matching completion or status priority HCI events, or in certain error cases), checks whether the reference to the state is set, and optionally updating the state accordingly: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2095
3.  To support non-connection related sending, bt_hci_cmd_create initializes cmd(buf)->state to NULL while a command buffer is initially created.

The issue of this way of handling connection state within HCI commands lies in the fact that while handling the completion, the reference to the state structure is not cleared (hci_cmd_done uses cmd(buf)->state, but never clears the reference).

This implementation works correctly as long as the HCI Controller layer always sends completion/status priority events only once for each connection-related command, or delays sending it enough such that the corresponding command buffer is correctly re-initialized and the state struct reference is valid again.

The implementation causes a stale reference to the application stack memory to be used as a struct bt_hci_cmd_state_set, however, if the Controller layer sends a second completion event for the same command before it is re-initialized for sending a new HCI command. In this situation, the pointer stored in cmd(buf)->state has first been used as expected, and indicated to bt_le_create_conn_ext / bt_le_create_conn_legacy calling bt_hci_cmd_send_sync that the transmission is completed. As a result, bt_le_create_conn_ext / bt_le_create_conn_legacy return and release their local variables in the process. As other functions get called, they re-claim the stack space for their own local variables, and overwrite the contents in the location which cmd(buf)->state still references. When the second completion event is sent by the malicious/malfunctioning Controller layer, the reference stored in cmd(buf)->state still references the invalidated stack memory, such that this reference is involved in a write operation via atomic_set_bit_to(state->target, state->bit, state->val); (https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2098). In this situation, arbitrary data may reside in the affected memory location (which may or may not be attacker-controllable). As a result, a now corrupted (and potentially attacker-controlled) pointer state->target is used in a write operation.

**Impact**

A malicious / malfunctioning HCI Controller may cause a dangling reference to be used as a pointer in a write operation in the host layer, resulting in a crash (DoS) or Remote Code Execution (RCE) on the Bluetooth host layer.

**Proposed Fix**

To avoid this issue, when receiving HCI responses to synchronously sent HCI commands (cmd(buf)->state is not NULL), the HCI logic should ensure that the state structure reference in cmd(buf)->state is (atomically) cleared and will not be re-used while handling another HCI response.

For example, hci_cmd_done could (atomically) read cmd(buf)->state and NULL the reference after retrieving it.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-07-04

CVE-2023-1902: HCI Connection Creation Dangling State Reference Re-use

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad.
The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.
RomCom, also tracked under the names

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad.

The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.

RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.

Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies.

The latest lure documents identified by BlackBerry impersonate Ukrainian World Congress, a legitimate non-profit, ("Overview\_of\_UWCs\_UkraineInNATO\_campaign.docx") and feature a bogus letter declaring support for Ukraine's inclusion to NATO ("Letter\_NATO\_Summit\_Vilnius\_2023\_ENG(1).docx").

"Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website," the Canadian company said in an analysis published last week.

Opening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina (CVE-2022-30190), a now-patched security flaw affecting Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

The result is the deployment of RomCom RAT, an executable written in C++ that's designed to collect information about the compromised system and remote commandeer it.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry said.

"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

RomCom RAT Targeting NATO and Ukraine Support Groups

Categories: News
Categories: Ransomware
Tags: TrueBot

Tags:  Cl0p

Tags:  Silence Group

Tags:  CVE-2022-31199

Tags:  Raspberry Robin

Tags:  FlawedGrace

Tags:  Cobalt Strike

Tags:  Teleport

CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada.



(Read more...)




The post Warning issued over increased activity of TrueBot malware appeared first on Malwarebytes Labs.

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have warned about newly identified TrueBot malware variants used against organizations in the US and Canada.

As we reported in our May 2023 ransomware review, ransomware groups like Cl0p gain access to a network and then sneakily deploy TrueBot malware and a Cobalt Strike beacon to infiltrate and creep around, grabbing data along the way.

At its core, Truebot is a Trojan.Downloader. Besides gathering system information, it is capable of downloading and executing additional payloads. As such, it is an ideal malware for IAB groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, recent versions of Truebot collect the following: A screenshot, the computer name, the local network name, and active directory trust relations. Active Directory trust relations allow organizations to share users and resources across domains.

Previous TrueBot malware variants were primarily delivered by cybercriminals via malicious phishing email attachments. Newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application. This allows the attacker to deploy the malware at scale within the compromised environment. Through exploitation of this CVE, cybercriminals can gain initial access, as well as the ability to move laterally within the compromised network.

The advisory explains how TrueBot has been observed in association with:

*   Raspberry Robin: a wormable malware with links to other malware families and various infection methods, including installation via USB drive.
*   FlawedGrace: a remote access tool (RAT) that can receive incoming commands \[T1059\] from a C2 server, which is typically deployed minutes after TrueBot malware is executed.
*   Cobalt Strike: a collection of threat emulation tools cybercriminals use for persistence and data exfiltration purposes.
*   Teleport: a custom data exfiltration tool.

In a separate malware analysis report, interested parties can find a comprehensive analysis of a recently discovered TrueBot executable.

Malwarebytes blocks the download URLs and detects Truebot as Malware.AI.{id.nr.}. Cl0p ransomware is detected as Malware.Ransom.Agent.Generic. But obviously prevention is better than remediation. The Malwarebytes web protection module blocks the C2 servers mentioned in the Malware Analysis Report.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Warning issued over increased activity of TrueBot malware

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

An advisory from the Cybersecurity and Infrastructure Security Agency (CISA), several US organizations, and the Canadian Center for Cyber Security (CCCS) warns of Truebot malware variants that are increasingly being utilized by threat actors against various organizations in the US and Canada.

Truebot, alternatively known as Silence.Downloader, is a botnet used by malicious cybergroups such as Cl0p ransomware cybergang to gather information from the victims they target. Older variants of Truebot were mainly distributed by threat actors by phishing email attacks in the form of malicious attachments. Newer versions of the malware allow these threat actors to gain initial access by exploiting a remote code execution (RCE) vulnerability in Netwrix Auditor — otherwise listed as CVE-2022-31199.

Cyber-threat actors are also using phishing campaigns with malicious hyperlinks to deliver their Truebot variants. The agencies urge those searching for this kind of malicious activity to apply vendor patches to the 10.5 version of Netwrix Auditor and to use the outlined guidance in the joint advisory.

"Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI," the organizations stated. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Truebot Malware Variants Abound, According to CISA Advisory

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37170: Vuls/TOTOLINK/A3300R/cmdi_1 at main · kafroc/Vuls

In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.

CVE-2023-36994: TravianZ Hacked

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

Tag

#rce