In permissions of AndroidManifest.xml, there is a possible way to grant signature permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-244216503

_Published February 6, 2023_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2023-02-05 or later from the February 2023 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the Platform Service component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the February 2023 Android Security Bulletin, the February 2023 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2023-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Platform Service**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20927

A-244216503

EoP

High

13

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2023-02-01 or later address all issues associated with the 2023-02-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-02-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 6, 2023

Bulletin Published

CVE-2023-20927: Android Automotive OS Update Bulletin—February 2023

Improper input validation vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to execute JavaScript by launching a web page.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

CVE-2023-21434: Samsung Mobile Security

Missing Authorization vulnerability in One Hand Operation + prior to version 6.1.21 allows multi-users to access owner&#39;s widget without authorization via gesture setting.

CVE-2023-21450: Samsung Mobile Security

Improper access control vulnerability in WindowManagerService prior to SMR Feb-2023 Release 1 allows attackers to take a screen capture.

CVE-2023-21440: Samsung Mobile Security

A Stack-based overflow vulnerability in IpcRxEmbmsSessionList in SECRIL prior to Android S(12) allows attacker to cause memory corruptions.

CVE-2023-21451: Samsung Mobile Security

An improper implementation logic in Secure Folder prior to SMR Jan-2023 Release 1 allows the Secure Folder container remain unlocked under certain condition.

CVE-2023-21419: Samsung Mobile Security

Moscow promised residents lower crime rates through an expansive smart city project. Then Vladimir Putin invaded Ukraine.

Sergey Vyborov was on his way to the Moscow Metro’s Aeroport station last September when police officers stopped him. The 49-year-old knew that taking the metro could spell trouble. During a protest against Russia’s invasion of Ukraine, police had fingerprinted and photographed him. He’d already been detained four times in 2022. But he was rushing to his daughter’s birthday, so he took a chance.

Vyborov wasn’t arrested that day, but the police informed him that he was under surveillance through Sfera, one of Moscow’s face recognition systems, for participating in unsanctioned rallies. Considered one of the most efficient surveillance systems, Sfera led to the detention of 141 people last year. “Facial recognition, and video cameras in general in a totalitarian state, are an absolute evil,” Vyborov says. 

Vyborov finds himself at the bottom of a slippery slope that privacy advocates have long warned about. Under the guise of smart city technology, authoritarian and democratic governments have rolled out huge networks of security cameras and used artificial intelligence to try to ensure there is no place to hide. Cities have touted the ability of such systems to tackle crime, manage crowds, and better respond to emergencies. Privacy campaigners say such systems could be used as tools of oppression. In Moscow, Vyborov and countless others now face that oppression on a daily basis.

The Russian capital is now the seventh\-most-surveilled city in the world. Across Russia, there are an estimated 21 million surveillance cameras, and the country ranks among the top in the world in terms of the number of connected surveillance cameras. The system created by Moscow’s government, dubbed Safe City, was touted by city officials as a way to streamline its public safety systems. In recent years, however, its 217,000 surveillance cameras, designed to catch criminals and terrorists, have been turned against protestors, political rivals, and journalists. 

“Facial recognition was supposed to be the ‘cherry on top,’ the reason why all of this was built,” says a former employee of NTechLab, one of the principal companies building Safe City’s face recognition system.

Following Russia’s invasion of Ukraine, Safe City’s data collection practices have become increasingly opaque. The project is now seen as a tool of rising digital repression as Russia wages war against Ukraine and dissenting voices within its own borders. It is an example of the danger smart city technologies pose. And for the engineers and programmers who built such systems, its transformation into a tool of oppression has led to a moment of reckoning. 

An Innocent Start

Founded in 2015, NTechLab caught the attention of the global press with the February 2016 launch of FindFace, an app that allowed anyone to identify faces by matching them with images gathered from social network VKontakte, Russia’s Facebook equivalent. Met with warnings of the “end to public anonymity,” the app was reportedly downloaded by 500,000 people within two months of its launch. But for NTechLab, it was primarily a proof of concept for its nascent face recognition algorithm.

NTechLab still felt like a startup when one former employee, who asked not to be named for privacy reasons, joined the company. And he was drawn in by the complexity of the work.

“From \[an\] engineering point of view, it’s very interesting to work with: It’s very difficult,” he says. 

After the release of FindFace, NTechLab began selling its face recognition tech to small businesses, such as shopping malls that could use it to catch shoplifters or see how many people return to certain stores. But NTechLab was also working with the Moscow Department of IT Technology (DIT), the government department tasked with building Moscow’s digital infrastructure. In 2018, when Russia hosted the FIFA World Cup, NTechLab’s face recognition tech was connected to more than 450 security cameras around Moscow, and its tech reportedly helped police detain 180 people whom the state deemed “wanted criminals.”

At its inception, Moscow’s face recognition system was fed official watchlists, like the database of wanted people. The system uses these lists to notify the police once a person on the list is detected, but law enforcement can also upload an image and search for where a person has appeared. Over the years, security and law enforcement agencies have compiled a database of the leaders of the political opposition and prominent activists, according to Sarkis Darbinyan, cofounder of digital rights group Roskomsvoboda, which has been campaigning for a suspension of the technology. It remains unclear who is in charge of adding activists and protesters to watchlists.

In March 2019, following the success of the World Cup trial—some of Russia’s “most wanted” people were arrested while trying to attend matches—the Moscow Department of Transportation, which operates the city’s metro, launched its own surveillance system, Sfera. By October 2019, 3,000 of the city’s 160,000 cameras were enabled with face recognition tech, according to interior minister Vladimir Kolokoltsev.

NTechLab was one of many companies building the slew of systems that would later be branded Safe City. International companies, from US tech firms such as Nvidia, Intel, and Broadcom to South Korea’s Samsung and Chinese camera maker Hikvision, worked alongside local firms such as HeadPoint, Netris, and Rostelecom that have developed various components of the surveillance systems. According to procurement documents cited by the UK’s BBC, three companies besides NTechLab created face recognition tech for Moscow’s growing surveillance apparatus, including Tevian, and Kipod, and VisionLabs. Moscow's Transportation Department said in social media posts that Sfera was built using VisionLabs technology, although the company downplays its involvement.

NtechLab says it operates in compliance with local laws and does not have access to customer data or camera video streams. Nvidia and Intel say they left Russia in 2022, with Nvidia adding that it does not create software or algorithms for surveillance. Broadcom and Samsung also say they stopped doing business in Russia following the invasion. VisionLabs says it only provides the Moscow Metro with its face recognition payment system. Other companies did not respond to requests for comment. The DIT and the Moscow Department of Transportation did not respond to requests for comment.

At the end of 2018, as Russia cracked down harder on political dissent online and in the streets, the DIT started to change, says a former employee who asked to remain anonymous for safety reasons. The department used to just be the “technical guys” providing assistance to security services, with the Moscow government recruiting highly paid IT specialists to make the most efficient systems possible, according to Andrey Soldatov, an investigative journalist and Russian security services expert. But according to the former employee, the DIT was beginning to reflect the Kremlin’s authoritarian bent.

Then came Covid. 

Safe City launched in 2020, at the height of the Covid-19 pandemic. Russia, like some other countries, seemingly used the pandemic as grounds to expand its surveillance systems to catch people breaking self-isolation rules. By mid-March 2020, Safe City’s face recognition system had caught 200 people breaking lockdown restrictions. At the same time, Moscow introduced a regulatory sandbox for the development of AI applications with the participation of large IT companies, exempting authorities from the country’s already lax data protection requirements. “With Covid, \[the DIT\] essentially became a part of the repressive apparatus,” says Soldatov.

In addition to its network of more than 200,000 cameras, Safe City also incorporates data from 169 information systems, managing data on citizens, public services, transportation, and nearly everything else that makes up Moscow’s infrastructure. This includes anonymized cell phone geolocation data collection, vehicle license plate recognition, data from ride-hailing services, and voice recognition devices. As Safe City was still rolling out in 2020, the Russian government announced plans to spend $1.3 billion deploying similar Safe City systems across Russia. From the outside, the potential for the system to be abused seemed obvious. But for those involved in its development, it looked like many other smart city projects. “No one expected that the country would turn into hell in two years,” says one former NTechLab employee, who asked to remain anonymous for safety reasons.

The Black Box Problem

Attempts to break open Moscow’s digital black box have been stonewalled. Alena Popova, whose image was captured during a protest against politician Leonid Eduardovich Slutsky in April 2018, filed the first lawsuit against Moscow’s DIT for allegedly violating her privacy, seeking a ban on face recognition tech. The case was thrown out, but Popova has continued to file lawsuits, including one at the European Court of Human Rights—which Russia is no longer a part of. 

While Moscow operates one of the world’s most pervasive surveillance systems, Russian law does not safeguard individual privacy. With seemingly no hope of recourse, some activists have been forced to leave Russia altogether. Popova is now on the list of foreign agents and is living in an undisclosed overseas location. “I will not apply to any political asylum in any country because I would like to go back to my own country and fight back,” she says.

A key concern is that Moscow’s surveillance system was designed to conceal its data collection from Moscow’s 12 million residents, says Sergey Ross, founder of the Collective Action Center think tank and a former Moscow politician. Although the system is run by the Moscow government, elected members of the Moscow City Duma say they are excluded from regulating face recognition systems and have little insight into how it is being used. “It’s a complete black box,” says Ross.

“It was clear that sooner or later the technology would be used to catch activists and dissenters,” says Roskomsvoboda’s Darbinyan. 

Russia made almost 20,500 political arrests in 2022, according to data from human rights media organization OVD-Info, which characterizes the number as “unprecedented.” The arrests have sparked fears that Safe City will be expanded to catch draft dodgers—although former NTechLab employees say that doing so would be technically difficult to pull it off because of too many false positives. Still, Moscow police appear to be using face recognition to aid Russia’s war efforts in other ways.

In September 2022, just after Putin announced additional mobilization for the war against Ukraine, Viktor Kapitonov, a 27-year-old activist who’d protested regularly since 2013, was stopped by two police officers after being flagged by face recognition surveillance while he approached the turnstiles in Moscow’s marble-covered Avtozavdodskaya metro station. The officers took him to the military recruitment office, where around 15 people were waiting to enlist in Putin’s newly announced draft. 

“They let me in without waiting in line as if I were some sort of VIP person,” he says. The recruiters wanted to force Kapitonov to enlist, but he ended up escaping the draft. “I explained that I am not fit, I have a disability.”

A Guilty Conscience

From 2017 to 2020, NTechLab became one of Russia’s fastest-growing companies. Other face recognition firms have cashed in as well: The revenue of Russian face recognition developers grew between 30 and 35 percent in 2022, thanks in part to deals struck in the Middle East, Southeast Asia, India, and South America. Russia’s national AI strategy has supported such firms with grants, tax exemptions, and subsidies, which have benefited both startups and state corporations, including tech and finance giant Sber, telecom provider Rostelecom, and defense firm Rostec, which previously owned a minority stake in NTechLab. While NTechLab continues to work globally, reporting a revenue increase of 35 percent in 2022, it has also faced a backlash against its work with the Russian state.

In June of last year, a “name-and-shame” list of NTechLab employees was published \[in Russian\] with information collected from social media. The project went viral, and some employees reported being harassed online. Artem Zinnatullin, a software engineer now based in the US, says he published the list after NTechLab sold its new silhouette recognition technology to the Moscow government in June 2022. To him, it signaled support for Russia’s war in Ukraine. In the post, he called NTechLab “the blacksmith of the Digital Gulag.” Zinnatullin, who says he knew people arrested with the help of face recognition technology, believes publishing the list of NTechLab employees was only fair. “You recognize people on the street, it’s only fair if we use public data to recognize who you are,” he says.

Unlike many face recognition companies that keep a low profile, NTechLab’s splash with FindFace has turned it into a recognized brand. Employees say this high profile has made them into scapegoats. 

As arrests of activists and politicians mounted, the ethics of NTechLab’s technology became a recurring topic at company meetings. NTechLab staff have resisted the use of the company’s face recognition in rallies and refused to sell the technology to the military, according to people familiar with these discussions. Still, the NTechLab leadership concluded that the technology was ultimately positive—even if the occasional dissenting voice was arrested because of it. 

“We all saw these positive examples, we saw how it really catches criminals,” says one former NTechLab employee. “Most people in NTechLab would say they were doing something very good, technologies that can help and save people’s lives. It really did.”

As Russia furthered its march toward authoritarianism in 2021, NTechLab leadership began talking about moving the company abroad, according to people familiar with internal company discussions. But with lucrative government contracts abounding—NTechLab received a $13 million investment from the Russian Direct Investment Fund, the country’s sovereign wealth fund, in September 2020—its investors resisted the idea. The company was also changing. Its founders, Alexander Kabakov and Artem Kukharenko, stepped down from NTechLab—and both left Russia in December 2021 and February 2022, respectively, declaring their anti-war stance on social media. 

Other employees left amid an exodus of IT talent from Russia. The war changed how they viewed their work. “Looking back, we realize that we shouldn’t have done it,” says an NTechLab employee. “But even in 2017 and 2018, it was a completely different country. At least, that’s how it seemed to those who weren’t very immersed in politics.”

A Growing Threat

Russia’s Safe City projects show no sign of slowing. As more surveillance systems are deployed across the country, Moscow’s DIT is planning to centralize video streams collected across all regions into its own system. And new projects to digitize public services may make it even easier for the government to eventually create large databases where everyone can be found, according to Popova. “It is really scary,” she says. “If they digitalize all the databases and combine them to make this joint database, they can find everybody.” In July, Putin signed a federal law that funnels personal biometric data collected in the country into a single system—an effort to obtain an “almost unlimited monopoly” on the collection and storage of biometrics, says Roskomsvoboda’s Darbinyan. 

In a further expansion of the Safe City project, Rostec is also reportedly developing software that will help authorities predict riots and prevent their escalation by analyzing media reports, data from social networks, video cameras, and other sources. Rostec did not respond to a request for comment on its development of these systems.

Similar systems have been developed in some Chinese cities, and Russia is now playing catch-up. “The Russian government would probably like to move toward China, but they do not yet have the necessary technology,” says Kiril Koroteev, head of international practice at the Russia-based Agora International Human Rights Group.

For now, many activists in Russia are left to do whatever they can to skirt the country’s growing surveillance apparatus, including avoiding the Moscow Metro. Kapitonov hopes that a balaclava will keep him safe, while Vyborov aims to ride the metro early in the morning, when there are fewer police around to detain him. 

“I think that it was inevitable that such a system would be made sooner or later,” says one former NTechLab employee. Face recognition is like a knife, he says: It can be used to cut food, but it can also be used to cut innocent people. He now regrets that NTechLab played a key role in building Moscow’s Safe City project. He has left Russia and doesn’t think he will work on face recognition again. “I do not want to mess with it anymore,” he says.

_Update 9:25 am ET, February 6, 2023: Clarified the role of VisionLabs in the Sfera system and that NTechLab's founders have since left the company._

Inside Safe City, Moscow’s AI Surveillance Dystopia

Do you know where your secrets are? If not, I can tell you: you are not alone.
Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.
It might sound ridiculous at first: keeping secrets is an obvious first thought when

Do you know where your secrets are? If not, I can tell you: you are not alone.

Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases.

It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premise, you know that your secrets are safely stored behind hard gates that few people can access. It is not just a matter of common sense since it's also an essential compliance requirement for security audits and certifications.

Developers working in your organization are well-aware that secrets should be handled with special care. They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials.

Still, do you know where your secrets are?

Secrets sprawl everywhere in your systems, and faster than most realize. Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought. Think about it: a developer hard-codes an API key to test a program quickly and accidentally commits and pushes their work on a remote repository. Are you confident that the incident can be detected in a timely manner?

Insufficient audit and remediation capabilities are some of the reasons why secrets management is hard. They are also the least addressed by security frameworks. Yet these grey areas—where unseen vulnerabilities remain hidden for a long time—are blatant holes in your defense layers.

Recognizing this gap, we developed a self-assessment tool to evaluate the size of this unknown. To take stock of your _real_ security posture regarding secrets in your organization, take five minutes to answer the eight questions (it's completely anonymous).

So, how much do you _not_ know about your secrets?

**Secrets Management Maturity Model**

Sound secrets management is a crucial defensive tactic that requires some thought to build a comprehensive security posture. We built a framework (you can find the white paper here) to help security leaders make sense of their actual posture and adopt more mature enterprise secrets management practices in three phases:

1.  Assessing secrets leakage risks
2.  Establishing modern secrets management workflows
3.  Creating a roadmap to improvement in fragile areas

The fundamental point addressed by this model is that secrets management goes well beyond how the organization stores and distributes secrets. It is a program that not needs to align people, tools, and processes, but also to account for human error. Errors are _not_ evitable! Their consequences are. That's why detection and remediation tools and policies, along with secrets storage and distribution, form the pillars of our maturity model.

The secrets management maturity model considers four attack surfaces of the DevOps lifecycle:

*   Developer environments
*   Source code repositories
*   CI/CD pipelines & artifacts
*   Runtime environments

We then built a maturity ramp-up over five levels, going from 0 (Uninitiated) to 4 (Expert). Going 0 to 1 is mostly about assessing the risks posed by insecure software development practices, and starting auditing digital assets for hardcoded credentials. At the intermediate level (level 2), secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle. Levels 3 (Advanced) and 4 (Expert) are focused on risk mitigation with clearer policies, better controls, and increased shared responsibility for remediating incidents.

Another core consideration for this framework is that making it hard to use secrets in a DevOps context will inevitably lead to the bypassing of the protective layers in place. As with everything else in security, the answers lay between protection and flexibility. This is why the use of a vault/secrets manager starts at the intermediate level only. The idea is that the use of a secrets manager should not be seen as a stand-alone solution but as an additional layer of defense. To be effective, it requires other processes, like continuous scanning of pull requests, to be mature enough.

Here are some questions that this model should raise in order to help you evaluate your maturity: how frequently are your production secrets rotated? How easy is it to rotate secrets? How are secrets distributed at the development, integration, and production phase? What measures are put in place to prevent the unsafe dissemination of credentials on local machines? Do CI/CD pipelines' credentials adhere to the least privileges principle? What are the procedures in place for when (not if) secrets are leaked?

Reviewing your secrets management posture should be top of mind in 2023. First, everyone working with source code has to handle secrets, if not daily, at least once in a while. Secrets are no longer the prerogative of security or DevOps engineers. They are required by more and more people, from ML engineers, data scientists, product, ops, and even more. Second, if you don't find where your secrets are, hackers will.

**Hackers will find your secrets**

The risks posed to organizations failing to adopt mature secrets management practices cannot be overstated. Development environments, source code repositories and CI/CD pipelines have become favorite targets for hackers, for whom secrets are a gateway to lateral movement and compromise.

Recent examples highlight the fragility of secrets management even in the most technologically mature organizations.

In September 2022, an attacker got access to Uber's internal network, where he found hardcoded admin credentials on a network drive. The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts. The attacker was then able to take over admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August of the same year, the password manager LastPass fell victim of an attacker who gained access toits development environment by stealing the credentials of a software developer and impersonating that individual. Later in December, the firm disclosed that someone used that information to steal source code and customer data.

In fact, in 2022, source code leaks have proven to be a true minefield for organizations: NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack, among others, have been victims of source code leaks. In May, we were warning about the important volume of credentials that could be harvested by analyzing these codebases. Armed with these, attackers can gain leverage and pivot into hundreds of dependent systems in what is known as supply chain attacks.

Finally, even more recently, in January 2023, the continuous integration provider CircleCI was also breached, leading to the compromise of hundreds of customer environment variables, tokens, and keys. The company urged its customers to immediately change their passwords, SSH keys, or any other secrets stored on or managed by the platform. Still, victims need to find out where these secrets are and how they are being used to press the emergency button!

This was a strong case for having an emergency plan ready to go.

The lesson from all these incidents is that attackers have realized that compromising machine or human identities gives a higher return on investment. They are all warning signs of the urgency to deal with hardcoded credentials and to dust off secrets management in general.

**Final word**

We have a saying in cybersecurity: "encryption is easy, but key management is hard." This still holds true today, although it isn't just about encryption keys anymore. Our hyper-connected services world relies on hundreds of types of keys, or secrets, to function properly. These could be as many potential attack vectors if mismanaged.

Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security. To help you, we created a maturity model specifically about secrets distribution, leak detection, remediation process, and rotation habits.

The first step is always to get a clear audit of the organization's security posture regarding secrets: where and how are they used? Where do they leak? How to prepare for the worst? This alone could prove to be a lifesaver in an emergency situation. Find out where you stand with the questionnaire and learn where to go from there with the white paper.

In the wake of recent attacks on development environments and business tools, companies that want to defend themselves effectively must ensure that the grey areas of their development cycle are cleared as soon as possible.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

You Don't Know Where Your Secrets Are

January saw a slew of security patches for iOS, Chrome, Windows, and more.

The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain System privileges, Microsoft wrote, confirming that the flaw has been detected in real-life attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMWare

Enterprise software maker VMWare has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an impacted appliance, resulting in RCE, VMWare says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVCCv3 base score of 9.8. It goes without saying that those impacted by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for a whopping 327 security vulnerabilities, 70 of which are rated as having a critical impact. Worryingly, 200 of the issues patched in January can be exploited by a remote unauthenticated attacker.

Oracle is recommending that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches, it says.

SAP

SAP’s January Patch Day has seen the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most severe bug by security firm Onapsis. The flaw affects the majority of all SAP customers and its mitigation is a challenge, Onapsis says. 

The capture-replay vulnerability is a risk because it could allow malicious users to obtain access to an SAP system. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” Onapsis explains.

You Really Need to Update Firefox and Android Right Now

Improper input validation in driver adgnetworkwfpdrv.sys in Adguard For Windows x86 up to version 7.11 allows attacker to gain local privileges escalation.

Tag

#samsung