Ubuntu Security Notice 6222-1 - Jiasheng Jiang discovered that the HSA Linux kernel driver for AMD Radeon GPU devices did not properly validate memory allocation in certain situations, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service. Zheng Wang discovered that the Intel i915 graphics driver in the Linux kernel did not properly handle certain error conditions, leading to a double-free. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6222-1  
July 12, 2023

linux-xilinx-zynqmp vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors

Details:

Jiasheng Jiang discovered that the HSA Linux kernel driver for AMD Radeon  
GPU devices did not properly validate memory allocation in certain  
situations, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-3108)

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

It was discovered that the infrared transceiver USB driver did not properly  
handle USB control messages. A local attacker with physical access could  
plug in a specially crafted USB device to cause a denial of service (memory  
exhaustion). (CVE-2022-3903)

Haowei Yan discovered that a race condition existed in the Layer 2  
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-4129)

Jordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the  
do_prlimit() function in the Linux kernel did not properly handle  
speculative execution barriers. A local attacker could use this to expose  
sensitive information (kernel memory). (CVE-2023-0458)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the Human Interface Device (HID) support driver in  
the Linux kernel contained a type confusion vulnerability in some  
situations. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the  
Linux kernel contained a type confusion vulnerability in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-1077)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

It was discovered that the ASUS HID driver in the Linux kernel did not  
properly handle device removal, leading to a use-after-free vulnerability.  
A local attacker with physical access could plug in a specially crafted USB  
device to cause a denial of service (system crash). (CVE-2023-1079)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform data buffer size validation in some  
situations. A physically proximate attacker could use this to craft a  
malicious USB device that when inserted, could cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-1380)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel did not properly perform filter deactivation in some  
situations. A local attacker could possibly use this to gain elevated  
privileges. Please note that with the fix for this CVE, kernel support for  
the TCINDEX classifier has been removed. (CVE-2023-1829)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2  
mitigations with prctl syscall were insufficient in some situations. A  
local attacker could possibly use this to expose sensitive information.  
(CVE-2023-1998)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the BigBen Interactive Kids' gamepad driver in the  
Linux kernel did not properly handle device removal, leading to a use-  
after-free vulnerability. A local attacker with physical access could plug  
in a specially crafted USB device to cause a denial of service (system  
crash). (CVE-2023-25012)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu  
Linux kernel contained a race condition when handling inode locking in some  
situations. A local attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2023-2612)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

It was discovered that a use-after-free vulnerability existed in the HFS+  
file system implementation in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-2985)

Reima Ishii discovered that the nested KVM implementation for Intel x86  
processors in the Linux kernel did not properly validate control registers  
in certain situations. An attacker in a guest VM could use this to cause a  
denial of service (guest crash). (CVE-2023-30456)

Gwangun Jung discovered that the Quick Fair Queueing scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Sanan Hasanov discovered that the framebuffer console driver in the Linux  
kernel did not properly perform checks for font dimension limits. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-3161)

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in  
the netfilter subsystem of the Linux kernel when processing batch requests,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-32233)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1024-xilinx-zynqmp  5.4.0-1024.28  
   linux-image-xilinx-zynqmp       5.4.0.1024.27

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6222-1  
   CVE-2022-3108, CVE-2022-3707, CVE-2022-3903, CVE-2022-4129,  
   CVE-2023-0458, CVE-2023-0459, CVE-2023-1073, CVE-2023-1074,  
   CVE-2023-1075, CVE-2023-1076, CVE-2023-1077, CVE-2023-1078,  
   CVE-2023-1079, CVE-2023-1118, CVE-2023-1281, CVE-2023-1380,  
   CVE-2023-1513, CVE-2023-1670, CVE-2023-1829, CVE-2023-1859,  
   CVE-2023-1998, CVE-2023-2162, CVE-2023-25012, CVE-2023-2612,  
   CVE-2023-26545, CVE-2023-2985, CVE-2023-30456, CVE-2023-31436,  
   CVE-2023-3161, CVE-2023-32233, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1024.28

Ubuntu Security Notice USN-6222-1

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.



_Published July 5, 2023 | Updated July 10, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-07-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could allow possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20918

A-243794108 \[2\] \[3\]

EoP

High

11, 12, 12L, 13

CVE-2023-20942

A-258021433 \[2\] \[3\]

EoP

High

12, 12L, 13

CVE-2023-21145

A-265293293

EoP

High

11, 12, 12L, 13

CVE-2023-21245

A-222446076

EoP

High

11, 12, 12L, 13

CVE-2023-21251

A-204554636

EoP

High

11, 12, 12L, 13

CVE-2023-21254

A-254736794

EoP

High

13

CVE-2023-21257

A-257443065

EoP

High

13

CVE-2023-21262

A-279905816

EoP

High

12, 12L, 13

CVE-2023-21238

A-277740848

ID

High

11, 12, 12L, 13

CVE-2023-21239

A-274592467

ID

High

12, 12L, 13

CVE-2023-21249

A-217981062

ID

High

13

CVE-2023-21087

A-261723753

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21250

A-261068592

RCE

Critical

11, 12, 12L, 13

CVE-2023-2136

A-278113033

RCE

High

13

CVE-2023-21241

A-271849189

EoP

High

11, 12, 12L, 13

CVE-2023-21246

A-273729476

EoP

High

11, 12, 12L, 13

CVE-2023-21247

A-277333781

EoP

High

12, 12L, 13

CVE-2023-21248

A-277333746

EoP

High

12, 12L, 13

CVE-2023-21256

A-268193384

EoP

High

13

CVE-2023-21261

A-271680254

ID

High

11, 12, 12L, 13

CVE-2023-20910

A-245299920 \[2\]

DoS

High

11, 12, 12L, 13

CVE-2023-21240

A-275340417

DoS

High

11, 12, 12L, 13

CVE-2023-21243

A-274445194

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2023-20910, CVE-2023-21240, CVE-2023-21243

**2023-07-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-42703

A-253167854  
Upstream kernel

EoP

High

MemoryManagement

CVE-2023-21255

A-275041864  
Upstream kernel

EoP

High

Binder

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-25012

A-268589017  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

HID

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2021-29256

A-283489460\*

High

Mali

CVE-2022-28350

A-226921651\*

High

Mali

CVE-2023-28147

A-274005916 \*

High

Mali

CVE-2023-26083

A-272073598\*

Moderate

Mali

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-0948

A-281905774\*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20754

A-280380543  
M-ALPS07563028 \*

High

keyinstall

CVE-2023-20755

A-280374982  
M-ALPS07510064 \*

High

keyinstall

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21672

A-276751075  
QC-CR#3313322

High

Audio

CVE-2023-22386

A-276750584  
QC-CR#3355665 \[2\]

High

WLAN

CVE-2023-22387

A-276750306  
QC-CR#3356023 \[2\] \[3\] \[4\]

High

Kernel

CVE-2023-24851

A-276751076  
QC-CR#3359589 \[2\] \[3\]

High

WLAN

CVE-2023-24854

A-276750639  
QC-CR#3366343 \[2\]

High

WLAN

CVE-2023-28541

A-276750665  
QC-CR#3144133

High

WLAN

CVE-2023-28542

A-276750246  
QC-CR#3104318

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21629

A-264414032\*

Critical

Closed-source component

CVE-2023-21631

A-264415234\*

High

Closed-source component

CVE-2023-22667

A-276750583\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.
*   Security patch levels of 2023-07-05 or later address all issues associated with the 2023-07-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]
*   \[ro.build.version.security\_patch\]:\[2023-07-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-07-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-07-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin published

1.1

July 10, 2023

Bulletin revised to include AOSP links

CVE-2023-21256: Android Security Bulletin—July 2023

An issue in AVG AVG Anti-Spyware v.7.5 allows an attacker to execute arbitrary code via a crafted script to the guard.exe component.

**Get free antivirus that's trusted by experts**

Get powerful, effective protection against viruses and other malware with free antivirus. It’s just one simple download.

2022  
Top Rated product

award-winning antivirus

ransomware protection

Lightweight and easy to use

Trusted by 435 million worldwide

**What problem can we help you solve?**

Or solve everything quickly and easily with AVG Ultimate

AVG Internet Security

**Protect what’s yours with Internet Security**

What’s yours is yours, and we keep it that way. Our new **Webcam Protection** and **Ransomware Protection** features make sure no one can use your built-in camera, or change your files without your permission.

AVG Antivirus for Android

**Smart phone, safe phone**

AVG AntiVirus for Android guards your mobile phone against malware attacks and threats to your privacy. We give you on-the-go protection against unsafe apps, anti-theft locker & tracker, and plenty more security and performance features.

AVG Tuneup

**Faster, cleaner, clever PC**

AVG TuneUp is your one-screen suite that makes your PC run faster, smoother, and longer: just how you like it.

**NEW**: Software Uninstaller removes bloatware and adware taking up space on your  
PC, giving you more memory for the things you really care about.

AVG Secure VPN

**Untrackable,  
unhackable,  
unbreakable Secure VPN**

Connect boldly to public Wi-Fi with our bank-grade, 256-bit AES encryption. We keep all your online activity private and away from hackers, nosy neighbors and curious agencies. And it doesn’t hurt that you can access your favorite content worldwide.

**For your business, safety first**

Give your small and medium business the security it needs. From antivirus and spyware protection to data transaction and file server security, our Business Edition products have all the features your business needs to survive and thrive beyond cyber threats.

Protect your business Protect your business

**World-class protection**

We’ve added **25 new accolades** in the past two years to the hundreds we have won since we started in 1991. Our top marks means you know you’re in good hands.

2022  
Top Rated product

2020  
Excellent

2022  
Top Rated product

**Get expert advice on security, privacy, and device performance**

**How to Get Rid of a Virus & Other Malware on Your Computer**

Need to remove a computer virus? We'll show you how to scan for signs and get rid of viruses and malware from your PC, Mac, or laptop.

Read More **The Ultimate Guide to Mac Security**

Think you've got Mac security covered? Learn how to protect your Mac from common threats like viruses, thieves and snoops with our essential safety tips.

Read More **How to Fix Windows 10 and 11 Black Screen Issues Before or After Logging In**

Learn how to fix black screen issues on a Windows 10 or 11 PC or laptop, if it appears before or after login, upon startup, or while working.

Read More **What Is a VPN and How Does It Work?**

Virtual private network (VPN) explained. Learn what a VPN is, why you need one, and how to use it. Then choose the right VPN service.

Read More **Why Your Phone Gets Hot and How to Fix It**

Is your Android phone getting too hot? Learn why your phone may be heating up, how to cool it down, and how to prevent your phone from overheating.

Read More **How to Find and Remove Viruses on Android Phones and iPhones**

Learn how to remove viruses from your Android phone and iPhone with our expert guide. Scan and remove mobile malware, then protect against future threats.

Read More **How to Unblock Websites & Access Restricted Content**

Learn how to unblock a website and bypass restrictions at school, home, and work with this guide — including with a VPN, Tor, and proxy servers.

Read More **How to Boost FPS and Optimize Your PC for Gaming**

Low FPS and stutter can totally destroy your gaming experience. Find out how to optimize your gaming PC's performance and increase your FPS.

Read More

Whatever devices you use, AVG has you covered

CVE-2023-36167: AVG 2023 | FREE Antivirus, VPN & TuneUp for All Your Devices

Tenda FH1203 V2.0.1.6 was discovered to contain a stack overflow via the deviceId parameter in the addWifiMacFilter function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37701: IoT-Vulns/tenda/6908 at main · FirmRec/IoT-Vulns

Tenda FH1203 V2.0.1.6 was discovered to contain a stack overflow via the ssid parameter in the form_fast_setting_wifi_set function.

CVE-2023-37700: IoT-Vulns/tenda/6905 at main · FirmRec/IoT-Vulns

Vulnerabilities in electric vehicle charging stations and a lack of broad standards threaten drivers—and the power grid.

_This story was co-published with_ _Grist__, a nonprofit media organization covering climate, justice, and solutions._

With his electric Kia EV6 running low on power, Sky Malcolm pulled into a bank of fast-chargers near Terre Haute, Indiana, to plug in. As his car powered up, he peeked at nearby chargers. One in particular stood out.

Instead of the businesslike welcome screen displayed on the other Electrify America units, this one featured a picture of President Biden pointing his finger, with an “I did that!” caption. It was the same meme the president’s critics started slapping on gas pumps as prices soared last year, cloned 20 times across the screen.

"It was, unfortunately, not terribly surprising,” Malcolm says of the hack, which he stumbled upon last fall. Such shenanigans are increasingly common. At the beginning of the war in Ukraine, hackers tweaked charging stations along the Moscow–Saint Petersburg motorway in Russia to greet users with anti-Putin messages. Around the same time, cyber-vandals in England programmed public chargers to broadcast pornography. Just this year, the hosts of YouTube channel The Kilowatts tweeted a video showing it was possible to take control of an Electrify America station’s operating system.

While such breaches have so far remained relatively innocuous, cybersecurity experts say the consequences would be far more severe at the hands of truly nefarious miscreants. As companies, governments, and consumers sprint to install more chargers, the risks could only grow.

In recent years, security researchers and white-hat hackers have identified sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids. Given the dangers, everyone from device manufacturers to the Biden administration is rushing to fortify these increasingly common machines and establish security standards.

“This is a major problem,” says Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don't get this right.”

Vulnerabilities in EV charger security aren’t hard to find. Johnson and his colleagues summarized known shortcomings in a paper published last fall in the journal _Energies_. They found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate \[Wi-Fi\] networks to a breach.” Another study, led by Concordia University and published last year in the journal _Computers & Security_, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely, as well as deploy malware.

When British security research firm Pen Test Partners spent 18 months analyzing seven popular EV charger models, it found five had critical flaws. For instance, it identified a software bug in the popular Chargepoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data). A charger sold in the UK by Project EV allowed researchers to overwrite its firmware.

Such cracks could conceivably permit hackers to access vehicle data or consumers’ credit card information, says Ken Munro, a cofounder of Pen Test Partners. But perhaps the most worrying weakness to him was that, as with the Concordia testing, his team discovered that many of the devices allowed hackers to stop or start charging at will. That could leave frustrated drivers without a full battery when they need one, but it’s the cumulative impacts that could be truly devastating.

“It’s not about your charger, it’s about everyone’s charger at the same time,” he says. Many home users leave their cars connected to chargers even if they aren’t drawing power. They might, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower. If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize and even bring down entire electricity networks. 

“We’ve inadvertently created a weapon that nation-states can use against our power grid,” says Munro. The United States glimpsed what such an attack might look like in 2021 when hackers hijacked Colonial Pipeline and disrupted gasoline supplies nationwide. The attack ended once the company paid millions of dollars in ransom.

Munro’s top recommendation for consumers is to not connect their home chargers to the internet, which should prevent the exploitation of most vulnerabilities. The bulk of safeguards, however, must come from manufacturers.

“It's the responsibility of the companies offering these services to make sure they are secure,” says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree, you have to trust the device you're plugging into.”

Electrify America declined an interview request. With regard to the issues Malcolm and the Kilowatts documented, spokesperson Octavio Navarro wrote in an email that the incidents were isolated and the fixes were quickly deployed. In a statement, the company said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.”

Pen Test Partners wrote in its findings that companies were by and large responsive to fixing the vulnerabilities it identified, with ChargePoint and others plugging gaps in less than 24 hours (though one company created a new hole while trying to patch the old one). Project EV did not respond to Pen Test Partners but did eventually implement “strong authentication and authorization.” Experts, however, argue that it’s far past time for the industry to move beyond this whack-a-mole approach to cybersecurity.

“Everybody knows this is an issue and lots of people are trying to figure out how to best solve it,” says Johnson, adding that he has seen progress. For example, many public charging stations have upgraded to more secure methods of transmitting data. But as for a coordinated set of standards, he says, “there's not much regulation out there.”

There has been some movement toward changing that. The 2021 Bipartisan Infrastructure Law included some $7.5 billion to expand the electric vehicle charging network across the US, and the Biden administration has made cybersecurity part of that initiative. Last fall, the White House convened manufacturers and policymakers to discuss a path toward ensuring that increasingly vital electric vehicle charging hardware is properly protected.

“Our critical infrastructure needs to meet a baseline level of security and resilience,” says Harry Krejsa, chief strategist at the White House Office of the National Cyber Director. He also argued that bolstering EV cybersecurity is as much about building trust as it is mitigating risk. Secure systems, he says, “give us the confidence in our next-generation digital foundations to aim higher than we possibly could have otherwise.”

Earlier this year, the Federal Highway Administration finalized a rule requiring states to implement “appropriate” cybersecurity strategies for chargers funded under the infrastructure law. But Johnson says the regulation omits devices installed outside that expansion, not to mention the more than 100,000 units already in place nationwide. Plus, he says, states haven’t offered much detail about what they’ll do. “If you drill down into the state plans, you'll find that they are actually extremely light on cyber requirements,” he says. “The vast majority that I saw just say they will follow best practices.”

Just what constitutes best practice remains ill-defined. Johnson and his colleagues at Sandia published recommendations for charger manufacturers, and he noted that the National Institute of Standards and Technology is developing a framework for fast-charging that could help shape future regulation. But, ultimately, he would like to see something akin to the 2022 Protecting and Transforming Cyber Health Care Act that’s geared toward electric vehicles.

“Regulation is a way to drive the entire industry to improve their baseline security standards,” he says, pointing to recent laws in other countries as models or starting points for policymakers in the United States. Last year, for instance, the United Kingdom rolled out a host of requirements for EV chargers, such as enhanced encryption and authentication standards, tamper detection alerts, and randomized delay functionality.

The latter means that a charger must be able to turn on and off with a random time delay of up to 10 minutes. That would mitigate the impact of all the chargers in an area coming online simultaneously after a power outage or hack. “You don’t get that spike, which is great,” says Munro. “It removes the threat from the power grid.”

Johnson is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can't imagine \[stricter standards\] won't happen. It's just taking a long time,” he says. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement.

“It's scary stuff,” he says, “but it shouldn't be fear-mongering.”

EV Charger Hacking Poses a ‘Catastrophic’ Risk

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410.

**July 2023 Product Security Bulletin**

Published 2023-07-03

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and Wi-Fi chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20754, CVE-2023-20755

Medium

CVE-2023-20753, CVE-2023-20756, CVE-2023-20757, CVE-2023-20758, CVE-2023-20759, CVE-2023-20760, CVE-2023-20761, CVE-2023-20766, CVE-2023-20767, CVE-2023-20768, CVE-2023-20771, CVE-2023-20772, CVE-2023-20773, CVE-2023-20774, CVE-2023-20775, CVE-2023-20689, CVE-2023-20690, CVE-2023-20691, CVE-2023-20692, CVE-2023-20693, CVE-2022-32666, CVE-2023-20748

****Details****

CVE

**CVE-2023-20754**

Title

Integer overflow or wraparound in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20755**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20753**

Title

Out-of-bounds write in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In rpmb, there is a possible out of bounds write due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20756**

Title

Integer overflow or wraparound in keyinstall

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20757**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20758**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20759**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20760**

Title

Improper input validation in apu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In apu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983, MT8195

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20761**

Title

Improper input validation in ril

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20766**

Title

Improper input validation in gps

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6886, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20767**

Title

Improper input validation in pqframework

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In pqframework, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8167, MT8168, MT8195, MT8673

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20768**

Title

Access of resource using incompatible type ('type confusion') in ion

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In ion, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8195, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2023-20771**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In display, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6785, MT8168, MT8781

Affected Software Versions

Android 12.0

CVE

**CVE-2023-20772**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20773**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20774**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6835, MT6855, MT6886, MT6895, MT6983, MT6985, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20775**

Title

Buffer copy without checking size of input ('classic buffer overflow') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6983, MT6985, MT6990, MT8168, MT8183, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0 / OpenWrt 21.02 / RDKB 2022Q3

CVE

**CVE-2023-20689**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20690**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20691**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20692**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-476 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20693**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-477 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6895, MT6983, MT8167, MT8168, MT8195, MT8321, MT8365, MT8385, MT8666, MT8765, MT8781, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2022-32666**

Title

User interface (ui) misrepresentation of critical information in Wi-Fi

Severity

Medium

Vulnerability Type

DoS

CWE

CW3-451 User Interface (UI) Misrepresentation of Critical Information

Description

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915, MT7916, MT7981, MT7986, MT8365

Affected Software Versions

7.6.6.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20748**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

July 3, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-20775: July 2023

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

By Deeba Ahmed
This attack method can help attackers surpass all barriers to exploit side channels, which so far were not possible.
This is a post from HackRead.com Read the original post: Researchers Use Power LED to Extract Encryption Keys in Groundbreaking Attack

The cybersecurity researchers from the Ben-Gurion University of the Negev and Cornell University have revealed how a side-channel attack targeting a smart card reader’s power LED can recover encryption keys.

This ground-breaking method can help adversaries extract encryption keys from a device simply by analyzing the video footage of its power LED. This happened because the CPU’s cryptographic computations can change the power consumption of a device and impact the brightness of its power LED.

This ingenious attack method leverages the connection between a device’s power consumption and the brightness of its power LED. Adversaries can obtain secret keys from the RGB values as the LED’s brightness changes when the CPU performs cryptographic operations.

They exploited the flickering of the power LED during this operation and used their understanding of the card reader’s inner workings to decode the keys and gain access.

The team conducted two side-channel cryptanalytic timing attacks using this video-based cryptanalysis method. After examining the video footage of the power LED, they recovered a 256-bit ECDSA key from the smart card using a compromised internet-connected security camera. They placed the camera at a distance of 16 meters from the smart card reader.

Next, they recovered a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing the video footage of the power LED of Logitech Z120 USB speakers connected to the USB hub they used to charge the Galaxy S8.

“This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit, which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption,” researchers explained in their **report**.

But, this technique is not as simple as it seems because merely observing the LED with a camera cannot help recover security keys, even if the frame rate is considerably high. To record the rapid changes in an LED’s brightness using a standard webcam or smartphone camera, turning on the rolling shutter effect is essential, as this is when camera sensors start recording images line by line.

In a regular setting, the camera will record the entire image sensor. Using the same technique, attackers can exploit the video camera of an internet-connected security camera or even an iPhone 13 camera to obtain cryptographic keys. Cybersecurity researchers have shown concerns as this attack method will help attackers surpass all barriers to exploit side channels, which so far were not possible. The method’s non-intrusiveness makes it even more sinister.

However, as with every attack, there are some limitations to this one. For example, apart from being placed at a 16m distance, the camera should be in the direct line of sight view of the LED, and signatures should be recorded for 65 minutes.

Countering such attacks is possible if LED manufacturers add capacitors to reduce power consumption fluctuations. An alternate solution is covering the power LED with black tape to prevent information exposure.

Researchers have shared their explosive findings in a paper titled “Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED,” available **here** (PDF).

1.  Self-driving cars can be fooled by displaying virtual objects
2.  Locating malicious drone operators using deep neural networks
3.  Malware attack tricks biologists into producing dangerous toxins
4.  Stealing data from air-gapped PC by turning RAM into Wi-Fi Card
5.  Hackers can steal data from air-gapped PC using screen brightness
6.  Malware can extract data from air-gapped PC through power supply
7.  Lamphone attack recovers secret conversation via hanging light bulb

Researchers Use Power LED to Extract Encryption Keys in Groundbreaking Attack

Key findings from the research also show three of the four new malware threats on this quarter's top-ten list originated in China and Russia, living-off-the-land attacks on the rise, and more.

**SEATTLE – June 28, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q1 2023. Key findings from the data show phishers leveraging browser-based social engineering strategies, new malware with ties to nation states, high amounts of zero day malware, living-off-the-land attacks on the rise, and more. This edition of the report also features a new, dedicated section for the Threat Lab team’s quarterly ransomware tracking and analysis.

"Organizations need to pay more active, ongoing attention to the existing security solutions and strategies their businesses rely on to stay protected against increasingly sophisticated threats," said Corey Nachreiner, chief security officer at WatchGuard. "The top themes and corresponding best practices our Threat Lab have outlined for this report strongly emphasize layered malware defenses to combat living-off-the-land attacks, which can be done simply and effectively with a platform for unified security run by dedicated managed service providers."

Among its most notable findings, the Q1 2023 Internet Security Report reveals:

*   **New browser-based social engineering trends –** Now that web browsers have more protections preventing pop-up abuse, attackers have pivoted to using the browser notifications features to force similar types of interactions. Also of note from this quarter’s top malicious domains list is a new destination involving SEO-poisoning activity.
*   **Threat actors from China and Russia behind 75% of new threats in the Q1 Top 10 list –** Three of the four new threats that debuted on our top ten malware list this quarter have strong ties to nation states, although this doesn’t necessarily mean those malicious actors are in fact state-_sponsored_. One example from WatchGuard’s latest report is the Zusy malware family, which shows up for the first time in the top 10 malware list this quarter. One Zusy sample the Threat Lab found targets China’s population with adware that installs a compromised browser; the browser is then used to hijack the system’s Windows settings and as the default browser.
*   **Persistence of attacks against Office products, End-of-Life (EOL) Microsoft ISA Firewall –** Threat Lab analysts continue to see document-based threats targeting Office products in the most widespread malware list this quarter. On the network side, the team also noticed exploits against Microsoft’s now-discontinued firewall, the Internet Security and Acceleration (ISA) Server, getting a relatively high number of hits. Considering this product has long been discontinued and without updates, it is surprising to see attackers targeting it.
*   **Living-off-the-land attacks on the rise –** The ViperSoftX malware reviewed in the Q1 DNS analysis is the latest example of malware leveraging the built-in tools that come with operating systems to complete their objectives. The continued appearance of Microsoft Office- and PowerShell-based malware in these reports quarter after quarter underscores the importance of endpoint protection that can differentiate legitimate and malicious use of popular tools like PowerShell.
*   **Malware droppers targeting Linux-based systems –** One of the new top malware detections by volume in Q1 was a malware dropper aimed at Linux-based systems. A stark reminder that just because Windows is king in the enterprise space, this doesn’t mean organizations can afford to turn a blind eye to Linux and macOS. Be sure to include non-Windows machines when rolling out Endpoint Detection and Response (EDR) to maintain full coverage of your environment.
*   **Zero day malware accounting for the majority of detections –** This quarter saw 70% of detections coming from zero day malware over unencrypted web traffic, and a whopping 93% of detections from zero day malware from encrypted web traffic. Zero day malware can infect IoT devices, misconfigured servers, and other devices that don’t use robust host-based defenses like WatchGuard EPDR (Endpoint Protection Detection and Response).  
*   **New insights based on ransomware tracking data –** In Q1 2023, the Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to publish victims at an alarmingly high rate; some are well-known organizations and companies in the Fortune 500. (Stay tuned for more ransomware tracking trends and analysis as part of WatchGuard’s quarterly Threat Lab research in future reports!)

Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.   
New for this Q1 2023 analysis, the Threat Lab team has updated the methods used to normalize, analyze, and present the report findings. While previous quarterly research results have primarily been presented in the aggregate (as global total volumes), this quarter and going forward the network security results will be presented as “per device” averages for all reporting network appliances. The full report includes additional detail around this evolution and the rationale behind the updated methodology, as well as details on additional malware, network, and ransomware trends from Q1 2023, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.

For a more in-depth view of WatchGuard’s research, read the complete Q1 2023 Internet Security Report here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

_WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners._

Tag

#wifi