By Owais Sultan
Originating in North Korea, the Holy Ghost ransomware operation has preyed primarily on small businesses, but that doesn’t mean larger businesses can ignore it. 
This is a post from HackRead.com Read the original post: Lessons from the Holy Ghost Ransomware Attacks

Ransomeware has become one of the defining malware types in the last few years. Locking, encrypting, and basically deleting the original data from the victim’s PC, the hackers, or let’s just call them cyber criminals, then **seek to extort money** for them in return for restored access to your critical data.

In the meantime, you have utterly no idea what’s been accessed and stolen, or if your extorted funds will even result in the release of your data. One of the most current threats, the so-called Holy Ghost Ransomware, or **Sienne Purple**, has several key lessons in cybersecurity to teach us. Let’s take a look.

**Cybersecurity: Thinking Small**

Originating in **North Korea**, the Holy Ghost ransomware operation has preyed primarily on small businesses, but that doesn’t mean larger businesses can ignore it. This is an interesting shift of focus, and highlights a key lesson straight out the gate- cybersecurity is now no longer just for ‘big’ or ‘important’ businesses.

With the pandemic-accelerated shift to **online and remote work**, staying safe in cyberspace has become a business-critical concern. It’s easy to assume you are too small or too ‘uninteresting’ to cyber criminals and hackers, but in a world that’s ever-increasingly connected, this is no longer a safe stance to assume. 

Hackers know that small enterprises are less likely to have safety controls in place, making them a juicy target ‘market’ that’s likely to grow as a target demographic. It’s no longer safe to assume any business, no matter their digital presence, can slide on security precautions.

Luckily, we’re seeing a concurrent rise in focus on products aimed to help tighten and enhance security across a range of industries, combining scalability, affordability, and ease of use with fast deployment. **Perimeter 81**, for example, has a full suite unified business security solution, making security for your workers across regions and the globe a simple process.

**The Double Extortion**

We’ve also seen a swing to **double extortion attempts** in recent Ransomware attacks. Alongside the typical play for cash to return data, there’s also the threat of publishing the victim’s name and stolen data to the wider **dark web**.

Do note that Holy Ghost, particularly, rarely actually delivers the decryption key or your software returned. Sadly, decryption is usually impossible without it, too, so the chances of recovering data after a breach are minimal. As always, strong preventative security and solid backups are the only solutions.

Prevention is the only cure, here. Victims are highly advised not to pay the ransom over, as it simply goes to support further illegal activity. The ransom is typically **asked for in Bitcoin**.

Holy Ghost Ransomware Gang’s note

1.  **US charges 3 North Korean hackers for extorting $1.3+ billion**
2.  **Beware of Fake Windows 11 Downloads Distributing Vidar Malware**
3.  **New Scam Utilizing AI-Generated Images to Represent Fake Law Firm**
4.  **Elite North Koreans aren’t opposed to exploiting internet for financial gain**
5.  **Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity**

**Evolving Ransomware**

Holy Ghost itself was first classified as Sienna Purple by the Microsoft Threat Intelligence Center (MSTIC). It started last June as a relatively unsophisticated BTLC\_C.exe form. In October 2021, the Go-based variants, now classified as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) have greatly expanded functionality.

You will now find internet/intranet support, multiple encryption options, public key management, and string obfuscation as standard. The ransomware gang itself is being traced as DEV-0530. They have some connection to the PLUTONIUM, or DarkSeoul, gang. The encrypted files typically end with the .h0lyenc suffix. **Microsoft’s full report** has more.

**The Importance of Security Updates**

Common targets have been schools, banks, social/event planning companies, and manufacturing organizations. Most of these likely became targets of opportunity through vulnerabilities in public-facing web applications or their content-management systems as original points of access. In fact, the DotCMS remote code execution vulnerability, CVE-2022-26352, is thought to have been a key access point. 

This highlights another critical point in the modern digital business environment- small and public institutions like these often fail to regularly **maintain and update** their OSs and programs across their organizations. And all it takes is one vulnerable PC on the network for the whole system to be infiltrated.

While enterprise-level companies tend to have better update policies in place, you’re never too large to check in on your regular IT maintenance protocols- a mistake in a large organization can easily be more costly.

Regular security updates are issued by most mainstream platforms, but many organizations lack a cohesive maintenance policy, and many workers are under-educated in the importance of cybersecurity tasks like security updates. They simply click away from the nag screen and return to work. After all, IT will handle that, right?

The need for cohesive and **organization-wide education** on the risks of cybercrime is critical but often neglected, especially in business.

**Being Careful With Trust**

Currently, the Holy Ghost website is down, and it may stay down, but it’s also critical to note that they were leveraging their limited online presence to pose as a legitimate cybersecurity entity, actively promising to help visitors ‘improve’ their online security presence.

Of course, one **malicious entity masquerading as a legitimate cybersecurity company** doesn’t mean all smaller cybersecurity companies are fake. However, the need for informed due diligence and being careful to work with well-known, trusted, and verified products/brands is clear. Again, they are trying to leverage the general public and business owners’ lack of knowledge about cybercrime and its infiltration methods to lure victims in.

**Political Interference**

This is certainly not a new feature, nor one unique to Holy Ghost, but it bears repeating- many ransomware efforts show signs of hostile political interference at their core. As with the **Maui ransomware** currently predating on healthcare organizations, there are some links to the North Korean government itself in the Holy Ghost attacks. As the international stage gets more and more politically fraught, this is a pattern we’re likely to see evolve.

As with all ransomware, the key takeaways from Holy Ghost ransomware include the need to invest in secure systems, no matter what size of business you are running. Deploying effective cybersecurity is a must of working in the digital age.

Always have secure backups through a variety of mediums, and make sure to stage them across time periods, so you don’t end up in the unenviable position where the backup carries over the virus.

Communicating **cybersecurity risks** to staff members is essential. Ransomware commonly spreads through phishing emails, remote desktop protocols that are not correctly secured or communicated, infected downloads from compromised sites, and the insertion of infected media and USB devices.

Ensuring staff is knowledgeable about these risks is one of the best possible investments, alongside proper security protocols and updates.

Ransomware as a malicious software category is set to grow further over the coming years, as **more workspaces enter the digital environment**. Having proper preventative protocols in place is a must. 

**More Ransomware News**

1.  **Conti Ransomware Gang Hits German Wind Turbine Giant Nordex**
2.  **GoodWill Ransomware demands food for the poor to decrypt locked files**
3.  **Cardiologist Charged for Developing Jigsaw v.2 and Thanos Ransomware**
4.  **PoC Shows IoT Devices Vulnerable to Install Ransomware on OT Networks**

Lessons from the Holy Ghost Ransomware Attacks

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina. An app may be able to execute arbitrary code with kernel privileges.

Released July 20, 2022

**APFS**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Audio**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**CoreText**

Available for: macOS Big Sur

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**FaceTime**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to access private information

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-32781: Wojciech Reguła (@\_r3ggi) of SecuRing

**File System Events**

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**ICU**

Available for: macOS Big Sur

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Big Sur

Impact: Processing an image may lead to a denial-of-service

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Kernel**

Available for: macOS Big Sur

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32815: Xinru Chi of Pangu Lab

CVE-2022-32813: Xinru Chi of Pangu Lab

**libxml2**

Available for: macOS Big Sur

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Big Sur

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**Software Update**

Available for: macOS Big Sur

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Big Sur

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Big Sur

Impact: An app may be able to gain elevated privileges

Description: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.

CVE-2022-26704: Joshua Mason of Mandiant

**TCC**

Available for: macOS Big Sur

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2022-0156

CVE-2022-0158

**Wi-Fi**

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Big Sur

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32811: About the security content of macOS Big Sur 11.6.8

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Released July 20, 2022

**APFS**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32832: Tommy Muir (@Muirey03)

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32810: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32840: Mohamed Ghannam (@\_simo36)

**Apple Neural Engine**

Available for: macOS Monterey

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-32845: Mohamed Ghannam (@\_simo36)

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: This issue was addressed with improved checks.

CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py\_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32851: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32852: Ye Zhang (@co0py\_Cat) of Baidu Security

CVE-2022-32853: Ye Zhang (@co0py\_Cat) of Baidu Security

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32831: Ye Zhang (@co0py\_Cat) of Baidu Security

**Audio**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32820: an anonymous researcher

**Audio**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32825: John Aakerblom (@jaakerblom)

**Automation**

Available for: macOS Monterey

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved checks.

CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Calendar**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: The issue was addressed with improved handling of caches.

CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

**CoreMedia**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)

**CoreText**

Available for: macOS Monterey

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2022-32839: STAR Labs (@starlabs\_sg)

**File System Events**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-32819: Joshua Mason of Mandiant

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2022-32793: an anonymous researcher

**GPU Drivers**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-32821: John Aakerblom (@jaakerblom)

**iCloud Photo Library**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2022-32849: Joshua Jones

**ICU**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32841: hjy79425575

 **ImageIO**

 Available for: macOS Monterey

 Impact: Processing an image may lead to a denial-of-service

 Description: A null pointer dereference was addressed with improved validation.

 CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2022-32811: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

**Kernel**

Available for: macOS Monterey

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32813: Xinru Chi of Pangu Lab

CVE-2022-32815: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32817: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: This issue was addressed with improved checks.

CVE-2022-32829: an anonymous researcher

**Liblouis**

Available for: macOS Monterey

Impact: An app may cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)

**libxml2**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive user information

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-32823

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**Multi-Touch**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: An issue in the handling of environment variables was addressed with improved validation.

CVE-2022-32786: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2022-32800: Mickey Jin (@patch1t)

**PluginKit**

Available for: macOS Monterey

Impact: An app may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

**PS Normalizer**

Available for: macOS Monterey

Impact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

**SMB**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: A user in a privileged network position may be able to leak sensitive information

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

**SMB**

Available for: macOS Monterey

Impact: An app may be able to leak sensitive kernel state

Description: The issue was addressed with improved memory handling.

CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

**Software Update**

Available for: macOS Monterey

Impact: A user in a privileged network position can track a user’s activity

Description: This issue was addressed by using HTTPS when sending information over the network.

CVE-2022-32857: Jeffrey Paul (sneak.berlin)

**Spindump**

Available for: macOS Monterey

Impact: An app may be able to overwrite arbitrary files

Description: This issue was addressed with improved file handling.

CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

**subversion**

Available for: macOS Monterey

Impact: Multiple issues in subversion

Description: Multiple issues were addressed by updating subversion.

CVE-2021-28544: Evgeny Kotkov, visualsvn.com

CVE-2022-24070: Evgeny Kotkov, visualsvn.com

CVE-2022-29046: Evgeny Kotkov, visualsvn.com

CVE-2022-29048: Evgeny Kotkov, visualsvn.com

**TCC**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user information

Description: An access issue was addressed with improvements to the sandbox.

CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**WebKit**

Available for: macOS Monterey

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

**Wi-Fi**

Available for: macOS Monterey

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32837: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: This issue was addressed with improved checks.

CVE-2022-32847: Wang Yu of Cyberserval

**Windows Server**

Available for: macOS Monterey

Impact: An app may be able to capture a user’s screen

Description: A logic issue was addressed with improved checks.

CVE-2022-32848: Jeremy Legendre of MacEnhance

CVE-2022-32793: About the security content of macOS Monterey 12.5

The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse them to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Two weeks since its disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it's added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.

Exploitation of the issue can help attackers to cover their tracks and location, according to the original Palo Alto Networks advisory issued earlier this month.

"The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target," according to the firm.

"The good news is that this vulnerability does not provide attackers with access to the victim's internal network," says Phil Neray, vice president of cyber-defense strategy at CardinalOps. "The bad news is that it can halt business-critical operations \[at other targets\] such as taking orders and handling customer service requests."

He notes that DDoS attacks aren't just mounted by small-time nuisance actors, as is often assumed: "DDoS has been used in the past by adversary groups like APT28 against the World Anti-Doping Agency."

The bug arises thanks to a URL-filtering policy misconfiguration, so instances that use a non-standard configuration are at risk. To be exploited, the firewall configuration "must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," the advisory read.

**Exploited in the Wild**

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals -- and are increasingly exploited.  

"The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification."

The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors.

"Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. "Cybercriminals know this is how many companies handle their cybersecurity, so they've learned to take advantage of vulnerabilities seen as less critical to carry out their attacks."

But patch prioritization continues to be a challenge for organizations of all stripes and sizes thanks to the sheer number of patches that are disclosed in a given month — it totals hundreds of vulnerabilities that IT teams need to triage and assess, often without much guidance to go on. And furthermore Skybox Research Lab recently found that new vulnerabilities that went on to be exploited in the wild rose by 24% in 2022.

That said, "any vulnerability that CISA warns you about, if you have in your environment, you need to patch now," Roger Grimes, data-driven defense evangelist at KnowBe4, tells Dark Reading. "The \[KEV\] lists all the vulnerabilities that were used by any real-world attacker to attack any real-world target. Great service."

He notes that the list is exhaustive: "It isn't just full of Windows or Google Chrome exploits. I think the average computer security person would be surprised about what's on the list. It's full of devices, firmware patches, VPNs, DVRs, and a ton of stuff that isn't traditionally thought of as being highly targeted by hackers."

**Time to Patch & Monitor for Compromise**

For the newly exploited PAN-OS bug, patches are available in the following versions:

*   PAN-OS 8.1.23-h1
*   PAN-OS 9.0.16-h3
*   PAN-OS 9.1.14-h4
*   PAN-OS 10.0.11-h1
*   PAN-OS 10.1.6-h6
*   PAN-OS 10.2.2-h2
*   And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.

To determine if the damage is already done, "organizations should ensure they have solutions in place capable of quantifying the business impact of cyber-risks into economic impact," Olaes wrote.

He added, "This will also help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate."

Grimes notes that it's a good idea to subscribe to CISA's KEV emails as well.

"If you subscribe, you'll get at least an email a week, if not more, telling what the latest exploited vulnerabilities are," he says. "It isn't just a Palo Alto Networks problem. Not by any stretch of the imagination."

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

An insider threat or remote attacker with initial access could exploit CVE-2022-31676 to steal sensitive data and scoop up user credentials for follow-on attacks.

An important-rated security vulnerability in VMware Tools could pave the way for local privilege escalation (LPE) and complete takeover of virtual machines that house important corporate data, user info and credentials, and applications.

VMware Tools is a set of services and modules that enable several features in VMware products used to manage user interactions with guest operating systems (Guest OS). Guest OS is the engine that powers a virtual machine.

"A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine," according to VMware's security advisory, issued this week, which noted that the bug, tracked as CVE-2022-31676, carries a rating of 7.0 out of 10 on the CVSS vulnerability-severity scale.

Exploitation paths could take many forms, according to Mike Parkin, senior technical engineer at Vulcan Cyber.

"It is unclear from the release whether it requires access through the VMware virtual console interface or whether a user with some form of remote access to the Guest OS, such as RDP on Windows or shell access for Linux, could exploit the vulnerability," he tells Dark Reading. "Access to Guest OS should be limited, but there are many use cases that require logging into a virtual machine as a local user."

The virtualization virtuoso has patched the issue, with patched-version details available in the security alert. There are no workarounds for the flaw, so admins should apply the update to avoid compromise.

The issue, while not critical, should still be patched as soon as practicable, Parkin warns: "Even with cloud migration, VMware remains a staple of virtualization in many enterprise environments, which makes any privilege escalation vulnerability problematic."

To monitor for compromise, John Bambenek, principal threat hunter at Netenrich, recommends deploying behavioral analytics to detect credential abuse, as well as an insider threat program to detect problem employees who may abuse their already legitimate access.

"VMWare (and related) systems manage the most privileged systems, and compromising them is a force multiplier for threat actors," he says.

The patch comes on the heels of the disclosure of a critical bug earlier this month that would allow authentication bypass for on-premises VMware implementations, to give attackers initial local access and the ability to exploit LPE vulnerabilities such as this one.

VMware LPE Bug Allows Cyberattackers to Feast on Virtual Machine Data

An issue was discovered in 72crm 9.0. There is a SQL Injection vulnerability in View the task calendar.

****Brief of this vulnerability****

72crm v9 has sql injection vulnerability in View the task calendar

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\work\\controller\\Task.php line 506

The $param parameter is passed to getDateList

The start\_time parameter and stop\_time parameter are directly spliced ​​into $whereDate, and then executed on line 493. resulting in sql injection vulnerability

****Vulnerability display****

First enter the background

Click as shown,go to the View the task calendar and capture the packet

payload: start\_time=1&stop\_time=1))+or+sleep(2)--+

Sleep successfully for 2 seconds

If debug mode is enabled  
  
payload：start\_time=1&stop\_time=1))+or+updatexml(1,concat(0x7e,database(),0x7e,version()),1)--+  
  
Successfully obtained the database name and version number

CVE-2022-37178: 72crm v9 has sql injection vulnerability · Issue #34 · 72wukong/72crm-9.0-PHP

72crm 9.0 has an Arbitrary file upload vulnerability.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the logo

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\System.php line 51  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
click this  
  
Just upload a picture and capture the package, modify the content as follows  
  
Back to enterprise management background  
  
access image address  
  
php code executed successfully  
Notice：Because it is uploaded at the logo, unauthorized users can also access this php code

CVE-2022-37181: 72crm v9 has Arbitrary file upload vulnerability · Issue #35 · 72wukong/72crm-9.0-PHP

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 24 Jan 2022 14:05:01 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

Hi all,

We discovered two vulnerabilities in the glibc, CVE-2021-3998 in
realpath() and CVE-2021-3999 in getcwd(). Patches are now available at
(many thanks to Siddhesh Poyarekar and Red Hat Product Security):

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee8d5e33adb284601c00c94687bc907e10aec9bb
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to the glibc and that we will publish at a later date):


========================================================================
CVE-2021-3998: Unexpected return value from glibc's realpath()
========================================================================

While auditing umount and fusermount, we also discovered a vulnerability
in the glibc's realpath() function, which is used internally by various
programs. Normally, when the output buffer "resolved" that is passed to
realpath() is not NULL, then realpath() either returns NULL on failure,
or it returns the output buffer "resolved" on success. Unfortunately,
since commit c6e0b0b ("stdlib: Sync canonicalize with gnulib") from
January 2021, realpath() can mistakenly return a malloc()ated buffer
that is neither NULL nor the output buffer "resolved":

------------------------------------------------------------------------
430 char \*
431 \_\_realpath (const char \*name, char \*resolved)
432 {
...
437   struct scratch\_buffer rname\_buffer;
438   return realpath\_stk (name, resolved, &rname\_buffer);
439 }
------------------------------------------------------------------------
197 static char \*
198 realpath\_stk (const char \*name, char \*resolved,
199               struct scratch\_buffer \*rname\_buf)
200 {
...
399   failed = false;
...
403   if (resolved != NULL && dest - rname <= get\_path\_max ())
404     rname = strcpy (resolved, rname);
...
410   if (failed || rname == resolved)
411     {
412       scratch\_buffer\_free (rname\_buf);
413       return failed ? NULL : resolved;
414     }
415 
416   return scratch\_buffer\_dupfree (rname\_buf, dest - rname);
417 }
------------------------------------------------------------------------

For example, if the input path "name" is "." and if the current working
directory is longer than PATH\_MAX, then:

- at line 399, "failed" is set to false;

- at lines 403-404, "rname" is NOT set to "resolved" and "resolved" is
  left untouched and uninitialized (because "dest - rname" is longer
  than PATH\_MAX);

- the code block at lines 410-414 is skipped (because "failed" is false
  and "rname" is not "resolved");

- at line 416, scratch\_buffer\_dupfree() returns a malloc()ated buffer
  that is NOT the output buffer "resolved".

The consequences of this vulnerability depend on the affected programs;
for example, fusermount (a SUID-root program) can disclose sensitive
information (pointers) when displaying the contents of a stack-based
buffer that is mistakenly left uninitialized by realpath() (we tested
this proof of concept on Ubuntu 21.04):

------------------------------------------------------------------------
$ gcc -o CVE-2021-3998-fusermount CVE-2021-3998-fusermount.c
$ ./CVE-2021-3998-fusermount > CVE-2021-3998-fusermount.output
...

$ hexdump -C CVE-2021-3998-fusermount.output
00000000  2f 75 73 72 2f 62 69 6e  2f 66 75 73 65 72 6d 6f  |/usr/bin/fusermo|
00000010  75 6e 74 3a 20 65 6e 74  72 79 20 66 6f 72 20 f0  |unt: entry for .|
00000020  83 9b 99 ff 7f 20 6e 6f  74 20 66 6f 75 6e 64 20  |..... not found |
00000030  69 6e 20 2f 65 74 63 2f  6d 74 61 62 0a 0a 2f 75  |in /etc/mtab../u|
00000040  73 72 2f 62 69 6e 2f 66  75 73 65 72 6d 6f 75 6e  |sr/bin/fusermoun|
00000050  74 3a 20 65 6e 74 72 79  20 66 6f 72 20 39 ac b7  |t: entry for 9..|
00000060  a5 a2 7f 20 6e 6f 74 20  66 6f 75 6e 64 20 69 6e  |... not found in|
00000070  20 2f 65 74 63 2f 6d 74  61 62 0a 0a              | /etc/mtab..|
------------------------------------------------------------------------


========================================================================
CVE-2021-3999: Off-by-one buffer overflow/underflow in glibc's getcwd()
========================================================================

While studying the vulnerability in realpath(), we also discovered a
vulnerability in the glibc's getcwd() function (which is used internally
by realpath() to resolve relative pathnames) -- an off-by-one buffer
overflow and underflow, but if and only if the "size" of "buf" is
exactly 1:

------------------------------------------------------------------------
 48 \_\_getcwd (char \*buf, size\_t size)
 49 {
 ..
 54   size\_t alloc\_size = size;
 ..
 76     path = buf;
 ..
 80   retval = INLINE\_SYSCALL (getcwd, 2, path, alloc\_size);
...
100   if (retval >= 0 || errno == ENAMETOOLONG)
101     {
...
110       result = \_\_getcwd\_generic (path, size);
------------------------------------------------------------------------
158 \_\_getcwd\_generic (char \*buf, size\_t size)
159 {
...
187   size\_t allocated = size;
...
247     dir = buf;
248 
249   dirp = dir + allocated;
250   \*--dirp = '\\0';
...
262   while (!(thisdev == rootdev && thisino == rootino))
263     {
...
441     }
...
449   if (dirp == &dir\[allocated - 1\])
450     \*--dirp = '/';
...
457   used = dir + allocated - dirp;
458   memmove (dir, dirp, used);
------------------------------------------------------------------------

If, at line 48, the "size" of "buf" is exactly 1:

- and if, at line 80, the kernel's getcwd() syscall fails with the error
  ENAMETOOLONG (because the current working directory is longer than
  PATH\_MAX),

- then, at line 110, a generic implementation of getcwd() is called;

- at line 250, a null byte is written to "dirp", which points exactly to
  "buf" (because "size", and hence "allocated", are exactly 1);

- if the code block at lines 262-441 is skipped entirely (if the current
  working directory corresponds to the "/" directory),

- then, at lines 449-450, a slash is written to "buf-1" (an off-by-one
  buffer underflow, because at line 449 "dirp" was still pointing
  exactly to "buf"),

- and, at lines 457-458, a null byte is written to "buf+1" (an
  off-by-one buffer overflow, because at line 457 "used" is exactly 2).

It may seem impossible to satisfy the condition at line 100 (the current
working directory is longer than PATH\_MAX) and the condition at line 262
(the current working directory corresponds to the "/" directory), but in
reality we can:

- in a child process:

  - create an unprivileged mount namespace;

  - create a directory longer than PATH\_MAX;

  - bind-mount "/" onto this directory;

  - open() this directory and send its file descriptor to the parent
    process (outside the unprivileged mount namespace);

- in the parent process:

  - receive the file descriptor of this directory (which corresponds to
    "/" and is longer than PATH\_MAX) and fchdir() to it;

  - execute a SUID program that calls getcwd() with a buffer of size 1,
    which triggers the off-by-one buffer overflow and underflow.

Apparently, this vulnerability was introduced in February 1995 by the
very first commit in the glibc's git history (28f540f, "initial import")
and could be triggered without an unprivileged mount namespace, by
simply chdir()ing to the "/" directory:

------------------------------------------------------------------------
190 getcwd (buf, size)
...
218     path = buf;
...
226   pathp = path + size;
227   \*--pathp = '\\0';
...
242   while (!(thisdev == rootdev && thisino == rootino))
243     {
...
351     }
352 
353   if (pathp == &path\[size - 1\])
354     \*--pathp = '/';
...
359   memmove (path, pathp, path + size - pathp);
------------------------------------------------------------------------

Although "the size of buf is exactly 1" is a strong requirement,
vulnerable code like the following may exist in the wild:

------------------------------------------------------------------------
#include <unistd.h>
#include <stdio.h>

int main(int argc, char \* argv\[\]) {
    char buf\[4096\];
    int len = snprintf(buf, sizeof(buf), "%s: cwd is ", argv\[0\]);
    if (len <= 0 || (unsigned)len >= sizeof(buf)) return \_\_LINE\_\_;
    if (!getcwd(buf + len, sizeof(buf) - len)) return \_\_LINE\_\_;
    puts(buf);
    return 0;
}
------------------------------------------------------------------------


Thank you very much! We are at your disposal for questions, comments,
and further discussions.

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-3998: security - CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd()

Three of the world's leading browsers were measured for phishing and malware protection, with time to block and protection over time as key metrics in test scores.

**AUSTIN, Texas – Aug. 16, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published the results of its 2022 Web Browser Security Test. Google Chrome, Microsoft Edge, and Mozilla Firefox were tested for Phishing Protection and Malware Protection running on Windows 10 and 11.

The Malware tests ran for 24 days with 96 discrete test runs. Phishing tests ran for 20 days with 80 discrete test runs. The reports include measurements of protection against fresh new attacks, consistency of protection over time, and how effective the browser protection was overall.

The ability to warn potential victims that they are about to land on a malicious website or click on a suspicious URL puts web browsers in a unique position to protect the user from an attack. Websites that trick users into downloading malware and phishing campaigns often used for criminal activity have short lifespans, so it is essential that the URL is discovered and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast to achieve high catch rates.

"Phishing attacks pose a significant risk to individuals and organizations by threatening to compromise or acquire sensitive personal and corporate information," said Vikram Phatak, CEO of CyberRatings.org. "Phishing and Ransomware attacks continue to rise year over year. Consumers should not override the warnings offered by their web browser protection but instead take advantage of the free offering."

*   Malware protection:

*   Microsoft Edge – 97.0%
*   Google Chrome – 88.4%
*   Mozilla Firefox – 84.6%

*   Phishing protection:

*   Microsoft Edge – 91.6%
*   Mozilla Firefox – 90.0%
*   Google Chrome – 89.6%

*   Average time to block a URL from malware:

*   Microsoft Edge 0:56:51
*   Google Chrome 4:46:39
*   Mozilla Firefox 5:18:40

*   Average time to block a phishing URL:

*   Microsoft Edge 0:44:07
*   Mozilla Firefox 1:23:37
*   Google Chrome 2:19:13

The Comparative Test Reports provide detailed results for each product. As a service to the community, CyberRatings.org is providing these reports for free.

**The following browsers were tested:**  

*   Google Chrome: Version 101.0.1210.53 - 102.0.5005.115
*   Microsoft Edge: Version 101.0.1210.47 - 102.0.1254.39
*   Mozilla Firefox: Version 100.0.1 - 101.0.1

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CyberRatings.org Announces New Web Browser Test Results for 2022

Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.

  

> Read our Blog: https://goteleport.com/blog/

> Read our Documentation: https://goteleport.com/docs/getting-started/

**Table of Contents**

1.  Introduction
2.  Installing and Running
3.  Docker
4.  Building Teleport
5.  Why Did We Build Teleport?
6.  More Information
7.  Support and Contributing
8.  Is Teleport Secure and Production Ready?
9.  Who Built Teleport?

**Introduction**

Teleport is the easiest, most secure way to access all your infrastructure. Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols.

On the server-side, Teleport is a single binary which enables convenient secure access to behind-NAT resources such as:

*   SSH nodes - SSH works in browsers too!
*   Kubernetes clusters
*   PostgreSQL, MongoDB, CockroachDB and MySQL databases
*   Internal Web apps
*   Windows Hosts
*   Networked servers

Teleport is trivial to set up as a Linux daemon or in a Kubernetes pod. It's rapidly replacing legacy sshd\-based setups at organizations who need:

*   Developer convenience of having instant secure access to everything they need across many environments and cloud providers.
*   Audit log with session recording/replay for multiple protocols
*   Easily manage trust between teams, organizations and data centers.
*   Role-based access control (RBAC) and flexible access workflows (one-time access requests)

In addition to its hallmark features, Teleport is interesting for smaller teams because it facilitates easy adoption of the best infrastructure security practices like:

*   No need to manage shared secrets such as SSH keys: Teleport uses certificate-based access with automatic certificate expiration time for all protocols.
*   Two-factor authentication (2FA) for everything.
*   Collaboratively troubleshoot issues through session sharing.
*   Single sign-on (SSO) for everything via Github Auth, OpenID Connect, or SAML with endpoints like Okta or Active Directory.
*   Infrastructure introspection: Use Teleport via the CLI or Web UI to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app.

Teleport is built upon the high-quality Golang SSH implementation. It is _fully compatible with OpenSSH_, sshd servers, and ssh clients.

Project Links

Description

Teleport Website

The official website of the project.

Documentation

Admin guide, user manual and more.

Demo Video

3-minute video overview of Teleport.

Blog

Our blog where we publish Teleport news.

Forum

Ask us a setup question, post your tutorial, feedback, or idea on our forum.

Slack

Need help with your setup? Ping us in our Slack channel.

Cloud-hosted

We offer Enterprise with a Cloud-hosted option. For teams that require easy and secure access to their computing environments.

**Installing and Running**

| Follow the Installation Guide

Download the latest binary release, unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into /usr/local/bin.

Then you can run Teleport as a single-node cluster:

In a production environment, Teleport must run as root. For testing or non-production environments, run it as the $USER:

chown $USER /var/lib/teleport

*   In this case, you will not be able to log in as another user.

**Docker**

| Follow the Docker-Compose Getting Started Guide

**Deploy Teleport**

If you wish to deploy Teleport inside a Docker container:

    # This command will pull the Teleport container image for version 8
    docker pull public.ecr.aws/gravitational/teleport:8
    

View latest tags on Amazon ECR Public | gravitational/teleport

**For Local Testing and Development**

Follow the instructions in the docker/README file.

To run a full test suite locally, see the test dependecies list

**Building Teleport**

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in Javascript (a git submodule located in the webassets/ directory).

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v9.1.2 gets release v9.1.2.

**Dockerized Build**

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

    make -C build.assets build-binaries
    

**Local Build****Dependencies**

Ensure you have installed correct versions of necessary dependencies:

*   Go version from go.mod
*   If you wish to build the Rust-powered features like Desktop Access, see the Rust and Cargo version in build.assets/Makefile (search for RUST_VERSION)
*   For tsh version > 10.x with FIDO support, you will need libfido and openssl 1.1 installed locally

For an example of Dev Environment setup on a Mac, see these instructions.

**Perform a build**

> **Important**
> 
> *   The Go compiler is somewhat sensitive to the amount of memory: you will need **at least** 1GB of virtual memory to compile Teleport. A 512MB instance without swap will **not** work.
> *   This will build the latest version of Teleport, **regardless** of whether it is stable. If you want to build the latest stable release, run git checkout and git submodule update --recursive to the corresponding tag (for example,
> *   run git checkout v8.0.0) **before** performing a build.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

To build tsh with Apple TouchID support enabled:

> **Important**
> 
> tsh binaries with Touch ID support are only functional using binaries signed with Teleport's Apple Developer ID and notarized by Apple. If you are a Teleport maintainer, ask the team for access.

make build/tsh TOUCHID=yes

To build tsh with libfido:

make build/tsh FIDO2=dynamic

*   On a Mac, with libfido and openssl 1.1 installed via homebrew
    
    export PKG\_CONFIG\_PATH="$(brew --prefix openssl@1.1)/lib/pkgconfig"
    make build/tsh FIDO2=dynamic
    

**Build output and running locally**

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

**Web UI**

The Teleport Web UI resides in the Gravitational Webapps repo.

**Rebuilding Web UI for development**

To clone this repository and rebuild the Teleport UI package, run the following commands:

git clone git@github.com:gravitational/webapps.git
cd webapps
make build-teleport

Then you can replace Teleport Web UI files with the files from the newly-generated /dist folder.

To enable speedy iterations on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

# Run Teleport as a single-node cluster in development mode:
DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. For instructions about how to update the Web UI, read the webapps README file.

**Updating Web UI assets**

After you commit a change to the webapps repo, you need to update the Web UI assets in the webassets/ git submodule.

Run make update-webassets to update the webassets repo and create a PR for teleport to update its git submodule.

You will need to have the gh utility installed on your system for the script to work. For installation instructions, read the GitHub CLI installation documentation.

**Managing dependencies**

All dependencies are managed using Go modules. Here are the instructions for some common tasks:

**Add a new dependency**

Latest version:

go get github.com/new/dependency

and update the source to use this dependency.

To get a specific version, use go get github.com/new/dependency@version instead.

**Set dependency to a specific version**

go get github.com/new/dependency@version

**Update dependency to the latest version**

go get -u github.com/new/dependency

**Update all dependencies****Debugging dependencies**

Why is a specific package imported?

go mod why $pkgname

Why is a specific module imported?

go mod why -m $modname

Why is a specific version of a module imported?

go mod graph | grep $modname

**Why did We Build Teleport?**

The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third-party firewalls. This only magnifies complexity and increases operational overhead.

We had a choice, either start a security consulting business or build a solution that's dead-easy to use and understand. A real-time representation of all of your servers in the same room as you, as if they were magically _teleported_. Thus, Teleport was born!

**More Information**

*   Teleport Getting Started
*   Teleport Architecture
*   Reference
*   FAQ

**Support and Contributing**

We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in Github, so feel free to create a PR or file an issue if you have ideas for improvements. If you still have questions after reviewing our docs, you can also:

*   Join Teleport Discussions to ask questions. Our engineers are available there to help you.
*   If you want to contribute to Teleport or file a bug report/issue, you can create an issue here in Github.
*   If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.

**Is Teleport Secure and Production Ready?**

Teleport is used by leading companies to enable engineers to quickly access any computing resource anywhere. Teleport has completed several security audits from the nationally recognized technology security companies. We make some our audits public, view our latest audit reports.. We are comfortable with the use of Teleport from a security perspective.

You can see the list of companies who use Teleport in production on the Teleport product page.

You can find the latest stable Teleport build on our Releases page.

**Who Built Teleport?**

Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. Learn more about Teleport and our history.

Tag

#windows