Mozilla patches two 0-day vulnerabilities
Mozilla has issued a security advisory patching two 0-day vulnerabilities that are reportedly being actively exploited and affect Firefox, Focus and Thunderbird. Both vulnerabilities were reported by the company 360 ATA security team. The first one, classified as CVE-2022-26485, is a use-after-free vulnerability in XSLT parameter processing, which allows document conversion. The second one, classified as CVE-2022-26486, is a use-after-free vulnerability in the WebGPU IPC framework. If exploited, a threat actor could execute code remotely, bypassing security, and could even compromise the device by downloading malicious code. Both vulnerabilities are fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0 and Focus 97.3.0. Mozilla recommends updating as soon as possible.
Dirty Pipe: new vulnerability in the Linux kernel
Security researcher Max Kellermann has published details of a new vulnerability in the Linux kernel from version 5.8 that would allow local users to gain root privileges through exploits that are already publicly available. Identified as CVE-2022-0847 and with a CVSSv3 of 7.8, the bug would allow an unprivileged local user to inject and overwrite random data in read-only files, including SUID processes running as root, leading to privilege escalation on the affected system and even making it possible to manipulate sensitive files such as those located in the /etc/passwd path, which would allow the root user’s password to be removed. In his publication, the researcher shares a proof of concept (PoC) and points out the similarity of this vulnerability with “Dirty Cow” (CVE-2016-5195), which came to light in October 2016, although on this occasion its exploitation would be less complex and groups such as Anonymous have already spoken out about it. The vulnerability has already been fixed in Linux versions 5.16.11, 5.15.25 and 5.10.102, so it is recommended to patch it as soon as possible given its potential impact if successfully exploited.
All the details: https://dirtypipe.cm4all.com/
Microsoft update bulletin
Microsoft has published its security bulletin for the month of March in which it reports the correction of a total of 74 flaws, including three critical vulnerabilities according to the firm and three 0-days that are reportedly not being actively exploited.
- Critical vulnerabilities according to Microsoft: The most critical of the three flaws (CVE-2022-23277 CVSSv3 8.8) affects Microsoft Exchange Server and allows an authenticated attacker to target server accounts with the goal of executing remote code with ADMIN privileges, due to a flaw in memory management by the server. The other two flaws also classified as critical by Microsoft, CVE-2022-22006 and CVE-2022-24501, both with CVSSv3 7.8, affect the HEVC and VP9 video extensions but their exploitation requires social engineering as it requires the victim to download and open a specially modified file.
- 0-days: The most serious flaw of this type, CVE-2022-21990 CVSSv3 8.8, allows remote code execution in RDP. Some researchers point out that this flaw should be considered critical and stress that, although it is not actively exploited yet, it may be exploited soon since a proof-of-concept is already available. The other two 0-day fixes are identified as CVE-2022-23285 CVSSv3 8.8 and CVE-2022-24503 CVSSv3 5.4.
UEFI firmware vulnerabilities
HP, in conjunction with the Binarly team, have discovered multiple high-impact vulnerabilities related to UEFI firmware, which are reportedly affecting different HP products such as laptops and desktops, or perimeter nodes and point-of-sale (PoS) systems. These have been classified as CVE-2021-39298 with CVSSv3 8.8, CVE-2021-39297, CVE-2021-39299, CVE-2021-39300 and CVE-2021-39301, all with CVSSv3 of 7.5. When exploited, a threat agent could inject malicious code, escalate privileges, as well as remain on devices after operating system updates. HP has provided firmware updates and instructions on how to update the BIOS.
All the information: https://support.hp.com/us-en/document/ish_5661066-5661090-16
Analysis of the resurgence of Emotet
Researchers at Black Lotus Labs have published an analysis of evidence of the resurgence of the Emotet botnet since November 2021. The researchers indicate that since then, the botnet has shown a sharp increase in activity through approximately 130,000 unique bots spread across 179 countries, accumulating more than 1.6 million infected devices. The malware resurfaced using Trickbot as a delivery method, and although its Command&Control (C2) structure was reportedly reinstated in November, the addition of bots was not announced until January. The technical details of the report reveal that Emotet has made notable changes to its operation, such as the algorithm used to encrypt network traffic, which is now based on elliptic cryptography (ECC); or the change in the tiering model, marked by the absence of Bot C2, although it is not known whether this is a temporary or permanent change. As Emotet is distributed via compromised emails with malicious attachments, the researchers recommend intensifying anti-phishing preventive measures and monitoring network resources to prevent possible downstream incidents.
More info: https://blog.lumen.com/emotet-redux/