On November 30, 2022, Qualys' Threat Research Unit (TRU) disclosed a new Linux vulnerability that can be chained with two other flaws, each harmless on its own, to gain root privileges. The new vulnerability, tracked as CVE-2022-3328, is a race condition in Snapd, the Canonical-developed tool for packaging and deploying Snap software. Specifically, the flaw lies in snap-confine, the setuid-root helper that snapd uses to set up the execution environment for Snap applications. snap-confine is installed by default on Ubuntu, whose developers rate CVE-2022-3328 as a high-severity flaw that can lead to privilege escalation and arbitrary code execution. The race condition was introduced in February 2022 by the patch for an earlier snap-confine flaw, CVE-2021-44731.

The two flaws it is chained with, CVE-2022-41973 and CVE-2022-41974, affect multipathd, a daemon that monitors storage paths for failures and runs as root in default installations of Ubuntu and other distributions. CVE-2022-41973 is a symlink attack that lets a local attacker write to files they should not control and thereby get malicious code executed as root; CVE-2022-41974 is an authorization bypass that lets an unprivileged user submit privileged commands to multipathd. By combining the Snapd race condition with these two multipathd flaws, any unprivileged local user can gain root privileges on a vulnerable system. Qualys researchers verified the vulnerability, developed an exploit, and obtained full root privileges on a default installation of Ubuntu. Qualys notes that the flaw cannot be exploited remotely, but warns that it is dangerous because any unprivileged local user can exploit it. The firm has published technical details but has not yet released a proof-of-concept exploit.