Jul 29, 2024
Don't let others silence your voice.
seen from Finland
seen from Georgia
seen from T1
seen from China
seen from Belgium
seen from United States
seen from Belgium
seen from Japan
seen from T1
seen from Kazakhstan
seen from T1
seen from Japan
seen from Georgia
seen from Türkiye
seen from Germany
seen from Romania
seen from Australia
seen from T1
seen from India
seen from United Kingdom
Don't let others silence your voice.
I'm old enough to remember it was a conspiracy theory when Trump said so.
Now the government admits how vulnerable the system is.
1. SUMMARY This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is
2.2 VULNERABILITY OVERVIEW
NOTE: Mitigations to reduce the risk of exploitation of these vulnerabilities can be found in Section 3 of this document.
2.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347
The tested version of ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.
CVE-2022-1739 has been assigned to this vulnerability.
2.2.2 MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283
The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device.
CVE-2022-1740 has been assigned to this vulnerability.
2.2.3 HIDDEN FUNCTIONALITY CWE-912
The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.
CVE-2022-1741 has been assigned to this vulnerability.
2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424
The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.
CVE-2022-1742 has been assigned to this vulnerability.
2.2.5 PATH TRAVERSAL: '../FILEDIR' CWE-24
The tested version of ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.
CVE-2022-1743 has been assigned to this vulnerability.
2.2.6 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250
Applications on the tested version of ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.
CVE-2022-1744 has been assigned to this vulnerability.
2.2.7 AUTHENTICATION BYPASS BY SPOOFING CWE-290
The authentication mechanism used by technicians on the tested version of ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.
CVE-2022-1745 has been assigned to this vulnerability.
2.2.8 INCORRECT PRIVILEGE ASSIGNMENT CWE-266
The authentication mechanism used by poll workers to administer voting using the tested version of ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.
CVE-2022-1746 has been assigned to this vulnerability.
2.2.9 ORIGIN VALIDATION ERROR CWE-346
The authentication mechanism used by voters to activate a voting session on the tested version of ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.
CVE-2022-1747 has been assigned to this vulnerability.
2.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS Government Facilities / Election Infrastructure
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: Denver, Colorado
2.4 RESEARCHER
J. Alex Halderman, University of Michigan, and Drew Springall, Auburn University, reported these vulnerabilities to CISA.
3. MITIGATIONS
CISA recommends election officials continue to take and further enhance defensive measures to reduce the risk of exploitation of these vulnerabilities. Specifically, for each election, election officials should:
Contact Dominion Voting Systems to determine which software and/or firmware updates need to be applied. Dominion Voting Systems reports to CISA that the above vulnerabilities have been addressed in subsequent software versions.
Ensure all affected devices are physically protected before, during, and after voting.
Ensure compliance with chain of custody procedures throughout the election cycle.
Ensure that ImageCast X and the Election Management System (EMS) are not connected to any external (i.e., Internet accessible) networks.
Ensure carefully selected protective and detective physical security measures (for example, locks and tamper-evident seals) are implemented on all affected devices, including on connected devices such as printers and connecting cables.
Close any background application windows on each ImageCast X device.
Use read-only media to update software or install files onto ImageCast X devices.
Use separate, unique passcodes for each poll worker card.
Ensure all ImageCast X devices are subjected to rigorous pre- and post-election testing.
Disable the “Unify Tabulator Security Keys” feature on the election management system and ensure new cryptographic keys are used for each election.
As recommended by Dominion Voting Systems, use the supplemental method to validate hashes on applications, audit log exports, and application exports.
Encourage voters to verify the human-readable votes on printout.
Conduct rigorous post-election tabulation audits of the human-readable portions of physical ballots and paper records, to include reviewing ballot chain of custody and conducting voter/ballot reconciliation procedures. These activities are especially crucial to detect attacks where the listed vulnerabilities are exploited such that a barcode is manipulated to be tabulated inconsistently with the human-readable portion of the paper ballot. (NOTE: If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print barcodes for tabulation.)
Contact Information
For any questions related to this report, please contact the CISA at:
Wow, this is really screwed up, and nobody knows about it. Let's shine a light on this critical topic.
Why doesn't congress know about this? Let's tag MTG, Jim Jordan, and Matt Gaetz?
Thank you, Anon!
Love, JD 😜💋
Our Man Patrick Howley! Biden Implicated in Dominion Voting Scam
Our Man Patrick Howley! Biden Implicated in Dominion Voting Scam
What do we know is Biden took money from numerous countries that include Serbia! Patrick Howley is one of the last investigative journalists on the planet willing, to tell the truth, no matter which side you’re on. Following him on Twitter and follow the National File. Dominion Voting Systems shares an office floor with the George Soros-funded left-wing Tides Foundation in Toronto, NATIONAL…
View On WordPress
Did you know about this?
This is a scam that appears especially targeted to millennials and new voters.
Please spread the word.