The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issues an advisory that identifies nine “vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCastX, which is an in-person voting system used to allow voters to mark their ballot.”

CISA identified 9 Dominion malicious code & forgery vulnerabilities in June 2022.

The 9 identified vulnerabilities are as follows (emphasis added; links in sub-heads go to official definitions of vulnerabilities):

  • Improper verification of cryptographic signature. “An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.”
  • Mutable attestation or measurement reporting data. “The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device.”
  • Hidden functionality. “The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.”
  • Improper protection of alternate path. “The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.”
  • Path traversal ‘../filedir.’ “The tested version of ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.”
  • Execution with unnecessary privileges. “Applications on the tested version of ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.”
  • Authentication bypass by spoofing. “The authentication mechanism used by technicians on the tested version of ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.”
  • Incorrect privilege assignment. “The authentication mechanism used by poll workers to administer voting using the tested version of ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.”
  • Origin validation error. “The authentication mechanism used by voters to activate a voting session on the tested version of ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.”

“Exploitation of these vulnerabilities would require physical access to individual ImageCastX devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCastX devices,” CISA says in its summary.

CISA says it “has no evidence that these vulnerabilities have been exploited in any elections.”

Source:
1. https://www.cisa.gov/news-events/ics-advisories/icsa

1. Don’t several of these issues show that a foreign regime, if it owned or controlled source codes of software, could do exactly what CISA says could be done to manipulate American elections?

2. Since CISA states absolutely that it “has no evidence that these vulnerabilities have been exploited in any elections,” isn’t CISA saying that the intelligence community has never detected anything, anywhere?

3. What does that have to say about our intelligence capabilities, and the people running them, if they cannot detect ANY foreign exploitation of our election system vulnerabilities?

4. Why did the Department of Justice approve the Premier sale to Dominion of Dominion was wreaked with so many security flaws?

5. What does this say about the DOJ’s action?

6. How did assets as well-connected as Frank Holder influence the collection, analysis, and assessments of intelligence on Venezuela or Cuba’s attempts to influence or manipulate our elections through exploiting Venezuela-origin technology?