
Hidden Dangers in Third-Party Supply Chain



A supply chain attack refers to any cyberattack targeting a third-party vendor within an organization's supply chain. Historically, these attacks have exploited trust relationships, aiming to breach larger organizations by compromising smaller, less secure suppliers.

The Growing Threat of Software Supply Chain Attacks

While traditional supply chain attacks remain a concern, the software supply chain poses an even greater threat. Modern development practices rely heavily on third-party components, including APIs, open-source software, and proprietary products, creating vulnerabilities across multiple systems.

In the event of a security breach, the integrity of these systems can be compromised. A recent study highlights that many vulnerabilities in digital systems go unnoticed, exposing businesses to significant risks. Increased reliance on third-party software and complex supply chains has expanded the threat landscape beyond internal assets to external dependencies.

Key Findings from the 2024 State of External Exposure Management Report

The 2024 State of External Exposure Management Report underscores several critical vulnerabilities:

  • Web Servers: Web server environments are among the most vulnerable assets, accounting for 34% of severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server host more severe issues than 54 other environments combined.
  • Cryptographic Protocols: Vulnerabilities in protocols like TLS (Transport Layer Security) and HTTPS contribute to 15% of severe issues on the attack surface. These protocols, essential for secure communication, often lack proper encryption, making them a significant security concern.
  • Web Application Firewalls (WAFs): Only half of the web interfaces handling personally identifiable information (PII) are protected by a WAF. Moreover, 60% of interfaces exposing PII lack WAF coverage, increasing the risk of exploitation by cybercriminals.

Challenges in Vulnerability Management

Outdated vulnerability management approaches often leave assets exposed to increased risks. Organizations must adopt a proactive strategy to mitigate these threats, beginning with a thorough assessment of supply chain risks.

Steps to Secure the Supply Chain

  1. Assess Supplier Security Postures: Evaluate suppliers' data access and organizational impact, and categorize them into risk profiles based on vulnerability levels.
  2. Conduct Risk Assessments: Use questionnaires, on-site visits, and process reviews to identify weaknesses within the supply chain.
  3. Visualize Risks: Utilize interaction maps to gain a clearer understanding of supply chain vulnerabilities and develop a comprehensive security strategy addressing both physical and virtual risks.
  4. Collaborate with Leadership: Ensure senior leadership aligns security priorities to mitigate threats such as ransomware, data breaches, and sabotage.

Addressing Endpoint Vulnerabilities

With the rise of remote work, monitoring supplier endpoints has become critical. Risks such as device theft, data leaks, and shadow IT require proactive measures. While VPNs and virtual desktops are commonly used, they may fall short, necessitating continuous monitoring of telework environments.

Continuous Monitoring and Threat Management

Effective risk management requires continuous monitoring to protect critical assets and customer information. Organizations should prioritize advanced protective measures, including:

  • Threat Hunting: Identify potential breaches before they escalate, reducing the impact of cyberattacks.
  • Centralized Log Aggregation: Facilitate comprehensive analysis and anomaly detection through a unified system view.
  • Real-Time Monitoring: Enable swift response to security incidents, minimizing potential damage.

Building a Resilient Cybersecurity Framework

A robust, integrated risk monitoring strategy is essential for modern cybersecurity. By consolidating proactive practices into a cohesive framework, organizations can enhance visibility, close detection gaps, and fortify supply chains against sophisticated attacks. This approach fosters resilience and maintains trust in an increasingly complex digital landscape.

Apache Addresses Severe RCE Vulnerability in OFBiz with an Urgent Patch



The Apache OFBiz project has released a patch for a new critical flaw in the software that unauthenticated attackers can exploit to execute arbitrary code on the server. Because attackers are likely to exploit this vulnerability in real-world attacks, users are advised to deploy the patch as soon as possible.

The high-severity vulnerability, identified as CVE-2024-45195 (CVSS score: 7.5), affects Apache OFBiz, a popular open-source enterprise resource planning (ERP) system. In the field of enterprise process automation, Apache OFBiz® from the Apache Software Foundation consists of framework components and applications as well as a business process automation framework.

The vulnerability is a Direct Request ('Forced Browsing') weakness in Apache OFBiz. All versions of the software before 18.12.16 are affected. CVE-2024-45195 follows a sequence of severe vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, that the project maintainers had already addressed over the past several months.

CVE-2024-32113 and CVE-2024-38856 both appear to be actively exploited in the wild, and the former is used to distribute the Mirai botnet malware. According to Rapid7, the root cause was the ability to desynchronize the controller state from the view map state, something that was never completely resolved in any of the patches released, and which led to all three of the earlier shortcomings.

The vulnerability may allow attackers to execute code and SQL queries remotely without authentication. The latest patch validates that a view allows anonymous access when a user is not authenticated, rather than performing authorization checks based solely on the target controller. CVE-2024-38856 and CVE-2024-32113 are, in fact, critical vulnerabilities, and they have been actively targeted by attackers in the past few months.

The Cybersecurity and Infrastructure Security Agency added them to its Known Exploited Vulnerabilities catalogue in August. There has been speculation that companies can have a hard time resolving the underlying causes of vulnerabilities because of their size. It is sometimes difficult to judge whether a patch is effective until several researchers have tried to bypass it. Rapid7, which identified and reported the vulnerability, suggests that the three security defects are essentially the same bug because all three stem from the same source code.

In a report published in early May, CVE-2024-32113 was described as an issue in which a malicious user could navigate through an unauthenticated controller and interact with an authenticated view map, granting access to an admin-only view map or allowing SQL commands to be executed on it. Exploitation attempts were observed in July.

A second vulnerability, CVE-2024-36104, disclosed in early June, was also described as a path traversal vulnerability; its fix removes several problematic elements from the URI, including semicolons and URL-encoded periods. In early August, Apache drew attention to a further vulnerability, CVE-2024-38856.

This has been described as a security flaw that could allow code execution due to incorrect authorization. CISA, the United States cyber defense agency, announced towards the end of August that the bug had been added to its list of Known Exploited Vulnerabilities (KEVs). Rapid7 said that all three issues are the result of controller-view map state fragmentation, which can occur when an application receives URI patterns that it does not expect.

Because the root cause of the three vulnerabilities is the same, CVE-2024-38856 works on systems affected by CVE-2024-32113 and CVE-2024-36104, "since the payload for all three vulnerabilities is the same". The CVE-2024-32113 OFBiz vulnerability (patched in May) was being exploited in attacks by hacker groups just days after SonicWall researchers published detailed technical details on CVE-2024-38856, a pre-authentication RCE bug.

CISA issued a warning regarding this CVE in early August. In addition to adding the two security bugs to its catalogue of actively exploited vulnerabilities, CISA announced that federal agencies must patch their servers within the three-week deadline mandated by the binding operational directive (BOD 22-01) issued in November 2021.

Even though BOD 22-01 only applies to agencies of the Federal Civilian Executive Branch (FCEB), CISA is urging all organizations to patch these security flaws immediately to prevent attacks against their networks. A public proof-of-concept exploit for the OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) was used in December to identify Confluence servers vulnerable to the exploit.

The exploit was based on public proof-of-concept exploits. Having discovered a new view map to abuse, XmlDsDump, Emmons could query the underlying database for any available data and then write the results to any file, anywhere on the disk, without restriction.

The dumped data could include hashed passwords of users defined in the system, which could then be cracked to reveal their passwords. The researcher took this one step further by combining it with a script already present in the system, ViewDataFile.groovy, which writes files to disk from request data, and used it to build a web shell that enabled remote code execution on the server.

In response to this flaw, OFBiz developers produced a more comprehensive fix that no longer relies only on the non-centralized authorization checks on the view maps, but also takes into account the authorization checks on the target controllers of those view maps.
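To make the root cause concrete, here is a small Python model of the two authorization policies described above: a controller-only check beside the patched check that also validates the view that will actually render. This is an added illustration written for this page, not OFBiz code; the controller and view names, the `auth` flags and the URI normalization rules are constructed from the page's description.

```python
from urllib.parse import unquote

# Constructed toy routing tables (not OFBiz data): a controller request maps
# to a default view, but an extra path segment can select a view directly.
CONTROLLERS = {"login": {"auth": False, "view": "LoginView"},
               "admin": {"auth": True, "view": "AdminView"}}
VIEWS = {"LoginView": {"auth": False}, "AdminView": {"auth": True}}


def normalize_uri(uri: str) -> str:
    """Strip semicolon path parameters and decode URL-encoded periods before
    routing, so the path that is authorized is the path that is resolved."""
    uri = unquote(uri)                                   # %2e -> .
    segments = [seg.split(";", 1)[0] for seg in uri.split("/")]
    return "/".join(seg for seg in segments if seg not in ("", "."))


def resolve(uri: str):
    """Return (controller, view_override). The trailing segment, if present,
    overrides the controller's view: this is the forced-browsing path."""
    parts = normalize_uri(uri).split("/")
    controller = parts[0]
    override = parts[1] if len(parts) > 1 else None
    return controller, override


def authorize_old(uri: str, authenticated: bool) -> bool:
    """Pre-patch logic: only the target controller's auth flag is checked,
    so an anonymous controller can be chained to a privileged view."""
    controller, _ = resolve(uri)
    ctrl = CONTROLLERS.get(controller)
    if ctrl is None:
        return False
    return authenticated or not ctrl["auth"]


def authorize_fixed(uri: str, authenticated: bool) -> bool:
    """Patched logic: an unauthenticated user is allowed only if both the
    controller and the view that will render permit anonymous access."""
    controller, override = resolve(uri)
    ctrl = CONTROLLERS.get(controller)
    if ctrl is None:
        return False
    view = VIEWS.get(override or ctrl["view"])
    if view is None:
        return False
    if authenticated:
        return True
    return not ctrl["auth"] and not view["auth"]
```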