
New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats


Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in large-scale ransomware attacks. Organisations are advised to investigate their environments for these vulnerabilities promptly and apply the relevant fixes and mitigations.

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 is an improper access control flaw in the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. It has drawn the attention of managed security providers such as Arctic Wolf, who report that ransomware groups such as Fog and Akira are exploiting it in SSL VPN setups to breach networks.

CVE-2024-9264: Grafana Labs

The 9.4-rated vulnerability, CVE-2024-9264, affects the SQL Expressions feature of Grafana Labs' open-source analytics and monitoring platform. The flaw allows command injection and local file inclusion because user input in 'duckdb' queries is not properly sanitised.

CVE-2024-46483: Xlight FTP Server

This critical integer overflow bug affects the Xlight FTP Server, allowing attackers to exploit its packet parsing logic and cause heap overflows. With public proof-of-concept (PoC) code available, the vulnerability could be used in a range of attacks.

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.

Ransomware Attackers Are Weaponizing PHP Flaw to Infect Web Servers


Security researchers revealed that ransomware attackers have quickly weaponised an easy-to-exploit vulnerability in the PHP programming language that allows malicious code to be executed on web servers.

As of Thursday last week, Censys' Internet scans had found 1,000 servers infected with the TellYouThePass ransomware strain, down from 1,800 on Monday. The servers, largely based in China, no longer display their usual content; instead, many list the site's file directory, which shows that every file has a .locked extension, indicating that it has been encrypted. The accompanying ransom note demands around $6,500 in exchange for the decryption key.

The vulnerability, tracked as CVE-2024-4577 and assigned a severity rating of 9.8 out of 10, stems from flaws in PHP's conversion of Unicode characters to ASCII. Best Fit, a feature built into Windows, enables attackers to use argument injection to turn user-supplied data into characters that pass malicious commands to the main PHP application. The exploits let attackers bypass the fix for CVE-2012-1823, a significant code execution vulnerability patched in PHP in 2012.

CVE-2024-4577 only affects PHP when it is run in CGI mode, which involves a web server parsing HTTP requests and passing them to a PHP script for processing. Even if PHP is not configured to use CGI mode, the vulnerability may still be exploitable if PHP executables such as php.exe and php-cgi.exe are located in directories accessible to the web server. This setup is fairly uncommon, with the exception of the XAMPP platform, which includes it by default. An extra requirement appears to be that the Windows locale, which is used to personalise the OS to the user's local language, be set to Chinese or Japanese. 
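The CGI-mode exposure described above can be checked for in web-server logs. The following Python script is an added example (not from Censys, Imperva or this article): it flags access-log requests that reach a PHP CGI binary such as php-cgi.exe or php.exe, query strings that begin with a hyphen after percent-decoding (the shape of an argument-injection attempt), and non-ASCII bytes in queries aimed at PHP, which is where the Best Fit conversion comes into play. The log lines are constructed, and the set of binary names and the log format are assumptions for the example; the script is a triage aid, not proof of compromise.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Binaries the article names as the exposure condition. The set is an
# assumption for this example and can be extended for other layouts.
PHP_BINARIES = {"php-cgi.exe", "php.exe", "php-cgi"}

# Common/combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2024:12:00:05 +0000] "GET /php-cgi/php-cgi.exe?%2Dv HTTP/1.1" 200 77
203.0.113.9 - - [10/Jun/2024:12:00:06 +0000] "POST /index.php?name=%C3%A9 HTTP/1.1" 200 77
198.51.100.4 - - [10/Jun/2024:12:00:09 +0000] "GET /xampp/php/php.exe?-h HTTP/1.1" 200 1024
198.51.100.4 - - [10/Jun/2024:12:00:10 +0000] "GET /static/app.js HTTP/1.1" 200 4096
"""


def _has_non_ascii_escape(raw_query: str) -> bool:
    """True if the raw (still percent-encoded) query carries a byte >= 0x80."""
    return re.search(r"%[89A-Fa-f][0-9A-Fa-f]", raw_query) is not None


def analyse_request(target: str) -> List[str]:
    """Return the reasons a request target deserves review (empty list if none)."""
    path, _, raw_query = target.partition("?")
    # Normalise the path: decode escapes, unify separators, ignore case (Windows).
    norm_path = unquote(path).replace("\\", "/").lower()
    basename = norm_path.rsplit("/", 1)[-1]
    reasons: List[str] = []

    hits_binary = basename in PHP_BINARIES
    if hits_binary:
        reasons.append("request reaches a PHP CGI binary")

    targets_php = hits_binary or basename.endswith(".php")
    # '+' is a space in query strings; decode before looking at the first character.
    decoded_query = unquote(raw_query.replace("+", " ")).strip()
    if targets_php and decoded_query.startswith("-"):
        reasons.append("query string starts with a hyphen (argument-injection shape)")

    if targets_php and _has_non_ascii_escape(raw_query):
        reasons.append("non-ASCII bytes in a query to PHP (review: Best Fit conversion)")
    return reasons


def scan_access_log(text: str) -> List[Dict]:
    """Scan log text line by line; return one finding per suspicious request."""
    findings: List[Dict] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = analyse_request(m["target"])
        if reasons:
            findings.append(
                {"line": line_no, "client": m["client"], "target": m["target"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

Pass the contents of an exported access log to scan_access_log(). The non-ASCII check is the noisiest of the three and is meant for review rather than alerting, since sites serving non-English content see such queries routinely; a match is a reason to confirm the PHP version and whether the CGI binaries are reachable, not a confirmed exploit.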

The critical vulnerability was made public on June 6, along with a security fix. Attackers were exploiting it within 24 hours to install TellYouThePass, Imperva researchers disclosed last week. The exploits delivered malware that used the Windows binary mshta.exe to launch an HTML application hosted on an attacker-controlled server. The use of that program reflects a strategy known as living off the land, in which attackers employ native OS features and tools to blend in with routine, non-malicious activity.

In a post published Friday, Censys researchers stated that the TellYouThePass gang's exploitation began on June 7 and mirrored previous incidents in which the group opportunistically mass-scanned the Internet for vulnerable systems following a high-profile vulnerability disclosure and indiscriminately targeted any accessible server. The vast majority of affected servers have IP addresses in China, Taiwan, Hong Kong, or Japan, most likely because Chinese and Japanese locales are the only ones verified to be vulnerable, Censys researchers noted in an email.

“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” researchers added. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”

Apple Warns Windows Users: Critical Security Vulnerability in iTunes

Apple has confirmed a critical security flaw in the iTunes application for Windows 10 and Windows 11 that could have allowed attackers to execute code remotely, the company said in a support article published on May 8.

Willy R. Vasquez, a security researcher at the University of Texas at Austin, uncovered the vulnerability, tracked as CVE-2024-27793. It affects the CoreMedia framework, which processes media samples and manages media data queues in iTunes.

About CVE-2024-27793

Willy R. Vasquez, a Ph.D. scholar and security expert at The University of Texas at Austin, discovered CVE-2024-27793 and contributed sandboxing code to the Firefox 117 web browser. The vulnerability, rated critical by the Common Vulnerability Scoring System v3, affects the CoreMedia framework, which provides the media pipeline used to process media samples and handle batches of media information, says Apple.

The flaw allows an attacker to execute arbitrary code by sending a maliciously crafted request during the file processing. It is critical to highlight that the attacker does not need physical access to the Windows PC, as the exploitation can be carried out remotely. 

The vulnerability explained

The CVSS v3 critical score of 9.1 out of 10 is driven mainly by the potential for remote code execution. The root cause of the flaw was inadequate checks inside the CoreMedia framework component, which Apple fixed with improved checks in the most recent release.

According to the Vulnerability Database resource, CVE-2024-27793 can be exploited remotely without authentication, although successful exploitation requires user interaction, such as clicking a link or visiting a website where CoreMedia processes the malicious file.

The ease of exploitation and potential impact of arbitrary code execution emphasize the seriousness of this issue. Users should upgrade their iTunes programs to the most recent version to protect themselves from any attacks exploiting this security weakness.

Protecting Your System

Here are some steps you can take to safeguard your system:

  • Update iTunes: Ensure that you’re running the latest version of iTunes. Apple’s security patches are typically included in software updates, so staying up-to-date is essential.
  • Be Cautious: Avoid clicking on suspicious links or visiting untrusted websites. Malicious actors often use social engineering tactics to trick users into interacting with harmful content.
  • Regular Backups: Regularly back up your data to an external drive or cloud storage. In case of a security breach, having backups ensures that you won’t lose critical files.
  • Use Antivirus Software: Install reputable antivirus software and keep it updated. Antivirus tools can detect and block known threats, providing an additional layer of defense.

Atlassian Warns of Critical Confluence Vulnerability Resulting in Data Loss


Just weeks after state-backed hackers targeted its products, Australian software giant Atlassian has warned of a critical security flaw that could result in "significant data loss" for customers. 

The company issued an advisory this week urging customers to patch the vulnerability, which affects on-premise versions of Atlassian Confluence Data Centre and Server, a widely used collaborative wiki system that enterprises use to manage and share work. The product was recently targeted by Chinese state-sponsored hackers, who compromised a "handful" of Atlassian customers by exploiting a separate vulnerability carrying the maximum rating of 10.0.

This latest vulnerability is classified as an "improper authorization vulnerability." It is tracked as CVE-2023-22518 and has received a severity rating of 9.1 out of 10. According to Atlassian, "significant data loss if exploited by an unauthenticated attacker" could result from it.

There is "no impact to confidentiality as an attacker cannot exfiltrate any instance data," according to Atlassian, which stated that as of October 31, there had been no reports of active exploitation. Additionally, this vulnerability does not impact sites hosted on the Atlassian Cloud that are accessible through an atlassian.net domain. 

The Atlassian CISO, Bala Sathiamurthy, stated in the company's advisory that customers need to take “immediate action” to protect their instances even though the flaw isn’t being actively exploited yet. 

Attention must be given immediately to all publicly accessible versions of Confluence Data Centre and Server, as they "are at critical risk." If administrators are unable to promptly upgrade to a fixed version, Atlassian has advised them to implement temporary mitigations. 

"Until you can patch, instances that are accessible to the public internet, including those that require user authentication, should be restricted from accessing external networks," the company stated. 

The video messaging startup Loom is set to be acquired by Atlassian for $975 million, the company noted earlier this month. For its platform, particularly Jira and Confluence, the company stated that it believes Loom can be a helpful collaboration tool.

PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"

Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Despite the fact that a patch has been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using Citrix hardware. 

What exactly is Citrix Bleed?

CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault. 

According to some estimates, 20,000 devices have already been compromised. The reason is that the leaked information may contain session tokens, which the hardware assigns to devices that have previously authenticated successfully, including those that completed MFA.

Attacks on the rise

Attacks have increased only recently, prompting security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He stated that as of Saturday, he has discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as susceptible Netscaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.

Easy to exploit vulnerabilities 

According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has acknowledged that this number contradicts his earlier estimate of 20,000 affected devices; it is unclear what causes the disparity.

The vulnerability is reasonably simple to exploit for experienced users. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.

What next? What should companies do to be safe?

Citrix Bleed is similar to Heartbleed, another major information leak vulnerability that rocked the Internet in 2014. This weakness, which was found in the OpenSSL code library, was widely exploited, allowing the theft of passwords, encryption keys, banking credentials, and other sensitive information. Citrix Bleed is less severe because fewer vulnerable devices are in operation.

Citrix Bleed, however, is still serious. Organizations should treat all NetScaler devices as compromised. That means patching any devices that remain unpatched, then rotating all credentials to ensure that any potentially leaked session tokens are expired. Mandiant, a security firm, provides comprehensive security advice here.

Multiple Severe Flaws Uncovered in CyberPower and Dataprobe Products


Alarm bells are ringing for the security of critical data centre operations after a number of security flaws were uncovered in Dataprobe's iBoot power distribution unit (PDU) and CyberPower's PowerPanel Enterprise Data Centre Infrastructure Management (DCIM) platform. 

The consequences of these vulnerabilities were outlined in a blog post written earlier this week by Trellix cybersecurity researchers Sam Quinn, Jesse Chick, and Philippe Laulheret. 

With severity ratings ranging from 6.7 to 9.8, these flaws might allow malicious actors to carry out large-scale attacks, penetrate and manipulate data, and even shut down entire data centres. 

The Dataprobe iBoot PDU vulnerabilities include CVE-2023-3259, which enables an attacker to bypass authentication by deserialising untrusted data, and CVE-2023-3260, which permits authenticated remote code execution via OS command injection.

A buffer overflow vulnerability, CVE-2023-3261, results in a denial-of-service (DoS) condition. CVE-2023-3262 highlights the risk posed by the system's reliance on hard-coded credentials. The last vulnerability, CVE-2023-3263, allows authentication to be bypassed using an alternate name.

Two of the CyberPower PowerPanel Enterprise vulnerabilities involve the use of hard-coded credentials (CVE-2023-3264) and an authentication bypass through improper neutralisation of escape, meta, or control sequences (CVE-2023-3265).

Additionally, CVE-2023-3266 demonstrates an authentication bypass resulting from inaccurate standard protocol security check implementation, and CVE-2023-3267 makes it possible for authenticated remote code execution via OS command injection.

The most recent versions of PowerPanel Enterprise (2.6.9) and the Dataprobe iBoot PDU firmware (1.44.08042023) contain patches for these vulnerabilities, although their potential impact remains wide-ranging.

Last week, when the researchers presented their findings at the DEF CON security conference, they emphasised that there is currently no evidence that these vulnerabilities are being actively exploited.

To maintain the security of their data centres, organisations must nevertheless take proactive actions. Customers are urged to download and apply the fixes right now.

To further reduce the dangers related to potential zero-day exploits, additional measures are recommended. As part of this, make sure the PowerPanel Enterprise or iBoot PDU is cut off from the public internet, especially by blocking remote access via Dataprobe's cloud service.

Critical Baicells Device Vulnerability Could Make Telecom Networks Vulnerable to Spying


Baicells Technologies is a US-based manufacturer of 4G and 5G telecommunications equipment. According to the company, more than 100,000 of its base stations have been installed in 64 different nations worldwide. 

A serious flaw in wireless communication base stations made by Baicells Technologies can be used to take full control of voice and data traffic or to disrupt telecom networks, the latest report revealed. 

Rustam Amin, a threat analyst, found that at least some of Baicells' Nova base station products are vulnerable to a serious command injection flaw that can be exploited remotely without authentication by sending specially crafted HTTP requests to the targeted device.

Amin said that by exploiting the flaw, tracked as CVE-2023-24508, an attacker may be able to execute shell commands with root privileges and take full control of a device. The researcher explained that an attacker could quickly shut a device down to disrupt operations, and could gain complete control over a targeted network's phone calls and traffic. Phone numbers, IMEIs, and location data could all be obtained by an attacker.

However, carrying out such an attack is not a simple task and requires in-depth knowledge of the targeted network. Amin told SecurityWeek that there are more than 1,150 internet-accessible devices, most of them located in the United States. On January 24, Baicells released an advisory to inform customers about the flaw.

The researcher reported that the vendor responded to his notification promptly and released a patch soon after. The affected base stations are Nova 227, 233, 243, and 246, and the flaw is fixed in version 3.7.11.3. Although other products may also be affected, the vendor's advisory lists only Nova products.

Last week, a warning about CVE-2023-24508 was released by the US Cybersecurity and Infrastructure Security Agency (CISA). Amin recently found several flaws that might be used to manipulate traffic signals in the Econolite EOS traffic controller software.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical vulnerability in Atlassian's Bitbucket Server and Data Center and two Microsoft Exchange zero-days.

At the end of August, Atlassian fixed a security flaw tracked as CVE-2022-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The critical-severity command injection vulnerability allows attackers to achieve arbitrary code execution by sending malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian states in an advisory released in late August.

Although CISA did not provide further details on how the flaw is being exploited or how widespread the exploitation is, researchers at GreyNoise confirmed on September 20 and 23 that they had detected evidence of in-the-wild abuse.

The other two KEV flaws, the Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, have been exploited in limited, targeted attacks, according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigation measures for these three vulnerabilities now that they have been added to CISA's KEV catalog, as required by Binding Operational Directive 22-01 (BOD 22-01) issued in November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, requiring federal agencies to address them on a tight schedule.

Although BOD 22-01 applies only to U.S. FCEB agencies, CISA has urged all public and private sector organizations worldwide to prioritise these security flaws, as applying the mitigations will help contain potential attacks and breach attempts. CISA added: "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."

CVE-2021-26084: Critical Atlassian Confluence Flaw Exploited in the Wild

Atlassian has confirmed that malicious actors are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134, designed to install web shells with no fix available at this time. 

Atlassian released a security advisory stating that CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability affecting Confluence Server (7.18.0) and Data Center (7.4.0).

It said that all versions of Atlassian's corporate wiki system, Confluence, are affected by a serious bug under active exploitation. Experts suggest that Chinese threat actors may be behind the attacks.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company. 

As there are no patches available yet, Atlassian advised customers to make their servers inaccessible, either by restricting Confluence Server and Data Center instances from the internet or by disabling the instances altogether.

The attack was reported by security firm Volexity. Atlassian announced that security fixes for supported versions of Confluence would be available within 24 hours (estimated by end of day June 3 PDT). Organizations using Atlassian Cloud (accessible via atlassian.net) are not affected by this vulnerability.

“After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike…” reads the analysis published by Volexity.

“… As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out. Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.”

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL


Microsoft has recently patched a pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server that could have been exploited to execute malicious code. On Thursday, researchers from Wiz Research published an advisory on "ExtraReplica," describing it as a "cross-account database vulnerability" in Azure's infrastructure.

The first is a privilege escalation bug in a modification Microsoft made to the PostgreSQL engine; the second leverages that privilege escalation to give attackers cross-account access.

Microsoft Azure is a hybrid cloud service serving hundreds of thousands of enterprise customers. It offers software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).

It supports various programming languages, frameworks, and tools, both Microsoft-specific and third-party, and housing the data for various other Microsoft tools is one of its key features.

According to the report, the vulnerabilities could be used to bypass Azure's tenant isolation, which prevents users of software-as-a-service (SaaS) systems from accessing resources belonging to other tenants.

ExtraReplica's core attack vector is based on a flaw that gave full, unauthorised access to customer data across multiple databases within a region, the Wiz Research team added.

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Microsoft said it mitigated the vulnerabilities in the second week of January 2022, less than 48 hours after Wiz reported them. The company added that its investigation found no evidence that attackers had exploited the vulnerabilities to access customer data.

Critical Citrix DDoS Flaw Collapses Network Access


Cyberattackers could use a significant security flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway to disrupt entire corporate networks without requiring them to authenticate. 

The two Citrix products in question (previously the NetScaler ADC and Gateway) are used to manage application-aware traffic and to provide secure remote access, respectively. According to the alert, the company released a security patch on Tuesday for CVE-2021-22955, which permits unauthenticated denial of service (DoS) through uncontrolled resource consumption.

Citrix also fixed an issue of a lower severity that was caused by unmanaged resource usage. It affects both prior Citrix SD-WAN WANOP Edition products and the Citrix SD-WAN WANOP Edition appliance. The latter offers optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.

The second vulnerability, tracked as CVE-2021-22956, allows temporary disruption of a device's management GUI, the Nitro API used to configure and monitor NetScaler appliances, and remote procedure call (RPC) communication, which underpins distributed computing in Citrix environments.

In terms of potential impact, all three products are widely used around the world, with Gateway and ADC deployed in at least 80,000 organisations in 158 countries as of early 2020, according to Positive Technologies analysis at the time.

Any of this equipment going down could cut off remote and branch access to corporate assets and block cloud and virtual assets and applications in general. All of this makes them tempting targets for cybercriminals, and the Citrix ADC and Gateway in particular are no strangers to severe vulnerabilities.

About affected versions: 

Though Citrix did not provide technical details on the new vulnerabilities, VulnDB stated on Wednesday that “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” 

Despite Citrix's internal classification of "critical," VulnDB gave the issue a severity score of 5.1 out of 10. The site stated that the vulnerabilities are worth up to $5,000, and that "manipulation with an unknown input leads in a denial of service vulnerability...This will have a negative influence on availability." 

The vulnerabilities, according to the vendor, impact the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956): 
• Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 
• Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 
• Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 
• Citrix ADC 12.1-FIPS before 12.1-55.257 

Citrix SD-WAN WANOP Edition (CVE-2021-22956): 
• Models 4000-WO, 4100-WO, 5000-WO and 5100-WO 
• Version 11.4 before 11.4.2 
• Version 10.2 before 10.2.9c 
• The WANOP feature of SD-WAN Premium Edition is not impacted. 

To be vulnerable to the first Citrix ADC and Gateway flaw, appliances must be configured as a VPN or AAA virtual server. For the second bug, appliances must have management interface access to the NSIP or SNIP. Customers using Citrix-managed cloud services are not affected.
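The fixed-build list above is the check most administrators actually need to run against their inventory. The following is an added example (not Citrix code, and not from the advisory) that parses the build strings in the form Citrix uses and compares each host against the first fixed build for its release train; the host inventory and its build numbers are constructed for the example, while the fixed-build table is taken from the advisory text above. Note that it keys the 12.1-FIPS train separately, since its build numbering is lower than the non-FIPS 12.1 train, and it handles the trailing-letter point fixes used by SD-WAN WANOP (10.2.9c).

```python
"""Check Citrix build strings against the first fixed builds listed in the
advisory for CVE-2021-22955 and CVE-2021-22956.

Added example, not Citrix code. The host inventory below is constructed;
the fixed-build table comes from the advisory text.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per release train, as listed in the advisory.
# ADC/Gateway builds look like "13.0-83.27"; the 12.1-FIPS train has its own
# numbering, so it is keyed separately. SD-WAN WANOP builds look like "11.4.2"
# or "10.2.9c" (a trailing letter denotes a point fix).
FIXED_BUILDS: Dict[str, Dict[str, str]] = {
    "adc-gateway": {
        "13.0": "13.0-83.27",
        "12.1": "12.1-63.22",
        "11.1": "11.1-65.23",
        "12.1-FIPS": "12.1-55.257",
    },
    "sdwan-wanop": {
        "11.4": "11.4.2",
        "10.2": "10.2.9c",
    },
}

BUILD_RE = re.compile(r"([0-9]+(?:[.\-][0-9]+)*)([a-z]?)")


def parse_build(build: str) -> Tuple[Tuple[int, ...], str]:
    """Turn a build string into a tuple that sorts the way Citrix builds do.

    "13.0-83.27" -> ((13, 0, 83, 27), "")
    "10.2.9c"    -> ((10, 2, 9), "c")
    The optional trailing letter is compared after the numbers, so
    10.2.9 < 10.2.9a < 10.2.9c < 10.2.10.
    """
    m = BUILD_RE.fullmatch(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    numbers = tuple(int(p) for p in re.split(r"[.\-]", m.group(1)))
    return numbers, m.group(2)


def release_train(product: str, build: str, fips: bool = False) -> str:
    """'13.0-82.45' -> '13.0'; a FIPS ADC build on 12.1 -> '12.1-FIPS'."""
    numbers, _ = parse_build(build)
    train = f"{numbers[0]}.{numbers[1]}"
    if product == "adc-gateway" and fips:
        train += "-FIPS"
    return train


def is_vulnerable(product: str, build: str, fips: bool = False) -> Optional[bool]:
    """True if the build precedes the first fixed build for its train.

    Returns None when the train is not in the advisory table at all: the
    advisory says nothing about it, so the caller must not treat that as safe.
    """
    fixed = FIXED_BUILDS[product].get(release_train(product, build, fips))
    if fixed is None:
        return None
    return parse_build(build) < parse_build(fixed)


# Constructed inventory; host names and builds are made up for the example.
INVENTORY: List[Dict[str, object]] = [
    {"host": "adc-dc1", "product": "adc-gateway", "build": "13.0-82.45", "fips": False},
    {"host": "adc-fips", "product": "adc-gateway", "build": "12.1-55.210", "fips": True},
    {"host": "gw-branch", "product": "adc-gateway", "build": "12.1-63.22", "fips": False},
    {"host": "adc-old", "product": "adc-gateway", "build": "10.5-70.5", "fips": False},
    {"host": "wanop-4100", "product": "sdwan-wanop", "build": "10.2.9", "fips": False},
    {"host": "wanop-5100", "product": "sdwan-wanop", "build": "11.4.2", "fips": False},
]


def audit(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group hosts into 'vulnerable', 'fixed' and 'unknown' (train not listed)."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for item in inventory:
        verdict = is_vulnerable(str(item["product"]), str(item["build"]), bool(item["fips"]))
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        groups[key].append(str(item["host"]))
    return groups


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket matters: a train the advisory does not mention (such as the end-of-life 10.5 host in the constructed inventory) gets no verdict rather than a clean bill of health. The version check also overstates exposure for CVE-2021-22955, since the advisory says only appliances configured as a VPN or AAA virtual server are reachable that way; treat the output as a patch worklist, not a risk rating.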

Lenovo: No Fix for High-Severity Flaw in Legacy IBM System X Servers


Lenovo has stated that two legacy IBM System x server models, discontinued in 2019, are vulnerable to attack and will not receive security fixes. The firm is, however, offering a workaround as mitigation. 

Both the IBM System x 3550 M3 and IBM System x 3650 M3 are vulnerable to command injection. An attacker can abuse a vulnerable component, the Integrated Management Module (IMM), to execute arbitrary commands on either server model's operating system. 

IMM performs system management functions. Serial and Ethernet connections on the back panel of System x models use the IMM for device management. 

According to a Lenovo advisory published Tuesday, the flaw is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.” 

Secure Shell (SSH) is a cryptographic network protocol that allows two computers to communicate or transfer files securely. Telnet is another network protocol that lets remote users log into another machine on the same network; Telnet does not encrypt data sent over its connection by default. 

The flaw, which has been assigned the number CVE-2021-3723, was discovered on Wednesday by Denver Abrey, a bug hunter. 

In June 2020, eight vulnerabilities were discovered in a later version of IMM, known as IMM2, three of them of high severity. These issues were found in the client-side library libssh2, which implements the SSH2 protocol. 

The System x 3550 M3 and System x 3650 M3 were announced as mid-sized enterprise solutions on April 5, 2011. On June 30, 2015, Lenovo stated that both systems would be discontinued, but that security updates would be provided for another five years. 

Software and security support for the System x 3550 and 3650 ended on December 31, 2019, according to the Lenovo security notice. 

Lenovo wrote, “Lenovo has historically provided service and support for at least five years following a product’s withdrawal from marketing. This is subject to change at Lenovo’s sole discretion without notice. Lenovo will announce a product’s EOS date at least 90 days before the actual EOS date and in most cases longer.”

Lenovo stated on Wednesday that it recommends discontinuing use of both servers, but that it has a mitigation approach. 

If it is not possible to stop using these systems, Lenovo suggests: 
  • Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface) 
  • During initial configuration, change the default Administrator password. 
  • Enforce the use of strong passwords. 
  • Only give trustworthy admins access. 
Lenovo did not comment on whether it was aware of any active campaigns exploiting the flaw.

Millions of HP OMEN Gaming PCs Impacted by Driver Vulnerability


On Tuesday, security researchers disclosed details of a high-severity vulnerability in the HP OMEN driver software, which affects millions of gaming computers worldwide and leaves them exposed to various cyberattacks. 

The vulnerability is tracked as CVE-2021-3437 (CVSS score: 7.8). Threat actors may escalate privileges to kernel mode without administrator rights, enabling them to disable security products, overwrite system components, and even corrupt the operating system. 

The complete list of vulnerable devices includes HP ENVY, HP Pavilion, OMEN desktop gaming systems, and OMEN and HP Pavilion gaming laptops. 

SentinelOne, the cybersecurity firm that identified and reported the flaw to HP on February 17, said it found no evidence of in-the-wild exploitation. HP has since released a security update to customers to address the flaw. 

The problems stem from OMEN Command Center, a component pre-installed on HP OMEN laptops and desktops that can also be downloaded from the Microsoft Store. The program is meant to optimise network activity, overclock the gaming PC for faster performance, and monitor the GPU, CPU, and RAM through a vitals dashboard. 

Source of the flaw

According to research shared with The Hacker News by SentinelOne, "The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities." 

"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement." 

The driver in question is HpPortIox64.sys, which derives its functionality from WinRing0.sys, developed by OpenLibSys and the origin of a local privilege escalation flaw in EVGA Precision X1 software last year (CVE-2020-14979, CVSS score: 7.8). 

In August 2020, researchers from SpecterOps highlighted, "WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host. These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation." 
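Because a WinRing0-derived driver is validly signed and loads from a vendor's own software, signature checks alone will not surface it; defenders typically watch driver-load telemetry for known file names and hashes instead. The following is an added example (not SentinelOne's or HP's code) that applies such a watchlist to records shaped like Sysmon Event ID 6 (DriverLoad) fields. The file names come from the article above; the event records and every hash value are constructed placeholders, and the third record illustrates why a hash match is needed in addition to a name match.

```python
"""Flag driver-load telemetry that points at WinRing0-derived drivers.

Added example, not SentinelOne's or HP's code. The records below are
constructed in the shape of Sysmon Event ID 6 (DriverLoad) fields; every hash
is a placeholder, not a real file hash.
"""
import ntpath
from typing import Dict, List

# File names the article ties to WinRing0-derived code. A name match is a weak
# signal on its own (a copy can be renamed), so hashes are checked as well.
NAME_WATCHLIST = {"hpportiox64.sys", "winring0.sys"}

# Constructed placeholder digest standing in for a blocklisted build of the
# driver; a real deployment would load vendor- or research-published hashes.
PLACEHOLDER_SHA256 = "0" * 63 + "1"
HASH_BLOCKLIST = {PLACEHOLDER_SHA256}


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's Hashes field is 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a DriverLoad event deserves attention (empty if none)."""
    reasons: List[str] = []
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if name in NAME_WATCHLIST:
        reasons.append(f"file name on watchlist: {name}")
    sha256 = parse_hashes(event.get("Hashes", "")).get("sha256")
    if sha256 in HASH_BLOCKLIST:
        reasons.append("sha256 on blocklist")
    # A valid signature does not clear a driver: the HP driver is signed and
    # still exposes physical-memory, MSR and I/O-port access to any local user.
    # Unsigned loads are flagged separately because they are anomalous anyway.
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver not signed")
    return reasons


def audit(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged ImageLoaded path to its reasons; clean loads are omitted."""
    flagged: Dict[str, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


# Constructed sample telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\HpPortIox64.sys",
     "Signed": "true", "Signature": "HP Inc.", "Hashes": f"SHA256={PLACEHOLDER_SHA256}"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "Hashes": "SHA256=" + "f" * 64},
    # Same bytes as the HP driver, dropped under a different name: only the hash catches it.
    {"ImageLoaded": r"C:\Users\Public\tools\perfmon_helper.sys",
     "Signed": "true", "Signature": "HP Inc.", "Hashes": f"SHA256={PLACEHOLDER_SHA256}"},
    {"ImageLoaded": r"C:\Temp\unknown.sys", "Signed": "false", "Hashes": ""},
]


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Fed real Sysmon data, the same logic is a first-pass triage rule: a hit on a signed vendor driver is not an intrusion on its own, but it tells you which endpoints still carry the unpatched driver and should receive HP's update.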

This is the second time WinRing0.sys has been identified as a source of security vulnerabilities in HP products. 

In October 2019, SafeBreach Labs discovered a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which ships with the same driver, potentially enabling malicious actors to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass. 

The discovery is the third in a series of security flaws affecting software drivers that SentinelOne has discovered since the beginning of the year. 

Earlier this year, they found a 12-year-old privilege escalation flaw in Microsoft Defender Antivirus (previously Windows Defender) that attackers could exploit to gain admin access on unpatched Windows computers.

And last month, SentinelOne reported on a 16-year-old security flaw discovered in an HP, Xerox, and Samsung printer driver that allows attackers to obtain administrative access to computers running the vulnerable software.