Critical Security Flaw in "Hunk Companion" Plugin Exploited by Hackers


Hackers are actively exploiting a serious security vulnerability in the "Hunk Companion" plugin to install and activate other plugins that contain known vulnerabilities from the WordPress.org repository. This targeted attack allows the installation of plugins with a variety of vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS), and even enables the creation of unauthorized admin backdoors.

Exploitation of Outdated Plugins

By focusing on outdated plugins with existing exploits, attackers can execute malicious actions, compromising WordPress sites. WPScan discovered the malicious activity and reported the issue to the developers of Hunk Companion. In response, a security update addressing the zero-day vulnerability was released yesterday.

Hunk Companion is an add-on plugin designed to enhance WordPress themes developed by ThemeHunk. Although it is installed on over 10,000 WordPress sites, it remains a relatively niche tool within the WordPress ecosystem, according to WordPress.org statistics.

Details of the Vulnerability

The critical vulnerability, identified by WPScan researcher Daniel Rodriguez, is tracked as CVE-2024-11972. This flaw allows attackers to install plugins via POST requests without authentication, creating a serious security risk for affected WordPress sites.

All versions of Hunk Companion prior to version 1.9.0, released yesterday, are affected. During an investigation of an infected site, WPScan found evidence of active exploitation of CVE-2024-11972. This exploit enabled the installation of a compromised version of the WP Query Console plugin, which has not been updated in over seven years. The hackers used this plugin to execute malicious PHP code by exploiting the RCE flaw CVE-2024-50498.

According to WPScan, “In the infections we've analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”

Previous Attempts to Fix the Vulnerability

A similar flaw was addressed in version 1.8.5 of Hunk Companion, tracked as CVE-2024-9707. However, this fix was found to be insufficient, and attackers managed to bypass it.

Due to the severity of this vulnerability and the ongoing exploitation, users of Hunk Companion are strongly advised to update to version 1.9.0 immediately. At the time of reporting, version 1.9.0 had been downloaded around 1,800 times, leaving approximately 8,000 sites still vulnerable to attacks.

CISA Issues Warning on Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Released

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting several critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities present significant risks, including the potential for attackers to execute arbitrary code, access sensitive data, or disrupt device operations.

This poses a serious threat to the security of industrial and commercial networks that depend on these devices. Despite the gravity of these issues, Vonets has not responded to CISA’s outreach for collaboration on mitigation efforts, leaving users at risk.

Key Vulnerabilities and Their Impacts

The vulnerabilities identified in the Vonets devices vary in severity and include:

  • CVE-2024-41161 (CVSSv4 8.7): This flaw involves the use of hard-coded credentials, allowing unauthorized users to bypass authentication and gain full device access using pre-set administrator credentials that cannot be disabled. This makes it a particularly dangerous vulnerability.
  • CVE-2024-29082 (CVSSv4 8.8): An issue with improper access control permits attackers to bypass authentication and perform a factory reset on the device through unprotected endpoints, leading to potential service disruptions and loss of configuration data.
  • CVE-2024-41936 (CVSSv4 8.7): A directory traversal vulnerability that enables attackers to read arbitrary files on the device, bypassing authentication and exposing sensitive information.
  • CVE-2024-37023 (CVSSv4 9.4): OS command injection vulnerabilities allow authenticated attackers to execute arbitrary operating system commands on the device, potentially giving them control over its operation.
  • CVE-2024-39815 (CVSSv4 8.7): A flaw in the handling of exceptional conditions could lead to a denial-of-service (DoS) scenario when attackers send specially crafted HTTP requests to the device.
  • CVE-2024-39791 (CVSSv4 10): The most severe vulnerability, a stack-based buffer overflow, allows remote attackers to execute arbitrary code, potentially gaining full control of the device without needing authentication.
  • CVE-2024-42001 (CVSSv4 6.1): An issue with improper authentication enables attackers to bypass authentication by sending specially crafted requests during an active user session.

CISA’s Recommendations

In light of Vonets' lack of response, CISA has issued several recommendations to help organizations mitigate the risks associated with these vulnerabilities:

  • Minimize Network Exposure: Ensure that control system devices and networks are not directly accessible from the internet to reduce the risk of unauthorized access.
  • Isolate Control Systems: Position control system networks and remote devices behind firewalls and separate them from business networks to prevent cross-network attacks.
  • Secure Remote Access: When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). However, it's crucial to keep VPNs updated and ensure the security of connected devices.

CISA stresses the importance of conducting thorough impact analysis and risk assessments before implementing any defensive measures to avoid unintended operational disruptions.

While no public exploitation of these vulnerabilities has been reported yet, the critical nature of these issues demands immediate attention. Organizations and individuals must act swiftly to safeguard their networks and reduce the risk of potential attacks.

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 Openfire servers have not been patched against a recent vulnerability, leaving them exposed to a newly discovered exploit path, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, is a cross-platform real-time collaboration server written in Java. It uses the XMPP protocol and is administered through a web interface.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root of the problem is that Openfire's protections did not account for a specific non-standard URL encoding of UTF-16 characters. When the embedded web server gained support for that encoding, the protection measures were not updated to match.

All Openfire versions from 3.10.0 (released in April 2015) up to, but not including, 4.7.5 and 4.6.8 (released in May 2023 to fix the flaw) are affected.

Exploitations of this vulnerability have been observed over a span of more than two months. Cyber threat actors have been establishing fresh user accounts in the admin console to introduce a new plugin. This plugin houses a remote web shell, affording the attackers the ability to execute arbitrary commands and infiltrate server data.

Publicly available exploits targeting CVE-2023-32315 follow a uniform pattern. However, VulnCheck says it has identified a novel exploit path that does not require the creation of an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck notes that this approach avoids triggering login entries in the security audit log, keeping the operation discreet. The absence of a security audit log entry matters because it removes evidence of the breach.

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

New Exploit Unleashed for Cisco AnyConnect Bug Granting SYSTEM Privileges

Proof-of-concept (PoC) exploit code has been released for a significant vulnerability found in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw allows attackers to elevate their privileges to the SYSTEM level. Cisco Secure Client is a VPN software that enables employees to work remotely while ensuring a secure connection and providing network administrators with telemetry and endpoint management capabilities.

The vulnerability, identified as CVE-2023-20178, enables authenticated threat actors to escalate their privileges to the SYSTEM account without requiring complex attacks or user interaction. Exploiting this flaw involves manipulating a specific function within the Windows installer process.

To address this security issue, Cisco issued security updates on the previous Tuesday. The company's Product Security Incident Response Team (PSIRT) stated that there was no evidence of any malicious activities or public exploit code targeting the vulnerability at that time.

The fix for CVE-2023-20178 was included in the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

Recently, security researcher Filip Dragović discovered and reported the Arbitrary File Delete vulnerability to Cisco. This week, Dragović published a PoC exploit code, which was tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

Dragović explains that when a user establishes a VPN connection, the vpndownloader.exe process starts in the background and creates a directory in the format "<random numbers>.tmp" within the c:\windows\temp directory. By taking advantage of default permissions, an attacker can abuse this behavior to perform arbitrary file deletion using the NT Authority\SYSTEM account.

The attacker can further leverage this Windows installer behavior and the fact that a client update process is executed after each successful VPN connection to spawn a SYSTEM shell, thus escalating their privileges. The technique for privilege escalation is described in detail.

It's worth noting that in October, Cisco urged customers to patch two additional security flaws in AnyConnect, which had public exploit code available and had been fixed three years earlier due to active exploitation. Furthermore, in May 2021, Cisco patched an AnyConnect zero-day vulnerability with public exploit code, following its initial disclosure in November 2020.

This Twitter Bug is Making Users Secret Circle Tweets Public

Twitter launched Circle in August 2022, allowing you to limit your tweets to a chosen group of users without making your account private. While the function was designed to limit the visibility of your tweets to a group smaller than your number of followers, a recent issue has reportedly exposed your private tweets to many others outside your Circle, even if they do not follow you.

Many users have observed that tweets intended for Twitter Circles are reaching all followers rather than just those in the Circle. Amanda Silberling of TechCrunch, who saw another person's ostensibly private tweet, notes that personal posts display under Twitter's newly launched "For You" area.

Because the feature is intended to let users tweet privately, many people use it to share sensitive thoughts and feelings, as well as restricted media such as nude photographs. The flaw therefore poses a significant privacy risk to any account that has posted such private tweets.

For months, Twitter Circle has been buggy. Certain users have reported that their tweets from the Circle have reached other followers outside of it. Meanwhile, some users claim that the tweets are available to anyone other than followers. Affected users discovered the flawed nature of the service when a few strangers responded with tweets intended for the inner circle.

While it's difficult to pinpoint a specific cause for the glitch, it could be related to recent changes to Twitter's recommendation algorithm, which divided the feed into "For You" and "Following" timelines. As the names suggest, For You also displays tweets from users you don't follow.

Elon Musk's private jet was made public on Twitter in October. Musk compared the incident to "doxing" and responded by suspending the @ElonJet account as well as the accounts of journalists who reported on it. 

However, when it comes to users' privacy — despite using a mechanism that ostensibly guarantees it — Musk does not appear to be concerned. Twitter Circle has allegedly been plagued by bugs for several months. These difficulties have not piqued Twitter's interest, despite the digital titan persistently promoting the platform's paid tier, Twitter Blue.

This could be considered a violation of users' permission and a data breach under EU legislation. Any monetary punishment, however, may be subject to interference by US authorities and legislators.


Hackers can Open Smart Garage Doors From Anywhere in the World

According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws pose a major risk to Nexx users, who use its Wi-Fi-connected garage door opener controllers, among other products. According to a copy of an email obtained by Motherboard, the researcher who discovered the vulnerabilities says Nexx has not responded to their attempts to responsibly report them for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabetan demonstrated the hack in a video proof-of-concept. It shows him first unlocking his own garage door with the Nexx app, as intended. He then opens a tool that lets him read the communications sent by the Nexx device. Sabetan uses the app to close the door and records the data the device sends to Nexx's server during this action.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems. Sabetan said that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had also tried to contact the company. Nexx has not responded or fixed the issues, which means the flaws remain open to anyone who wants to exploit them. For that reason, Motherboard will not describe them in detail and will focus instead on their impact on customers. On Tuesday, CISA issued its own advisory about the security issues.

Nexx appears to be deliberately ignoring at least some attempts to alert it to the vulnerabilities. Because Nexx's support email did not respond to his vulnerability report, Sabetan contacted support again, this time saying he needed help with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support staff responded promptly that time.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. “Please respond to ticket [ticket number],” he wrote, referring to his vulnerability report.


A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content

A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling anyone with the file to partially restore content that was cropped or edited out of an image.

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. When a file is opened in the Windows 11 Snipping Tool and then saved over the existing file, the tool does not truncate the now-unused data at the end of the file; it leaves that data in place, where it can be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer reproduced the issue with Dormann's assistance. To test it, BleepingComputer opened an existing PNG file in the Windows 11 Snipping Tool, cropped it (editing or marking it up works the same way), and saved the changes to the original file.

While the cropped image contains far less data than the original, the file sizes of the original image (office-screenshot-original.png) and the cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with an 'IEND' data chunk, and any data appended after it is ignored by image editors and viewers.

However, when BleepingComputer used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, which remains present after the IEND chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.
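The check below, added here as an example (it is neither Buchanan's recovery script nor anything BleepingComputer published), walks a PNG's chunk list to find the offset just past IEND and reports how many bytes trail it, which is the residue this flaw leaves behind; it also returns a copy cut at IEND, which is the same effect the article describes when a file is re-saved by an editor that strips trailing data. The sample PNG it builds is constructed for the demonstration.

```python
"""Detect and strip data left after a PNG's IEND chunk (acropalypse residue)."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_iend_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk.

    Each PNG chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    Raises ValueError if the data is not a well-formed PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND; anything above 0 is data a viewer never shows."""
    return len(data) - find_iend_offset(data)


def truncate_after_iend(data: bytes) -> bytes:
    """Return the PNG with everything after IEND removed (what a clean re-save does)."""
    return data[:find_iend_offset(data)]


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed minimal RGB PNG (solid red) used only for the demonstration."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) per scanline, then RGB pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python png_tail_check.py screenshot.png [cleaned.png]
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed sample: a clean PNG with 4096 bytes of stale data appended,
        # mimicking a file overwritten in place without truncation.
        blob = build_sample_png() + b"\x00" * 4096
    extra = trailing_bytes(blob)
    print(f"{extra} byte(s) after IEND" + (" - possible residue" if extra else ""))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(truncate_after_iend(blob))
```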

While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Unpatched Akuvox Smart Intercom Flaws Can Be Exploited for Spying

The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors. 

The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed. Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.

The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.

The Akuvox E11 contains a critical RCE bug

One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Unpatched Akuvox Security Vulnerabilities

Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.

Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network. 

"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

A world of increasingly connected devices has given sophisticated adversaries a vast attack surface. According to Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.

And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.