Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label RCE. Show all posts

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.

Managing LLM Security Risks in Enterprises: Preventing Insider Threats

 

Large language models (LLMs) are transforming enterprise automation and efficiency but come with significant security risks. These AI models, which lack critical thinking, can be manipulated to disclose sensitive data or even trigger actions within integrated business systems. Jailbreaking LLMs can lead to unauthorized access, phishing, and remote code execution vulnerabilities. Mitigating these risks requires strict security protocols, such as enforcing least privilege, limiting LLM actions, and sanitizing input and output data. LLMs in corporate environments pose threats because they can be tricked into sharing sensitive information or be used to trigger harmful actions within systems. 

Unlike traditional tools, their intelligent, responsive nature can be exploited through jailbreaking—altering the model’s behavior with crafted prompts. For instance, LLMs integrated with a company’s financial system could be compromised, leading to data manipulation, phishing attacks, or broader security vulnerabilities such as remote code execution. The severity of these risks grows when LLMs are deeply integrated into essential business operations, expanding potential attack vectors. In some cases, threats like remote code execution (RCE) can be facilitated by LLMs, allowing hackers to exploit weaknesses in frameworks like LangChain. This not only threatens sensitive data but can also lead to significant business harm, from financial document manipulation to broader lateral movement within a company’s systems.  

Although some content-filtering and guardrails exist, the black-box nature of LLMs makes specific vulnerabilities challenging to detect and fix through traditional patching. Meta’s Llama Guard and other similar tools provide external solutions, but a more comprehensive approach is needed to address the underlying risks posed by LLMs. To mitigate the risks, companies should enforce strict security measures. This includes applying the principle of least privilege—restricting LLM access and functionality to the minimum necessary for specific tasks—and avoiding reliance on LLMs as a security perimeter. 

Organizations should also ensure that input data is sanitized and validate all outputs for potential threats like cross-site scripting (XSS) attacks. Another important measure is limiting the actions that LLMs can perform, preventing them from mimicking end-users or executing actions outside their intended purpose. For cases where LLMs are used to run code, employing a sandbox environment can help isolate the system and protect sensitive data. 

While LLMs bring incredible potential to enterprises, their integration into critical systems must be carefully managed. Organizations need to implement robust security measures, from limiting access privileges to scrutinizing training data and ensuring that sensitive data is protected. This strategic approach will help mitigate the risks associated with LLMs and reduce the chance of exploitation by malicious actors.

Apache Addresses Severe RCE Vulnerability in OFBiz with an Urgent Patch

 


In a recent release, the Apache OFBiz project developers have been working on a patch to fix a new critical flaw of software that can be exploited by unauthenticated attackers to execute arbitrary code on the server. Considering that attackers are likely to exploit this vulnerability in real-world attacks, users are advised to deploy the patch as soon as possible to avoid falling victim to this vulnerability.

There was a high-severity vulnerability identified as CVE-2024-45195 (CVSS score: 7.5) affecting Apache OFBiz, a popular open-source business enterprise resource planning (ERP) system that is adapted from Apache OFBiz. In the field of enterprise process automation, Apache OFBiz® from the Apache Software Foundation consists of framework components and applications as well as a business process automation framework. 

This vulnerability is caused by Apache's OFBiz implementation of Direct Request ('Forced Browsing'). It has been found that all versions of the software before 18.12.16 are affected by this bug. The project maintainers have been working on CVE-2024-45195 for several months now to prevent the occurrence of a severe sequence of vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were already addressed by the project maintainers previously. 

CVE-2024-32113 and CVE-2024-38856, both of which appear to be exploited actively in the wild and the former of which is used to distribute the Mirai botnet malware, are exploited extensively. This was due to Rapid7's inability to desynchronize the controller state from the view map state, something that was never completely resolved in any of the patches that were released, but which led to all three of the earlier shortcomings. 

Because of the vulnerability, attackers may be able to exploit it to execute code, and SQL queries, and remotely execute the code without the need for authentication by exploiting it. This latest patch was put in place to validate that a view should allow anonymous access if a user is not authenticated (rather than performing authorization checks solely based on the target controller)." CVE-2024-38856 and CVE-2024-32113 are, in fact, critical vulnerabilities, and they've been actively targeted by attackers in the past few months. 

The Cybersecurity and Infrastructure Security Agency has listed them in its catalogue of Known Exploited Vulnerabilities in August. There has been speculation that companies can have a hard time resolving the underlying causes of vulnerabilities because of their size. Sometimes it is difficult to judge whether a patch will be effective until several researchers have tried bypassing it to test its effectiveness. It was Rapid7 that identified and reported the vulnerability, and they suggest that the three security defects are essentially the same bug because they are both caused by the same source code. 

In a report published in early May, CVE-2024-32113 was described as an issue in which a malicious user would be able to navigate through an unauthenticated controller and interact with an authenticated view map, granting them access to an admin-only view map or allowing them to execute SQL commands on it. It has been observed that there have been attempts to exploit people in July.  

A second vulnerability, CVE-2024-36104, which was disclosed in early June, was also explained as a path traversal vulnerability. There were multiple issues with the URI, including semicolons and URL-encoded periods that need to be removed. In early August, Apache drew attention to a vulnerability referred to as CVE-2024-38856. 

This has been described as a security flaw that could allow code execution due to an incorrect authorization. CISA, the United States Cyber Defense agency, announced that the bug had been added to its list of Known Exploited Vulnerabilities (KEVs) towards the end of August. Rapid7 said that all three issues are the result of controller-view map state fragmentation, which can occur when an application begins receiving URI patterns that are not expected. 

Assuming the root cause of the three vulnerabilities is the same, CVE-2024-38856 works on systems that are affected by CVE-2024-32113 and CVE-2024-36104, "since the payload for all three vulnerabilities is the same". There was a CVE-2024-32113 OFBiz vulnerability (patched in May) that was being exploited in attacks by hacker groups, just days after SonicWall researchers published detailed technical details on CVE-2024-38856, a bug involving pre-authentication RCE. 

CISA issued a warning regarding this CVE in early August. In addition to adding the two security bugs to its catalogue of actively exploited vulnerabilities, CISA also announced that federal agencies must patch their servers as soon as possible after the three-week deadline mandated by the binding operational directive (BOD 22-01) issued in November 2021. 

Even though BOD 22-01 only applies to agencies of the Federal Civilian Executive Branch (FCEB), the Center for Information Security and Assurance (CISA) is urging organizations to patch these security flaws immediately to prevent the onset of attacks against their networks. A public proof of concept exploit for OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) was used in December to identify Confluence servers that were vulnerable to the exploit. 

The exploit was based on public proof of concept exploits. Having discovered that Emmons now had a new view map to abuse called XmlDsDump, he could query the underlying database for any data that may be available and then write the results to any file, anywhere on the disk, without any restrictions. 

Among the data displayed in this presentation could be hashed passwords of users defined in the system, which could then be cracked to reveal their passwords. As a result of this study, the researcher has taken it one step further by combining it with a script he discovered that was present in the system, named ViewDataFile.groovy, which could write files to disk from requests and used it to build a web shell that enabled remote code execution on the server using the script. 

In response to this flaw, OFBiz developers came up with a more comprehensive fix that does not rely only on non-centralized authorization checks on view maps anymore but also takes into account non-centralized authorization checks for target controllers for the view maps as well.

Major Security Flaw Discovered in Popular Cloud Logging Tool

 



Researchers at Tenable have identified a severe memory corruption vulnerability in Fluent Bit, an open-source logging utility integral to major cloud services. With over 3 billion downloads as of 2022 and an additional 10 million deployments daily, Fluent Bit is a cornerstone of cloud infrastructure used by prominent organisations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and cloud giants like AWS, Microsoft, and Google Cloud.

The issue, dubbed "Linguistic Lumberjack" by Tenable, stems from how Fluent Bit's embedded HTTP server handles trace requests. The vulnerability can be exploited to cause denial of service (DoS), data leaks, or even remote code execution (RCE) in cloud environments.

"While vulnerabilities in major cloud providers like Azure, AWS, and GCP grab headlines, it's crucial to scrutinise the underlying technologies these services rely on," says Jimi Sebree, senior staff research engineer at Tenable. "Critical components like Fluent Bit, which are embedded in many cloud services, pose significant risks if compromised."

Tenable's researchers stumbled upon this flaw while investigating another security issue in a cloud service. They discovered they could access various internal metrics and logging endpoints of the cloud service provider, which included Fluent Bit instances. This cross-tenant data leakage revealed a more profound problem.

The vulnerability lies in the /api/v1/traces endpoint of Fluent Bit's monitoring API. The service fails to validate data types properly, allowing attackers to input non-string values that cause memory corruption. By manipulating these inputs, attackers can crash the service and leak sensitive data. Although exploiting this for RCE would require sophisticated, targeted efforts, the potential for harm remains high.

The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323, with critical CVSS scores exceeding 9.5 out of 10. After reporting the issue on April 30, Fluent Bit's developers promptly addressed it by validating input data types in the problematic endpoint. The fix was implemented in the project's main branch on GitHub by May 15.

Organisations using Fluent Bit are strongly advised to update their software to the latest version immediately. Alternatively, administrators should review and restrict access to Fluent Bit's monitoring API to authorised users only, or disable it entirely if feasible.

The discovery of this vulnerability accentuates the importance of scrutinising not just the cloud services themselves but also the foundational technologies they depend on. Ensuring the security of tools like Fluent Bit is vital for maintaining the integrity of cloud environments across industries.



Microsoft Discovers BlackCat's Sphynx Ransomware Exploiting Impacket & RemCom

A new strain of ransomware known as BlackCat's Sphynx has recently been discovered by cybersecurity researchers at Microsoft. It has gained notice because it incorporates advanced hacking tools like Impacket and RemCom. This finding highlights the increasing sophistication and power of current ransomware attacks, creating concerns for both individuals and companies.

A new strain of ransomware known as BlackCat's Sphynx has recently been discovered by cybersecurity researchers at Microsoft. It has gained notice because it incorporates advanced hacking tools like Impacket and RemCom. This finding highlights the increasing sophistication and power of current ransomware attacks, creating concerns for both individuals and companies.

Impacket, an open-source collection of Python classes, enables the manipulation of network protocols and facilitates the creation of network-aware tools. It has legitimate uses in areas like network testing and penetration testing but can be weaponized by threat actors to infiltrate systems. RemCom, on the other hand, is a tool that grants remote access and control over compromised systems, allowing hackers to execute arbitrary commands.

Microsoft's analysis reveals that BlackCat's Sphynx leverages these tools to infiltrate networks, escalate privileges, and finally deploy ransomware to encrypt victims' data. The combination of these powerful tools amplifies the threat potential, as it grants attackers multiple avenues to compromise systems and ensure the success of their ransom demands.

The implications of this discovery extend beyond the immediate threat posed by BlackCat's Sphynx ransomware. The integration of well-established tools like Impacket and RemCom indicates an evolution in the tactics and techniques employed by ransomware operators. This also highlights the importance of organizations and individuals staying updated on the latest cybersecurity threats and fortifying their defenses against emerging attack vectors.

As ransomware attacks continue to surge and become increasingly sophisticated, cybersecurity experts stress the significance of a multi-layered defense strategy. Regularly updating software, educating users about phishing and social engineering tactics, and implementing robust network segmentation are among the recommended measures to minimize the risk of falling victim to such attacks.


Microsoft Confirms Zero Day Exploits, Prompts Users to Update


This week Microsoft confirmed around 132 security vulnerabilities in its product lines, including a total of six zero-day flaws that are currently being actively exploited. Because of this, security professionals advise Windows users to upgrade right away.

One of these zero-day vulnerabilities is of remote code executive (RCE) type, affecting Windows HTML and Microsoft Office. Microsoft has surprisingly not yet released a patch for CVE-2023-36884, opting instead to provide configuration mitigation methods, despite this being a Patch Tuesday rollout. Microsoft has connected the exploitation of this vulnerability to the Russian cybercrime group RomCom, which is suspected to be acting in the interests of Russian intelligence.

According to Rapid7 vulnerability risk management specialist Adam Barnett, the RomCom gang has also been linked to ransomware assaults that have been directed at a variety of targets. More such security experts are raising concerns given the number of vulnerabilities and the multiple zero-days that they are coming across, regarding which they are warning Windows users to adopt the updated versions promptly. The Microsoft Security Update Guide contains a comprehensive list of the vulnerabilities fixed by the most recent Patch Tuesday release. Security professionals have, however, drawn attention to some of the more crucial ones.

CVE-2023-36884 

According to Microsoft, “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

While this vulnerability is still unpatched, Microsoft says it will “take the appropriate action to help protect our customers” ones they are done with the investigations. However, speculations claims that this will happen via an out-of-band security update rather than leaving an actively exploited zero-day up for patch for next month’s Patch Tuesday rollout. Microsoft directs users to a threat intelligence blog article that offers workaround mitigations in the meantime.

CVE-2023-32046 

This flaw is a Windows MSHTML platform elevation of privilege vulnerability that is being exploited. The zero-day flaw exploits the MSHTML core Windows components, that are used to produce content like HTML.

According to Kev Breen, director of cyber threat research at Immersive Labs, “This is not limited to browsers.” He warns, “other applications like Office, Outlook, and Skype also make use of this component.” It is likely that the attack vectors would include typical suspects—a malicious document attached to an email or a malicious website or web page. . “This vulnerability would likely be used as an initial infection vector[…]allowing the attacker to gain code execution in the context of the user clicking the link or opening the document,” says Breen.

Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign

 

A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software was used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI. These assaults targeted organisations in the United States and Canada. 

Unauthorised attackers can run malicious code with the privileges of the SYSTEM user thanks to a security flaw that affects the Netwrix Auditor server and the agents installed on monitored network systems (tagged as CVE-2022-31199). 

Since December 2022, TA505 hackers (connected with the FIN11 organisation) have exploited TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks. 

After installing TrueBot on compromised networks, the hackers install the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with the TA505 group and allows them to escalate privileges and establish persistence on the compromised systems. 

Hackers will also deploy Cobalt Strike beacons hours after the initial breach, which might potentially be exploited to perform various post-exploitation tasks such as data theft and delivering other malware payloads such as ransomware. 

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."

Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.

Following the guidelines laid out in joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.

If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.

Several RCE Bugs Making Industrial IoT Devices Vulnerable to Cyberattacks


Eleven vulnerabilities in the cloud-management platforms of three industrial cellular router vendors put operational technology (OT) networks at risk for remote code execution, even when the platform is not actively set up for cloud management.

Eran Jacob, team leader of the security research team at Otorio, and Roni Gavrilov, security researcher, warn that the vulnerabilities are critical as they can be used to exploit thousands of industrial Internet of Things (IIoT) devices and networks in a variety of sectors, even though they affect devices from only three vendors, namely Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter. 

"Breaching of these devices can bypass all of the security layers in common deployments, as IIoT devices are commonly connected both to the Internet and the internal OT network[…]It also raises additional risk for propagation to additional sites through the built-in VPN," the researchers said.

The researchers added that in case the attackers acquire a direct connection to the internet OT environment, it may further impact production and pose safety risks for users in their virtual environment.

Attackers can also use a variety of vectors to take advantage of the flaws, according to the researchers, including compromising devices in the production network to enable unauthorized access and control with root privileges, gaining root access through a reverse shell, and using compromised devices to exfiltrate sensitive data and carry out actions like shutdown.

Where the Issues Lie 

Multiple devices can connect to the Internet using a cellular network thanks to an industrial cellular router. According to the researchers, these routers are frequently utilized in industrial environments like factories or oil rigs where typical wired Internet connections would not be viable or dependable.

"Industrial cellular routers and gateways have become one of the most prevalent components in the IIoT landscape[…]They offer extensive connectivity features and can be seamlessly integrated into existing environments and solutions with minimal modifications," Gavrilov wrote in the report.

In order to give clients remote management, scalability, analytics, and security across their OT networks, vendors of these devices use cloud platforms. The researchers further noted that they discovered a number of vulnerabilities that "pertain to the connection between IIoT devices and cloud-based management platforms," which is, in some cases, enabled by default.

"These vulnerabilities can be exploited in various scenarios, affecting devices that are both registered and unregistered with remote management platforms[…]Essentially, it means that there are security weaknesses in the default settings of certain devices' connectivity to cloud-based management platforms, and these weaknesses can be targeted by attackers," they said.

Mitigation Strategies

Researchers have provided vendors of these devices as well as OT network administrators with a number of mitigation measures. They recommended that OT network managers uninstall any inactive cloud features if they are not actively using the router for cloud management in order to avoid device takeovers and minimize the attack surface.

Administrators can also restrict direct connection from IIoT devices to routers because built-in security mechanisms like firewalls and VPN tunnels lose their effectiveness after being compromised, according to the researchers.

"Adding separate firewall and VPN layers can assist with delimitering and reduce risks from exposed IIoT devices used for remote connectivity," Gavrilov added in the report.  

The RCE Vulnerability in ConnectWise Has Been Resolved

 


As part of the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions, ConnectWise has released security updates that address a critical vulnerability within those products. 

In an advisory published by the company today, the company describes the security flaw as being due to an injection vulnerability. This occurs when special elements in output are not adequately neutralized before entering a downstream component. 

Among the affected software, versions are ConnectWise Recover, earlier versions of the product, and R1Soft SBM versions 6.16.3 and earlier versions. 

Several security researchers have reported that this is a critical vulnerability that could expose confidential information or allow attackers to execute code remotely using the vulnerability.

Additionally, it categorized this as a high-priority issue, meaning that it may be exploited in attacks or at a high risk of being targeted in the wild if it is not addressed immediately. 

In a report released by Huntress Labs CEO Kyle Hanslovan, security researchers have discovered, rediscovered, and expanded on the vulnerability discovered by Code White security researcher Florian Hauser. According to Huntress Labs CEO Kyle Hanslovan, the vulnerability can be exploited to spread ransomware to thousands of R1Soft servers exposed to the Internet. This is done via R1Soft servers exposed to the Internet. 

Approximately 4,800 R1Soft servers that are exposed to the Internet may be vulnerable to attacks as a result of this RCE bug. According to a Shodan scan, these servers may not be patched since ConnectWise has released patches for this issue. 

There have been automatic updates applied to ConnectWise Recover SBMs that have been impacted by the vulnerability (v2.9.9), ConnectWise announced. 

It should be noted that Cryptree users are being advised to upgrade their R1Soft backup manager to the latest release, SBM v6.16.4, released on October 28, 2022, by following the steps detailed in the R1Soft upgrade wiki.

As part of the company's recommendation, all R1Soft backup servers that are impacted should be patched as soon as possible. 

Even though patching critical vulnerabilities is always something that cybersecurity professionals are strongly encouraged to do, they do not think it is wise to do it on a Friday evening, as it can be a potentially disastrous timing decision. 

As a result, all Internet-exposed servers such as websites will be compromised to the fullest extent by malicious actors as soon as they discover a vulnerability. 

There is also a tendency for hackers to be especially active on weekends since most IT teams and security teams are away from their computers during these busy times. 

As a result of an end-of-the-week release, it is also more difficult to patch any vulnerable servers before the weekend, potentially exposing more systems for a few days to attack, especially if the release takes place along with a holiday weekend. 

There is a concern that not patching the R1Soft SBM backup solution quickly may lead to a significant security incident. This is because the R1Soft SBM backup solution is a popular tool among managed service providers and cloud hosting providers.

Malicious Actors Exploit Zero-Day RCE Bug in Sophos Firewall

 

Sophos, security software and hardware vendor published a patch update for its firewall product after it identified that hackers were exploiting a new critical zero-day vulnerability to target its users' network. 

The vulnerability tracked as CVE-2022-3236 was spotted in the User Portal and Webadmin of Sophos Firewall, its exploitation can lead to code execution (RCE). 

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed,” the company stated. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” 

The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. 

The firm fixed the vulnerability with the released Firewall v19.0 MR1 (19.0.1) and older, and also offered a solution by advising customers not to expose User Portal, and Webadmin to WAN and to disable WAN access to the User Portal and Webadmin. The company also recommended employing VPN and/or Sophos Central (preferred) for remote access and management.

"Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management," the company added. 

Earlier this year in March, Sophos fixed an identical critical vulnerability, tracked as CVE-2022-1040, identified in the User Portal and Webadmin areas of Sophos Firewall. The vulnerability received a CVSS score of 9.8 and affected Firewall versions 18.5 MR3 (18.5.3) and older. The security bug was reported to the security firm by an anonymous threat analyst via its bug bounty program. 

A remote hacker with access to the Firewall’s User Portal or Webadmin interface can exploit the vulnerability to circumvent authentication and execute arbitrary code to target multiple organizations.

Volexity researchers investigated the security vulnerability and disclosed that a Chinese APT group they track as DriftingCloud, exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a web shell backdoor and target the customer’s staff.

Prototype Bug in Blitz.js. Allows RCE on Node.js Servers

 

Blitz.js, a JavaScript web online framework, has issued a patch for a critical prototype pollution bug to prevent remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows hackers to manipulate the structure of the programming language and exploit it in multiple ways, Paul Gerste, security researcher at Sonar explained. It also allowed hackers to exploit the code in the Blitz.js app to design a reverse shell and run arbitrary commands on the server. 

Blitz is designed on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which allows the customer to employ specific functions to call server-side business logic without having to design API code. 

Additionally, it makes an RPC call to the server in the background and returns the response to the client function call. Gerste identified a chain of exploits that could be exploited via the prototype pollution bug and lead to RCE. 

The attackers target Node.js by sending a JSON request, a browser service that enables two-way data exchange with any JSON data server without exposing users’ data, to the server, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This allows the hacker to employ the malicious JavaScript object to implement arbitrary code. 

In an ideal scenario, the hacker would design and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher mentioned some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing 'object.prototype or using the --disable-proto=delete flag in Node.js

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

 

Security researchers at Gitlab have issued a patch for a critical vulnerability that allows hackers to execute code remotely. 

The security bug tracked as CVE-2022-2185, impacts all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorized user could import a maliciously designed project to launch remote code execution. 

GitLab is a web-based DevOps life cycle platform offering an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have manufactured the program.

 Multiple security flaws 

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs. The vulnerabilities impacted both GitLab Community Edition and Enterprise Edition. Security researchers have recommended users upgrade to the latest version. 

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

Last year in July, Gitlab patched multiple vulnerabilities — including two high-impact online security flaws by updating its software development infrastructure. In GitLab's GraphQL API, a cross-site request forgery (CSRF) developed a mechanism for a hacker to call modifications while impersonating their victims. The Gitlab Webhook feature was exploited for denial- of service (DoS) assaults because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash. 'Afewgoats' researchers identified DoS vulnerability and reported it via a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification was not assigned. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. 

"It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." To mitigate the risks, Gitlab patched 15 medium severity and two low-impact issues. These add-on vulnerabilities also included a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.

Attackers Exploit Telerik Vulnerabilities to Deploy Cobalt Strike

 

A hacker called ‘Blue Mockingbird’ is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware. 

The vulnerability tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), impacts the Telerik UI library for ASP.NET AJAX and is a high-risk deserialization security bug that can lead to remote code execution. 

Blue Mockingbird was also identified in May 2020 targeting susceptible Microsoft IIS servers that employed Telerik UI, even though it had been a year after the vendor had published security patches. Earlier this week, Sophos researchers revealed that Blue Mockingbird is leveraging the same flaw to launch new cyberattacks. 

To exploit CVE-2019-18935, the hackers must secure the encryption keys that guard Telerik UI’s serialization on the target. This may be done by using CVE-2017-11317 and CVE-2017-11357 or abusing another vulnerability in the target web app. 

Since multiple web apps were used as projects that embedded the Telerik UI framework version at the time of development and later were discontinued, they are still legitimate targets accessible for exploitation. Once the keys are acquired, the hackers can compile a malicious DLL containing the code to be executed during deserialization and launch it in the context of the ‘w3wp.exe’ process. 

According to the researchers, in recent assaults, Blue Mockingbird employed a readily available proof-of-concept (PoC) vulnerability to manage the encryption logic and automate the DLL compilation. The payload used in the recent assaults is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool hacker exploits for executing encoded PowerShell commands. 

Persistence is achieved by Active Directory Group Policy Objects (GPOs), which manufacture scheduled tasks in a new registry entry that contains base64-encoded PowerShell. To mitigate Windows Defender detection, the script employs typical AMSI-bypassing methodologies to download and load a Cobalt Strike DLL into memory. 

The second-stage program (‘crby26td.exe’) is an XMRig Miner, a common open-source cryptocurrency miner for Monero, one of the least detected cryptocurrencies. Notably, this was the primary goal of the threat actor’s 2020 campaign; therefore, the attack chain, methodologies, and goals haven’t altered significantly. 

On the other hand, Cobalt Strike allows for simple lateral movement within an exploited network, data exfiltration, account takeover, and the deployment of more powerful payloads like ransomware. It remains unclear whether Blue Mockingbird is interested in investigating these possibilities; for the time being, or they’re only focused on Monero mining.

Software Vendor VMware Patches Critical Bug Exploited in the Wild

 

Malicious actors are actively exploiting a critical bug, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager recently addressed by the vendor. The vulnerability is used in active attacks that infect servers with coin miners. 

Earlier this month, VMWare rolled out an update to resolve a critical security flaw (CVSS: 9.8) in several of their products, including VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products.

The software vendor also warned regarding the possibility of an attacker with network access triggering a server-side template injection that results in RCE. The vulnerability is not unprecedented: in late September 2022, CVE-2021-22005 enabled malicious actors to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. 

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the software vendor said while urging its customers to address the vulnerabilities immediately to prevent its exploitation. 

In the past two weeks, multiple security researchers designed working exploits for CVE-2022-22954, with at least one proof-of-concept exploit released on Twitter. While publishing public exploits raises the risks that threat actors will use them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. 

According to cybersecurity intelligence firm Bad Packets, malicious actors are actively scanning for vulnerable hosts to exploit the flaw in the wild. The IP address, 106.246.224.219, used in the payload, was recently seen dropping the Linux Tsunami backdoor in other attacks. However, it remains unclear what the 'one' executable is, as it is no longer accessible. Security researcher Daniel Card also joined the queue by releasing proof-of-concept exploits on Twitter and stated that the vulnerability was being exploited to deploy coinminer payloads.

SpringShell Attacks Target About One in Six Vulnerable Orgs

 

According to figures from one cybersecurity firm, about one out of every six firms affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors. 

The exploitation attempts occurred within the first four days of the severe remote code execution (RCE) issue, CVE-2022-22965, and the associated attack code was publicly disclosed. 37,000 Spring4Shell attacks were discovered over the weekend alone, according to Check Point, which generated the statistics based on their telemetry data. Software vendors appear to be the most hit industry, accounting for 28% of the total, possibly due to their high vulnerability to supply chain threats. 

Based on their visibility, Check Point ranks Europe #1 in terms of the most targeted region, with 20%. This suggests that the malicious effort to exploit existing RCE possibilities against vulnerable systems is well underway, and threat actors seem to be turning to Spring4Shell while unpatched systems are still exposed. North America accounts for 11% of Check Point's detected Spring4Shell attacks, while other entities have confirmed active exploitation in the United States. 

Spring4Shell was one of four flaws posted to the US Cybersecurity & Infrastructure Security Agency's (CISA) inventory of vulnerabilities known to be used in actual attacks yesterday. The agency has uncovered evidence of attacks on VMware products, in which the software vendor published security upgrades and alerts. 

Microsoft also released guidelines for detecting and preventing Spring4Shell attacks, as well as a statement that they are already analyzing exploitation attempts. Spring MVC and Spring WebFlux apps operating on JDK 9+ are affected by CVE-2022-22965, hence all Java Spring installations should be considered potential attack vectors. Spring Framework versions 5.3.18 and 5.2.2, as well as Spring Boot 2.5.12, were published by the vendor to address the RCE issue. 

As a result, upgrading to these versions or later is strongly advised. System administrators should also be aware of the remote code execution vulnerabilities in the CVE-2022-22963 and CVE-2022-22947 remote code execution flaws in the Spring Cloud Function and Spring Cloud Gateway. These flaws already have proof-of-concept exploits that are publicly available.

Web Applications Attacks are on the Rise

 

Imperva Research Labs discovered that attacks are increasing by 22% per quarter in a survey of approximately 4.7 million web application-related cyber security incidents. Worryingly, the pace of increase in such attacks has continued to rise, with a 67.9% increase from Q2 2021 to Q3. One of the most noticeable rises was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) assaults, which increased by 271%. RCE / RFI attacks are used by hackers to steal information, compromise servers, or even take over websites and manipulate their content. 

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” said Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones, and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.” 

As a result of the growth in web app attacks, there has been a significant increase in data breaches. Imperva Research Labs discovered earlier this year that online applications are the source of 50% of all data breaches. With the frequency of breaches increasing by 30% each year and the number of records stolen increasing by an astounding 224%, it is anticipated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities expected to be responsible for roughly 20 billion. 

“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva. 

The changing nature of application development is also extremely important. Developments such as the rapid growth of APIs and the shift to cloud-native computing are advantageous to DevOps, but these changes in application architecture and the accompanying increased attack surface are making security teams' tasks much harder, according to Peter. 

During the pandemic, losses from fraud and cybercrime have spiraled out of control, with the National Fraud Intelligence Bureau estimating that over £1.3 billion was lost in the first half of 2021 alone, more than three times the amount lost in the same period in 2020. These estimates indicate that the problem will increase during 2022.

The usual approach of the security team identifying vulnerabilities and the development team correcting them will not work; Dzihanau said that the feedback cycle must be swift and collaborative.

An Attacker Could Take Advantage of a Flaw in WinRAR to Execute Arbitrary Code

 

A new security flaw in the WinRAR trialware file archiver programme for Windows has been discovered, which might be exploited by a remote attacker to execute arbitrary code on targeted systems, highlighting how software flaws can serve as a gateway for a variety of assaults. 

The bug, tracked as CVE-2021-35052, affects the trial version of the software running version 5.70. In a technical write-up, Positive Technologies' Igor Sak-Sakovskiy stated, "This vulnerability allows an attacker to intercept and change requests sent to the user of the application. This can be used to get remote code execution (RCE) on the PC of a victim." 

Before gently urging customers to acquire a license, WinRAR offers a free trial license. The .rar archive, with which it is most closely connected, is not opened by Windows Explorer, hence WinRAR is popular among individuals who need to work with the format, or who just had to download a .rar archive once and required software to open it. 

An investigation into WinRAR began after Sak-Sakovskiy noticed a JavaScript error rendered by MSHTML, a proprietary browser engine for the now-defunct Internet Explorer that is used in Office to render web content inside Word, Excel, and PowerPoint documents, leading to the discovery that the error window is displayed once every three times when the application is launched after the trial period has expired. 

Positive Technologies discovered that by intercepting the response code sent when WinRAR notifies the user about the end of the free trial period via "notifier.rarlab[.]com" and changing it to a "301 Moved Permanently" redirect message, the redirection to an attacker-controlled malicious domain could be cached for all subsequent requests.

An almost two-decades-old flaw was discovered in WinRAR a few years ago, impacting an older file compression format initially developed in the 1990s. Positive Technologies was sanctioned by the US government earlier this year after the US claimed the company had transferred vulnerabilities to Russian state hackers rather than revealing them. The company has categorically disputed these allegations and continues to publish security research. 

Application security expert Sean Wright said of the vulnerability, "Remote Code Execution vulnerabilities should always be taken seriously and handled with a sense of urgency, as the risk they pose is significant. Even so, in the case of WinRAR's vulnerable trial, the likelihood of an attacker being able to successfully exploit the vulnerability in question seems fairly limited, as there are a number of conditions and stages that the victim would need to fulfill before the attacker could achieve RCE."

Severe Remote Code Execution Flaws Discovered in Motorola Halo+ Baby Monitors

 

On Tuesday, Randy Westergren, a cybersecurity expert, published his study on the Motorola Halo+, a popular baby monitor. He revealed two severe flaws in the protocol and remote code execution (RCE) of the Motorola Halo+ that would allow threat actors to hijack the device. 

The Motorola Halo+ comprises an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children that works in Full HD. 

Westergren, engineering director of US financial services company Marlette Funding discovered the flaws when he and his wife were hunting for a suitable monitor for their first child and selected the Motorola Halo+ as their preferred option. 

After securing the device, Westergren started examining its listening services and discovered a pre-authentication RCE security flaw (CVE-2021-3577) and the tools to obtain a full root shell. Examining system logs made it possible to identify the app’s API requests that gather information regarding its usage. 

The researcher also analyzed HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to identify GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized”.

Westergren then injected a reboot payload and used the device to perform the ‘set_city_timezone’ process. His action initiated a reboot, which granted the device shell access. He also discovered a flaw in the execution of MQTT (CVE-2021-3787) – an IoT messaging standard. 

Westergren identified that the client was set up to subscribe to #and $SYS/# by default, lowering Hubble device access control security. “A number of commands result from various devices. Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands,” the researcher noted. 

While the product belongs to Motorola Mobility, its manufacturing unit was acquired by Lenovo in 2014. According to Westergren, after receiving the initial report, Lenovo’s security team has immediately started working on resolving the issues in Motorola Halo.

According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14.

Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug

 

Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP2 streams are handled in the language. 

Node.js is a back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside of a browser. Node.js allows developers to utilise JavaScript to create command-line tools and server-side scripting, which involves running scripts on the server before sending the page to the user's browser. This week, Node.js released patches for CVE-2021-22930, a high-severity use-after-free vulnerability. 

When a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource, it is called a use-after-free vulnerability. In some situations, this might result in data corruption, unexpected behaviours including programme crashes, or even remote code execution (RCE). The changes were included in the most recent Node.js release 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4. (LTS). This flaw was discovered by Eran Levin, who is credited with reporting it. 

"We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned," announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius. 

When Node.js read incoming RST_STREAM frames with no error code or cancel code, the vulnerability was exploited. In HTTP/2 applications, the RST_STREAM frame is issued by the host when it wants to close a connection. In a client-server architecture, for example, a client programme would send a RST_STREAM frame to the server to terminate the connection. When the server receives the frame, it will stop replying to the client and terminate the connection. The server might then discard any "DATA" frames it was about to send to the client.

When a RST_STREAM frame was received by the server with a "cancel" code (nghttp2_cancel) in vulnerable Node.js versions, the receiver would try to "force purge" any data received. After that, an automatic call-back would perform the "close" function a second time, aiming to free up the memory that had already been freed in the previous phase. 

And, as a result of the double-free error, the application might crash or behave erratically. On June 8th, 2021, Matthew Douglass posted a public thread about this issue, which was previously considered of as a "bug" rather than an exploitable vulnerability.

Juniper Bug Allows RCE and DoS Against Carrier Networks

 

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe remote code-execution vulnerability that leaves wireless carrier and fixed operator networks vulnerable to tampering. By centralizing user authentication, giving the proper level of access, and verifying compliance with security standards, telecom carriers utilize the SBR Carrier server to manage policies for how subscribers use their networks. It enables carriers to distinguish service tiers, diversify revenue models, and manage network resources. 

Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California. Routers, switches, network management software, network security solutions, and software-defined networking technology are among the networking products developed and sold by the company. Pradeep Sindhu started the company in 1996, with Scott Kriens serving as the original CEO until September 2008. Juniper Networks began by specializing in core routers, which are used by internet service providers (ISPs) to execute IP address lookups and route internet traffic. 

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the extensible authentication protocol are affected by the bug (CVE-2021-0276). It was on Wednesday, Juniper released a patch. On the CVSS vulnerability-severity rating scale, it gets a 9.8 out of 10. According to Juniper's advisory, it's a stack-based buffer-overflow vulnerability that an attacker can exploit by sending specially designed packets to the platform, causing the RADIUS daemon to crash. This can cause RCE as well as denial-of-service (DoS), which prevents phone subscribers from having a network connection. 

The flaw is one of the dozens that the networking giant patched this week across its carrier and corporate product lines, including multiple high-severity flaws that could be used to launch DoS assaults. Juniper claims that one of these can also be used for RCE. CVE-2021-0277 is an out-of-bounds read vulnerability that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4), as well as Junos OS Evolved (all versions). 

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially designed LLDP frames (l2cpd). On a local area network (usually over wired Ethernet), network devices utilize LLDP to advertise their identification, capabilities, and neighbors. “Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued on Thursday.