
Cisco Fixes a Major Issue in Small Business Routers


Cisco has alerted customers that several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw for which attack code is publicly available. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 stems from improper validation of user input within incoming HTTP packets and could enable an unauthenticated remote attacker to bypass authentication on an affected system. By sending crafted HTTP requests to the router, an attacker could bypass authentication and gain root access to the underlying operating system.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws are independent of one another and do not need to be exploited in tandem. However, chaining an authentication bypass with a remote code execution flaw that requires the attacker to authenticate first would be straightforward.

There are no fixes for the issues, but Cisco says an effective mitigation is to disable remote management on the routers and block access to ports 443 and 60443, so that the routers are reachable only through the LAN interface. Although the routers have been discontinued, researchers found that an installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has reached end of life, providing a fertile target for attackers.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by these flaws still see fairly broad usage, even though they have all reached end of life. Part of the difficulty is that the devices are frequently used by people who may not have the money to replace them, or by smaller firms with limited resources.

Because many users now work from home or in hybrid offices, SMB routers are widely used, so it is not just SMBs that are affected. The susceptible products could be found in branch offices, COEs, or even home offices.



Researchers Find an Akamai WAF Access Point

A researcher bypassed an Akamai web application firewall (WAF) protecting a Spring Boot-based application, a bypass that could result in remote code execution (RCE).

The WAF from Akamai uses adaptive technologies to prevent known online security risks and was modified a few months ago in order to reduce the danger of Distributed Denial-of-Service (DDoS) attacks.

According to security researcher Peter M., better known by the alias 'pmnh', the exploit employed Spring Expression Language (SpEL) injection. Peter M. and fellow researcher Usman Mansha said that Akamai has since corrected the vulnerability, which was not given a CVE number.

"This was the second RCE via SSTI we identified on this program; after the first one, the program added a WAF, which we were able to overcome in a different portion of the application," the GitHub write-up of the Akamai WAF RCE reads.

Access Point for WAF

The most straightforward way to reach the java.lang.Runtime class was through the SpEL reference $T(java.lang.Runtime); however, Akamai's WAF blocked this.

The next step was finding a reference to an arbitrary class, which Peter M., a technical writer, said would enable reflection-based or direct method invocation to reach the desired method.

Peter M. and Mansha constructed an arbitrary java.lang.String and used a reflection mechanism to reach Class.forName, giving them access to the runtime through java.lang.

A second string was built to reach java.lang.Runtime and its Runtime.getRuntime method, allowing an effective RCE payload to be assembled. Because the final payload was under 3 KB, the server accepted it as a GET request.

The WAF was still a difficult obstacle to overcome: finding a way through required more than 14 hours and roughly 500 hand-crafted attempts, according to Peter M. To discourage blatant copycats, the researcher chose not to publish the final payload in text form.


This OpenSSL Flaw Could Lead to Remote Code Execution

 

A high-severity vulnerability in OpenSSL might allow a hostile actor to execute malicious code on server-side devices.

OpenSSL is a widely used encryption library that provides an open source version of the SSL and TLS protocols. It offers tools for, among other things, creating RSA private keys and performing encryption and decryption.  

An advisory indicates that OpenSSL version 3.0.4 introduced a "serious bug" in the RSA implementation for x86_64 CPUs supporting the AVX512IFMA instructions. Because of this flaw (CVE-2022-2274), the RSA implementation with 2048-bit private keys is incorrect, resulting in memory corruption during the computation.

As a result of the memory corruption, an attacker may be able to perform RCE on the system performing the computation, OpenSSL maintainers said. On June 22, 2022, Xi Ruoyao, who also built the patch, reported this problem to OpenSSL. 

This problem affects SSL/TLS servers and other servers that use 2048-bit RSA private keys and run on machines supporting the AVX512IFMA instructions of the x86_64 architecture.

“On a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment,” the advisory reads. 

Users running OpenSSL 3.0.4 should update to OpenSSL 3.0.5. OpenSSL 1.1.1 and 1.0.2 are not affected.
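As an added triage check (not part of the original post or of OpenSSL's own tooling), the following Python script encodes the advisory's exposure conditions so a host can be assessed before an upgrade: exactly version 3.0.4, an x86_64 CPU advertising AVX512IFMA, and use of 2048-bit RSA keys. The live check assumes an `openssl` binary on PATH and a Linux `/proc/cpuinfo`; the sample banner and cpuinfo text are constructed, not captured from a real machine.

```python
import platform
import re
import subprocess

# Only 3.0.4 is named as affected; 3.0.5 carries the fix (1.1.1 and 1.0.2 are untouched).
VULNERABLE_VERSION = (3, 0, 4)

def parse_openssl_version(banner: str):
    """Turn an 'openssl version' banner such as 'OpenSSL 3.0.4 ...' into (3, 0, 4)."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def cpu_has_avx512ifma(cpuinfo_text: str) -> bool:
    """True if the first 'flags' line of /proc/cpuinfo-style text lists avx512ifma."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "avx512ifma" in line.split(":", 1)[1].split()
    return False

def exposed(banner: str, cpuinfo_text: str, machine: str, uses_rsa2048: bool) -> bool:
    """All four advisory conditions must hold for CVE-2022-2274 to apply."""
    return (parse_openssl_version(banner) == VULNERABLE_VERSION
            and machine in ("x86_64", "AMD64")
            and cpu_has_avx512ifma(cpuinfo_text)
            and uses_rsa2048)

def check_local_host(uses_rsa2048: bool = True) -> bool:
    """Live check: assumes 'openssl' on PATH and a Linux /proc/cpuinfo."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        banner = ""
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = ""
    return exposed(banner, cpuinfo, platform.machine(), uses_rsa2048)

# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNER = "OpenSSL 3.0.4 21 Jun 2022"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 avx2 avx512f avx512ifma\n"

if __name__ == "__main__":
    print("sample host exposed:", exposed(SAMPLE_BANNER, SAMPLE_CPUINFO, "x86_64", True))
    print("this host exposed:  ", check_local_host())
```

Whether a server actually uses 2048-bit RSA keys is site specific, so that condition is passed in by the caller rather than detected.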

Pascom Cloud Phone System for Businesses Contains Severe RCE Flaws

 

Pascom's Cloud Phone System can be completely compromised through a combination of three distinct vulnerabilities discovered by security researchers. Daniel Eshetu of Ethiopian infosec firm Kerbit chained a trio of less critical security issues to gain full pre-authentication remote code execution (RCE) on the business-focused Voice over IP (VoIP) and general communication platform.

The three components of the successful exploit were a path traversal vulnerability, a server-side request forgery (SSRF) flaw in a third-party component, and a post-authentication RCE flaw.

The Pascom Cloud Phone Software is a complete collaboration and communication solution which enables enterprises to host and build up private telephone networks across several platforms, as well as manage, maintain, and upgrade virtual phone systems. 

According to the company's LinkedIn, "Pascom, which was founded in 1997 and is the creator of the unique pascom IP phone system software, has over 20 years of expertise providing custom VoIP telecommunications and network infrastructure solutions. By offering organizations a unique, highly professional software-based IP PBX solution, our VoIP phone systems help them add value to the communications."

The three flaws are an arbitrary path traversal in the web interface, a server-side request forgery (SSRF) owing to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection via a daemon service ("exd.pl").

  • The SSRF issue was caused by an out-of-date Openfire (XMPP server) jar that was vulnerable to CVE-2021-45967. This is related to CVE-2019-18394, a vulnerability in Openfire that was found three years ago.
  • XMPP is an open communication protocol that handles instant messaging, presence, and contact list functions.
  • The last flaw was command injection in a scheduled task (CVE-2021-45966).

Put another way, the vulnerabilities can be chained to reach non-exposed endpoints by sending arbitrary GET requests, obtain the administrator password, and then use that password to gain remote code execution via the scheduled job.

"This provides users full control of the device and an easy means to escalate privileges," Daniel Eshetu said, adding that the attack chain may be used "to execute commands as root." The issues were reported to Pascom on January 3, 2022, and patches were released as a result. Customers who host CPS should update to the most recent version (pascom Server 19.21) as soon as possible to avoid any potential dangers.

Last Year, Brute-Forcing Passwords and ProxyLogon Exploits Were Among the Most Common Attack Vectors

 

Last year, brute-forcing passwords and exploiting ProxyLogon vulnerabilities against Microsoft Exchange Server were among the most prominent attack methods. According to ESET's T3 Threat Report, which covers September to December 2021, supply chain attacks increased over 2020, but the year 2021 was marked above all by the continuous discovery of zero-day vulnerabilities potent enough to wreak havoc on enterprise systems. The discovery of zero-day flaws in Exchange Server, as well as Microsoft's emergency patches to address on-premises issues, haunted IT admins well into the year.

The end of the year was similarly tumultuous in terms of RDP attacks, which grew in severity throughout 2020 and 2021. Although 2021 was no longer marked by the chaos of freshly imposed lockdowns and rushed migrations to remote work, the data from the final weeks of T3 2021 eclipsed all prior records, amounting to a remarkable yearly surge of 897% in total attack attempts thwarted. The only positive news from the RDP attack front is that the number of targets has been gradually decreasing, although the rampage does not appear to be coming to a stop anytime soon.

Ransomware, previously described as "more aggressive than ever" in the Q4 2020 Threat Report, outperformed the worst predictions in 2021, with attacks on critical infrastructure, outrageous ransom demands, and over US$5 billion in bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone. 

However, the pressure from the opposing side has been increasing as well, as evidenced by increased law enforcement efforts against ransomware and other cybercriminal endeavors. While the intensive crackdown prompted numerous gangs to quit the scene – even providing decryption keys – it appears that other attackers are becoming even more daring: T3 saw the biggest ransom demand yet, US$240 million, tripling the prior report's figure. 

The repercussions of a critical vulnerability in Log4j were also discovered in the last four months of 2021. The remote code execution (RCE) flaw in Log4j, tracked as CVE-2021-44228, received a CVSS severity level of 10.0, sending organizations scrambling to repair the problem. Threat actors immediately began attempting to exploit the flaw.

Despite the fact that the vulnerability was only made public in the last three weeks of 2021, ESET has classified CVE-2021-44228 as one of the top five attack vectors of the year. 

According to the study, Android banking malware grew significantly, up 428% in 2021 compared to 2020. According to ESET, infection rates connected with Android banking Trojans including SharkBot, Anatsa, Vultur, and BRATA have now surpassed adware levels.

Servers for Dark Souls 3 Have Been Shut Down Due to a Critical RCE Bug

 

Bandai Namco has halted the Dark Souls role-playing game's online PvP feature, bringing its servers offline to investigate claims of a major security issue that may endanger players. According to Reddit user reports, the vulnerability is a remote code execution (RCE) vulnerability that might allow attackers to take control of the system, giving them access to sensitive information, allowing them to plant malware, or use resources for cryptocurrency mining. 

According to the reports, the exploit is currently being disseminated, and it may also work against Elden Ring, an upcoming Bandai Namco title. On Saturday, a Discord post clarified that the game developer received details about the RCE vulnerability via a responsible disclosure report directly from the individual who identified it. Bandai Namco is said to have ignored the report, but considering the gravity of the flaw, the reporter chose to demonstrate it on popular streamers to raise awareness and illustrate how critical it is.

The exploit was demonstrated on the Twitch stream of a player named The Grim Sleeper. An unknown entity launched a PowerShell script on the streamer's PC, which used the Windows Narrator engine to read out crucial notes about the gameplay. 

"For example, the creator of the exploit has already shared information about the vulnerability with the developers of the Blue Sentinel plugin, a mod for Dark Souls designed to counteract cheats. And one can only guess who else could get this information," researchers wrote. "Also, once demonstrated, other hackers may try to replicate the exploit and use it to cause real harm to players," researchers continued. "There are various possible scenarios here: attackers can use it to steal passwords from game accounts or crypto-wallets, install good old ransomware, hidden miners and much more." 

According to Saryu Nayyar, CEO and Founder of Gurucul, this attack highlights the vulnerability of remote workers accessing corporate resources via home networks and personal devices. Because gaming systems sit on the same home network as devices connected to the corporate network, malware can simply migrate from the home to a much larger operation, she explained.

That is why, she adds, it is vital for security teams to understand how users use network resources and to incorporate that knowledge into an evaluation of the risks and severity associated with attack campaigns. RCE vulnerabilities are not new, but they are hazardous when no one is aware of them, according to Jorge Orchilles, CTO of SCYTHE.

This NPM Package with Millions of Weekly Downloads Patched an RCE Flaw

 

A critical remote code execution (RCE) flaw has been fixed in the popular NPM package "pac-resolver." 

Developer Tim Perry discovered the vulnerability in the pac-resolver dependency, which could have enabled an attacker on a local network to run malicious code within a Node.js process whenever the application sent an HTTP request. Node.js is the prominent JavaScript runtime for running web applications written in JavaScript.

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js," explains Perry.

According to Perry, PAC, or "Proxy Auto-Config," files are JavaScript files that distribute sophisticated proxy rules telling an HTTP client which proxy to use for a particular hostname. They are often delivered insecurely over HTTP rather than HTTPS, from both local network servers and remote servers.

Proxy-Agent is utilised in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK, and Google's Firebase CLI, so the issue is widespread.

As stated by Perry, the package receives three million downloads each week and has 285,000 public dependent repos on GitHub. 

The vulnerability, identified last week and assigned CVE-2021-23406, has been addressed in the v5.0.0 releases of all of those packages, which means many Node.js developers will have to update to version 5.0.0.

Anyone using pac-resolver versions prior to 5.0.0 is affected if they do any of the following:
  • Explicitly use PAC files for proxy configuration
  • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn't 100% trust to freely run code on your computer.

Perry added, "In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration."
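Because pac-resolver is almost always pulled in transitively through pac-proxy-agent and proxy-agent, the practical question for a team is whether any copy below the 5.0.0 fix is pinned somewhere in a project's lockfile. The following Python script is an added example (not part of the original post or of the pac-resolver project) that walks an npm package-lock.json in both the lockfileVersion 1 nested layout and the v2/v3 flat layout and reports every pre-5.0.0 install of the three packages; the sample lockfile fragment is constructed.

```python
import json
import re
import sys
# The post says the fix shipped in the 5.0.0 releases of all three packages.
WATCHED = {"pac-resolver", "pac-proxy-agent", "proxy-agent"}
FIXED = (5, 0, 0)

def parse_semver(version: str):
    """'4.2.0' -> (4, 2, 0); prerelease/build suffixes are ignored, junk -> None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def _is_old(version: str) -> bool:
    v = parse_semver(version)
    return v is not None and v < FIXED

def vulnerable_entries(lock: dict):
    """Sorted (name, version) pairs for watched packages installed below 5.0.0."""
    found = set()
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED and _is_old(meta.get("version", "")):
            found.add((name, meta["version"]))
    # lockfileVersion 1: nested "dependencies" trees, walked iteratively.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if name in WATCHED and _is_old(meta.get("version", "")):
                found.add((name, meta["version"]))
            if isinstance(meta.get("dependencies"), dict):
                stack.append(meta["dependencies"])
    return sorted(found)

# Constructed lockfile fragment (not a real project): a pre-fix pac-resolver
# pulled in transitively through proxy-agent 4.x.
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "proxy-agent": {"version": "4.0.1", "dependencies": {
            "pac-proxy-agent": {"version": "4.1.0", "dependencies": {
                "pac-resolver": {"version": "4.2.0"}}}}},
    },
}

if __name__ == "__main__":
    # Pass a package-lock.json path to scan a real project; otherwise use the sample.
    lock = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in vulnerable_entries(lock):
        print(f"{name}@{version} predates the 5.0.0 fix; upgrade it")
```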