
Critical Command Injection Vulnerability Found in Aviatrix Network Controller (CVE-2024-50603)

Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.

The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).

Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.
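To make the distinction between the sanitized and unsanitized parameters concrete, here is an added example (not Aviatrix code) that models the vulnerable pattern, escaping alone, and an allowlist-plus-escaping handler, together with a tokenizer that shows how a shell would read each command line. Assumptions: the Controller API is PHP and uses escapeshellarg, for which this Python model substitutes shlex.quote; the command template, function names and request values are hypothetical, and nothing here is passed to a real shell.

```python
"""Added example (not Aviatrix code): why an unescaped shell argument is
dangerous and how a hardened handler treats the same request.

Assumptions: the Controller API is PHP and uses escapeshellarg; this Python
model uses shlex.quote for the same job. The command template, the function
names and the request values are hypothetical, and nothing here is executed
by a shell; the model only shows how a shell would tokenize each command."""
import re
import shlex

# Constructed request, not a real capture: cloud_type carries a shell
# metacharacter sequence of the kind the advisory describes.
CONSTRUCTED_REQUEST = {
    "action": "list_flightpath_destination_instances",
    "cloud_type": "1; id",
}
BENIGN_REQUEST = {
    "action": "list_flightpath_destination_instances",
    "cloud_type": "4",
}

COMMAND_TEMPLATE = "/opt/flightpath-tool --cloud-type="  # hypothetical


def build_command_unsafe(params):
    """Vulnerable pattern: the parameter is concatenated straight into the
    command line, so metacharacters in it become shell syntax."""
    return COMMAND_TEMPLATE + params["cloud_type"]


def build_command_quoted(params):
    """Escaping alone: shlex.quote (escapeshellarg in PHP) wraps the value so
    the shell passes it through as one argument, whatever it contains."""
    return COMMAND_TEMPLATE + shlex.quote(params["cloud_type"])


def build_command_hardened(params):
    """Defence in depth: allowlist the expected shape first (cloud_type is a
    small numeric identifier in this model), then quote what survives."""
    cloud_type = params["cloud_type"]
    if not re.fullmatch(r"[0-9]{1,3}", cloud_type):
        raise ValueError("cloud_type rejected: %r" % cloud_type)
    return COMMAND_TEMPLATE + shlex.quote(cloud_type)


def shell_words(command):
    """Tokenize a command line the way a POSIX shell would, with ';', '|' and
    '&' as separate tokens, so an injected command shows up as extra words
    instead of staying hidden inside one argument."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def looks_injected(command):
    """Review-time check: a legitimate command built from the template is
    exactly two words; a shell operator or an extra word means the input
    leaked into shell syntax."""
    words = shell_words(command)
    operators = {";", "|", "&", "&&", "||"}
    return len(words) != 2 or any(w in operators for w in words)
```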


In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
  • Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
  • Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
  • Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.

Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.

Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.

Recommended actions for organizations include:
  • Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
  • Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
  • Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.

Lessons in Proactive Security

This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.

The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 
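The empty-hash case in CVE-2024-10781 is easy to reproduce in a model. The following is an added example, not CleanTalk's code: a flawed token check that derives the expected token from whatever API key is stored, and a hardened check that refuses remote calls while no key is configured. The hash function (md5), the option name and the sample key are assumptions; the post does not state them.

```python
"""Added example, not CleanTalk code: a model of the token check described
for CVE-2024-10781 and a hardened version.

Assumptions (the post does not give these details): the remote-call token is
compared with a hash of the site's API key, the hash is md5, and the option
name 'cleantalk_api_key' is hypothetical."""
import hashlib
import hmac

# Constructed site options: one site never configured an API key, so the
# stored value is the empty string.
SITE_WITH_KEY = {"cleantalk_api_key": "example-key-not-real"}
SITE_WITHOUT_KEY = {"cleantalk_api_key": ""}


def expected_token(api_key):
    """Token the remote caller is expected to present (assumed scheme)."""
    return hashlib.md5(api_key.encode()).hexdigest()


def authorize_flawed(site, presented_token):
    """Flawed check: with no API key set, the stored key is '' and the
    expected token becomes md5(''), a public constant, so the comparison
    succeeds for anyone who sends that constant."""
    return presented_token == expected_token(site.get("cleantalk_api_key", ""))


def authorize_hardened(site, presented_token):
    """Hardened check: an unconfigured key means remote calls were never set
    up, so fail closed; otherwise compare in constant time."""
    api_key = site.get("cleantalk_api_key", "")
    if not api_key:
        return False
    return hmac.compare_digest(presented_token, expected_token(api_key))


# The token an unconfigured site would accept under the flawed check.
EMPTY_HASH_TOKEN = hashlib.md5(b"").hexdigest()


def audit_site(site):
    """Operational check for administrators: report whether a site is in the
    state the flawed check gets wrong (remote calls reachable, no key set)."""
    return "no API key configured" if not site.get("cleantalk_api_key") else "ok"
```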

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.

Managing LLM Security Risks in Enterprises: Preventing Insider Threats

Large language models (LLMs) are transforming enterprise automation and efficiency but come with significant security risks. These AI models, which lack critical thinking, can be manipulated to disclose sensitive data or even trigger actions within integrated business systems. Jailbreaking LLMs can lead to unauthorized access, phishing, and remote code execution vulnerabilities. Mitigating these risks requires strict security protocols, such as enforcing least privilege, limiting LLM actions, and sanitizing input and output data. LLMs in corporate environments pose threats because they can be tricked into sharing sensitive information or be used to trigger harmful actions within systems. 

Unlike traditional tools, their intelligent, responsive nature can be exploited through jailbreaking—altering the model’s behavior with crafted prompts. For instance, LLMs integrated with a company’s financial system could be compromised, leading to data manipulation, phishing attacks, or broader security vulnerabilities such as remote code execution. The severity of these risks grows when LLMs are deeply integrated into essential business operations, expanding potential attack vectors. In some cases, threats like remote code execution (RCE) can be facilitated by LLMs, allowing hackers to exploit weaknesses in frameworks like LangChain. This not only threatens sensitive data but can also lead to significant business harm, from financial document manipulation to broader lateral movement within a company’s systems.  

Although some content-filtering and guardrails exist, the black-box nature of LLMs makes specific vulnerabilities challenging to detect and fix through traditional patching. Meta’s Llama Guard and other similar tools provide external solutions, but a more comprehensive approach is needed to address the underlying risks posed by LLMs. To mitigate the risks, companies should enforce strict security measures. This includes applying the principle of least privilege—restricting LLM access and functionality to the minimum necessary for specific tasks—and avoiding reliance on LLMs as a security perimeter. 

Organizations should also ensure that input data is sanitized and validate all outputs for potential threats like cross-site scripting (XSS) attacks. Another important measure is limiting the actions that LLMs can perform, preventing them from mimicking end-users or executing actions outside their intended purpose. For cases where LLMs are used to run code, employing a sandbox environment can help isolate the system and protect sensitive data. 

While LLMs bring incredible potential to enterprises, their integration into critical systems must be carefully managed. Organizations need to implement robust security measures, from limiting access privileges to scrutinizing training data and ensuring that sensitive data is protected. This strategic approach will help mitigate the risks associated with LLMs and reduce the chance of exploitation by malicious actors.

Apache Addresses Severe RCE Vulnerability in OFBiz with an Urgent Patch

In a recent release, the Apache OFBiz developers have shipped a patch for a new critical flaw in the software that can be exploited by unauthenticated attackers to execute arbitrary code on the server. Since attackers are likely to exploit this vulnerability in real-world attacks, users are advised to deploy the patch as soon as possible.

The vulnerability, identified as CVE-2024-45195 (CVSS score: 7.5), affects Apache OFBiz, a popular open-source enterprise resource planning (ERP) system. Apache OFBiz® from the Apache Software Foundation consists of a business process automation framework together with framework components and applications for enterprise process automation.

The vulnerability is a Direct Request ('Forced Browsing') weakness in Apache OFBiz, and all versions of the software before 18.12.16 are affected. It is the latest in a sequence of related vulnerabilities, CVE-2024-32113, CVE-2024-36104 and CVE-2024-38856, that the project maintainers had already addressed over the preceding months.

CVE-2024-32113 and CVE-2024-38856 both appear to be actively and extensively exploited in the wild, the former to distribute the Mirai botnet malware. According to Rapid7, the underlying cause, the ability to desynchronize the controller state from the view map state, was never completely resolved by any of the earlier patches, and it is what led to all three of the earlier shortcomings.

Attackers may be able to exploit the vulnerability to execute code and SQL queries remotely without authentication. The latest patch validates that a view allows anonymous access when the user is not authenticated, rather than performing authorization checks solely based on the target controller. CVE-2024-38856 and CVE-2024-32113 are critical vulnerabilities that have been actively targeted by attackers in the past few months.

The Cybersecurity and Infrastructure Security Agency (CISA) added them to its catalogue of Known Exploited Vulnerabilities in August. It has been suggested that companies can have a hard time resolving the underlying causes of vulnerabilities because of their size, and it is sometimes difficult to judge whether a patch is effective until several researchers have tried to bypass it. Rapid7, which identified and reported the vulnerability, suggests that the three security defects are essentially the same bug because they stem from the same source code.

In a report published in early May, CVE-2024-32113 was described as an issue in which a malicious user could navigate through an unauthenticated controller and interact with an authenticated view map, gaining access to an admin-only view map or executing SQL commands through it. Exploitation attempts were observed in July.

A second vulnerability, CVE-2024-36104, disclosed in early June, was also described as a path traversal vulnerability; it involved multiple issues with the URI, including semicolons and URL-encoded periods that needed to be stripped. In early August, Apache drew attention to a vulnerability referred to as CVE-2024-38856.

It was described as a security flaw that could allow code execution due to incorrect authorization. CISA, the United States cyber defense agency, announced that the bug had been added to its list of Known Exploited Vulnerabilities (KEV) towards the end of August. Rapid7 said that all three issues are the result of controller-view map state fragmentation, which can occur when an application begins receiving URI patterns that it does not expect.

Assuming the root cause of the three vulnerabilities is the same, CVE-2024-38856 works on systems affected by CVE-2024-32113 and CVE-2024-36104, "since the payload for all three vulnerabilities is the same". The CVE-2024-32113 OFBiz vulnerability (patched in May) was being exploited in attacks by hacker groups just days after SonicWall researchers published detailed technical information on CVE-2024-38856, a pre-authentication RCE bug.

CISA issued a warning regarding this CVE in early August. In addition to adding the two security bugs to its catalogue of actively exploited vulnerabilities, CISA announced that federal agencies must patch their servers as soon as possible, within the three-week deadline mandated by Binding Operational Directive BOD 22-01, issued in November 2021.

Even though BOD 22-01 only applies to Federal Civilian Executive Branch (FCEB) agencies, CISA is urging all organizations to patch these security flaws immediately to prevent attacks against their networks. In December, a public proof-of-concept exploit for the OFBiz pre-authentication remote code execution vulnerability CVE-2023-49070 was used to identify Confluence servers that were vulnerable to the exploit.

Having discovered a new view map to abuse, called XmlDsDump, the researcher Emmons could query the underlying database for any data available and then write the results to any file, anywhere on the disk, without restriction.

The data exposed this way could include the hashed passwords of users defined in the system, which could then be cracked to recover the passwords. The researcher took this one step further by combining it with a script already present in the system, ViewDataFile.groovy, which could write files to disk from requests, and used it to build a web shell that enabled remote code execution on the server.

In response to this flaw, the OFBiz developers produced a more comprehensive fix that no longer relies only on the non-centralized authorization checks on view maps but also takes into account the non-centralized authorization checks for the view maps' target controllers.
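The controller-versus-view authorization decision described above can be modelled in a few lines. The following is an added example, not Apache OFBiz code: a hypothetical resolver in which an unexpected two-segment URI pairs an anonymous controller with an admin-only view (the state fragmentation Rapid7 describes), a check that consults only the controller, and a fixed check that requires both the controller and the resolved view to permit anonymous access. Entry names and policies are constructed for the demonstration.

```python
"""Added example, not Apache OFBiz code: a toy model of the authorization
logic that the fix described above changes.

The model is hypothetical. A request URI resolves to a controller entry and
a view-map entry; for the URI shapes the application expects they refer to
the same thing, but an unexpected two-segment URI can pair an anonymous
controller with an admin-only view. Entry names and policies are constructed."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Controller:
    name: str
    requires_auth: bool


@dataclass(frozen=True)
class ViewMap:
    name: str
    allow_anonymous: bool


# Constructed tables for the model (not real OFBiz entries).
CONTROLLERS = {
    "publicForm": Controller("publicForm", requires_auth=False),
    "adminPanel": Controller("adminPanel", requires_auth=True),
}
VIEW_MAPS = {
    "publicForm": ViewMap("publicForm", allow_anonymous=True),
    "adminOnlyView": ViewMap("adminOnlyView", allow_anonymous=False),
}


def resolve(uri: str) -> Tuple[str, str]:
    """Model of the fragmentation: the controller comes from the first path
    segment and the view from the last. Expected URIs have one segment, so
    both agree; an unexpected 'a/b' URI makes them disagree."""
    segments = [s for s in uri.strip("/").split("/") if s]
    if not segments:
        raise ValueError("empty request path")
    return segments[0], segments[-1]


def authorize_controller_only(uri: str, authenticated: bool) -> bool:
    """Earlier behaviour in the model: the decision is made from the named
    controller alone; the view that will actually render is not consulted."""
    controller_name, _view_name = resolve(uri)
    return authenticated or not CONTROLLERS[controller_name].requires_auth


def authorize_controller_and_view(uri: str, authenticated: bool) -> bool:
    """Fixed behaviour: an unauthenticated request must be permitted by both
    the controller and the resolved view; either one can refuse, and an
    unknown entry fails closed."""
    controller_name, view_name = resolve(uri)
    ctrl = CONTROLLERS.get(controller_name)
    view = VIEW_MAPS.get(view_name)
    if ctrl is None or view is None:
        return False
    if authenticated:
        return True
    return (not ctrl.requires_auth) and view.allow_anonymous
```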

Major Security Flaw Discovered in Popular Cloud Logging Tool

Researchers at Tenable have identified a severe memory corruption vulnerability in Fluent Bit, an open-source logging utility integral to major cloud services. With over 3 billion downloads as of 2022 and an additional 10 million deployments daily, Fluent Bit is a cornerstone of cloud infrastructure used by prominent organisations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and cloud giants like AWS, Microsoft, and Google Cloud.

The issue, dubbed "Linguistic Lumberjack" by Tenable, stems from how Fluent Bit's embedded HTTP server handles trace requests. The vulnerability can be exploited to cause denial of service (DoS), data leaks, or even remote code execution (RCE) in cloud environments.

"While vulnerabilities in major cloud providers like Azure, AWS, and GCP grab headlines, it's crucial to scrutinise the underlying technologies these services rely on," says Jimi Sebree, senior staff research engineer at Tenable. "Critical components like Fluent Bit, which are embedded in many cloud services, pose significant risks if compromised."

Tenable's researchers stumbled upon this flaw while investigating another security issue in a cloud service. They discovered they could access various internal metrics and logging endpoints of the cloud service provider, which included Fluent Bit instances. This cross-tenant data leakage revealed a more profound problem.

The vulnerability lies in the /api/v1/traces endpoint of Fluent Bit's monitoring API. The service fails to validate data types properly, allowing attackers to input non-string values that cause memory corruption. By manipulating these inputs, attackers can crash the service and leak sensitive data. Although exploiting this for RCE would require sophisticated, targeted efforts, the potential for harm remains high.

The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323, with critical CVSS scores exceeding 9.5 out of 10. After reporting the issue on April 30, Fluent Bit's developers promptly addressed it by validating input data types in the problematic endpoint. The fix was implemented in the project's main branch on GitHub by May 15.

Organisations using Fluent Bit are strongly advised to update their software to the latest version immediately. Alternatively, administrators should review and restrict access to Fluent Bit's monitoring API to authorised users only, or disable it entirely if feasible.

The discovery of this vulnerability accentuates the importance of scrutinising not just the cloud services themselves but also the foundational technologies they depend on. Ensuring the security of tools like Fluent Bit is vital for maintaining the integrity of cloud environments across industries.



Microsoft Discovers BlackCat's Sphynx Ransomware Exploiting Impacket & RemCom

A new strain of ransomware known as BlackCat's Sphynx has recently been discovered by cybersecurity researchers at Microsoft. It has gained notice because it incorporates advanced hacking tools like Impacket and RemCom. This finding highlights the increasing sophistication and power of current ransomware attacks, creating concerns for both individuals and companies.

Impacket, an open-source collection of Python classes, enables the manipulation of network protocols and facilitates the creation of network-aware tools. It has legitimate uses in areas like network testing and penetration testing but can be weaponized by threat actors to infiltrate systems. RemCom, on the other hand, is a tool that grants remote access and control over compromised systems, allowing hackers to execute arbitrary commands.

Microsoft's analysis reveals that BlackCat's Sphynx leverages these tools to infiltrate networks, escalate privileges, and finally deploy ransomware to encrypt victims' data. The combination of these powerful tools amplifies the threat potential, as it grants attackers multiple avenues to compromise systems and ensure the success of their ransom demands.

The implications of this discovery extend beyond the immediate threat posed by BlackCat's Sphynx ransomware. The integration of well-established tools like Impacket and RemCom indicates an evolution in the tactics and techniques employed by ransomware operators. This also highlights the importance of organizations and individuals staying updated on the latest cybersecurity threats and fortifying their defenses against emerging attack vectors.

As ransomware attacks continue to surge and become increasingly sophisticated, cybersecurity experts stress the significance of a multi-layered defense strategy. Regularly updating software, educating users about phishing and social engineering tactics, and implementing robust network segmentation are among the recommended measures to minimize the risk of falling victim to such attacks.


Microsoft Confirms Zero Day Exploits, Prompts Users to Update


This week Microsoft confirmed around 132 security vulnerabilities in its product lines, including a total of six zero-day flaws that are currently being actively exploited. Because of this, security professionals advise Windows users to update right away.

One of these zero-day vulnerabilities is a remote code execution (RCE) flaw affecting Windows HTML and Microsoft Office. Despite this being a Patch Tuesday rollout, Microsoft has surprisingly not yet released a patch for CVE-2023-36884, opting instead to provide configuration mitigations. Microsoft has connected the exploitation of this vulnerability to the Russian cybercrime group RomCom, which is suspected of acting in the interests of Russian intelligence.

According to Rapid7 vulnerability risk management specialist Adam Barnett, the RomCom gang has also been linked to ransomware attacks directed at a variety of targets. Given the number of vulnerabilities and the multiple zero-days, more security experts are raising concerns and urging Windows users to install the updates promptly. The Microsoft Security Update Guide contains the comprehensive list of vulnerabilities fixed by the most recent Patch Tuesday release; security professionals have, however, drawn attention to some of the more important ones.

CVE-2023-36884 

According to Microsoft, it is “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

While this vulnerability remains unpatched, Microsoft says it will “take the appropriate action to help protect our customers” once its investigation is complete. Speculation suggests that this will happen via an out-of-band security update rather than leaving an actively exploited zero-day unpatched until next month’s Patch Tuesday rollout. In the meantime, Microsoft directs users to a threat intelligence blog article that offers workaround mitigations.

CVE-2023-32046 

This flaw is a Windows MSHTML platform elevation of privilege vulnerability that is being exploited. The zero-day affects the MSHTML core Windows component, which is used to render content such as HTML.

According to Kev Breen, director of cyber threat research at Immersive Labs, “This is not limited to browsers.” He warns, “other applications like Office, Outlook, and Skype also make use of this component.” The attack vectors would likely include the usual suspects: a malicious document attached to an email, or a malicious website or web page. “This vulnerability would likely be used as an initial infection vector[…]allowing the attacker to gain code execution in the context of the user clicking the link or opening the document,” says Breen.

Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign

A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software was used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI.

The security flaw, tracked as CVE-2022-31199, affects the Netwrix Auditor server and the agents installed on monitored network systems, and lets unauthorised attackers run malicious code with the privileges of the SYSTEM user.

Since December 2022, TA505 hackers (connected with the FIN11 organisation) have exploited TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks. 

After installing TrueBot on compromised networks, the hackers install the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with the TA505 group and allows them to escalate privileges and establish persistence on the compromised systems. 

Hackers will also deploy Cobalt Strike beacons hours after the initial breach, which might potentially be exploited to perform various post-exploitation tasks such as data theft and delivering other malware payloads such as ransomware. 

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."

Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.

Following the guidelines laid out in the joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.

If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.