Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Security Patch. Show all posts

New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats

 

Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in huge ransomware assaults. Organisations are recommended to quickly investigate their environments for these vulnerabilities and apply the relevant fixes and mitigations. 

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 indicates an improper access control flaw within the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. This vulnerability has piqued the interest of managed security organisations such as Arctic Wolf, who report that ransomware gangs such as Fog and Akira are exploiting it in SSL VPN setups to breach networks. 

CVE-2024-9264: Grafana labs 

The 9.4-rated vulnerability, CVE-2024-9264, affects Grafana Labs' open-source analytics and monitoring platform's SQL Expressions capability. This flaw allows for command injection and local file inclusion since user input in 'duckdb' queries is not properly sanitised. 

CVE-2024-46483: Xlight FTP server

This critical integer overflow bug impacts the Xlight FTP Server, allowing hackers to exploit packet parsing logic and cause heap overflows. With the accessibility of public Proof of Concepts (PoCs), this vulnerability could be used in a variety of attack tactics. 

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.

Unofficial Patches Published for New Windows Themes Zero-Day Exploit

 

Free unofficial fixes are now available for a new zero-day flaw in Windows Themes that allows hackers to remotely harvest a target's NTLM credentials.

NTLM has been extensively exploited in NTLM relay attacks, in which threat actors force susceptible network devices to authenticate against servers under their control, and in pass-the-hash attacks, in which attackers exploit system vulnerabilities or deploy malicious software to steal NTLM hashes (hash passwords) from target systems. 

Once they acquire the hash, the attackers can impersonate the affected user, gaining access to sensitive data and expanding laterally throughout the now-compromised network. Microsoft indicated a year ago that it will drop the NTLM authentication technology in Windows 11. 

ACROS security experts uncovered the new Windows Themes zero-day (which has yet to be assigned a CVE ID) while working on a micropatch for a flaw tracked as CVE-2024-38030 that might reveal a user's credentials (reported by Akamai's Tomer Peled), which was itself a workaround for another Windows Themes spoofing vulnerability (CVE-2024-21320) fixed by Microsoft in January. 

According to Peled, "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such a theme file would be viewed in Windows Explorer.”

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek stated. 

Even though Microsoft fixed CVE-2024-38030 in July, ACROS Security discovered another vulnerability that attackers may use to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. 

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added. 

The firm is now offering free and unofficial security updates for this zero-day flaw via its 0patch micropatching service for all affected Windows versions until official patches from Microsoft are available, which have already been applied to all online Windows systems running the company's 0patch agent.

To install the micropatch on your Windows device, first create a 0patch account and then install the 0patch Agent. If no specific patching policy prevents it, the micropatch will be applied immediately without the need for a system restart once the agent is activated. 

However, it is crucial to remember that in this case, 0patch only delivers micropatches for Windows Workstation, as Windows Themes does not work on Windows Server until the Desktop Experience feature is deployed.

OpenStack Ironic Users Advised to Patch Critical Security Vulnerability

 

OpenStack's Ironic project, which is used for provisioning bare metal machines, has been identified with a critical security flaw (CVE-2024-44082) that allows authenticated users to exploit unvalidated image data. This vulnerability impacts multiple versions of Ironic and the Ironic-Python-Agent (IPA), potentially leading to unauthorized access to sensitive information due to improper handling of images processed by qemu-img.

The flaw was discovered by security experts Dan Smith and Julia Kreger of Red Hat, and Jay Faulkner of G-Research. It originates from the lack of validation for image data passed to qemu-img during processing. Authenticated attackers could leverage a specially crafted image to trigger unintended actions, potentially exposing sensitive data.

Affected versions include:

Ironic: Versions prior to 21.4.3, between 22.0.0 and 23.0.2, from 23.1.0 to 24.1.2, and between 25.0.0 and 26.0.1.

Ironic-Python-Agent: Versions before 9.4.2, between 9.5.0 and 9.7.1, from 9.8.0 to 9.11.1, and between 9.12.0 and 9.13.1.

To mitigate the CVE-2024-44082 vulnerability, OpenStack has issued patches for all maintained branches of Ironic and Ironic-Python-Agent, from the Dalmatian development branch to Antelope. These updates include code changes that validate images before passing them to qemu-img, preventing malicious images from executing unauthorized actions.

In cases where the Ironic-Python-Agent cannot be updated, administrators can enable the configuration option `[conductor]conductor_always_validates_images`, which forces all image downloads to be validated through the Ironic conductor. However, this option may lead to performance issues in high-traffic environments.

As part of the remediation, administrators should clear cached images by stopping the Ironic conductor and deleting files from the `[pxe]instance_master_path` directory.

Additionally, a new configuration option `[conductor]permitted_image_formats` has been introduced to restrict the accepted image formats. By default, only raw and qcow2 formats are allowed, as these are the only formats tested and supported by Ironic. Expanding this list is possible but not recommended due to potential security vulnerabilities.

It's crucial to note that the Ironic project does not support using ironic-lib for non-Ironic purposes. Independent use of ironic-lib could expose users to this vulnerability. The Ironic project plans to remove the vulnerable methods from ironic-lib in future releases.

Cisco Firepower Management Center Impacted By a High-Severity Vulnerability

 

Cisco addressed a flaw in the web-based management interface of the Firepower Management Centre (FMC) Software, identified as CVE-2024-20360 (CVSS score 8.8). 

The vulnerability is a SQL injection bug; an intruder can use it to acquire any data from the database, run arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can only exploit this flaw if they have at least Read Only user privileges. 

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system.” 

“A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials,” the advisory adds. 

According to Cisco, there isn't a fix for this vulnerability. The IT giant confirmed that neither Firepower Threat Defence (FTD) nor Adaptive Security Appliance (ASA) software is impacted by this security vulnerability. The attacks that are taking advantage of this vulnerability in the wild are unknown to the Cisco Product Security Incident Response Team (PSIRT). 

Security patch 

Cisco has published free software upgrades to address the vulnerability stated in the advisory. Customers with service contracts that include regular software updates should receive security fixes through their usual update channels. Customers can only install and get support for software versions and feature sets for which they have acquired a licence. Customers agree to abide by the terms and conditions of the Cisco software licence while installing, downloading, accessing, or using such software upgrades. 

Furthermore, customers may only download software for which they have a valid licence, either directly from Cisco or through a Cisco authorised reseller or partner. In most cases, this will be a maintenance upgrade for already purchased software. Customers that receive free security software updates are not entitled to a new software licence, additional software feature sets, or significant revision upgrades.

Lazarus Hackers Target Microsoft IIS Servers to Propagate Malware

The infamous Lazarus hacker collective has reappeared in a recent wave of cyberattacks, using a cunning plan to spread malware through infected Microsoft Internet Information Services (IIS) servers. Cybersecurity professionals are actively watching the situation to reduce any hazards as a result of the attacks, which have caused them great anxiety.

The Lazarus hackers, according to reports from SC Magazine and Bleeping Computer, have successfully taken control of a number of Microsoft IIS servers and are using their ability to spread malicious malware across different networks to their advantage. The spread of the hackers' virus appears to be their main objective, which presents a serious risk to companies and organizations that depend on Microsoft's web server software.

Symantec's threat intelligence team recently made the attack vectors used by Lazarus public, highlighting the chutzpah with which the hackers used the hacked servers to further their evil ends. The malicious campaign was the Lazarus group's dream job, according to Symantec, who highlighted the gravity of the problem in a blog post.

AhnLab's security analysts have also provided insightful analysis of the ongoing attacks. They have been aggressively tracking the hackers' whereabouts and have found startling proof of their vast powers. In both English and Korean blog entries, AhnLab's research teams have warned users and administrators about the danger posed by Lazarus hackers and urged rapid security measures to prevent IIS servers from being attacked.

The Lazarus hacking group, known for its association with North Korea, has been linked to various high-profile cybercrimes in the past. Their expertise in cyber warfare and financially motivated attacks has made them a prominent concern for governments, businesses, and cybersecurity agencies worldwide. This recent incident involving the exploitation of Microsoft IIS servers signifies a new level of sophistication in their tactics, emphasizing the need for constant vigilance in the face of evolving threats.

Hosting websites and web applications on Microsoft IIS servers is a common practice worldwide. For businesses that depend on this web server software, the disclosure of this vulnerability raises a warning. Users are advised by security experts to swiftly upgrade and patch their systems to the most recent versions, put in place strong security policies, and carry out routine audits to look for any suspicious activity.

Microsoft has been actively engaging with security companies and organizations to study the nature of the attack and strengthen their protection measures in response to the growing cyber threat. Users can greatly lower their risk of succumbing to these malicious attempts by being watchful and proactive.

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple announced a series of patches this week for several of iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the upgrade that the attacks have only been observed on devices running iOS 15.7 or earlier. Even while this indicates that the company is not aware of any vulnerabilities on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.

Critical CryptoAPI Spoofing Flaw in Windows PoC Exploit Released

 

Proof-of-concept (Poc) code has been made available for a high-severity security vulnerability in the Windows CryptoAPI that Microsoft was notified of by the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) last year. 

The CVE-2022-34689 spoofing vulnerability, with a CVSS score of 7.5, was fixed by the tech giant as part of Patch Tuesday updates delivered in August 2022, although it wasn't made public until October 11, 2022. 

In a then-released advisory, Microsoft warned that "an attacker might alter an existing public x.509 certificate to impersonate their identity and conduct actions such as authentication or code signing as the targeted certificate." 

The Windows CryptoAPI provides an interface for programmers to integrate cryptographic services, including as data encryption and decryption and digital certificate authentication, into their programmes.

CVE-2022-34689, according to web security firm Akamai, which published the proof-of-concept, was caused by a vulnerable piece of code that was intended to accept an x.509 certificate and conducted a check that only considered the certificate's MD5 fingerprint. 

As of December 2008, birthday attacks, a cryptanalytic technique used to identify collisions in a hash function, made it possible for MD5, a message-digest algorithm used for hashing, to be practically cryptographically broken. 

A bad actor might use this flaw to provide a modified version of a genuine certificate to a victim app, then construct a new certificate whose MD5 hash collides with the compromised certificate and use it to pose as the original entity. 

In other words, the vulnerability could be exploited by a malicious third party to launch a mallory-in-the-middle (MitM) attack and reroute users using an outdated version of Google Chrome (version 48 and earlier) to any website of the attacker's choosing simply because the vulnerable web browser trusts the malicious certificate. 

"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers," Akamai stated.

The Massachusetts-based company noted that despite the flaw's limited reach, "there is still a lot of code that utilises this API and might be susceptible to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7."

Node.js Patches Various Flaws that may Lead to Attacks

About vulnerabilities

Node.js maintainers released multiple patches for flaws in the JavaScript runtime environment that can cause HTTP request smuggling and arbitrary code execution, among some other attacks. An advisory mentions the information about the seven patched bugs, it includes three seperate HTTP Request Smuggling vulnerabilities. 

The three flaws- a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213, an errored delimiting of header fields issue, tracked as CVE-2022-32214, and an improper parsing of multi-line transfer encoding exploit, tracked as CVE-2022-32215, can all in the end lead towards HTTP request smuggling. 

The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written." 

How Severe are these bugs?

The three bugs were rated as "medium" severity, they affect all three variants of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 includes the patches that were updated inside Node.js. 

Other problems 

The advisory also includes information about a DNS rebinding flaw in --inspect through improper IP addresses. Categorised as "high" severity, the bug (CVE-2022-32212) can permit arbitrary code execution, warns the advisory. 

“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” says the advisory. 

The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.

HP Fixes UEFI Flaws Affecting 200+ Computers

 

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to a SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, may be triggered from a kernel execution context like a Windows Kernel Driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory to refer to attacker code. 

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful has yet to receive them. Users can check HP's advisory for more information on the impact and upgrades. HP also released warnings this week that outline the updates Intel have released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.

Software Vendor VMware Patches Critical Bug Exploited in the Wild

 

Malicious actors are actively exploiting a critical bug, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager recently addressed by the vendor. The vulnerability is used in active attacks that infect servers with coin miners. 

Earlier this month, VMWare rolled out an update to resolve a critical security flaw (CVSS: 9.8) in several of their products, including VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products.

The software vendor also warned regarding the possibility of an attacker with network access triggering a server-side template injection that results in RCE. The vulnerability is not unprecedented: in late September 2022, CVE-2021-22005 enabled malicious actors to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. 

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the software vendor said while urging its customers to address the vulnerabilities immediately to prevent its exploitation. 

In the past two weeks, multiple security researchers designed working exploits for CVE-2022-22954, with at least one proof-of-concept exploit released on Twitter. While publishing public exploits raises the risks that threat actors will use them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. 

According to cybersecurity intelligence firm Bad Packets, malicious actors are actively scanning for vulnerable hosts to exploit the flaw in the wild. The IP address, 106.246.224.219, used in the payload, was recently seen dropping the Linux Tsunami backdoor in other attacks. However, it remains unclear what the 'one' executable is, as it is no longer accessible. Security researcher Daniel Card also joined the queue by releasing proof-of-concept exploits on Twitter and stated that the vulnerability was being exploited to deploy coinminer payloads.

F5 Patches NGINX LDAP Zero-Day Bug

 

The maintainers of NGINX, F5 Networks, have disclosed a zero-day bug on NGINX Lightweight Directory Access Protocol Reference (LDAP) implementation at the end of the first week of April. Now, they have released security updates to address security loophole in LDAP.

According to security analysts at F5, NGINX Open Source and NGINX Plus are not affected by the bug by themselves. So, there is no action required if the reference implementation is not employed.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory. However, if LDAP reference implementation is used, any of the following conditions will cause vulnerability in the systems: 

• Command-line parameters to configure the Python-based reference implementation daemon 
• Unused, optional configuration parameters and 
• Specific group membership to carry out LDAP authentication

If any of these conditions are fulfilled, a threat actor could override the configuration parameters by sending specially designed HTTP request headers and even bypass LDAP authentication. This would allow LDAP authentication failure to occur even if the user is falsely authenticated. 

“The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (member Of) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups,” F5 researchers told.

“To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters – () – and the equal sign (=), which all have special meanings for LDAP servers. advisory. The backend daemon in the LDAP reference implementation will be updated in this way in due course.” 

NGINX project developers advised users to strip special characters so as they are removed from the username field during authentication, and to update configuration parameters using an empty value. The LDAP-reference implementation mainly explains how the integration operates, and all the components necessary to verify it and how it is not a production grade LDAP solution.

Japanese Automation Firm Yokogawa Patches CENTUM, Exaopc Vulnerabilities

 

Yokogawa Electric Corp., of Japan, recently patched multiple critical flaws in its control system software that can be abused to suppress alarms, read or write files, crash the server, or execute arbitrary code. 

Researchers at cybersecurity firm Dragos have identified ten critical flaws in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems. The remotely exploitable vulnerabilities are related to hard-coded credentials, relative path traversal, improper output neutralization for logs, OS command injection, permissions, privileges, access controls, and uncontrolled resource consumption. 

The vulnerabilities, a lot of which have been assigned a “high severity” rating, require local access to the targeted device, while others can be abused by sending specially designed packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability expert in Dragos' Threat Operations Center, stated. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.” 

Thus far, Dragos researchers have no evidence to suggest that vulnerabilities are exploited in the wild. However, in a real-world attack, a malicious actor could abuse the security loopholes to secure access to the HIS or render it useless by causing a DoS condition. 

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson added. 

Japanese automation giant has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached the end of life, will not receive updates and users have been recommended to update to CENTUM VP. The company released details about the flaws in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March. 

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson concluded. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).” 

Earlier this year in February, Dragos reported that 1,703 ICS/OT vulnerabilities received a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the security loopholes examined by the firm impacted systems located deep within the industrial network.

Mozilla Patches Critical Security Bug in Cross-Platform Cryptography library

 

Mozilla has patched a critical bug present in the NSS (Network Security Services) cross-platform cryptographic library that could be potentially abused by threat actors to crash a susceptible device and even implement arbitrary code. 

The vulnerability tracked as CVE-2021-43527, was discovered by Tavis Ormandy, a renowned bug-hunter with Google Project Zero who named the flaw “BigSig.” 

“I've discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project's cross-platform cryptography library. In 2021, all good bugs need a catchy name, so I'm calling this one "BigSig",” Ormandy explained in a blog post.

According to Ormandy, the flaw could have directed to a heap-based buffer overflow while verifying DER-encoded DSA or RSA-PSS signatures in multiple email users and PDF viewers that use the NSS versions prior to 3.73 or 3.68.1 ESR. 

All applications that depend on NSS for managing signatures encoded within CMS, PKCS #7, PKCS #12, and S/MIME are likely to be impacted, Mozilla said in an advisory. Additionally, the vulnerability may also affect applications that employ NSS for validating certificates, or for additional CRL, OCSP, TLS, or X.509 functionality, depending on how NSS is configured. The exploitation of the flaw could allow an attacker to crash an application or potentially achieve arbitrary code execution.

“This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted,” Mozilla says. 

The vulnerability exists because a VFYContext structure that NSS manufactures to store data when verifying a digital signature could only accommodate maximum signature sizes of 16384 bits (RSA at 2048 bytes). Thus, signatures larger than that would lead to a buffer overflow, Ormandy explained. 

“The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data,” Ormandy said. The security researcher also observed that the security bug can be easily reproduced and that multiple algorithms are affected.

“The bug is that there are simply no bounds checking at all; sig and key are arbitrary-length, attacker-controlled blobs, and cx->u is a fixed-size buffer. The hashobj member contains function pointers, so redirecting execution is trivial,” Ormandy concluded.

VMware Patched SSRF& Arbitrary File Read Flaws in vCenter Server

 

VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

A VMWare security alert was released on November 23 and the US Cybersecurity and Infrastructure Security Agency (CISA) also encouraged enterprises to use vulnerable instances of the server management platform to deploy required upgrades. 

In terms of severity, both flaws were labelled as 'important.' The most serious, with a CVSS rating of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited might allow a nefarious attacker to get access to sensitive data. The SSRF vulnerability (CVE-2021-22049) was discovered in the vSAN Web Client (vSAN UI) plugin, with a CVSS of 6.5. An attacker might take advantage of this vulnerability by gaining access to an internal service or making a URL request from outside of the vCenter Server. 

VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities. The issues do not impact the 7.x release line, which cannot utilise vSphere Web Client (FLEX/Flash).Cloud Foundation's 3.x release line is still waiting for patches for both problems, whereas 4.x is untouched. 

VMware acknowledged Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's'magiczero for reporting the SSRF. As per Statista, three of the top five server virtualization systems with the largest market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth. 

VMware's dominance in the server virtualization market, along with many organisations' latency to implement upgrades, has made its systems great targets for skilled attackers. The Daily Swig revealed in September that another significant arbitrary file upload flaw in the vCenter Server was being exploited. 

In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.

Critical Citrix DDoS Flaw Collapses Network Access

 

Cyberattackers could use a significant security flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway to disrupt entire corporate networks without requiring them to authenticate. 

The two Citrix solutions in issue (previously the NetScaler ADC and Gateway) are used to manage application-aware traffic and provide secure remote access, respectively. According to the alert, the federated working specialist released a security patch on Tuesday for the CVE-2021-22955 vulnerability, which permits unauthenticated denial of service (DoS) due to uncontrolled resource consumption. 

Citrix also fixed an issue of a lower severity that was caused by unmanaged resource usage. It affects both prior Citrix SD-WAN WANOP Edition products and the Citrix SD-WAN WANOP Edition appliance. The latter offers optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.

The second vulnerability, labelled CVE-2021-22956, allows for temporary interruption of a device's management GUI; the Nitro API for configuring and monitoring NetScaler appliances; and remote procedure call (RPC) communication, which is what facilitates Citrix's distributed computing in Citrix settings. 

In terms of exploitation's effect, all three products are extensively used over the world, with Gateway and ADC deployed in at least 80,000 firms in 158 countries as of early 2020, as per Positive Technologies analysis at the time. 

Any of the equipment being down could hinder remote and branch access to corporate assets and the blocking of cloud and virtual assets and apps in general. All of this makes them a tempting target for cybercriminals, and the Citrix ADC and Gateway, in particular, are far from novices when it comes to severe vulnerabilities. 

About affected versions: 

Though Citrix did not provide technical information on the new vulnerabilities, VulnDB stated on Wednesday that “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” 

Despite Citrix's internal classification of "critical," it gave the issue a severity score of 5.1 out of 10. The site stated that vulnerabilities are worth up to $5,000, and that "manipulation with an unknown input leads in a denial of service vulnerability...This will have a negative influence on availability." 

The vulnerabilities, according to the vendor, impact the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956): 
• Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 
• Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 
• Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 
• Citrix ADC 12.1-FIPS before 12.1-55.257 

Citrix SD-WAN WANOP Edition (CVE-2021-22956): 
• Models 4000-WO, 4100-WO, 5000-WO and 5100-WO 
• Version 11.4 before 11.4.2 
• Version 10.2 before 10.2.9c 
• The WANOP feature of SD-WAN Premium Edition is not impacted. 

Appliances have to be set up as a VPN or AAA virtual server to be vulnerable to the initial Citrix ADC and Gateway flaw. In the case of the second bug, appliances must have management interface access to NSIP or SNIP. Customers that use Citrix-managed cloud services will not be impacted.

Threat Actors are Still Exploting Old Bugs to Target Organizations

 

Cybersecurity researchers at Qualys have published a free ransomware risk and assessment tool designed to scan systems, identify flaws and finally automate patching and remediation.

Researchers at Qualys analyzed 36 leading ransomware families and their attacks in recent years. It was found that unpatched flaws, device misconfigurations, internet-facing assets, and cracked software were consistently ranked among the top attack vectors.

According to researchers, the top five CVEs exploited by leading ransomware families to target organizations worldwide, have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain susceptible to ransomware attacks. 

CVE-2012-1723, is the oldest of the top five vulnerabilities, a flaw in the Java Runtime Environment (JRE) component in Oracle Java SE 7, detailed in 2012. According to researchers, it's been commonly used to distribute Urausy ransomware. 

The other two other common flaws detailed by researchers are from 2013; CVE-2013-0431 is a vulnerability in JRE leveraged by Reveton ransomware, while CVE-2013-1493 is a vulnerability in Oracle Java that is exploited by Exxroute ransomware. In both cases, security updates have been available for more than eight years.

CVE-2018-12808, on the other hand, is a three-year-old bug in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and Conti ransomware have been known to use this attack method. The latest bug on the list is Adobe CVE-2019-1458, a privilege escalation flaw in Windows that appeared in December 2019 and has been commonly used by the NetWalker ransomware group.

“For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams," Shailesh Athalye, SVP of product management at Qualys, stated. 

Threat actors exploit these flaws because they know many organizations don’t pay attention to the security updates and so they are actively searching for flaws that allow them to lay down the foundations for ransomware attacks.

"There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal. The important part of vulnerability management is the combination of vulnerability assessment, prioritization, and remediation," Athalye further told.

SonicWall Patches Critical Flaw in SMA 100 Products

 

SonicWall has released a security advisory to warn users regarding a critical flaw impacting some of its Secure Mobile Access (SMA) 100 appliances. The vulnerability spotted as CVE-2021-20034 could potentially allow a remote unauthenticated hacker to delete arbitrary files from the targeted appliance and secure administrator access to the device.

"The vulnerability is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as 'nobody'. There is no evidence that this vulnerability is being exploited in the wild,” researchers explained. 

The critical flaw has received a score of 9.1 out of 10 on the CVSS scale of severity. The products that are affected are SMA 100, 200, 210, 400, 410, and 500v; As there are no temporary mitigations, SonicWall recommends impacted users execute applicable patches as soon as possible. 

Since the start of 2021, SonicWall SMA 100 series appliances have been targeted multiple times by ransomware gangs, with the end goal of moving laterally into the firm’s network.

Earlier, a threat group Mandiant tracked as UNC2447 exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to set up a new ransomware strain known as FiveHands. Their attacks targeted multiple North American and European organizations before SonicWall released patches in late February 2021. A similar zero-day flaw was also abused in January in attacks targeting SonicWall's internal systems and later instinctively exploited in the wild. 

Earlier this year in July, SonicWall issued a warning for an increased threat of ransomware attacks targeting unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) devices. Security researchers at CrowdStrike and CISA added to SonicWall's warning saying that the ransomware campaign was ongoing.

The latest updates for SMA 100 series products also address two medium-severity flaws, including one that can direct to privilege escalation to root, and one that can be abused for authenticated arbitrary code injection and DoS attacks. 

SonicWall recently revealed that its products are used by more than half a million customers in over 215 countries and territories worldwide. Many of them are deployed on the networks of the world's largest organizations, businesses, and government agencies.

Vulnerabilities Detected in Open Source elFinder File Manager

 

In elFinder, an open-source web file organizer, security researchers from SonarSource identified five flaws that form a severe vulnerability chain.

The elFinder file manager is often used in content management systems and frameworks like WordPress plugins and Symfony bundles to make it easier to manage both local and remote files. It's written in JavaScript with the use of jQuery UI. 

The five flaws, termed CVE-2021-32682 as a group, have a CVSS score of 9.8, which means they're highly dangerous. The vulnerability chain impacts elFinder version 2.1.58. 

According to the researchers, exploiting the vulnerabilities may allow an intruder to run arbitrary code and instructions on the server hosting the elFinder PHP connector. The vulnerabilities have been patched in elFinder version 2.1.59. The five weaknesses in the chain are classified by researchers as "innocuous bugs" that may be combined to acquire arbitrary code execution. 

The researchers noted, "We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data." 

Update to the latest version:

According to Thomas Chauchefoin, the security researcher at SonarSource, all users should immediately upgrade elFinder to the latest upgrade. 

"There is no doubt these vulnerabilities will also be exploited in the wild because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites." 

While the researchers did not announce any publicly available exploits, they claim that exploiting these issues can allow an attacker to run arbitrary PHP code on the server where elFinder is installed, eventually leading to its takeover. Attackers could then delete or remove any files they want, upload PHP files, and so on. 

"All these bug classes are very common in software that exposes filesystems to users and are likely to impact a broad range of products, not only elFinder," Chauchefoin added.

F5 Security Patched Severe Vulnerabilities in its BIG-IP Networking Device

 

F5 Security has patched over a dozen critical-severity vulnerabilities in its BIG-IP networking device, including one which was classified as critical severity when exploited under certain conditions. 

A privilege escalation flaw, tracked as CVE-2021-23031 affects the BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI). 

An authorized attacker who has entry to the Configuration tool can exploit the issue to run arbitrary system commands, create or remove files, and/or discontinue services. Due to the flaw, an attacker can totally compromise the network device. 

The vulnerability was assigned a severity level of 8.8, but according to the security notice, users that use the Appliance Mode, which imposes some technical constraints, get a severity value of 9.9 out of 10. As per the security advisory for CVE-2021-23031, the problem is only affecting a small number of clients in critical condition. 

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” states the advisory. 

“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.” 

The vendor advises that the device should be updated; however, if this is not feasible, admins should restrict access to the Configuration utility to only 100% trusted users. 

The U. S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a security notification advising users and administrators to examine the F5 security advisory and install updated software or implement adequate measures as soon as possible. 

F5 addressed 30 high-severity flaws in various products, including authenticated remote command execution vulnerabilities, cross-site scripting (XSS) issues, request forgery bugs, inadequate permission flaws, and denial-of-service flaws. 

The flaws were given a severity score ranging from 7.2 to 7.5. The following is a list of issues patched by the vendor, along with their CVE and CVSS scores: 
  •  CVE-2021-23025: High 7.2
  •  CVE-2021-23026: High 7.5
  •  CVE-2021-23027: High 7.5
  •  CVE-2021-23028: High 7.5
  •  CVE-2021-23029: High 7.5
  •  CVE-2021-23030: High 7.5
  •  CVE-2021-23031: High–Critical – Appliance mode only 8.8–9.9
  •  CVE-2021-23032: High 7.5
  •  CVE-2021-23033: High 7.5
  •  CVE-2021-23034: High 7.5
  •  CVE-2021-23035: High 7.5
  •  CVE-2021-23036: High 7.5
  •  CVE-2021-23037: High 7.5

Lastly, the vendor also fixed medium and low severity vulnerabilities.

VMware Patches Authentication Bypass in Carbon Black App Control

 

VMware, the California-based cloud computing and virtualization technology firm has patched an authentication bypass vulnerability in its Carbon Black App Control (AppC) management server. According to VMware’s advisory, the authentication-bypass vulnerability affected AppC versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x. 

The flaw tracked as CVE-2021-21998, falls into a highly critical range with a maximum CVSSv3 base score of 9.4 out of 10.A malicious actor with network access to the VMware Carbon Black App Control management server might be able to gain administrative privileges to the application without the need to authenticate, VMware explained. 

However, even if the attacker doesn’t need valid credentials for the target application, they would still have to first gain network access to the VMware Carbon Black App Control management server for the attack to succeed, VMware explains in an advisory.

AppC is designed to strengthen the security of servers and to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC. 

Besides the authentication-bypass patch, VMware also patched a local privilege escalation flaw affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes that could allow an attacker to implement arbitrary code on compromised systems. 

At this point, the flaw doesn’t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, CVE-2021-21999, is a local privilege-escalation vulnerability.

"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges," VMware noted. 

The flaw in AppC is only the latest severe problem that VMware has patched. In February, VMware fixed three bugs in its virtual machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to discover other vulnerable points of network entry to take over affected systems.