Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Unpatched Flaws. Show all posts

Progress Software Advises MOVEit Customers to Patch Third Severe Vulnerability

 

Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability. 

According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.

In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.

On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards." 

After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these. 

Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.

Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.

The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date. 

Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US. 

On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added. 

Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment. 

To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.

Online Thieves Exploits Vulnerability in Microsoft Visual Studio

 

Security professionals are alerting users regarding a vulnerability in the Microsoft Visual Studio installer that enables hackers to distribute harmful extensions to application developers while posing as a trusted software vendor. From there, they may sneak into development environments and seize control while contaminating code, stealing very valuable intellectual property, and doing other things. 

The CVE-2023-28299 spoofing vulnerability was patched by Microsoft as part of its April security release. At the time, the business rated the bug as having a low likelihood of being exploited and categorised the vulnerability as having moderate severity. However, the Varonis researchers who first identified the vulnerability provided a somewhat different perspective on the flaw and its potential consequences in a blog post this week.

According to the researchers, the flaw should be addressed because it is easily exploitable and is present in a product with a 26% market share and more than 30,000 consumers.

"With the UI bug found by Varonis Threat Labs, a threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis security researcher Dolor Taler explained. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system." 

Varonis identified a vulnerability that affects several iterations of the Visual Studio integrated development environment (IDE), ranging from Visual Studio 2017 through Visual Studio 2022. The problem is a security restriction in Visual Studio that makes it simple for anyone to get over, preventing users from entering data in the "product name" extension field. 

Taler discovered that an attacker may get around that restriction by opening a Visual Studio Extension (VSIX) package as a.ZIP file, and then manually adding newline characters to a tag in the "extension.vsixmanifest" file. Developers use a newline character to indicate the end of a line of text so that the cursor will move to the start of the following line on the screen.

"And because a threat actor controls the area under the extension name, they can easily add fake 'Digital Signature' text, visible to the user and appearing to be genuine," Taler added.

Nearly 50% of On-Premises Databases Have Unpatched Vulnerabilities

 

The five-year longitudinal research conducted by cybersecurity firm Imperva revealed that nearly half of on-premises databases globally contain at least one flaw that could expose them to cyber-attacks.

Researchers scanned roughly 27,000 databases, finding 46% contained vulnerabilities at an average of 26 vulnerabilities per database. Unfortunately, 56% of those vulnerabilities were ranked as ‘critical or high severity’, and some of them have gone unaddressed for three or more years. This suggests that many organizations are not prioritizing the security of their data and neglecting routine patching exercises.

“Too often, organizations overlook database security because they’re relying on native security offerings or outdated processes. Although we continue to see a major shift to cloud databases, the concerning reality is that most organizations rely on on-premises databases to store their most sensitive data,” said Elad Erez, Imperva's Chief Innovation Officer. 

A regional analysis of the data shows that France tops the list, with 84% of databases containing at least one flaw, at an average of 72 vulnerabilities per database. France is followed by Australia (65%, 20 vulnerabilities on average), Singapore (64%, 62 security flaws per database), UK (61%, 37 vulnerabilities on average), China (52%, 74 flaws per database), and Japan (50%). In the United States, 37% of databases have at least one vulnerability that could expose them to attacks, with an average of 25 issues per database. 

Given the number of security holes that exist in on-premises databases, it should come as no surprise that the number of data breach incidents has increased 15% over a 12-month average. An analysis of data breaches since 2017 shows that 74% of the data stolen in a breach is personal data, while login credentials (15%) and credit card details (10%) are also lucrative targets. 

“Organizations are making it too easy for the bad guys. Attackers now have access to a variety of tools that equip them with the ability to take over an entire database, or use a foothold into the database to move laterally throughout a network. The explosive growth in data breaches is evidence that organizations are not investing enough time or resources to truly secure their data. The answer is to build a security strategy that puts the protection of data at the center of everything,” Erez added.