
Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"


Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Although a patch has been available for three weeks, ransomware groups are exploiting a vulnerability in Citrix NetScaler appliances that lets attackers bypass multifactor authentication and reach the enterprise networks behind those appliances.

What exactly is Citrix Bleed?

CVE-2023-4966, which affects Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability carries a severity rating of 9.4 out of a possible 10, which is unusually high for a plain information-disclosure flaw.

According to some estimates, 20,000 devices have already been compromised. The high rating reflects what the leaked memory can contain: session tokens, which the appliance issues to clients that have already authenticated successfully, including clients that completed MFA. Whoever holds such a token can use that session without repeating authentication, which is how the MFA bypass works.

Attacks on the rise

Attacks have increased sharply in recent days, prompting security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He said that as of Saturday he had found an estimated 20,000 compromised Citrix appliances with stolen session tokens. The estimate was based on a honeypot of servers disguised as vulnerable NetScaler devices, set up to track opportunistic Internet attacks, with the results then compared against other data sources such as NetFlow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also runs honeypots, reported CVE-2023-4966 attacks coming from 135 IP addresses, a 27-fold rise from the five IPs GreyNoise had seen five days earlier.

Easy to exploit vulnerabilities 

According to the most recent data from security firm Shadowserver, approximately 5,500 appliances remain unpatched. Beaumont has acknowledged that this figure is at odds with his estimate of 20,000 affected devices, and it is unclear what accounts for the gap. Note that the two numbers also measure different things: Shadowserver counts appliances that are still unpatched, while Beaumont's figure counts appliances whose session tokens were taken, which can include devices that were patched only after they had already been exploited.

The vulnerability is reasonably simple to exploit for an experienced attacker. Diffing the patched and unpatched Citrix binaries reveals the vulnerable functions, and from there it is not difficult to write code that triggers them. Several proof-of-concept exploits are available online, which makes attacks considerably easier.

What next? What should companies do to be safe?

Citrix Bleed is similar to Heartbleed, another major information-leak vulnerability that rocked the Internet in 2014. That flaw, found in the OpenSSL code library, was widely exploited and allowed the theft of passwords, encryption keys, banking credentials, and other sensitive data. Citrix Bleed's reach is smaller because far fewer vulnerable devices are in operation.

Citrix Bleed is nonetheless serious. Organizations should treat every NetScaler appliance that was reachable while unpatched as compromised. That means patching any devices that remain unpatched, then terminating all active and persistent sessions on the appliance and rotating credentials. The order matters: a leaked session token stays valid until the session it belongs to is killed, so patching alone, or rotating passwords alone, does not evict an attacker who already holds a token. Mandiant, a security firm, has published detailed remediation guidance.
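The remediation above assumes you can tell which sessions were replayed by someone other than the client that authenticated. The following is an added example, not code from the original post and not from Citrix or Mandiant. It runs a simple detection over constructed log lines in a made-up "timestamp event user session client" layout (NetScaler's real ns.log syntax differs and would need its own parser) and flags any session whose token is used from a client address that never logged in for that session, which is the signature of a stolen token being replayed.

```python
"""Flag sessions whose token is used from a client that never authenticated."""
import re
from collections import defaultdict

# Constructed sample events in a simplified layout (NOT NetScaler's real log syntax):
#   <timestamp> <event> user=<name> session=<token> client=<ip>
SAMPLE_LOG = """\
2023-10-28T09:00:01Z LOGIN   user=alice session=a1b2c3d4 client=203.0.113.10
2023-10-28T09:05:12Z REQUEST user=alice session=a1b2c3d4 client=203.0.113.10
2023-10-28T09:07:45Z REQUEST user=alice session=a1b2c3d4 client=198.51.100.77
2023-10-28T09:10:30Z LOGIN   user=bob   session=e5f6a7b8 client=192.0.2.25
2023-10-28T09:12:00Z REQUEST user=bob   session=e5f6a7b8 client=192.0.2.25
2023-10-28T09:15:09Z REQUEST user=carol session=09cafe77 client=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s+user=(?P<user>\S+)\s+"
    r"session=(?P<session>\S+)\s+client=(?P<client>\S+)$"
)


def parse_events(text):
    """Parse the constructed layout into a list of dicts; refuse lines it cannot read."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(match.groupdict())
    return events


def find_hijacked_sessions(events):
    """Return {session_id: reason} for tokens that look replayed.

    Two indicators of a stolen session token:
      * the token is used from a client address that never performed a LOGIN
        for that session (the legitimate client authenticated from elsewhere);
      * the token is used with no LOGIN event at all in the window examined
        (it was issued before logging began, or leaked from memory and replayed).
    """
    login_clients = defaultdict(set)  # session -> clients that authenticated it
    used_clients = defaultdict(set)   # session -> every client seen using it
    users = {}
    for ev in events:
        used_clients[ev["session"]].add(ev["client"])
        users[ev["session"]] = ev["user"]
        if ev["event"] == "LOGIN":
            login_clients[ev["session"]].add(ev["client"])

    findings = {}
    for session, clients in used_clients.items():
        unauthenticated = clients - login_clients[session]
        if not login_clients[session]:
            findings[session] = (
                f"user {users[session]}: token used from {sorted(clients)} "
                "with no LOGIN record"
            )
        elif unauthenticated:
            findings[session] = (
                f"user {users[session]}: token reused from {sorted(unauthenticated)}, "
                "which never authenticated"
            )
    return findings


def sessions_to_kill(findings):
    """Sorted list of session ids that should be terminated on the appliance."""
    return sorted(findings)


if __name__ == "__main__":
    flagged = find_hijacked_sessions(parse_events(SAMPLE_LOG))
    for session_id, reason in flagged.items():
        print(session_id, reason)
    print("terminate:", sessions_to_kill(flagged))
```

Treat the output as triage, not proof: a legitimate user whose client address changes mid-session (mobile networks, NAT changes) produces the same pattern, so each hit needs correlation with the user and the new address. On the appliance itself the blunt equivalent, which does not depend on logs, is to terminate every active and persistent session after patching.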

Critical Flaws Identified in InfiRay Thermal Camera

Security bugs in InfiRay thermal cameras could enable attackers to tamper with industrial processes, for example by halting production or introducing changes that lead to lower-quality products.

InfiRay is a brand of China-based iRay Technology, a company that designs optical components. With products shipped to 89 countries and territories, InfiRay specializes in researching and designing infrared and thermal imaging devices.

Analysts from SEC Consult, an Austrian cybersecurity company, found that at least one of the vendor's thermal cameras, the A8Z3, is affected by several potentially critical vulnerabilities. The A8Z3, sold on the Chinese marketplace Alibaba for approximately $3,000, is intended for a wide range of IoT applications.

According to the researchers, the camera is affected by five categories of potentially critical bugs. One of them is hardcoded credentials for the camera's web application: because these accounts cannot be disabled and their passwords cannot be changed, they amount to backdoor accounts that give an attacker access to the camera's web interface. From there, an attacker can chain a second flaw to execute arbitrary code.

The researchers also found a buffer overflow in the firmware and several outdated software components with known vulnerabilities, as well as a Telnet root shell that is not password protected by default, which allows an attacker on the local network to execute arbitrary commands as root on the camera.

According to SEC Consult, none of these thermal cameras appear to be exposed on the internet. However, an attacker who gains unauthorized access to the network a camera sits on could exploit the vulnerabilities to cause considerable damage.
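To make the Telnet and credential findings concrete, here is an added example, not code from SEC Consult, InfiRay or the original post, that audits an extracted embedded-Linux root filesystem for the two patterns described: accounts whose /etc/shadow entry has an empty password field, and init scripts that start BusyBox telnetd with `-l /bin/sh`, which hands every connecting client a shell without going through /bin/login. The firmware tree it inspects is constructed and hypothetical; it is shaped like a typical BusyBox camera image, not InfiRay's firmware. The web application's own hardcoded accounts would live in the application's files and are not covered by this check, which only sees OS-level accounts.

```python
"""Audit an extracted embedded-Linux root filesystem for an unauthenticated
Telnet shell and for accounts whose credentials are fixed in the image."""
import re
import shlex

# Constructed, hypothetical firmware tree (path -> file contents). This is not
# InfiRay's firmware; it mimics a typical BusyBox camera image so the checks
# below have realistic input to run on.
SAMPLE_TREE = {
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:x:1000:1000::/home/admin:/bin/sh\n"
        "nobody:x:65534:65534::/nonexistent:/bin/false\n"
    ),
    "etc/shadow": (
        "root::0:0:99999:7:::\n"  # empty second field: no password at all
        "admin:$1$abcdefgh$FAKEHASHFAKEHASHFAKEH.:0:0:99999:7:::\n"  # constructed hash
        "nobody:*:0:0:99999:7:::\n"  # '*' means the account is locked
    ),
    "etc/init.d/rcS": (
        "#!/bin/sh\n"
        "mount -a\n"
        "/usr/sbin/telnetd -l /bin/sh &\n"  # -l names the login program; /bin/sh skips /bin/login
        "/usr/bin/webserver -p 80 &\n"
    ),
}

INIT_PATHS = ("etc/inittab", "etc/rc.local")
TELNETD_RE = re.compile(r"(?:^|/)telnetd\b")


def parse_colon_file(text, value_index):
    """Map the first field of each non-comment line to field number value_index."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > value_index:
            out[fields[0]] = fields[value_index]
    return out


def passwordless_accounts(tree):
    """Users with an empty password field in etc/shadow and a real login shell."""
    shadow = parse_colon_file(tree.get("etc/shadow", ""), 1)
    shells = parse_colon_file(tree.get("etc/passwd", ""), 6)
    return sorted(
        user for user, pw in shadow.items()
        if pw == "" and shells.get(user, "") not in ("", "/bin/false", "/sbin/nologin")
    )


def baked_in_hashes(tree):
    """Users whose password hash ships in the image (not locked with '!' or '*').
    If the device offers no way to change it, this is a hardcoded credential."""
    shadow = parse_colon_file(tree.get("etc/shadow", ""), 1)
    return sorted(user for user, pw in shadow.items() if pw and pw[0] not in "!*")


def telnet_launches(tree):
    """(path, line, unauthenticated) for every init-script line that starts telnetd.
    BusyBox telnetd's -l option names the program run for each connection; anything
    other than /bin/login means the client gets that program without authenticating."""
    found = []
    for path, content in tree.items():
        if not (path.startswith("etc/init.d/") or path in INIT_PATHS):
            continue
        for raw in content.splitlines():
            line = raw.strip().rstrip("&").strip()
            if line.startswith("#") or not TELNETD_RE.search(line):
                continue
            argv = shlex.split(line)
            unauthenticated = False
            if "-l" in argv:
                i = argv.index("-l")
                unauthenticated = i + 1 < len(argv) and argv[i + 1] != "/bin/login"
            found.append((path, line, unauthenticated))
    return found


def audit(tree):
    """Human-readable findings, most severe first."""
    report = []
    for path, line, unauthenticated in telnet_launches(tree):
        kind = "unauthenticated shell" if unauthenticated else "telnet enabled"
        report.append(f"{path}: {kind}: {line}")
    for user in passwordless_accounts(tree):
        report.append(f"{user}: empty password field in etc/shadow")
    for user in baked_in_hashes(tree):
        report.append(f"{user}: password hash baked into the image")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print(finding)
```

On a real image, point the same checks at the unpacked root filesystem (for example, the output of a firmware extraction tool) and extend the init-script list to whatever the image actually uses. A baked-in hash is only a hardcoded credential if the device gives no supported way to change it, which is the condition SEC Consult describes for the web application accounts.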

“The camera is used in industrial environments to check/control temperatures. The test device was located in a factory, where it verified that metal pieces arriving on a conveyor belt were still hot enough for the next process step,” stated Steffen Robertz, an embedded systems security analyst at SEC Consult. 

“An attacker would be able to report wrong temperatures and thus create inferior products or halt the production. The temperature output might also be fed into a control loop. By reporting a lower temperature, the temperature of, for example, a furnace might be increased automatically.” 

The analysts did not test any other devices from this vendor, but based on past experience similar bugs are likely to affect other products as well. SEC Consult notified the Chinese firm of its findings more than a year ago, but the vendor has been unresponsive, so it remains unknown whether updates are available.