Posts labelled Vulnerabilities and Exploits

CISA Asks Companies to Fix Path Traversal Vulnerabilities


CISA and FBI urge companies to take patch actions 

CISA and the FBI today urged software companies to assess their products and fix path traversal security flaws before shipping them.

Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication. 

“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.

Impact of these security loopholes

Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.

Attackers can also disable or restrict access to vulnerable systems by overwriting, destroying, or altering critical authentication files (which would lock out all users).

CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing. 

To eliminate this type of problem from all products, manufacturers should ensure that their software developers immediately implement the necessary mitigations. Integrating security into products from the start can eliminate directory traversal issues.

About directory traversal vulnerabilities

Directory traversal vulnerabilities occur when users manipulate inputs, such as file paths, to gain unauthorized access to application files and directories. Malicious cyber actors can use these exploits to access restricted directories and read, change, or write arbitrary files, which can have adverse effects.

How Can Software Vendors Avoid Directory Traversal Risks?

To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:

  • Use random identifiers and store metadata separately (e.g., in a database) instead of relying on user input for a file name.
  • If the previous strategy is not followed, restrict file names to alphanumeric characters. Ensure that uploaded files do not have executable permissions.
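The two mitigations above, worked through in Python as an added example (this is not CISA/FBI code or any vendor's implementation). Uploads are written under a random identifier and the user-supplied name lives only in a metadata table, so user input never becomes part of a filesystem path; a fallback resolver shows the alphanumeric allowlist with a containment check for code that must accept a name. The storage root, table layout and function names are assumptions for the example.

```python
import os
import re
import secrets
import sqlite3
import tempfile

# Added example, not CISA/FBI or any vendor's code. Models the two mitigations:
# random identifiers with metadata kept separately, and an alphanumeric
# allowlist (plus containment check) for the fallback case.

SAFE_NAME = re.compile(r"[A-Za-z0-9]{1,64}")


class UploadStore:
    """Stores uploads under random ids; user input never becomes a path."""

    def __init__(self, root: str, db_path: str = ":memory:"):
        self.root = os.path.abspath(root)
        os.makedirs(self.root, exist_ok=True)
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS files (id TEXT PRIMARY KEY, original_name TEXT)"
        )

    def save(self, original_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)          # 32 hex chars, unguessable
        path = os.path.join(self.root, file_id)  # built from our id, not the user's name
        # O_EXCL refuses to clobber an existing file; mode 0o600 never sets execute bits.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        self.db.execute("INSERT INTO files VALUES (?, ?)", (file_id, original_name))
        self.db.commit()
        return file_id

    def fetch(self, file_id: str) -> bytes:
        row = self.db.execute("SELECT 1 FROM files WHERE id = ?", (file_id,)).fetchone()
        if row is None:
            raise FileNotFoundError(file_id)
        with open(os.path.join(self.root, file_id), "rb") as fh:
            return fh.read()

    def original_name(self, file_id: str) -> str:
        row = self.db.execute(
            "SELECT original_name FROM files WHERE id = ?", (file_id,)
        ).fetchone()
        if row is None:
            raise FileNotFoundError(file_id)
        return row[0]


def is_safe_name(user_name: str) -> bool:
    """Allowlist: 1-64 alphanumeric characters, nothing else."""
    return SAFE_NAME.fullmatch(user_name) is not None


def resolve_user_path(root: str, user_name: str) -> str:
    """Fallback when a name must be accepted: allowlist plus containment check."""
    if not is_safe_name(user_name):
        raise ValueError("file name must be 1-64 alphanumeric characters")
    root = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root, user_name))
    # Defence in depth: even an allowlisted name must resolve inside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes storage root")
    return candidate


def demo() -> dict:
    """Exercise the store with a hostile-looking name in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="uploads-")
    store = UploadStore(root)
    file_id = store.save("../../etc/passwd", b"report contents")
    stored_path = os.path.join(root, file_id)
    return {
        "root": root,
        "file_id": file_id,
        "content": store.fetch(file_id),
        "original_name": store.original_name(file_id),
        "inside_root": os.path.dirname(stored_path) == os.path.abspath(root),
        "executable": os.access(stored_path, os.X_OK),
    }


if __name__ == "__main__":
    print(demo())
```

The hostile name `../../etc/passwd` is stored as plain metadata and the file lands inside the upload root with no execute bit; the allowlist rejects the same name outright when a caller insists on user-chosen names.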

Path traversal vulnerabilities ranked eighth on MITRE's list of the 25 most dangerous software weaknesses, trailing only out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.

SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.

Protecting Users Against Bugs: Software Providers' Scalable Attempts


Ransomware assaults, such as the one on Change Healthcare, continue to create serious disruptions. However, they are not inevitable. Software developers can create products that are immune to the most frequent types of cyberattacks used by ransomware gangs. This blog discusses what can be done and encourages customers to demand that software companies take action.

Millions of Americans recently experienced prescription medicine delays or were forced to pay full price as a result of a ransomware assault. While the United States has begun to make headway in reacting to cyberattacks, including the passage of incident reporting requirements into law, it is apparent that much more work remains to be done to combat the ransomware epidemic. 

Ransomware gangs flourish because they usually attack genuinely easy weaknesses in software that serve as the basis for critical operations and services.

Providing scalable solutions: Company duty

Business leaders of software manufacturers hold the key: They can build products that are resilient against the most common classes of cyberattacks by ransomware gangs.

The security community has known how to eliminate classes of vulnerabilities across software for decades. What is needed is not perfectly secure software but "secure enough" software, which software manufacturers are capable of creating.

Systemic classes of defects like SQL injection or insecure default configurations, such as a lack of multi-factor authentication by default or hardcoded default passwords, enable the vast majority of ransomware attacks and are preventable at scale.

The expense of preventing some types of vulnerabilities during the design stage is substantially less than dealing with the complex aftermath of a breach. 

Google reported in a recent study that it has nearly eliminated many common types of vulnerabilities in its products, such as SQL injection and cross-site scripting. Google also claims that these tactics were cost-effective and, in some cases, ultimately saved money because it no longer had to worry about those bugs.

Fighting lack of action

Inaction is exactly what has occurred in the software business. The Biden administration's National Cybersecurity Strategy asks for a shift in this direction, with software manufacturers accepting responsibility for product security from the start.

For example, whereas conventional vulnerability assessment approaches encourage identifying and patching vulnerabilities one by one, the agency's SQL injection alert urges software manufacturers' executives to lead codebase reviews and eliminate all potentially unsafe functions, preventing SQL injection at the source.

How to identify bugs

Software vendors may assess vulnerability classes on two levels: impact, or the degree of damage that can be done by that class of vulnerability, and the cost of avoiding that flaw at scale.

SQL injection vulnerabilities are likely to be high in impact but inexpensive in cost to eliminate, whereas memory-safety issues have extremely high impact but need large investments to rewrite codebases systematically. Businesses can create a priority list of the most cost-effective tasks for fixing specific types of flaws in their products.

Customer's role: What can you do?

Companies should ask how their vendors attempt to remove entire classes of threats, such as implementing phishing-resistant multi-factor authentication and developing a memory-safe plan to address the most prevalent type of software vulnerability.

It is feasible that future ransomware assaults may be far more difficult to carry out. It's high time for software businesses to make this possibility a reality and safeguard Americans by including security from the beginning. Customers should insist that they do this.

AutoSpill Attack Steals Credentials from Android Password Managers


Security researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have discovered a new vulnerability in some Android password managers in which malicious apps can capture users' credentials during autofill in WebView. 

The threat actors carry out the operation particularly when the password manager is trying to autofill login credentials. 

In a presentation at the Black Hat Europe security conference, the researchers revealed that the majority of Android password managers are susceptible to AutoSpill even in the absence of JavaScript injection. 

How AutoSpill Works

WebView is frequently used in Android apps to render web content, which includes login pages, within the app, rather than redirecting users to the main browser, which would be more challenging on small-screen devices. 

Android password managers automatically enter a user's account information when an app loads the login page for services like Apple, Facebook, Microsoft, or Google by utilizing the WebView component of the platform. 

According to the researchers, it is possible to exploit vulnerabilities in this process to obtain the auto-filled credentials on the app that is being invoked. 

The researchers added that Android password managers are even more vulnerable to the attack if JavaScript injection is enabled. 

One of the main causes of the issue regarding AutoSpill is Android’s inability to specify who is responsible for handling the auto-filled data securely, which leaves the data vulnerable to leakage or capture by the host app.

In an attack scenario, the user's credentials could be obtained by a rogue app presenting a login form without leaving any trace of the breach.

Impact and Patch Work

Using Android's autofill framework, the researchers tested AutoSpill against a number of password managers on Android 10, 11, and 12. They discovered that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable to assaults.

Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3 took a different technical approach to autofill and did not leak data to the host app unless JavaScript injection was used.

The researchers submitted their findings, along with recommendations for fixing the issue, to the Android security team and the affected software manufacturers. Their report was accepted as valid; however, no information about plans to fix the issue was disclosed.

Adobe Patches 30 Acrobat, Reader Vulnerabilities


Adobe has recently released a large batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and macOS installations. In this blog post, we'll take a closer look at the details of these updates and what they mean for users.

The Details

On Tuesday, Adobe released a critical-level advisory listing the 30 security flaws that were patched in this update. The company cautioned that successful exploitation of these vulnerabilities could result in application denial-of-service attacks, arbitrary code execution, memory leaks, and feature bypasses. Among the affected programs are Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

The majority of the bugs were memory safety issues, according to Adobe. The company also claimed to be unaware of any public exploits of these vulnerabilities. In addition to these patches, Adobe also released a separate critical update addressing three security flaws.

What This Means for Users

For users of Adobe’s Acrobat and Reader software, this update is an important one to install. The vulnerabilities that have been patched could potentially allow attackers to execute arbitrary code on a user’s system or cause application denial-of-service attacks. By installing the updates, users can protect themselves from these potential threats.

It’s always important to keep software up-to-date with the latest security patches to ensure that your system is protected from known vulnerabilities. This is especially true for widely-used software like Adobe’s Acrobat and Reader programs.

What next?

Adobe's recent release of security updates for its Acrobat and Reader software is an important step in protecting users from potential threats. By patching at least 30 vulnerabilities affecting Windows and macOS installations, Adobe has taken proactive measures to ensure the safety and security of its users. As always, it's important for users to install these updates as soon as possible to protect themselves from potential exploits.

OpenSea NFT Market Users' Identities Were Exposed via a Bug

In 2022, OpenSea had more than 1 million registered members, and more than 121 million people visited the website each month. Because of this, OpenSea is not only the biggest NFT market but also a highly attractive target for cybercriminals. Any platform flaw could present an opportunity for criminal activity and result in catastrophe for unsuspecting users.

The cross-site search vulnerability, which a hacker can use to gain user identities, was made possible by a misconfiguration.

According to the report, OpenSea has subsequently issued a patch to address the problem. In order to reduce the possibility of additional exploitation, the patch limits cross-origin communication. The vulnerability no longer exists, according to the cyber security company's analysis of the remedy.

Web applications that use query-based search systems are vulnerable to cross-site search. By submitting queries and observing variations in the search system's behavior when it returns results and when it does not, an attacker can retrieve sensitive data from another origin.

After confirming that the fundamental exploit strategies were effective, the researchers looked at OpenSea's search feature. The company referenced Elasticsearch in one of its job listings, so this is probably the engine behind its search function. 

Elasticsearch lets you swiftly search through and analyze huge amounts of data. One of its important features is its capacity to normalize language via language-specific analyzers and stemmers.

The root of the problem is the $13.3 billion market's use of the incorrectly configured iframe-resizer library. A cross-site search vulnerability occurs when this library is used in environments where cross-origin communication is unrestricted, which was the case at OpenSea.

Misconfiguration permits the existence of this bug and user identity exposure. Given that the NFT ecosystem is solely predicated on anonymity, this kind of weakness might have major financial repercussions for OpenSea because, if exploited, the attacker could conduct phishing assaults. They could also keep tabs on those who made the most expensive NFT purchases.

Immediately after the vulnerability was made public, OpenSea patched it by limiting cross-origin communication. This reduced the vulnerability's potential for further exploitation. In order to stop the exploitation of these platforms, it is crucial to be constantly on the lookout for inherent faults and vulnerabilities.


Electric Vehicle Vulnerabilities Can Allow Hackers To Disrupt System, Cause Energy Theft




About the vulnerability

The vulnerabilities were found by experts working for SaiFlow, a company based in Israel that specializes in defending EV charging infrastructure and distributed energy resources. 

The security loopholes are linked to the communications between the charging system management service (CSMS) and the EV charge point (CP), especially over the Open Charge Point Protocol (OCPP). The loopholes are believed to affect the CSMS offered by various vendors. 

The issue is associated with OCPP's use of WebSocket communications and its poor handling of multiple connections. The protocol does not specify how to handle more than one connection for the same CP at a time, and threat actors can abuse this by opening a new connection to the CSMS. Another problem is what SaiFlow describes as a "weak OCPP authentication and chargers identities policy." 

How does a hacker exploit the vulnerability?

By opening a new connection to the CSMS on behalf of a charge point, the threat actor can cause the original connection to be shut down or become non-functional.

As per SaiFlow, a threat actor can misuse the loopholes to mount a distributed denial of service (DDoS) attack that disrupts the electric vehicle supply equipment (EVSE) network. 

Besides this, if a threat actor can connect to the CSMS, they may be able to obtain drivers' personal information, including payment card data, along with other sensitive data such as server credentials. 

What do experts say about the vulnerabilities?

Ron Tiberg-Shachar, co-founder and CEO of SaiFlow said "in particular configurations, if the charger approves unfamiliar driver identities, an attacker can manage to charge their vehicle without paying for it. Since the CSMS platforms are publicly accessible, it is possible for an attacker to hijack the connection remotely, without needing to gain credentials, access, or perform MITM attacks." Tiberg believes that it may be possible for an amateur hacker to launch an attack, even with scarce resources. 

To conduct an attack, the hacker first needs to get a charger's identity. This identity generally has a standard structure, making it easier for hackers to enumerate the values of valid identifiers. 

In the next stage, they need to get info on which CSMS platform the charger is connected to. According to experts, the CSMS URL can be found using services like Shodan or SecurityTrails. 

The impact of this vulnerability

SaiFlow has published a technical blog post explaining the vulnerabilities and the attack scenarios. The company also gave recommendations for how these kinds of attacks can be controlled. It seems unlikely that vendors can easily patch the vulnerabilities. 

Tiberg said, "we’ve approached many key players in the industry (and keep on doing so) to make them aware of our findings and how they can approach a solution. Additionally, we’ve made our solutions team available to support any specific technical questions, in an effort to reinforce vulnerabilities as quickly as possible. Our key goal is to support partners in scaling their charging infrastructure as quickly and safely as possible."

From BMW to Ferrari, Automotive Industry Flooded with Vulnerabilities


Automakers struggling with vulnerabilities

A range of automakers from Toyota to Acura are affected by vulnerabilities in their vehicles that could let hackers steal personally identifiable information (PII), lock owners out of their vehicles, and even control functions like starting and stopping the engine. 

A team of seven security researchers said vulnerabilities in the automakers' internal applications and systems let them build a proof-of-concept that sends commands using only the vehicle identification number (VIN), which is visible through the windshield from outside the vehicle. 

Experts found security loopholes in the automaker industry

The team found serious security loopholes at automakers including BMW, Ford, Volvo, Ferrari, and various others throughout Europe, the US, and Asia. It also found problems with suppliers and telematics companies like Spireon, which makes GPS-based vehicle tracking solutions. 

BMW said that IT and data security are the top priorities for the company, and it continuously monitors its system landscapes for potential security threats or vulnerabilities. 

"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks. No vehicle-related IT systems were affected or compromised. No BMW Group customers or employee accounts were compromised," a spokesperson at BMW said. 

This is only the most recent security threat to surface. In March last year, telemetry from industrial systems security firm Dragos found Emotet command-and-control servers in contact with various automotive manufacturer systems. 

In December, experts found vulnerabilities in three mobile apps that let drivers remotely unlock or start their vehicles. These bugs allowed unauthorized malicious actors to perform the same commands from afar. 

Automakers slow to identify threats

Security vulnerabilities have been a challenge in the automotive industry for a long time, and automakers are not very proactive in identifying the potential severity of the threat developments. 

Experts believe that while automakers are slowly turning into software developers, they find it difficult to address all points of the development cycle, which includes security. 

"One very simple notion is if you're not good at software, you're probably not going to be very good at making that software safe. That is guaranteed," said Gartner automotive industry analyst Pedro Pacheco. "Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers."

When automakers make more sophisticated ecosystems that connect customers with app stores and connect them with their smartphones and other connected devices, the stakes also get high. 

"This is the reason why cybersecurity is going to become more and more of a pressing issue," said Pacheco. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."






Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug

 

Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user="Local_Process_Access"," the company noted in an advisory.
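A small log triage script for the indicator quoted above, added here as an example and not taken from Fortinet. The only value it borrows from the advisory is the `user="Local_Process_Access"` field; the three sample log lines are constructed for the example in the general key=value shape of FortiOS event logs (they are not real device output, and the addresses are from documentation ranges), and the field names used for the summary are assumptions about that shape.

```python
import re

# Added example, not Fortinet's code. Sample lines below are constructed in a
# key=value style; only the indicator value user="Local_Process_Access" is
# from the advisory. Addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
date=2022-10-10 time=14:21:03 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2022-10-10 time=14:23:41 type="event" subtype="system" level="information" user="Local_Process_Access" ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="newadmin" msg="Add system.admin newadmin"
date=2022-10-10 time=14:25:12 type="event" subtype="system" level="information" user="admin" ui="ssh(203.0.113.5)" action="logout" status="success" msg="Administrator admin logged out from ssh(203.0.113.5)"
"""

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# ui="https(198.51.100.7)" -> the part in parentheses is the client address
UI_RE = re.compile(r"^\w+\(([^)]+)\)$")
INDICATOR_USER = "Local_Process_Access"


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value, quoted in KV_RE.findall(line):
        fields[key] = quoted if value.startswith('"') else value
    return fields


def find_indicator_hits(log_text: str) -> list:
    """Return a summary record for every line whose user field is the indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("user") == INDICATOR_USER:
            hits.append({
                "line": lineno,
                "when": f"{f.get('date', '?')} {f.get('time', '?')}",
                "ui": f.get("ui", ""),
                "action": f.get("action", ""),
                "msg": f.get("msg", ""),
            })
    return hits


def source_addresses(hits: list) -> list:
    """Distinct client addresses seen on matching lines, for follow-up investigation."""
    found = set()
    for h in hits:
        m = UI_RE.match(h["ui"])
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    matches = find_indicator_hits(SAMPLE_LOG)
    for m in matches:
        print(f"line {m['line']} {m['when']} {m['ui']} {m['action']}: {m['msg']}")
    print("addresses to investigate:", source_addresses(matches))
```

On a real export, feed the file contents to `find_indicator_hits` and treat any hit as a prompt to review what configuration changed (the `action`, `cfgpath` and `cfgobj` fields on the matching lines) and which client addresses were involved.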

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the HTTP/HTTPS administrative interface, or alternatively limit the IP addresses that can access the administrative interface.

XSS Bugs in Canon's Vitrea View Tool Can Expose Patient Data



In a penetration test, Trustwave SpiderLabs' experts found two reflected cross-site scripting (XSS) flaws, together tracked as CVE-2022-3746, in third-party software for Canon Medical's Vitrea View. Vitrea View lets users view and safely share medical images via the DICOM standard. 

"Canon Medical released a patch for these issues in version 7.7.6. We recommend all customers on version 7.x to update to the latest release. We always appreciate vendors like Canon Medical that approach the disclosure process with transparency and in the interest of the security of their products and users."

A threat actor can trigger the bugs to access or change patient details (i.e., stored scans and images) and gain additional access to some Vitrea View features. 

The first problem is an unauthenticated reflected XSS in an error message at /vitrea-view/error/, which reflects all input following the /error/ subdirectory back to the user, with minor limitations. 

How does the bug work?

The researchers observed that space characters and single and double quotes alter the reflection. Base64 encoding and backticks (`) make it possible to escape these restrictions and import remote scripts. 

The second problem is another reflected XSS within the Vitrea View administrative panel. A threat actor can exploit it by luring a victim into clicking a specially crafted link. 

The researchers found that the search parameters 'limit', 'offset', and 'group' on the 'Group and Users' page of the admin panel all reflect their input back to the user when text is entered instead of the expected numerical input. 

The report says:

"Like the previous finding, the reflected input is slightly restricted, as it does not allow spaces. Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript, and Groovy scripts used by the Vitrea View application."

The researchers also wrote a proof-of-concept for both these vulnerabilities. Canon Medical handled these two vulnerabilities by releasing Vitrea View version 7.7.6. 
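Both findings share one root cause: input is reflected into HTML with only a small blocklist (spaces, quotes) rather than output encoding or type validation. The following is an added example, not Trustwave's or Canon Medical's code, that models the two patterns in miniature: an error page that echoes the request path after /error/, and paging parameters that echo non-numeric text. The handler names, page strings and the `limit`/`offset` defaults are hypothetical; it shows why a blocklist that strips spaces and quotes still lets markup through, and what the escaped and validated versions look like.

```python
import html
import re

# Added example, not Trustwave's or Canon Medical's code. Handler names and
# page strings are hypothetical; they model the reflection patterns described
# in the advisory, not the real application.


def render_error_blocklist(path_suffix: str) -> str:
    """Vulnerable pattern: reflection guarded only by a blocklist (spaces, quotes)."""
    cleaned = path_suffix.replace(" ", "").replace("'", "").replace('"', "")
    return f"<p>Resource not found: {cleaned}</p>"


def render_error_escaped(path_suffix: str) -> str:
    """Fixed pattern: HTML-escape anything reflected into the page body."""
    return f"<p>Resource not found: {html.escape(path_suffix, quote=True)}</p>"


def render_paging_vulnerable(params: dict) -> str:
    """Vulnerable pattern: echoes limit/offset back even when they are not numbers."""
    return f"<div>limit={params.get('limit', '')} offset={params.get('offset', '')}</div>"


NUMERIC = re.compile(r"\d{1,6}")


def validate_paging(params: dict):
    """Type-validate paging parameters; returns ints or None if any value is not numeric."""
    out = {}
    for name, default in (("limit", 50), ("offset", 0)):
        raw = params.get(name, str(default))
        if not NUMERIC.fullmatch(raw):
            return None
        out[name] = int(raw)
    return out


def render_paging_fixed(params: dict) -> str:
    """Fixed pattern: only validated integers ever reach the page; raw text is never reflected."""
    paging = validate_paging(params)
    if paging is None:
        raise ValueError("limit and offset must be non-negative integers")
    return f"<div>limit={paging['limit']} offset={paging['offset']}</div>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Crude check used here to show whether a script tag survived into the output."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    # A probe with no spaces or quotes, so the blocklist leaves it untouched.
    probe = "<script>alert(`probe`)</script>"
    print("blocklist:", contains_active_markup(render_error_blocklist(probe)))
    print("escaped:  ", contains_active_markup(render_error_escaped(probe)))
    print("paging vulnerable:", contains_active_markup(render_paging_vulnerable({"limit": probe})))
    print("paging fixed:", render_paging_fixed({"limit": "25"}))
```

The escaped error page turns `<` into `&lt;`, so no tag survives regardless of what else the input contains; the paging fix never reflects the raw value at all, which also removes the reflection that the advisory describes for `limit`, `offset` and `group`.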




Iran-Based MuddyWater Attacks Israeli Companies


What is MuddyWater?

An Iranian threat actor named MuddyWater (tracked by Microsoft as MERCURY) has been escalating its abuse of Log4j 2 vulnerabilities in SysAid applications to attack organizations in Israel. 

Microsoft security researchers said in an advisory released on Thursday that they assess with high confidence that MERCURY's observed operations were linked to Iran's Ministry of Intelligence and Security (MOIS). 

On July 23 and 25, 2022, MERCURY was found using exploits against a vulnerable SysAid Server as its initial access vector. Based on observations from earlier campaigns and flaws found in victim environments, the researchers assessed that the exploits used were most probably related to Log4j 2. 

Microsoft links attack to Iranian Hackers

Microsoft said it assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 (also referred to as “Log4Shell”) in vulnerable SysAid Server instances the targets were running. MERCURY has used Log4j 2 exploits in past campaigns as well. 

MSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s Ministry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

The new campaign found by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team differs from earlier MERCURY activity in that it is the first in which the group exploits SysAid apps as an initial access vector. 

How does MERCURY work?

Once MERCURY has gained access, it establishes persistence, dumps credentials, and moves laterally within the victim organization using custom and publicly available hacking tools as well as built-in operating system tools for its hands-on-keyboard attacks. 

Microsoft has also listed common techniques and tooling used by MERCURY, including spearphishing, along with tools such as the Venom proxy tool, the Ligolo reverse tunneling tool, and home-grown PowerShell programs. 

What next?

Microsoft confirmed that it informed customers that have been hit or targeted, giving them the info required to protect their accounts. Microsoft has also given a list of indicators of compromise (IOCs) linked to MERCURY's activity. 

Microsoft isn't the first to link MERCURY with Iranian state actors. At the beginning of this year, both the U.K. and U.S. governments released warnings linking the group with the state's MOIS. 

"We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems," said Microsoft.