Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service
28.12.23  Vulnerebility  The Hacker News
Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges.

"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023.

Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations."

There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) -

1.25.16-gke.1020000
1.26.10-gke.1235000
1.27.7-gke.1293000
1.28.4-gke.1083000
1.17.8-asm.8
1.18.6-asm.2
1.19.5-asm.4
A key prerequisite to successfully exploiting the vulnerability is that an attacker has already compromised a Fluent Bit container by some other initial access method, such as a remote code execution flaw.


"GKE uses Fluent Bit to process logs for workloads running on clusters," Google elaborated. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."

This meant that a threat actor could use this access to gain privileged access to a Kubernetes cluster that has ASM enabled and then subsequently use ASM's service account token to escalate their privileges by creating a new pod with cluster-admin privileges.

"The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles," security researcher Shaul Ben Hai said. "The attacker can update the cluster role bound to CRAC to possess all privileges."

By way of fixes, Google has removed Fluent Bit's access to the service account tokens and re-architected the functionality of ASM to remove excessive role-based access control (RBAC) permissions.

"Cloud vendors automatically create system pods when your cluster is launched," Ben Hai concluded. "They are built in your Kubernetes infrastructure, the same as add-on pods that have been created when you enable a feature."

"This is because cloud or application vendors typically create and manage them, and the user has no control over their configuration or permissions. This can also be extremely risky since these pods run with elevated privileges."


Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack
28.12.23  Vulnerebility  The Hacker News
A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

"The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.


CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It is caused by a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.

The attack hinges on the fact that the parameter "requirePasswordChange" is set to "Y" (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.
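The request pattern described above can be turned into a log-side check. The following is an added example, not code from the article or from the Apache OFBiz project: it scans constructed access-log lines (combined-log style; the paths are made up for the example) for login requests whose query string sets requirePasswordChange=Y, and rates those with empty or absent USERNAME and PASSWORD as high priority. Body parameters of POST requests are not visible in an access log, so only query-string variants are caught.

```python
# Added example (not from the article or the Apache OFBiz project): flag access-log
# entries matching the CVE-2023-51467 pattern, i.e. a request that sets
# requirePasswordChange=Y while USERNAME and PASSWORD are empty or missing.
# The log format, paths and sample lines below are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log style line: client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

def _values(query: dict, name: str) -> list:
    """All values for a query parameter, matched case-insensitively."""
    return [v for k, vs in query.items() if k.lower() == name.lower() for v in vs]

def classify_request(target: str):
    """Return None when requirePasswordChange=Y is absent, 'high' when it is set and
    USERNAME and PASSWORD are both empty or missing (treated as blank here, a
    deliberately conservative choice), and 'review' when the flag is set but
    credentials were supplied (a legitimate forced password change looks the same,
    so a human should look at it)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "Y" not in [v.upper() for v in _values(query, "requirePasswordChange")]:
        return None
    user_blank = all(v.strip() == "" for v in _values(query, "USERNAME"))
    pass_blank = all(v.strip() == "" for v in _values(query, "PASSWORD"))
    return "high" if (user_blank and pass_blank) else "review"

def scan_access_log(lines):
    """Return (client, target, tier) for every line that carries the flag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        tier = classify_request(m.group("target"))
        if tier:
            findings.append((m.group("client"), m.group("target"), tier))
    return findings

# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2023:10:00:01 +0000] "GET /control/main HTTP/1.1" 200 512
203.0.113.9 - - [26/Dec/2023:10:00:02 +0000] "POST /control/login?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1024
198.51.100.7 - - [26/Dec/2023:10:00:03 +0000] "POST /control/login?USERNAME=alice&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 200 800
198.51.100.8 - - [26/Dec/2023:10:00:04 +0000] "POST /control/login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for client, target, tier in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{tier:6} {client} {target}")
```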

"The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)," according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFBiz are recommended to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.


Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP
21.12.23  Vulnerebility  The Hacker News
Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild.

The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution.

Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw.

No other details about the security defect have been released to prevent further abuse, with Google acknowledging that "an exploit for CVE-2023-7024 exists in the wild."

The development marks the resolution of the eighth actively exploited zero-day in Chrome since the start of the year -

CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4762 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
CVE-2023-5217 (CVSS score: 8.8) - Heap buffer overflow in vp8 encoding in libvpx
CVE-2023-6345 (CVSS score: 9.6) - Integer overflow in Skia
A total of 26,447 vulnerabilities have been disclosed so far in 2023, surpassing the previous year by over 1,500 CVEs, according to data compiled by Qualys, with 115 flaws exploited by threat actors and ransomware groups.

Remote code execution, security feature bypass, buffer manipulation, privilege escalation, and input validation and parsing flaws emerged as the top vulnerability types.

Users are recommended to upgrade to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now
15.12.23  Vulnerebility  The Hacker News
Multiple security vulnerabilities have been discovered in Netgate's open-source pfSense firewall solution that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

"Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks," security researcher Oskar Zeino-Mahmalat said.

"Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network."

Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

A brief description of the flaws is given below -

CVE-2023-42325 (CVSS score: 5.4) - An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
CVE-2023-42327 (CVSS score: 5.4) - An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
CVE-2023-42326 (CVSS score: 8.8) - A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim's web browser.

As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim's permissions.

"Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack," Zeino-Mahmalat said.

Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code's built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.


Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical
13.12.23  Vulnerebility  The Hacker News
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35636 (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35639 (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35641 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35642 (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
CVE-2023-36019 (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability
CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

CVE-2023-35638 (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
CVE-2023-35643 (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36012 (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability
The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," which means users should disable DHCP DNS dynamic updates if they are not required and refrain from using DNSUpdateProxy.


New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now
12.12.23  Vulnerebility  The Hacker News
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

Tracked as CVE-2023-50164, the vulnerability is rooted in flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under certain circumstances to upload a malicious file and achieve execution of arbitrary code.

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software -

Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32, and
Struts 6.0.0 - Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.

"All developers are strongly advised to perform this upgrade," the project maintainers said in an advisory posted last week. "This is a drop-in replacement and upgrade should be straightforward."

While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.


WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability
9.12.23  Vulnerebility  The Hacker News
WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites.

"A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said.

According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor.

A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site.

"If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code," Wordfence noted previously in September 2023.


In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. It's recommended that users manually check their sites to ensure that it's updated to the latest version.

"If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions," Patchstack CTO Dave Jong said.


Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks
7.12.23  Vulnerebility  The Hacker News
A collection of 21 security flaws have been discovered in Sierra Wireless AirLink cellular routers and open-source software components like TinyXML and OpenNDS.

Collectively tracked as Sierra:21, the issues expose over 86,000 devices across critical sectors like energy, healthcare, waste management, retail, emergency services, and vehicle tracking to cyber threats, according to Forescout Vedere Labs. A majority of these devices are located in the U.S., Canada, Australia, France, and Thailand.

"These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks," the industrial cybersecurity company said in a new analysis.

Of the 21 vulnerabilities, one is rated critical, nine are rated high, and 11 are rated medium in severity.

This includes remote code execution (RCE), cross-site scripting (XSS), denial-of-service (DoS), unauthorized access, and authentication bypasses that could be exploited to seize control of vulnerable devices, conduct credential theft via injection of malicious JavaScript, crash the management application, and conduct adversary-in-the-middle (AitM) attacks.


These shortcomings can also be weaponized by botnet malware for worm-like automatic propagation, communication with command-and-control (C2) servers, and enslaving affected machines to launch DDoS attacks.

Fixes for the flaws have been released in ALEOS 4.17.0 (or ALEOS 4.9.9), and OpenNDS 10.1.3. TinyXML, on the other hand, is no longer actively maintained, necessitating that the problems be addressed downstream by affected vendors.

"Attackers could leverage some of the new vulnerabilities to take full control of an OT/IoT router in critical infrastructure and achieve different goals such as network disruption, espionage, lateral movement and further malware deployment," Forescout said.

"Vulnerabilities impacting critical infrastructure are like an open window for bad actors in every community. State-sponsored actors are developing custom malware to use routers for persistence and espionage. Cybercriminals are also leveraging routers and related infrastructure for residential proxies and to recruit into botnets."


Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution
7.12.23  Vulnerebility  The Hacker News
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.

The list of vulnerabilities is below -

CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
CVE-2023-22522 (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
CVE-2023-22523 (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
CVE-2023-22524 (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)
Atlassian described CVE-2023-22522 as a template injection flaw that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, resulting in code execution.

The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper protections.

The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.

With Atlassian products becoming lucrative attack vectors in recent years, it's highly recommended that users move quickly to update affected installations to a patched version.


Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks
6.12.23  Vulnerebility  The Hacker News
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.

The vulnerabilities are as follows -

CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP.
CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
CVE-2023-33107 (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
Google's Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks.

A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Project Zero have been credited with reporting the security vulnerabilities, respectively.

It's currently not known how these shortcomings have been weaponized, or who is behind the attacks.

The development, however, has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the four bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patches by December 26, 2023.

It also follows Google's announcement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that "could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed" and without any user interaction.


Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices
1.12.23  Vulnerebility  The Hacker News
Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.

The three vulnerabilities are listed below -

CVE-2023-35138 (CVSS score: 9.8) - A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
CVE-2023-4473 (CVSS score: 9.8) - A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
CVE-2023-4474 (CVSS score: 9.8) - An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It's worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication.

The flaws impact the following models and versions -

NAS326 - versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
NAS542 - versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
The advisory comes days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) versions, some of which could be weaponized to access system files and administrator logs, as well as cause a denial-of-service (DoS) condition.

With Zyxel devices often exploited by threat actors, it's highly recommended that users apply the latest updates to mitigate potential threats.


Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability
29.11.23  Vulnerebility  The Hacker News
Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild.

Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.

Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw on November 24, 2023.

As is typically the case, the search giant acknowledged that "an exploit for CVE-2023-6345 exists in the wild," but stopped short of sharing additional information surrounding the nature of attacks and the threat actors that may be weaponizing it in real-world attacks.

It's worth noting that Google released patches for a similar integer overflow flaw in the same component (CVE-2023-2136) in April 2023 that had also come under active exploitation as a zero-day, raising the possibility that CVE-2023-6345 could be a patch bypass for the former.

CVE-2023-2136 is said to have "allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page."

With the latest update, the tech giant has addressed a total of six zero-days in Chrome since the start of the year -

CVE-2023-2033 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia
CVE-2023-3079 (CVSS score: 8.8) - Type confusion in V8
CVE-2023-4863 (CVSS score: 8.8) - Heap buffer overflow in WebP
CVE-2023-5217 (CVSS score: 8.8) - Heap buffer overflow in vp8 encoding in libvpx
Users are recommended to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access
29.11.23  Vulnerebility  The Hacker News

Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

When reached for comment, Google disputed the characterization of the issue as a design flaw. “This report does not identify an underlying security issue in our products,” it said. “As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.”

Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organization's Google Workspace environment.

The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

As a result, potential threat actors with less privileged access to a target GCP project could "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."


To put it differently, an IAM identity that has access to create new private keys to a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.
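Because delegation is keyed on the service account's OAuth client ID rather than on a particular key, the question a defender wants answered is: which principals can mint a new key for a service account that Workspace already trusts? The following is an added example, not code from the article or from Hunters' PoC: it runs that check over constructed inventory data (service accounts, the DWD client-ID-to-scopes table from the Workspace admin console, and IAM bindings). The role-to-permission table is a simplified assumption and the function names are this example's own; it takes no live API calls.

```python
# Added example (not from the article or from Hunters' tooling): audit constructed GCP
# IAM data for the DeleFriend condition. Domain-wide delegation (DWD) is keyed on the
# service account's OAuth client ID, so any principal able to create a new key for a
# DWD-enabled service account can call Workspace APIs as any user for the delegated
# scopes. All data and the role table below are constructed/assumed for this example.
KEY_CREATE = "iam.serviceAccountKeys.create"

# Assumed, simplified mapping of which roles grant key creation. Verify against the
# current predefined role definitions and any custom roles before relying on it.
ROLE_PERMISSIONS = {
    "roles/owner": {KEY_CREATE},
    "roles/editor": {KEY_CREATE},
    "roles/iam.serviceAccountKeyAdmin": {KEY_CREATE},
    "roles/iam.serviceAccountAdmin": {KEY_CREATE},
    "roles/viewer": set(),
    "roles/iam.serviceAccountUser": set(),  # impersonation only, no key creation
}

def principals_with_key_create(sa, bindings, role_permissions):
    """Principals holding a key-creation permission on service account `sa`, whether
    bound directly on the service account or inherited from its project."""
    scopes_that_apply = {f"project:{sa['project']}", f"sa:{sa['email']}"}
    out = set()
    for b in bindings:
        if b["resource"] in scopes_that_apply and \
                KEY_CREATE in role_permissions.get(b["role"], set()):
            out.update(b["members"])
    return out

def delefriend_findings(service_accounts, dwd_clients, bindings,
                        role_permissions=ROLE_PERMISSIONS):
    """Return {sa_email: {"scopes": [...], "key_creators": [...]}} for each service
    account whose OAuth client ID has DWD and for which someone can create keys.
    Every listed principal effectively holds the delegated scopes for the whole domain."""
    findings = {}
    for sa in service_accounts:
        scopes = dwd_clients.get(sa["client_id"])
        if not scopes:
            continue  # no delegation: a new key only yields the SA's own GCP access
        creators = principals_with_key_create(sa, bindings, role_permissions)
        if creators:
            findings[sa["email"]] = {"scopes": sorted(scopes),
                                     "key_creators": sorted(creators)}
    return findings

# Constructed inventory (example.com / example-prj are placeholders).
SERVICE_ACCOUNTS = [
    {"email": "mail-sync@example-prj.iam.gserviceaccount.com",
     "project": "example-prj", "client_id": "100000000000000000001"},
    {"email": "ci-builder@example-prj.iam.gserviceaccount.com",
     "project": "example-prj", "client_id": "100000000000000000002"},
]
DWD_CLIENTS = {  # client ID -> scopes authorised in the Workspace admin console
    "100000000000000000001": {"https://www.googleapis.com/auth/gmail.readonly",
                              "https://www.googleapis.com/auth/drive"},
}
BINDINGS = [
    {"resource": "project:example-prj", "role": "roles/editor",
     "members": {"user:dev@example.com"}},
    {"resource": "project:example-prj", "role": "roles/viewer",
     "members": {"user:auditor@example.com"}},
    {"resource": "sa:mail-sync@example-prj.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountKeyAdmin", "members": {"group:ops@example.com"}},
]

if __name__ == "__main__":
    for email, info in delefriend_findings(SERVICE_ACCOUNTS, DWD_CLIENTS, BINDINGS).items():
        print(email, "scopes:", info["scopes"], "key creators:", info["key_creators"])
```

The principals listed under key_creators are the ones to trim to least privilege, which is the mitigation Google's response above points to; a project-wide Editor grant is the usual surprise in such output.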

Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain."


Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches
25.11.23  Vulnerebility  The Hacker News
The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.

A brief description of the vulnerabilities is as follows -

Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0 (CVSS score: 10.0)
WebDAV API Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)
"The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company said of the first flaw.

"This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key."

As a fix, ownCloud is recommending to delete the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file and disable the 'phpinfo' function. It is also advising users to change secrets like the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.

The second problem makes it possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.

Lastly, the third flaw relates to a case of improper access control that allows an attacker to "pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker."

Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has suggested that users disable the "Allow Subdomains" option as a workaround.

The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.

The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.

"This vulnerability is critical because it does NOT require any authentication," CrushFTP noted in an advisory released at the time. "It can be done anonymously and steal the session of other users and escalate to an administrator user."


New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login
23.11.23  Vulnerebility  The Hacker News
A new research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices.

A prerequisite for the fingerprint reader exploits is that the users of the targeted laptops have fingerprint authentication already set up.

All the three fingerprint sensors are a type of sensor called "match on chip" (MoC), which integrates the matching and other biometric management functions directly into the sensor's integrated circuit.

"While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor's communication with the host and falsely claiming that an authorized user has successfully authenticated," researchers Jesse D'Aguanno and Timo Teräs said.

The MoC also does not prevent replay of previously recorded traffic between the host and sensor.

Although the Secure Device Connection Protocol (SDCP) created by Microsoft aims to alleviate some of these problems by creating an end-to-end secure channel, the researchers uncovered a novel method that could be used to circumvent these protections and stage adversary-in-the-middle (AitM) attacks.

Specifically, the ELAN sensor was found to be vulnerable to a combination of sensor spoofing stemming from the lack of SDCP support and cleartext transmission of security identifiers (SIDs), thereby allowing any USB device to masquerade as the fingerprint sensor and claim that an authorized user is logging in.

In the case of Synaptics, not only was SDCP discovered to be turned off by default, the implementation chose to rely on a flawed custom Transport Layer Security (TLS) stack to secure USB communications between the host driver and sensor that could be weaponized to sidestep biometric authentication.

The exploitation of the Goodix sensor, on the other hand, capitalizes on a fundamental difference in enrollment operations carried out on a machine that's loaded with both Windows and Linux, taking advantage of the fact that the latter does not support SDCP to perform the following actions -

Boot to Linux
Enumerate valid IDs
Enroll attacker's fingerprint using the same ID as a legitimate Windows user
MitM the connection between the host and sensor by leveraging the cleartext USB communication
Boot to Windows
Intercept and rewrite the configuration packet to point to the Linux DB using our MitM
Login as the legitimate user with attacker's print
It's worth pointing out that while the Goodix sensor has separate fingerprint template databases for Windows and non-Windows systems, the attack is possible owing to the fact that the host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.

To mitigate such attacks, it's recommended that original equipment manufacturers (OEMs) enable SDCP and ensure that the fingerprint sensor implementation is audited by independent qualified experts.

This isn't the first time that Windows Hello biometrics-based authentication has been successfully defeated. In July 2021, Microsoft issued patches for a medium-severity security flaw (CVE-2021-34466, CVSS score: 6.1) that could permit an adversary to spoof a target's face and get around the login screen.

"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," the researchers said.

"Additionally, SDCP only covers a very narrow scope of a typical device's operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all."


CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
17.11.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild.

The vulnerabilities are as follows -

CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
CVE-2023-1671 (CVSS score: 9.8) - Sophos Web Appliance Command Injection Vulnerability
CVE-2023-2551 (CVSS score: 8.8) - Oracle Fusion Middleware Unspecified Vulnerability
CVE-2023-1671 relates to a critical pre-auth command injection vulnerability that allows for the execution of arbitrary code. CVE-2023-2551 is a flaw in the WLS Core Components that allows an unauthenticated attacker with network access to compromise the WebLogic Server.

There are currently no public reports documenting in-the-wild attacks leveraging the two flaws.

On the other hand, the addition of CVE-2023-36584 to the KEV catalog is based on a report from Palo Alto Networks Unit 42 earlier this week, which detailed spear-phishing attacks mounted by a pro-Russian APT group known as Storm-0978 (aka RomCom or Void Rabisu) targeting groups supporting Ukraine's admission into NATO in July 2023.

CVE-2023-36584, patched by Microsoft as part of October 2023 security updates, is said to have been used alongside CVE-2023-36884, a Windows remote code execution vulnerability addressed in July, in an exploit chain to deliver PEAPOD, an updated version of RomCom RAT.

In light of active exploitation, federal agencies are recommended to apply the fixes by December 7, 2023, to secure their networks against potential threats.

Fortinet Discloses Critical Command Injection Bug in FortiSIEM
The development comes as Fortinet is alerting customers of a critical command injection vulnerability in FortiSIEM report server (CVE-2023-36553, CVSS score: 9.3) that could be exploited by attackers to execute arbitrary commands.

CVE-2023-36553 has been described as a variant of CVE-2023-34992 (CVSS score: 9.7), a similar flaw in the same product that was remediated by Fortinet in early October 2023.

"An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," the company said in an advisory this week.

The vulnerability, which impacts FortiSIEM versions 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4, has been fixed in versions 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.


Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups
17.11.23  Vulnerebility  The Hacker News
A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens.

"Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News.

The flaw, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was addressed by Zimbra as part of patches released on July 25, 2023.

Successful exploitation of the shortcoming could allow execution of malicious scripts on the victims' web browser simply by tricking them into clicking on a specially crafted URL, effectively initiating the XSS request to Zimbra and reflecting the attack back to the user.

Google TAG, whose researcher Clément Lecigne was credited with discovering and reporting the bug, said it discovered multiple campaign waves starting June 29, 2023, at least two weeks before Zimbra issued an advisory.

Three of the four campaigns were observed prior to the release of the patch, with the fourth campaign detected a month after the fixes were published.

The first campaign is said to have targeted a government organization in Greece, sending emails containing exploit URLs to their targets that, when clicked, delivered an email-stealing malware previously observed in a cyber espionage operation dubbed EmailThief in February 2022.

The intrusion set, which Volexity codenamed as TEMP_HERETIC, also exploited a then-zero-day flaw in Zimbra to carry out the attacks.


The second threat actor to exploit CVE-2023-37580 is Winter Vivern, which targeted government organizations in Moldova and Tunisia shortly after a patch for the vulnerability was pushed to GitHub on July 5.

It's worth noting that the adversarial collective has been linked to the exploitation of security vulnerabilities in Zimbra Collaboration and Roundcube by Proofpoint and ESET this year.

TAG said it spotted a third, unidentified group weaponizing the bug before the patch was pushed on July 25 to phish for credentials belonging to a government organization in Vietnam.

"In this case, the exploit URL pointed to a script that displayed a phishing page for users' webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised," TAG noted.

Lastly, a government organization in Pakistan was targeted using the flaw on August 25, resulting in the exfiltration of the Zimbra authentication token to a remote domain named "ntcpk[.]org."

Google further pointed out a pattern in which threat actors are regularly exploiting XSS vulnerabilities in mail servers, necessitating that such applications are audited thoroughly.

"The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible," TAG said.

"These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users."


Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments
15.11.23  Vulnerebility  The Hacker News
Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs.

Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access."

Successful exploitation of the vulnerability could also permit a bypass of the CPU's security boundaries, according to Google Cloud, which described it as an issue stemming from how redundant prefixes are interpreted by the processor.

"The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host," Google Cloud's Phil Venables said.

"Additionally, the vulnerability could potentially lead to information disclosure or privilege escalation."

Security researcher Tavis Ormandy, in a separate analysis of Reptar, said it can be abused to corrupt the system state and force a machine-check exception.

Intel, as part of November 2023 updates, has published updated microcode for all affected processors. The complete list of Intel CPUs impacted by CVE-2023-23583 is available here. There is no evidence of any active attacks using this vulnerability.

"Intel does not expect this issue to be encountered by any non-malicious real-world software," the company said in a guidance issued on November 14. "Malicious exploitation of this issue requires execution of arbitrary code."

The disclosure coincides with the release of patches for a security flaw in AMD processors called CacheWarp (CVE-2023-20592) that lets malicious actors break into AMD SEV-protected VMs to escalate privileges and gain remote code execution.


Alert: Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities
15.11.23  Vulnerebility  The Hacker News

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.

Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.

The updates are in addition to more than 35 security shortcomings addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023.

The five zero-days that are of note are as follows -

CVE-2023-36025 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36033 (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036 (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-36038 (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability
CVE-2023-36413 (CVSS score: 6.5) - Microsoft Office Security Feature Bypass Vulnerability
Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.

"The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker," Microsoft said about CVE-2023-36025.

CVE-2023-36025 is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years. In December 2022, Microsoft patched CVE-2022-44698 (CVSS score: 5.4), while CVE-2023-24880 (CVSS score: 5.1) was patched in March and CVE-2023-32049 (CVSS score: 8.8) was patched in July.

The Windows maker, however, has not provided any further guidance on the attack mechanisms employed and the threat actors that may be weaponizing them. But the active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug.

"There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero-day," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.

Also patched by Microsoft are two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could leverage to trigger the execution of malicious code.

The November update further includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).

"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft said.

Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability could enable access to credentials stored in the pipeline's log and permit an adversary to potentially escalate their privileges for follow-on attacks.

In response, Microsoft said it has made changes to several Azure CLI commands to harden Azure CLI (version 2.54) against inadvertent usage that could lead to secrets exposure.


Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability
15.11.23  Vulnerebility  The Hacker News
VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections.

Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version.

"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," the company said in an alert.

"This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."

The virtualization services company further noted that the impact is due to the fact that it utilizes a version of sssd from the underlying Photon OS that is affected by CVE-2023-34060.

Dustin Hartle from IT solutions provider Ideal Integrations has been credited with discovering and reporting the shortcomings.

While VMware has yet to release a fix for the problem, it has provided a workaround in the form of a shell script ("WA_CVE-2023-34060.sh").

It also emphasized implementing the temporary mitigation will neither require downtime nor have a side-effect on the functionality of Cloud Director installations.

The development comes weeks after VMware released patches for another critical flaw in the vCenter Server (CVE-2023-34048, CVSS score: 9.8) that could result in remote code execution on affected systems.


CISA Sets a Deadline - Patch Juniper Junos OS Flaws Before November 17
14.11.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.

The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -

CVE-2023-36844 (CVSS score: 5.3) - Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
CVE-2023-36845 (CVSS score: 5.3) - Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
CVE-2023-36846 (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
CVE-2023-36847 (CVSS score: 5.3) - Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
CVE-2023-36851 (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
The vulnerabilities, per Juniper, could be fashioned into an exploit chain to achieve remote code execution on unpatched devices. Also added to the list is CVE-2023-36851, which has been described as a variant of the SRX upload flaw.

Juniper, in an update to its advisory on November 8, 2023, said it's "now aware of successful exploitation of these vulnerabilities," recommending that customers update to the latest versions with immediate effect.

The details surrounding the nature of the exploitation are currently unknown.

In a separate alert, CISA has also warned that the Royal ransomware gang may rebrand as BlackSuit owing to the fact that the latter shares a "number of identified coding characteristics similar to Royal."

The development comes as Cyfirma disclosed that exploits for critical vulnerabilities are being offered for sale on darknet forums and Telegram channels.

"These vulnerabilities encompass elevation of privilege, authentication bypass, SQL injection, and remote code execution, posing significant security risks," the cybersecurity firm said, adding, "ransomware groups are actively searching for zero-day vulnerabilities in underground forums to compromise a large number of victims."

It also follows revelations from Huntress that threat actors are targeting multiple healthcare organizations by abusing the widely-used ScreenConnect remote access tool used by Transaction Data Systems, a pharmacy management software provider, for initial access.

"The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments," Huntress noted.


Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
31.7.23  Vulnerebility  The Hacker News
Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.

The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.

A brief description of each of the vulnerabilities is below -

CVE-2023-37979 (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website.
CVE-2023-38386 and CVE-2023-38393 - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.
Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.
The disclosure comes as Patchstack revealed another reflected XSS vulnerability flaw in the Freemius WordPress software development kit (SDK) affecting versions prior to 2.5.10 (CVE-2023-33999) that could be exploited to obtain elevated privileges.

Also discovered by the WordPress security company is a critical bug in the HT Mega plugin (CVE-2023-37999) present in versions 2.2.0 and below that enables any unauthenticated user to escalate their privilege to that of any role on the WordPress site.


Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks
30.7.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.

"SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency said.

The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection.

Evidence gathered so far shows that the attackers behind the activity, a suspected China-nexus actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim environments and implanted backdoors to establish and maintain persistence.

To that end, the infection chain involved sending phishing emails with booby-trapped TAR file attachments to trigger exploitation, leading to the deployment of a reverse shell payload to establish communication with the threat actor's command-and-control (C2) server, from where a passive backdoor known as SEASPY is downloaded for executing arbitrary commands on the device.

SUBMARINE, also codenamed DEPTHCHARGE by the Google-owned threat intelligence firm, is the latest malware family to be discovered in connection with the operation. Executed with root privileges, it resides in a Structured Query Language (SQL) database on the ESG appliance.
It's believed to have been "deployed in response to remediation efforts," echoing Mandiant's characterization of the adversary as an aggressive actor capable of quickly altering their malware and employing additional persistence mechanisms in an attempt to maintain their access.

The agency further said it "analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database," and that it "poses a severe threat for lateral movement."


Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack
30.7.23  Vulnerebility  The Hacker News
Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild.

The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL).

"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. "This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable)."

A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user.

"As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081," the company added.

It's worth noting that CVE-2023-35078 is a critical remote unauthenticated API access vulnerability that permits remote attackers to obtain sensitive information, add an EPMM administrative account, and change the configuration because of an authentication bypass.

The security flaws have been exploited by unknown actors targeting Norwegian government entities, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an alert urging users and organizations to apply the latest fixes.
The development also comes as the Google Project Zero team said 41 in-the-wild 0-days were detected and disclosed in 2022, down from 69 in 2021, noting that 17 of those are variants of previously public vulnerabilities.

"Similar to the overall numbers, there was a 42% drop in the number of detected in-the-wild 0-days targeting browsers from 2021 to 2022, dropping from 26 to 15," Google TAG researcher Maddie Stone said.

"We assess this reflects browsers' efforts to make exploitation more difficult overall as well as a shift in attacker behavior away from browsers towards zero-click exploits that target other components on the device."


Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required
28.7.23  Vulnerebility  The Hacker News

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations.

Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1.

"An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week.

The issue has also been addressed in the following older versions -

0.45.4.1 and 1.45.4.1
0.44.7.1 and 1.44.7.1, and
0.43.7.2 and 1.43.7.2
While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.

Assetnote, which claimed it discovered and reported the bug to Metabase, said the vulnerability is due to a JDBC connection issue in the API endpoint "/api/setup/validate," enabling a malicious actor to obtain a reverse shell on the system by means of a specially crafted request that takes advantage of an SQL injection flaw in the H2 database driver.

Users who cannot apply the patches immediately are recommended to block requests to the /api/setup endpoint, isolate the Metabase instance from your production network, and monitor for suspicious requests to the endpoint in question.


GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users
27.7.23  Vulnerebility  The Hacker News
Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks.

Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users.

"The impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers]," security researchers Sagi Tzadik and Shir Tamari said.

The vulnerabilities – tracked as CVE-2023-32629 and CVE-2023-2640 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges.

Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified filesystem.

A brief description of the two flaws is below -

CVE-2023-2640 - On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs," an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
CVE-2023-32629 - Local privilege escalation vulnerability in Ubuntu kernels: the overlayfs function ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.

In a nutshell, GameOver(lay) makes it possible to "craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges."

Following responsible disclosure, the vulnerabilities have been fixed by Ubuntu as of July 24, 2023.

The findings underscore the fact that subtle changes in the Linux kernel introduced by Ubuntu could have unforeseen implications, Wiz CTO and co-founder Ami Luttwak said in a statement shared with the publication.

"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," the researchers said, adding the issues are comparable to other vulnerabilities such as CVE-2016-1576, CVE-2021-3493, CVE-2021-3847, and CVE-2023-0386.


Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets
26.7.23  Vulnerebility  The Hacker News
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system.

Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz.

"Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts."

The cybersecurity firm, which identified 16 variants across 59 samples, said the activity likely has links to another information stealer campaign called Pureland, which came to light earlier this March. Windows machines, on the other hand, are infected with RedLine Stealer.

The attack chains begin with threat actors approaching potential victims through direct messages on social media, convincing them to test a game as part of a paid collaboration, only to drain their cryptocurrency wallets and steal sensitive information upon execution.

The web browsers targeted for harvesting include Brave, Google Chrome, Mozilla Firefox, Opera, and Vivaldi. Apple Safari is a notable exception. The malware is also capable of gathering information from Telegram and capturing screenshots.

"Most variants attempt to grab the user's password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model," Stokes explained.

"The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft."

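A detection-side check for the two behaviours Stokes describes, an osascript password prompt and the sysctl -n hw.model virtual-machine test, as an added example that is not SentinelOne's code: it runs over a few constructed process-execution records, flags osascript invocations that draw a dialog with a hidden-answer (password-style) field, flags hw.model queries whose parent is outside a small system allowlist, and then reports parents that exhibit both. The record format, the parent paths and the allowlist are assumptions for the demo; on a real fleet the input would be EDR process events. Legitimate admin scripts also use "with hidden answer", so a single hit is a triage lead, and the combination is the stronger signal.

```python
"""Flag Realst-style password-prompt spoofing and VM checks in process events.

Added example (not SentinelOne's code). Input lines are constructed for the
demo in the form '<ts> parent=<path> user=<name> cmd=<command line>'.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = """\
2023-07-26T10:01:02Z parent=/Applications/Brawl Earth.app/Contents/MacOS/game user=alice cmd=osascript -e 'display dialog "macOS wants to make changes" default answer "" with hidden answer'
2023-07-26T10:01:03Z parent=/Applications/Brawl Earth.app/Contents/MacOS/game user=alice cmd=sysctl -n hw.model
2023-07-26T10:05:00Z parent=/bin/zsh user=alice cmd=sysctl -n hw.model
2023-07-26T10:06:00Z parent=/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor user=alice cmd=osascript -e 'display notification "done"'
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>.+?) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Parents not treated as suspicious for a hw.model lookup (assumed allowlist).
SYSTEM_PARENT_PREFIXES = ("/bin/", "/usr/bin/", "/usr/sbin/", "/System/")


def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_password_prompt_spoof(cmd: str) -> bool:
    """osascript drawing a dialog with a hidden (password-style) answer field."""
    c = cmd.lower()
    return c.startswith("osascript") and "display dialog" in c and "hidden answer" in c


def is_vm_check(cmd: str, parent: str) -> bool:
    """sysctl ... hw.model from a parent outside the allowlist (Realst's VM heuristic)."""
    return (re.search(r"\bsysctl\b.*\bhw\.model\b", cmd) is not None
            and not parent.startswith(SYSTEM_PARENT_PREFIXES))


def scan(text: str) -> list:
    """Return (technique, parent, line) findings for every matching event."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if is_password_prompt_spoof(ev["cmd"]):
            findings.append(("credential_prompt_spoof", ev["parent"], line))
        if is_vm_check(ev["cmd"], ev["parent"]):
            findings.append(("vm_check", ev["parent"], line))
    return findings


def parents_with_both(findings: list) -> list:
    """Parents showing both techniques: a much stronger signal than either alone."""
    seen = defaultdict(set)
    for technique, parent, _ in findings:
        seen[parent].add(technique)
    return sorted(p for p, t in seen.items() if {"credential_prompt_spoof", "vm_check"} <= t)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for technique, parent, line in hits:
        print(f"[{technique}] {parent}: {line}")
    print("high-confidence parents:", parents_with_both(hits))
```
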
News of the Realst stealer follows the discovery of SophosEncrypt, which has been found impersonating cybersecurity firm Sophos and described as a "general-purpose remote access trojan (RAT) with the capacity to encrypt files and generate these ransom notes."
The developments come as data captured via commercial information stealers is being packaged and sold for profit on dark web marketplaces and Telegram channels, with over 200,000 OpenAI credentials leaked via stealer logs in 2022 and 2023, according to multiple reports from Bitdefender and Flare.

Stolen enterprise credentials, in particular, can act as a channel for initial access brokers to breach organizations, which can then be auctioned off to other actors looking to exploit the foothold for follow-on activities such as ransomware deployment.

According to IBM's Cost of a Data Breach Report 2023, which examined data breaches experienced by 553 organizations across 16 countries between March 2022 and March 2023, the global average cost of a data breach in 2023 stands at $4.45 million, a 15.3% increase from $3.86 million in 2020.

The study also found that "data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers," a trend observed in 2022 as well.


Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking
26.7.23  Vulnerebility  The Hacker News
A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices.

Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is estimated to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and Winbox interfaces, respectively, VulnCheck disclosed in a Tuesday report.

"CVE-2023-30799 does require authentication," security researcher Jacob Baines said. "In fact, the vulnerability itself is a simple privilege escalation from admin to 'super-admin' which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect."

This is because the MikroTik RouterOS operating system offers no protection against password brute-force attacks and ships with a well-known default "admin" user whose password was an empty string until October 2021, when the release of RouterOS 6.49 began prompting administrators to replace the blank password.

CVE-2023-30799 is said to have been originally disclosed by Margin Research as an exploit dubbed FOISted without an accompanying CVE identifier in June 2022. The security hole, however, was not plugged until October 13, 2022, in the RouterOS stable version 6.49.7 and on July 19, 2023, for the RouterOS Long-term version 6.49.8.

VulnCheck noted that a patch for the Long-term release tree was made available only after it directly contacted the vendor and "published new exploits that attacked a wider range of MikroTik hardware."

A proof-of-concept (PoC) devised by the company shows that it's possible to derive a new MIPS architecture-based exploit chain from FOISted and obtain a root shell on the router.

"Given RouterOS' long history of being an APT target, combined with the fact that FOISted was released well over a year ago, we have to assume we aren't the first group to figure this out," Baines noted.

"Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort nor Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI."

With flaws in Mikrotik routers exploited to corral the devices into distributed denial-of-service (DDoS) botnets such as Mēris and use them as command-and-control proxies, it's recommended that users patch the flaw by updating to the latest version (6.49.8 or 7.x) as soon as possible.

Mitigation advice includes removing MikroTik administrative interfaces from the internet, limiting the IP addresses administrators can log in from, disabling the Winbox and web interfaces, and configuring SSH to use public/private keys and disable passwords.


TETRA:BURST — 5 New Vulnerabilities Exposed in Widely Used Radio Communication System
25.7.23  Vulnerebility  The Hacker News
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information.

The issues, discovered by Midnight Blue in 2021 and held back until now, have been collectively called TETRA:BURST. There is no conclusive evidence to determine that the vulnerabilities have been exploited in the wild to date.

"Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said.

Standardized by the European Telecommunications Standards Institute (ETSI) in 1995, TETRA is used in more than 100 countries and as a police radio communication system outside the U.S. It's also employed to control essential systems like power grids, gas pipelines, and railways.

That said, TETRA-based radios are estimated to be used in at least two dozen critical infrastructures in the U.S., per WIRED. This comprises electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system, three international airports, and a U.S. Army training base.

The system is underpinned by a collection of secret, proprietary cryptographic algorithms – the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE) – which have been guarded as trade secrets under strict non-disclosure agreements (NDAs).

In reverse engineering TAA1 and TEA, Midnight Blue said it was able to discover five shortcomings, ranging from low to critical in severity, that allow for "practical interception and manipulation attacks by both passive and active adversaries" -

CVE-2022-24400 - A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.
CVE-2022-24401 - The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
CVE-2022-24402 - The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
CVE-2022-24403 - The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.
CVE-2022-24404 - Lack of ciphertext authentication on AIE allows for malleability attacks.

"The impact of the issues above is highly dependent on how TETRA is used by organizations, such as whether it transmits voice or data and which cryptographic algorithm is in place," cybersecurity company Forescout said.

One of the most severe issues is CVE-2022-24401, an oracle decryption attack that can be weaponized to reveal text, voice, or data communications without knowledge of the encryption key.

The second critical flaw is CVE-2022-24402, which permits attackers to inject data traffic that is used for monitoring and control of industrial equipment, the San Jose firm pointed out.

"Decrypting this traffic and injecting malicious traffic allows an attacker to achieve denial of control/view or manipulation of control/view, thus performing dangerous actions such as opening circuit breakers in electrical substations, which can lead to blackout events similar to the impact of the Industroyer malware," it pointed out.

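The two attack classes Forescout describes, decryption without the key and injection of control traffic, both follow from an unauthenticated stream cipher whose keystream is bound to a public value the attacker can influence (here, the network time). The toy below is an added example, not TEA1/TEA2 and not Midnight Blue's code: it uses a SHA-256 counter construction as a stand-in keystream generator so the structure stays readable, then shows (1) bit-flipping a valve command without the key, the malleability of CVE-2022-24404, (2) recovering a second message when a pinned time value makes the keystream repeat, the simplest form of the CVE-2022-24401 oracle, and (3) the same scheme with an HMAC over time and ciphertext, which rejects the forgery. Key and plaintexts are constructed.

```python
"""Why an unauthenticated, time-keyed stream cipher is malleable and oracle-prone.

Added example. The keystream is a SHA-256 counter construction chosen for
readability; it is NOT TEA1/TEA2 and says nothing about those algorithms.
"""
import hashlib
import hmac

TAG_LEN = 32


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Keystream bound to (key, time): the same time value yields the same bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + network_time.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, network_time: int, plaintext: bytes) -> bytes:
    """Air-interface style encryption with no integrity protection."""
    return xor(plaintext, keystream(key, network_time, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def forge(ciphertext: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Malleability: whoever knows (or guesses) the plaintext at a position can
    rewrite it without the key by XORing in the difference."""
    if len(known_plaintext) != len(wanted_plaintext) or len(known_plaintext) > len(ciphertext):
        raise ValueError("lengths must match")
    delta = xor(known_plaintext, wanted_plaintext)
    return xor(ciphertext[:len(delta)], delta) + ciphertext[len(delta):]


def recover_with_reused_time(c1: bytes, m1: bytes, c2: bytes) -> bytes:
    """Two-time pad: under the same time value c1 XOR m1 is the keystream,
    so a known m1 decrypts c2 as far as m1 reaches."""
    return xor(c2, xor(c1, m1))


def encrypt_auth(key: bytes, network_time: int, plaintext: bytes) -> bytes:
    """Hardened form: ciphertext plus an HMAC over (time, ciphertext).
    A real design would derive separate encryption and MAC keys."""
    ct = encrypt(key, network_time, plaintext)
    tag = hmac.new(key, network_time.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_auth(key: bytes, network_time: int, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, network_time.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return decrypt(key, network_time, ct)


if __name__ == "__main__":
    key, t = b"\x01" * 16, 1690000000
    c = encrypt(key, t, b"VALVE=CLOSED")
    print(decrypt(key, t, forge(c, b"VALVE=CLOSED", b"VALVE=OPENED")))
    c2 = encrypt(key, t, b"PUMP=RUNNING")
    print(recover_with_reused_time(c, b"VALVE=CLOSED", c2))
    try:
        decrypt_auth(key, t, forge(encrypt_auth(key, t, b"VALVE=CLOSED")[:-TAG_LEN],
                                   b"VALVE=CLOSED", b"VALVE=OPENED") + b"\x00" * TAG_LEN)
    except ValueError as e:
        print("authenticated variant:", e)
```

The tag stops injection, but it does not stop the passive two-time-pad recovery: as long as the keystream depends on a time value the attacker can pin or replay, the only real fix for that half of the problem is authenticating the time source or keying the stream from a nonce the attacker cannot steer.
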
"The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakening," the Midnight Blue team noted, describing the engineering weakness as having a "computational step which serves no other purpose than to reduce the key's effective entropy."

But ETSI, in a statement shared with Vice, has pushed back against the term "backdoor," stating that "the TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption."


Zenbleed: New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk
25.7.23  Vulnerebility  The Hacker News
A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords.

Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second.

The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.

"Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory. "This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."

Web infrastructure company Cloudflare noted that the attack could even be carried out remotely through JavaScript on a website, thereby obviating the need for physical access to the computer or server.

"Vectorized operations can be executed with great efficiency using the YMM registers," Cloudflare researchers Derek Chamorro and Ignat Korchagin said. "Applications that process large amounts of data stand to gain significantly from them, but they are increasingly the focus of malicious activity."

"This attack works by manipulating register files to force a mispredicted command. Since the register file is shared by all the processes running on the same physical core, this exploit can be used to eavesdrop on even the most fundamental system operations by monitoring the data being transferred between the CPU and the rest of the computer," they added.

While there is no evidence of the bug being exploited in the wild, it's essential that the microcode updates are applied to mitigate potential risk as and when they become available through original equipment manufacturers (OEMs).


Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo
25.7.23  Vulnerebility  The Hacker News
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.

The list of the flaws is below -

CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0)
CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0)
CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1)

CVE-2023-22505 and CVE-2023-22508 allow an "authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," the company said.

While the first bug was introduced in version 8.0.0, CVE-2023-22508 was introduced in version 7.4.0 of the software.

CVE-2023-22506, introduced in version 8.0.0 of Bamboo Data Center, permits an "authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," according to Atlassian.

Earlier this January, the Australian company shipped patches to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances (CVE-2023-22501, CVSS score: 9.4).

Weeks later, it also rolled out fixes for two critical overflow flaws in Git (CVE-2022-41903 and CVE-2022-23531) affecting Bitbucket Server and Data Center, Bamboo Server and Data Center, Fisheye, Crucible, and Sourcetree.

With security vulnerabilities in Atlassian servers becoming attack magnets in recent years, it's recommended that users move quickly to apply the patches to safeguard against potential threats.


Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation
25.7.23  Vulnerebility  The Hacker News
Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability.

Tracked as CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts the currently supported version 11.4 line (releases 11.10, 11.9, and 11.8) as well as older releases. It has the maximum severity rating of 10.0 on the CVSS scale.

"An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," the company said in a terse advisory.

"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said an adversary with access to the API paths could exploit them to obtain personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.

"An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system," CISA added.

The Utah-based IT software firm further said that it's aware of active exploitation of the bug against a "very limited number of customers" but did not disclose additional specifics about the nature of the attacks or the identity of the threat actor behind them.

Patches for the issue have been made available in versions 11.8.1.1, 11.9.1.1, and 11.10.0.2, according to security researcher Kevin Beaumont.


Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks
25.7.23  Vulnerebility  The Hacker News
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks.

The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.

"The ability to initiate an operation from an NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said. "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks."

Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges.

Both the flaws reside in the MSI installer's repair functionality, potentially creating a scenario where operations are triggered from an NT AUTHORITY\SYSTEM context even if they are initiated by a standard user.

According to the Google-owned threat intelligence firm, Atera Agent is susceptible to a local privilege escalation attack that can be exploited through DLL hijacking (CVE-2023-26077), which could then be abused to obtain a Command Prompt as the NT AUTHORITY\SYSTEM user.

CVE-2023-26078, on the other hand, concerns the "execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process," as a result opening up a "command window, which, if executed with elevated privileges, can be exploited by an attacker to perform a local privilege escalation attack."

"Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations," Oliveau said. "It is essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs."

The disclosure comes as Kaspersky shed more light on a now-fixed, severe privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) that has come under active exploitation in the wild by threat actors using a specially crafted Outlook task, message or calendar event.

While Microsoft disclosed previously that Russian nation-state groups weaponized the bug since April 2022, evidence gathered by the antivirus vendor has revealed that real-world exploit attempts were carried out by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month prior to the public disclosure.


New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection
24.7.23  Vulnerebility  The Hacker News
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.

"This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2.

OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks.

Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system (for example, with ssh -A or ForwardAgent yes in ssh_config). ssh-agent is a background program that keeps users' private keys in memory so they can log in to further servers without re-entering their passphrase.

"While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where Alice's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice's workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default)," Qualys explained.

The cybersecurity firm said it was able to devise a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, although other Linux distributions are expected to be vulnerable as well.

It is strongly advised that users of OpenSSH update to the most recent version in order to safeguard against potential cyber threats.

Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.

A subsequent release in March addressed another security issue that could be abused by means of a specifically crafted DNS response to perform an out-of-bounds read of adjacent stack data and cause a denial-of-service to the SSH client.


Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action
21.7.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems.

"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said.

"The web shell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement."

The shortcoming in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released patches for the issue and warned of active in-the-wild exploitation.

Successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server.

CISA did not disclose the name of the organization that was impacted by the incident. The threat actor or the country allegedly behind it is presently unknown.

In the incident analyzed by CISA, the web shell is said to have enabled the collection of NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was transmitted as a PNG image file ("medialogininit.png").

The adversary's subsequent attempts to laterally move across the network as well as run commands to identify accessible targets and verify outbound network connectivity were thwarted due to robust network segmentation practices, the agency noted, adding the actors also attempted to delete their artifacts to cover up the tracks.
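The exfiltration detail above, configuration files and decryption keys "transmitted as a PNG image file", suggests a cheap triage check for the DFIR side: confirm that a file claiming to be a PNG actually is one, and that nothing follows its IEND chunk. The function below is an added example, not CISA's tooling: it walks the PNG chunk structure, validates each chunk's CRC, and reports a wrong signature, a truncated or missing IEND, or trailing bytes. The sample image and the appended payload are constructed in code. Some legitimate tools do leave bytes after IEND, so a hit is a lead to confirm by looking at what the trailing bytes contain, not proof of exfiltration.

```python
"""Check whether a 'PNG' is really a PNG and whether data trails its IEND chunk.

Added example (not CISA's tooling). build_png constructs a minimal valid image
so the check can run offline; inspect_png does the work.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC32 over type+data: the PNG chunk encoding."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Smallest 8-bit RGB PNG: IHDR, one zlib-compressed IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; stop at IEND and count whatever follows it."""
    result = {"valid_signature": data.startswith(PNG_SIG), "chunks": [],
              "bad_crc": [], "truncated": False, "has_iend": False, "trailing_bytes": 0}
    if not result["valid_signature"]:
        return result
    off = len(PNG_SIG)
    while off < len(data):
        if off + 8 > len(data):            # not even a full length+type header left
            result["truncated"] = True
            break
        length, ctype = struct.unpack_from(">I4s", data, off)
        body = data[off + 8: off + 8 + length]
        crc_bytes = data[off + 8 + length: off + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            result["truncated"] = True
            break
        name = ctype.decode("latin-1")
        result["chunks"].append(name)
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            result["bad_crc"].append(name)
        off += 12 + length
        if ctype == b"IEND":
            result["has_iend"] = True
            break
    # Only meaningful once IEND was seen; a file without IEND is reported via has_iend.
    result["trailing_bytes"] = len(data) - off if result["has_iend"] else 0
    return result


def is_suspicious(data: bytes) -> bool:
    r = inspect_png(data)
    return (not r["valid_signature"] or not r["has_iend"] or r["truncated"]
            or bool(r["bad_crc"]) or r["trailing_bytes"] > 0)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "SUSPICIOUS" if is_suspicious(blob) else "ok", inspect_png(blob))
```
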

Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for threat actors looking to obtain privileged access to targeted networks. This makes it imperative that users move quickly to apply the latest fixes to secure against potential threats.


Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks
21.7.23  Vulnerebility  The Hacker News
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware.

"These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions," Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News.

"They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system."

To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops.

"As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware and computing trust relies on, compromise becomes harder to detect and exponentially more complex to remediate," the researchers pointed out.

Eclypsium's findings are based on an analysis of the AMI firmware leaked in a ransomware attack carried out by the RansomExx crew targeting hardware-maker GIGABYTE in August 2021.

The vulnerabilities are the latest additions to a set of bugs affecting AMI MegaRAC BMCs that have been cumulatively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and January 2023 (CVE-2022-26872 and CVE-2022-40258).

The list of new flaws is as follows -

CVE-2023-34329 (CVSS score: 9.1) - Authentication bypass via HTTP header spoofing
CVE-2023-34330 (CVSS score: 8.2) - Code injection via dynamic Redfish extension interface

When chained together, the two bugs carry a combined severity score of 10.0, allowing an adversary to sidestep Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. In addition, the aforementioned flaws could be strung together with CVE-2022-40258 to crack passwords for the admin accounts on the BMC chip.

It's worth pointing out that an attack of this nature could result in the installation of malware that could be used for conducting long-term cyber espionage while flying under the radar of security software, not to mention performing lateral movement and even destroying the CPU by power management tampering techniques like PMFault.

While there is no evidence that the flaws have been exploited in the wild, the popularity of MegaRAC BMC – a critical supply chain component found in millions of devices shipped by major vendors – makes it a lucrative target for threat actors looking to control every aspect of the targeted system.

"These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing," the researchers said. "In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services."

"As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use."


Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities
21.7.23  Vulnerebility  The Hacker News
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers.

"Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability researcher Stefan Schiller said in a report shared with The Hacker News.

"The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server."

Following responsible disclosure on March 20, 2023, the vulnerabilities were addressed with the release of Openmeetings version 7.1.0 that was released on May 9, 2023. The list of three flaws is as follows -

CVE-2023-28936 (CVSS score: 5.3) - Insufficient check of invitation hash
CVE-2023-29032 (CVSS score: 8.1) - An authentication bypass that leads to unrestricted access via invitation hash
CVE-2023-29246 (CVSS score: 7.2) - A NULL byte (%00) injection that allows an attacker with admin privileges to gain code execution

Meeting invites created using OpenMeetings are not only bound to a specific room and a user but also come with a unique hash that's used by the application to retrieve details associated with the invitation.

The first two flaws, in a nutshell, have to do with a weak hash comparison between the user-supplied hash and what's present in the database and a quirk that allows for the creation of a room invitation without a room assigned to it, leading to a scenario where an invitation exists with no room attached to it.

A threat actor could exploit these shortcomings to create an event and join the corresponding room, and follow it up by deleting the event, at which point an invitation is created for the admin user to the non-existing room. In the next step, the weak hash comparison bug could be leveraged to enumerate the sent invitation and redeem it by providing a wildcard hash input.

"Although the room is also deleted when its associated event is deleted, the presence of the attacker in the room makes this a zombie room," Schiller explained. "Although an error is raised when redeeming the hash for such an invitation, a valid web session for the invitee with full permissions of this user is created."

In other words, the zombie room could allow the attacker to acquire admin privileges and make modifications to the OpenMeetings instance, including adding and removing users and groups, changing room settings, and terminating sessions of connected users.

Sonar said it also identified a third vulnerability that's rooted in a feature that enables an administrator to configure the path for executables related to ImageMagick, an open-source software used to edit and process images. This allows an attacker with admin privileges to gain code execution by changing the ImageMagick path to "/bin/sh%00x" and triggering arbitrary shell commands.

"When now uploading a fake image containing a valid image header followed by arbitrary shell commands, the conversion spawns /bin/sh with the first argument being the fake image, effectively executing every command in it," Schiller said.

"In combination with the account takeover, this vulnerability allows a self-registered attacker to gain remote code execution on the underlying server."

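The "weak hash comparison" combined with a "wildcard hash input" in the account-takeover chain is the signature of a lookup that pattern-matches the invitation hash instead of comparing it exactly. The example below is an added reconstruction of that bug class, not OpenMeetings' own code: it uses an in-memory SQLite table with two constructed invitation rows (the hash values are made up), shows a LIKE-based lookup accepting "%" and handing back the admin's invitation, and beside it a lookup that validates the token format and uses an exact match. The redeem helper stands in for the session-creation step that turns the lookup result into an authenticated user.

```python
"""Invitation-hash lookup: wildcard-accepting LIKE versus exact, validated match.

Added example reconstructing the bug class, not OpenMeetings' own code.
The table and hash values are constructed for the demo.
"""
import re
import sqlite3

HASH_RE = re.compile(r"[0-9a-f]{32}")   # assumed token format: 32 lowercase hex chars

# Constructed rows: (invitee, invitation hash)
INVITATIONS = [
    ("admin", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("alice", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invitation (id INTEGER PRIMARY KEY, invitee TEXT, hash TEXT UNIQUE)")
    conn.executemany("INSERT INTO invitation (invitee, hash) VALUES (?, ?)", INVITATIONS)
    return conn


def invitee_by_hash_vulnerable(conn, user_hash: str):
    """Pattern match: '%' and '_' are wildcards, so '%' redeems the first invitation
    and a short prefix plus '%' lets an attacker enumerate the rest."""
    row = conn.execute(
        "SELECT invitee FROM invitation WHERE hash LIKE ? ORDER BY id LIMIT 1",
        (user_hash,)).fetchone()
    return row[0] if row else None


def invitee_by_hash_fixed(conn, user_hash: str):
    """Reject anything that is not a well-formed token, then compare exactly."""
    if not HASH_RE.fullmatch(user_hash):
        return None
    row = conn.execute("SELECT invitee FROM invitation WHERE hash = ?", (user_hash,)).fetchone()
    return row[0] if row else None


def redeem(conn, user_hash: str, lookup) -> dict:
    """What the application does next: build a session for whoever the lookup returned."""
    invitee = lookup(conn, user_hash)
    return {"authenticated": invitee is not None, "user": invitee, "is_admin": invitee == "admin"}


if __name__ == "__main__":
    db = setup_db()
    for probe in ["%", "0f1e%", "_" * 32, INVITATIONS[1][1]]:
        print(f"{probe!r:40} LIKE -> {invitee_by_hash_vulnerable(db, probe)!s:6} "
              f"exact -> {invitee_by_hash_fixed(db, probe)}")
```

The format check matters on its own: even with an exact comparison, accepting arbitrary strings as a token invites the next parser quirk, and a token that is guessable or short would still be a problem regardless of how it is compared.
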

Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
20.7.23  Vulnerebility  The Hacker News
Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild.

The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions:

ColdFusion 2023 (Update 2 and earlier versions)
ColdFusion 2021 (Update 8 and earlier versions), and
ColdFusion 2018 (Update 18 and earlier versions)
"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company said.

The update also addresses two other flaws, including a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass (CVE-2023-38206, CVSS score: 5.3).
The disclosure arrives days after Rapid7 warned that the fix put in place for CVE-2023-29298 was incomplete and that it could be trivially sidestepped by malicious actors. The cybersecurity firm has confirmed that the new patch completely plugs the security hole.

CVE-2023-29298, an access control bypass vulnerability, has been weaponized in real-world attacks by chaining it with another flaw that's suspected to be CVE-2023-38203 to drop web shells on compromised systems for backdoor access.

Adobe ColdFusion users are highly recommended to update their installations to the latest version to mitigate potential threats.


Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation
19.7.23  Vulnerebility  The Hacker News

Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors to tamper with application images and infect users, leading to supply chain attacks.

The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported the issue.

"By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company said in a statement shared with The Hacker News.

"Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk."

Following responsible disclosure, Google has issued a partial fix that doesn't eliminate the privilege escalation vector, describing it as a low-severity issue. No further customer action is required.

The design flaw stems from the fact that Cloud Build automatically creates a default service account to execute builds for a project on users' behalf. Specifically, the service account comes with excessive permissions ("logging.privateLogEntries.list"), which allows access to audit logs containing the complete list of all permissions on the project.

"What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation in the environment," Orca researcher Roi Nisimi said. "Knowing which GCP account can perform which action, is equal to solving a great piece of the puzzle on how to launch an attack."

In doing so, a malicious actor could abuse the "cloudbuild.builds.create" permission already obtained by other means to impersonate the Google Cloud Build service account and obtain elevated privileges, exfiltrate an image that is being used inside Google Kubernetes Engine (GKE), and alter it to incorporate malware.

"Once the malicious image is deployed, the attacker can exploit it and run code on the docker container as root," Nisimi explained.
The patch put in place by Google revokes the logging.privateLogEntries.list permission from the Cloud Build service account, thereby preventing access to enumerate private logs by default.

This is not the first time privilege escalation flaws impacting the Google Cloud Platform have been reported. In 2020, Gitlab, Rhino Security Labs, and Praetorian detailed various techniques that could be exploited to compromise cloud environments.

Customers are advised to monitor the behavior of the default Google Cloud Build service account to detect any possible malicious behavior as well as apply the principle of least privilege (PoLP) to mitigate possible risks.


Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens
15.7.23  Vulnerebility  The Hacker News
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.

"Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation."

"Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."
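The validation mistake Microsoft describes, a key issued for one issuer being trusted for another, as an added Python illustration that is not Microsoft's code. Tokens are simplified header.payload.signature strings signed with HMAC-SHA256 instead of RSA, and the issuer URLs, key IDs and secrets are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

MSA_ISSUER = "https://login.live.com"                  # constructed stand-in
AAD_ISSUER = "https://sts.windows.net/contoso-tenant"  # constructed stand-in

# Each issuer publishes its own key set; the consumer (MSA) key must never be
# usable for enterprise (Azure AD) tokens. Secrets below are constructed.
KEYS_BY_ISSUER = {
    MSA_ISSUER: {"msa-consumer-key": b"constructed-msa-secret"},
    AAD_ISSUER: {"aad-enterprise-key": b"constructed-aad-secret"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, secret: bytes) -> str:
    """Builds header.payload.signature, HMAC-SHA256 standing in for RSA."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _check_signature(token: str, secret: bytes) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(_unb64(payload_b64))


def _kid(token: str) -> str:
    return json.loads(_unb64(token.split(".")[0]))["kid"]


def validate_flawed(token: str, expected_issuer: str) -> dict:
    """Flawed pattern: resolve the kid against one pool of every trusted key,
    then check the issuer claim. The issuer check passes because the forged
    payload simply claims the enterprise issuer; the key was never tied to it."""
    pool = {kid: s for keys in KEYS_BY_ISSUER.values() for kid, s in keys.items()}
    secret = pool.get(_kid(token))
    if secret is None:
        raise ValueError("unknown kid")
    claims = _check_signature(token, secret)
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims


def validate_scoped(token: str, expected_issuer: str) -> dict:
    """Hardened pattern: the kid may only resolve within the expected issuer's
    own key set, so a consumer key cannot vouch for an enterprise token."""
    secret = KEYS_BY_ISSUER.get(expected_issuer, {}).get(_kid(token))
    if secret is None:
        raise ValueError("kid not published by the expected issuer")
    claims = _check_signature(token, secret)
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims


def accepts(validator, token: str, expected_issuer: str) -> bool:
    """True when the given validator accepts the token for that issuer."""
    try:
        validator(token, expected_issuer)
        return True
    except ValueError:
        return False


def forged_enterprise_token() -> str:
    """An enterprise-issuer token signed with the consumer key: the shape of
    the Storm-0558 forgery, built here only to exercise the validators."""
    return sign_token("msa-consumer-key", {"iss": AAD_ISSUER, "sub": "victim-user"},
                      KEYS_BY_ISSUER[MSA_ISSUER]["msa-consumer-key"])


def legitimate_enterprise_token() -> str:
    return sign_token("aad-enterprise-key", {"iss": AAD_ISSUER, "sub": "alice"},
                      KEYS_BY_ISSUER[AAD_ISSUER]["aad-enterprise-key"])


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("flawed validator accepts forged token:", accepts(validate_flawed, forged, AAD_ISSUER))
    print("scoped validator accepts forged token:", accepts(validate_scoped, forged, AAD_ISSUER))
```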

It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse.

The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted.

The exact scope of the breach remains unclear, but it's the latest example of a China-based threat actor conducting cyberattacks seeking sensitive information and pulling off a stealthy intelligence coup without attracting any attention for at least a month before it was discovered in June 2023.

The company was tipped off about the incident after the U.S. State Department detected anomalous email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activities that are consistent with espionage, although China has refuted the allegations.

Primary targets of the hacking crew include U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests, as well as media companies, think tanks, and telecommunications equipment and service providers.

It's said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts to pursue its goals.

"Storm-0558 operates with a high degree of technical tradecraft and operational security," Microsoft said, describing it as technically adept, well-resourced, and having an acute understanding of various authentication techniques and applications.

"The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."

Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft.

Also employed by Storm-0558 are PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations using Outlook Web Access (OWA) API calls.
Microsoft said since the discovery of the campaign on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." It also noted it mitigated the issue "on customers' behalf" effective June 26, 2023.

The disclosure comes as Microsoft has faced criticism for its handling of the hack and for gating forensic capabilities behind additional licensing barriers, thereby preventing customers from accessing detailed audit logs that could have otherwise helped analyze the incident.

"Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags," U.S. Senator Ron Wyden was quoted as saying.

The development comes as the U.K.'s Intelligence and Security Committee of Parliament (ISC) published a detailed Report on China, calling out its "highly effective cyber espionage capability" and its ability to penetrate a diverse range of foreign government and private sector IT systems.


Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
15.7.23  Vulnerebility  The Hacker News
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems.

Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News.

Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller.

"As a result, anyone with access to the network is able to impersonate both the controller and the server," Tom Gol, CTO for research at Armis, said. "In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an advisory of its own, said seven of the nine flaws carry a CVSS score of 9.8 out of 10, while the two others have a severity rating of 7.5. "Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow privilege escalation or allow remote code execution," it warned.

In a related development, Check Point and Claroty uncovered major flaws in a chat and video calling platform known as QuickBlox that's widely used in telemedicine, finance, and smart IoT devices. The vulnerabilities could allow attackers to leak the user database from many popular applications that incorporate QuickBlox SDK and API.

This includes Rozcom, an Israeli vendor that sells intercoms for residential and commercial use cases. A closer examination of its mobile app led to the discovery of additional bugs (CVE-2023-31184 and CVE-2023-31185) that made it possible to download all user databases, impersonate any user, and perform full account takeover attacks.

"As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more," the researchers said.

Also disclosed this week are remote code execution flaws impacting Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine versions before 10.6r2 and the open-source Ghostscript library (CVE-2023-36664, CVSS score: 9.8) that could result in the execution of arbitrary commands.
"Ghostscript is a widely used but not necessarily widely known package," Kroll researcher Dave Truman said. "It can be executed in many different ways, from opening a file in a vector image editor such as Inkscape to printing a file via CUPS. This means that an exploitation of a vulnerability in Ghostscript might not be limited to one application or be immediately obvious."

Security shortcomings have also been made public in two Golang-based open-source platforms, Owncast (CVE-2023-3188, CVSS score: 6.5) and EaseProbe (CVE-2023-33967, CVSS score: 9.8), that could pave the way for Server-Side Request Forgery (SSRF) and SQL injection attacks, respectively.

Rounding off the list is the discovery of hard-coded credentials in Technicolor TG670 DSL gateway routers that could be weaponized by an authenticated user to gain full administrative control of the devices.

"A remote attacker can use the default username and password to login as the administrator to the router device," CERT/CC said in an advisory. "This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways."

Users are advised to disable remote administration on their devices to prevent potential exploitation attempts and check with the service providers to determine if appropriate patches and updates are available.


Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation
14.7.23  Vulnerebility  The Hacker News
Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild.

"A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory.

It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional details about the flaw are currently unavailable.

In the interim, it is urging customers to apply a manual fix to eliminate the attack vector -

Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
Edit this file and go to line number 40
Update the parameter value as: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
Before the update, the line appeared as: <input name="st" type="hidden" value="${param.st}"/>
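What the one-line change above actually does, as an added Python illustration that is not Zimbra's code: escape_xml mirrors the replacement set of JSTL's fn:escapeXml, render_st_input shows line 40 before and after the fix for a constructed request parameter, and momoveto_status checks a copy of the file for either form of the line.

```python
import re

# Replacement set of JSTL's fn:escapeXml: the five XML-significant characters.
_XML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#034;", "'": "&#039;"}


def escape_xml(value: str) -> str:
    """Python equivalent of fn:escapeXml as used in the patched line."""
    return "".join(_XML_ESCAPES.get(ch, ch) for ch in value)


def render_st_input(st: str, patched: bool) -> str:
    """Renders line 40 of momoveto for a request parameter st, before and after
    the fix. A quote inside an unescaped value terminates the attribute early,
    so whatever follows it is parsed as markup."""
    value = escape_xml(st) if patched else st
    return f'<input name="st" type="hidden" value="{value}"/>'


def tag_count(html: str) -> int:
    """Number of element start tags in a fragment; one hidden input is one tag."""
    return len(re.findall(r"<[A-Za-z][^>]*>", html))


PATCHED_LINE = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'
VULNERABLE_LINE = '<input name="st" type="hidden" value="${param.st}"/>'


def momoveto_status(contents: str) -> str:
    """Classifies the contents of /opt/zimbra/jetty/webapps/zimbra/m/momoveto as
    'patched', 'vulnerable', or 'unknown' when neither form of the line is present
    (for example a differently customised file that needs manual review)."""
    if PATCHED_LINE in contents:
        return "patched"
    if VULNERABLE_LINE in contents:
        return "vulnerable"
    return "unknown"


# Constructed parameter value that closes the attribute and the tag; harmless
# bold markup stands in for the script content a real attack would carry.
PROBE_ST = '"/><b>injected</b><input value="'

if __name__ == "__main__":
    print("before fix:", render_st_input(PROBE_ST, patched=False))
    print("after fix: ", render_st_input(PROBE_ST, patched=True))
```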
While the company did not disclose details of active exploitation, Google Threat Analysis Group (TAG) researcher Maddie Stone said it discovered the cross-site scripting (XSS) flaw being abused in the wild as part of a targeted attack. TAG researcher Clément Lecigne has been credited with discovering and reporting the bug.
The disclosure comes as Cisco released patches to remediate a critical flaw in its SD-WAN vManage software (CVE-2023-20214, CVSS score: 9.1) that could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.

"A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance," the company said.

The vulnerability has been addressed in versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. The networking equipment major said it's not aware of any malicious use of the flaw.


Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware
13.7.23  Vulnerebility  The Hacker News
In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method.

"In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. "Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process."

The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug impacting VMware Fusion, was forked twice.

Uptycs also identified a second GitHub profile containing a bogus PoC for CVE-2023-35829. It is still available as of writing and has been forked 19 times. A closer examination of the commit history shows that the changes were pushed by ChriSanders22, suggesting it was forked from the original repository.

The backdoor comes with a broad range of capabilities to steal sensitive data from compromised hosts as well as allow a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.

"The PoC intends for us to run a make command that is an automation tool used to compile and build executables from source code files," the researchers explained. "But within the Makefile resides a code snippet that builds and executes the malware. The malware names and runs a file named kworker, which adds the $HOME/.local/kworker path in $HOME/.bashrc, thereby establishing its persistence."
The development comes nearly a month after VulnCheck discovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.

Users who have downloaded and executed the PoCs are recommended to remove unauthorized SSH keys, delete the kworker file, erase the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
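The cleanup checklist above turned into a check, as an added Python example that is not from Uptycs. It works on file contents and a set of paths handed to it so it can be run offline against copies collected from a host; the .bashrc, authorized_keys and path samples are constructed, and the list of approved SSH keys is something the operator supplies.

```python
import re

# Artifacts named in the Uptycs write-up above.
KWORKER_FRAGMENT = ".local/kworker"
ICE_PID_PATH = "/tmp/.iCE-unix.pid"
_KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def bashrc_persistence_lines(bashrc_text: str) -> list:
    """Lines in ~/.bashrc that reference the dropped kworker binary."""
    return [ln.rstrip() for ln in bashrc_text.splitlines() if KWORKER_FRAGMENT in ln]


def unknown_authorized_keys(authorized_keys_text: str, approved_keys: set) -> list:
    """authorized_keys lines whose key material is not in the approved set.
    Leading options (e.g. command="...") without embedded spaces are skipped by
    locating the key-type token; malformed lines are reported as unknown too."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        key_material = None
        for i, tok in enumerate(tokens):
            if _KEY_TYPE.match(tok) and i + 1 < len(tokens):
                key_material = tokens[i + 1]
                break
        if key_material is None or key_material not in approved_keys:
            unknown.append(stripped)
    return unknown


def assess_host(bashrc_text: str, authorized_keys_text: str,
                approved_keys: set, existing_paths: set) -> dict:
    """existing_paths holds absolute paths confirmed present on the host (for
    example collected with os.path.exists over the candidate locations).
    Returns one finding per artifact from the write-up."""
    return {
        "bashrc_persistence": bashrc_persistence_lines(bashrc_text),
        "unknown_ssh_keys": unknown_authorized_keys(authorized_keys_text, approved_keys),
        "kworker_binary": sorted(p for p in existing_paths if p.endswith(KWORKER_FRAGMENT)),
        "ice_pid_file": ICE_PID_PATH in existing_paths,
    }


def is_suspicious(findings: dict) -> bool:
    """True when any artifact was found (non-empty list or True flag)."""
    return any(findings.values())


# Constructed samples of what a hit host might look like.
SAMPLE_BASHRC = """\
# .bashrc (constructed sample)
export PATH=$HOME/bin:$PATH
$HOME/.local/kworker &
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3constructedApprovedKey alice@laptop
command="/usr/bin/rsync" ssh-rsa AAAAB3constructedUnknownKey unknown@nowhere
"""
SAMPLE_APPROVED = {"AAAAC3constructedApprovedKey"}
SAMPLE_PATHS = {"/home/alice/.local/kworker", "/tmp/.iCE-unix.pid"}

if __name__ == "__main__":
    findings = assess_host(SAMPLE_BASHRC, SAMPLE_AUTHORIZED_KEYS, SAMPLE_APPROVED, SAMPLE_PATHS)
    for name, value in findings.items():
        print(f"{name}: {value}")
    print("suspicious:", is_suspicious(findings))
```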

"While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments (e.g., virtual machines) can provide a layer of protection," the researchers said.


New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products
13.7.23  Vulnerebility  The Hacker News
SonicWall on Wednesday urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information.

Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The vulnerabilities were disclosed by NCC Group.

The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2.

"The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall said. "This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior."

The list of critical flaws is as follows -

CVE-2023-34124 (CVSS score: 9.4) - Web Service Authentication Bypass
CVE-2023-34133 (CVSS score: 9.8) - Multiple Unauthenticated SQL Injection Issues and Security Filter Bypass
CVE-2023-34134 (CVSS score: 9.8) - Password Hash Read via Web Service
CVE-2023-34137 (CVSS score: 9.4) - Cloud App Security (CAS) Authentication Bypass
The disclosure comes as Fortinet revealed a critical flaw affecting FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) that could enable an adversary to achieve remote code execution under certain circumstances. It said the issue was resolved in a previous release, without an advisory.

"A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection," the company said in an advisory.
Impacted products include FortiOS versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.10 as well as FortiProxy versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.9. The versions that plug the security hole are listed below -

FortiOS version 7.4.0 or above
FortiOS version 7.2.4 or above
FortiOS version 7.0.11 or above
FortiProxy version 7.2.3 or above, and
FortiProxy version 7.0.10 or above
It's worth noting that the flaw does not impact all versions of FortiOS 6.0, FortiOS 6.2, and FortiOS 6.4, and FortiProxy 1.x and FortiProxy 2.x.

For customers who cannot apply the updates immediately, Fortinet is recommending that they disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.


Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
12.7.23  Vulnerebility  The Hacker News
Microsoft on Tuesday released updates to address a total of 132 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild.

Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one has been assigned a severity rating of "None." This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month.

The list of issues that have come under active exploitation is as follows -

CVE-2023-32046 (CVSS score: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability
CVE-2023-32049 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-35311 (CVSS score: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-36874 (CVSS score: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36884 (CVSS score: 8.3) - Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
ADV230001 - Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned)
The Windows maker said it's aware of targeted attacks against defense and government entities in Europe and North America that attempt to exploit CVE-2023-36884 by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress, echoing the latest findings from BlackBerry.

"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim," Microsoft said. "However, an attacker would have to convince the victim to open the malicious file."

The company has flagged the intrusion campaign to a Russian cybercriminal group it tracks as Storm-0978, which is also known by the names RomCom, Tropical Scorpius, UNC2596, and Void Rabisu.

"The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022," the Microsoft Threat Intelligence team explained. "The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom."

Recent phishing attacks staged by the actor have entailed the use of trojanized versions of legitimate software hosted on lookalike websites to deploy a remote access trojan called RomCom RAT against various Ukrainian and pro-Ukraine targets in Eastern Europe and North America.

While RomCom was first clocked as a group tied to Cuba ransomware, it has since been linked to other ransomware strains such as Industrial Spy as well as a new variant called Underground as of July 2023, which exhibits significant source code overlaps with Industrial Spy.

Microsoft said it intends to take "appropriate action to help protect our customers" in the form of an out-of-band security update or via its monthly release process. In the absence of a patch for CVE-2023-36884, the company is urging users to use the "Block all Office applications from creating child processes" attack surface reduction (ASR) rule.

Redmond further said it revoked code-signing certificates used to sign and install malicious kernel-mode drivers on compromised systems by exploiting a Windows policy loophole to alter the signing date of drivers before July 29, 2015, by making use of open-source tools like HookSignTool and FuckCertVerifyTimeValidity.

The findings suggest that the use of rogue kernel-mode drivers is gaining traction among threat actors as they operate at the highest privilege level on Windows, thereby making it possible to establish persistence for extended periods of time while simultaneously interfering with the functioning of security software to evade detection.
It's not currently clear how the other flaws are being exploited and how broadly those attacks are spread. But in light of active abuse, it's recommended that users move quickly to apply the updates to mitigate potential threats.


Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software
8.7.23  Vulnerebility  The Hacker News
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities.

The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.

SQL injection vulnerabilities are a well-known and dangerous security flaw that allows attackers to manipulate databases and run any code they want. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database.

The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports of this particular vulnerability being actively used by attackers.

This discovery comes after a series of recent cyberattacks that used a different SQL injection vulnerability (CVE-2023-34362) to target MOVEit Transfer with Clop ransomware. These attacks resulted in data theft and money extortion from affected organizations.

This latest security update from Progress Software also addresses two other high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933.

CVE-2023-36932 is a SQL injection flaw that can be exploited by attackers who are logged in to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933, on the other hand, is a vulnerability that allows attackers to unexpectedly shut down the MOVEit Transfer program.
Researchers from HackerOne and Trend Micro's Zero Day Initiative responsibly reported Progress Software about these vulnerabilities.

These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and earlier.

Progress Software has made the necessary updates available for all major MOVEit Transfer versions. Users are strongly advised to update to the latest version of MOVEit Transfer to reduce the risks posed by these vulnerabilities.


Mastodon Social Network Patches Critical Flaws Allowing Server Takeover
8.7.23  Vulnerebility  The Hacker News
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.

Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances.

The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance.

This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so far.

The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization process.

Consequently, this introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when users clicked on preview cards associated with malicious links.
The remaining three vulnerabilities were classified as high and medium severity. They included "Blind LDAP injection in login," which allowed attackers to extract arbitrary attributes from the LDAP database, "Denial of Service through slow HTTP responses," and a formatting issue with "Verified profile links." Each of these flaws posed different levels of risk to Mastodon users.

To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.


Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw
4.7.23  Vulnerebility  The Hacker News
No less than 330,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that has come under active exploitation in the wild.

Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched.

CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Patches were released by Fortinet last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although the company acknowledged that the flaw may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.

Bishop Fox's analysis further found that 153,414 of the discovered appliances had been updated to a patched FortiOS version.

Another crucial discovery is that many of the publicly accessible Fortinet devices did not receive an update for the past eight years, with the installations running FortiOS versions 5 and 6.

Given that security flaws in Fortinet devices have been lucrative attack vectors, it's imperative that users move quickly to update to the latest version as soon as possible.


CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices
3.7.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a set of eight flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021.

CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25395 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25371 (CVSS score: 6.7) - An unspecified vulnerability in the DSP driver used in Samsung mobile devices that allows loading of arbitrary ELF libraries
CVE-2021-25372 (CVSS score: 6.7) - Improper boundary check within the DSP driver in Samsung mobile devices
CVE-2021-25487 (CVSS score: 7.8) - Samsung mobile devices out-of-bounds read vulnerability leading to arbitrary code execution
CVE-2021-25489 (CVSS score: 5.5) - Samsung Mobile devices improper input validation vulnerability resulting in kernel panic
CVE-2019-17621 (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in D-Link DIR-859 Router
CVE-2019-20500 (CVSS score: 7.8) - An authenticated OS command injection vulnerability in D-Link DWL-2600AP
The addition of the two D-Link vulnerabilities follows a report from Palo Alto Networks Unit 42 last month about threat actors associated with a Mirai botnet variant leveraging flaws in several IoT devices to propagate the malware in a series of attacks beginning in March 2023.

However, it's not immediately clear how the flaws in Samsung devices are being exploited in the wild. But given the nature of the targeting, it's likely that they may have been put to use by a commercial spyware vendor in highly targeted attacks.

It's worth noting that Google Project Zero disclosed a set of flaws in November 2022 that it said were weaponized as part of an exploit chain aimed at Samsung handsets.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary fixes by July 20, 2023, to secure their networks against potential threats.


Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign
30.6.23  Vulnerebility  The Hacker News
An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network.

"This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said in a Thursday report.

Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node.

This offers two-fold benefits: It not only enables the attacker to monetize the extra bandwidth with a significantly reduced resource load that would be necessary to carry out cryptojacking, it also reduces the chances of discovery.

"It is a stealthier alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve," West said.

To make matters worse, the anonymity provided by proxyware services can be a double-edged sword in that they could be abused by malicious actors to obfuscate the source of their attacks by routing traffic through intermediary nodes.

Akamai, which discovered the latest campaign on June 8, 2023, said the activity is designed to breach susceptible SSH servers and deploy an obfuscated Bash script that, in turn, is equipped to fetch necessary dependencies from a compromised web server, including the curl command-line tool by camouflaging it as a CSS file ("csdark.css").

The stealthy script further actively searches for and terminates competing instances running bandwidth-sharing services, before launching Docker services that share the victim's bandwidth for profits.

A further examination of the web server has revealed that it's also being used to host a cryptocurrency miner, suggesting that the threat actors are dabbling in both cryptojacking and proxyjacking attacks.
While proxyware is not inherently nefarious, Akamai noted that "some of these companies do not properly verify the sourcing of the IPs in the network, and even occasionally suggest that people install the software on their work computers."

But such operations transcend into the realm of cybercrime when the applications are installed without the users' knowledge or consent, thereby allowing the threat actor to control several systems and generate illegitimate revenue.

"Old techniques remain effective, especially when paired with new outcomes," West said. "Standard security practices remain an effective prevention mechanism, including strong passwords, patch management, and meticulous logging."


MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?
30.6.23  Vulnerebility  The Hacker News
MITRE has released its annual list of the Top 25 "most dangerous software weaknesses" for the year 2023.

"These weaknesses lead to serious vulnerabilities in software," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working."

The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity.

Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-of-bounds Write also took the top spot in 2022.

70 vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog in 2021 and 2022 were Out-of-bounds Write bugs. One weakness category that fell off the Top 25 is Improper Restriction of XML External Entity Reference.

"Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management," the Common Weakness Enumeration (CWE) research team said.

Besides software, MITRE also maintains a list of important hardware weaknesses with an aim to "prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle."

The disclosure comes as CISA, together with the U.S. National Security Agency (NSA), released recommendations and best practices for organizations to harden their Continuous Integration/Continuous Delivery (CI/CD) environments against malicious cyber actors.

This includes the implementation of strong cryptographic algorithms when configuring cloud applications, minimizing the use of long-term credentials, adding secure code signing, utilizing two-person rules (2PR) to review developer code commits, adopting the principle of least privilege (PoLP), using network segmentation, and regularly auditing accounts, secrets, and systems.
"By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate," the agencies said.

The development also follows new findings from Censys that nearly 250 devices running on various U.S. government networks have exposed remote management interfaces on the open web, many of which run remote protocols such as SSH and TELNET.

"FCEB agencies are required to take action in compliance with BOD 23-02 within 14 days of identifying one of these devices, either by securing it according to Zero Trust Architecture concepts or removing the device from the public internet," Censys researchers said.

Publicly accessible remote management interfaces have emerged as one of the most common avenues for attacks by nation-state hackers and cybercriminals, with the exploitation of remote desktop protocol (RDP) and VPNs becoming a preferred initial access technique over the past year, according to a new report from ReliaQuest.


Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts
30.6.23  Vulnerebility  The Hacker News
A critical security flaw has been disclosed in miniOrange's Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided that user's email address is already known.

Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.

"The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address," Wordfence researcher István Márton said.

The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properly encrypted email address used to identify the user.

Should the account belong to the WordPress site administrator, it could result in a complete compromise. The plugin is used on more than 30,000 sites.
The advisory follows the discovery of a high-severity flaw affecting LearnDash LMS plugin, a WordPress plugin with over 100,000 active installations, that could permit any user with an existing account to reset arbitrary user passwords, including those with administrator access.

The bug (CVE-2023-3105, CVSS score: 8.8), has been patched in version 4.6.0.1 that was shipped on June 6, 2023.

It also comes weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and elevate privileges by tricking a user with administrative permissions to visit a crafted WordPress site URL.


Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution
28.6.23  Vulnerebility  The Hacker News
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.

"These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a "misconfiguration of the database."

The two issues, which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.

Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through the different Portage packages that are available for the Gentoo Linux distribution.

But the shortcomings identified in the service meant that it could have been possible for a malicious actor to inject specially crafted code, resulting in the exposure of sensitive information.
"The SQL injections were exploitable and had the ability to disclose the PostgreSQL server's version and execute arbitrary commands on the system," SonarSource said.

The development comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in an open-source business suite called Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance as well as exfiltrate valuable data.

Earlier this year, security weaknesses were also disclosed in open-source software such as Pretalx and OpenEMR that could pave the way for remote attackers to execute arbitrary code.


New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks
27.6.23  Vulnerebility  The Hacker News
Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.

Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.

"A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in an advisory published last week.

The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later -

FortiNAC version 9.4.0 through 9.4.2
FortiNAC version 9.2.0 through 9.2.7
FortiNAC version 9.1.0 through 9.1.9
FortiNAC version 7.2.0 through 7.2.1
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions, and
FortiNAC 8.3 all versions
Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been fixed in FortiNAC versions 7.2.2 and 9.4.4.

Florian Hauser from German cybersecurity firm CODE WHITE has been credited with discovering and reporting the two bugs.

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet, earlier this month, acknowledged that the issue may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.

It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. The flaw has since come under active exploitation shortly after a proof-of-concept (PoC) was made available.

In a related development, Grafana has released patches for a critical security vulnerability (CVE-2023-3128) that could permit malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication.

"If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information," Grafana said.


Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
23.6.23  Vulnerebility  The Hacker News
A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.

"This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory.

Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.

The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.

Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.

"However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality," security researcher István Márton said.

Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.

The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes' "Booking Calendar | Appointment Booking | BookIt" plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs.

"This is due to insufficient verification on the user being supplied during booking an appointment through the plugin," Márton explained. "This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."

The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.


Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover
22.6.23  Vulnerebility  The Hacker News
A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.

California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth.

"nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said.

The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account.

To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website.

"If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen explained.

Successful exploitation grants the adversary an "open field" to set up persistence, exfiltrate data, and carry out other post-exploitation activities based on the nature of the app.

This stems from the fact that an email address is both mutable and unverified in Azure AD, prompting Microsoft to issue a warning not to use email claims for authorization purposes.
The tech giant characterized the issue as an "insecure anti-pattern used in Azure AD (AAD) applications" where the use of the email claim from access tokens for authorization can lead to an escalation of privilege.

"An attacker can falsify the email claim in tokens issued to applications," it noted. "Additionally, the threat of data leakage exists if applications use such claims for email lookup."

It also said it identified and notified several multi-tenant applications with users that utilize an email address with an unverified domain owner.
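The account-linking decision the article describes, as an added example that is neither Descope's nor Microsoft's code: the insecure pattern keys the user lookup on the mutable, unverified email claim, while the hardened variant keys it on the token's tenant and object identifiers. All claim values, user records and function names are constructed for illustration; token signature and audience validation are assumed to have happened upstream.

```javascript
// Added example (not Descope's or Microsoft's code). Models the step where a
// "Log in with Microsoft" application maps validated id-token claims onto one
// of its own accounts. Every value below is constructed for illustration.

// Existing account of the victim, stored once and reachable through two indexes.
const victimAccount = {
  id: 'u-100',
  name: 'Victim',
  tenantId: 'tenant-victim',   // tid claim of the tenant the account was linked from
  objectId: 'oid-victim',      // oid claim of that user in that tenant
};

// Index the vulnerable app uses: email address -> account.
const usersByEmail = new Map([['victim@example.com', victimAccount]]);

// Index the hardened app uses: "<tid>:<oid>" -> account.
function federatedKey(claims) {
  return `${claims.tid}:${claims.oid ?? claims.sub}`;
}
const usersByFederatedId = new Map([[federatedKey({ tid: 'tenant-victim', oid: 'oid-victim' }), victimAccount]]);

// Insecure anti-pattern named in the article: merge on the email claim.
// In an Azure AD multi-tenant token the email claim is mutable and unverified,
// so a token from any tenant can carry the victim's address.
function resolveAccountByEmail(claims) {
  return usersByEmail.get(claims.email) ?? null;
}

// Hardened variant: the identity is (tid, oid). Email is never used to match
// an existing account. linked === false tells the caller to start sign-up or
// an explicit, verified linking flow instead of silently merging.
function resolveAccountByFederatedId(claims) {
  if (typeof claims.tid !== 'string' || !(claims.oid || claims.sub)) {
    throw new Error('token lacks tenant/object identity claims');
  }
  const account = usersByFederatedId.get(federatedKey(claims)) ?? null;
  return { account, linked: account !== null };
}

// Constructed claim sets. The attacker's token comes from a different tenant
// and a different object id, but its email claim equals the victim's address.
const victimClaims   = { tid: 'tenant-victim',   oid: 'oid-victim',   email: 'victim@example.com' };
const attackerClaims = { tid: 'tenant-attacker', oid: 'oid-attacker', email: 'victim@example.com' };

// Stand-alone demonstration of the two behaviours.
function demo() {
  const byEmail = resolveAccountByEmail(attackerClaims);
  const byId = resolveAccountByFederatedId(attackerClaims);
  console.log('email-based merge gives attacker account:', byEmail ? byEmail.id : null);
  console.log('identifier-based lookup links attacker to existing account:', byId.linked);
  return { byEmail, byId };
}
demo();
```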


Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks
21.6.23  Vulnerebility  The Hacker News
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild.

The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution.

It impacts VMware Aria Operations for Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023.

Now according to an update shared by the virtualization services provider on June 20, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet.

"VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company noted.

Data gathered by threat intelligence firm GreyNoise shows active exploitation of the flaw from two different IP addresses located in the Netherlands.

The development comes after Summoning Team researcher Sina Kheirkhah, who identified and reported the flaws, released a proof-of-concept (PoC) for the bug.

"This vulnerability comprises a chain of two issues leading to remote code execution (RCE) that can be exploited by unauthenticated attackers," Kheirkhah said.
If anything, the speed at which either state actors or financially motivated groups turn around newly disclosed vulnerabilities and exploit them to their advantage continues to be a major threat for organizations across the world.

The disclosure also follows a report from Mandiant, which unearthed active exploitation of another flaw in VMware Tools (CVE-2023-20867) by a suspected Chinese actor dubbed UNC3886 to backdoor Windows and Linux hosts.

Users of Aria Operations for Networks are recommended to update to the latest version as soon as possible to mitigate potential risks.


Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
21.6.23  Vulnerebility  The Hacker News
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems.

Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.

"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.

Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are impacted by CVE-2023-27992 -

NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

With Zyxel devices becoming an attack magnet for threat actors, it's imperative that customers apply the fixes as soon as possible to prevent potential risks.


Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products
21.6.23  Vulnerebility  The Hacker News
Three security vulnerabilities have been disclosed in operational technology (OT) products from Wago and Schneider Electric.

The flaws, per Forescout, are part of a broader set of shortcomings collectively called OT:ICEFALL, which now comprises a total of 61 issues spanning 13 different vendors.

"OT:ICEFALL demonstrates the need for tighter scrutiny of, and improvements to, processes related to secure design, patching and testing in OT device vendors," the company said in a report shared with The Hacker News.

The most severe of the flaws is CVE-2022-46680 (CVSS score: 8.8), which concerns the plaintext transmission of credentials in the ION/TCP protocol used by power meters from Schneider Electric.

Successful exploitation of the bug could enable threat actors to gain control of vulnerable devices. It's worth noting that CVE-2022-46680 is one among the 56 flaws originally unearthed by Forescout in June 2022.

The other two new security holes (CVE-2023-1619 and CVE-2023-1620, CVSS scores: 4.9) relate to denial-of-service (DoS) bugs impacting WAGO 750 controllers that could be activated by an authenticated attacker by sending specific malformed packets or specific requests after being logged out.

In concluding the OT:ICEFALL research, Forescout notes that vendors still lack a fundamental understanding of secure-by-design practices and that they release incomplete patches and fail to implement appropriate security testing procedures.

"This is worrying because as OT products start implementing security controls and end up getting certified, the perception of their security posture might change and the sense of urgency around compensating controls might drop – leading to a false sense of security," the company said.


ASUS Releases Patches to Fix Critical Security Bugs Impacting Multiple Router Models
21.6.23  Vulnerebility  The Hacker News
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models.

Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis.

The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system.

CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request.

The seven other flaws are as follows -

CVE-2022-35401 (CVSS score: 8.1) - An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
CVE-2022-38105 (CVSS score: 7.5) - An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
CVE-2022-38393 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
CVE-2022-46871 (CVSS score: 8.8) - The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
CVE-2023-28702 (CVSS score: 8.8) - A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt the system, or terminate services.
CVE-2023-28703 (CVSS score: 7.2) - A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt the system, or terminate services.
CVE-2023-31195 (CVSS score: N/A) - An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user's session.
ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it's advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions.

"These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port trigger," the company said, urging customers to periodically audit their equipment as well as set up separate passwords for the wireless network and the router-administration page.


Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems
15.6.23  Vulnerebility  The Hacker News
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems.

The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said.

UNC3886 was initially documented by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE.

Earlier this March, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances and interact with the aforementioned malware.

The threat actor has been described as a "highly adept" adversarial collective targeting defense, technology, and telecommunication organizations in the U.S., Japan, and the Asia-Pacific region.

"The group has access to extensive research and support for understanding the underlying technology of appliances being targeted," Mandiant researchers said, calling out its pattern of weaponizing flaws in firewall and virtualization software that do not support EDR solutions.

As part of its efforts to exploit ESXi systems, the threat actor has also been observed harvesting credentials from vCenter servers as well as abusing CVE-2023-20867 to execute commands and transfer files to and from guest VMs from a compromised ESXi host.

A notable aspect of UNC3886's tradecraft is its use of Virtual Machine Communication Interface (VMCI) sockets for lateral movement and continued persistence, thereby allowing it to establish a covert channel between the ESXi host and its guest VMs.
"This open communication channel between guest and host, where either role can act as client or server, has enabled a new means of persistence to regain access on a backdoored ESXi host as long as a backdoor is deployed and the attacker gains initial access to any guest machine," the company said.

The development comes as Summoning Team researcher Sina Kheirkhah disclosed three different flaws in VMware Aria Operations for Networks (CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889) that could result in remote code execution.

"UNC3886 continues to present challenges to investigators by disabling and tampering with logging services, selectively removing log events related to their activity," Mandiant further added. "The threat actors' retroactive cleanup performed within days of past public disclosures on their activity indicates how vigilant they are."


Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry
14.6.23  Vulnerebility  The Hacker News

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.

"The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time unsuspecting users visit the site.

The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects.

This meant that the shortcoming could be abused to embed endpoints within remote servers using the iframe tag and ultimately execute malicious JavaScript code, leading to the compromise of sensitive data.

However, in order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).

"Once the attacker successfully embeds the iframe in a remote server, they proceed to exploit the misconfigured endpoint," Ben Shitrit explained. "They focus on the postMessage handler, which handles remote events such as postMessages."

By analyzing the legitimate postMessages sent to the iframe from portal.azure[.]com, the adversary could subsequently craft appropriate payloads by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that delivers the malicious payload.

Thus when a victim is lured into visiting the compromised endpoint, the "malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker's code within the victim's context."

In a proof-of-concept (PoC) demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload.
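The handler weakness described above, as an added example that is not Orca's or Microsoft's code: a framed page's postMessage handler that trusts any sender beside a hardened one that checks `event.origin`, validates the message and avoids HTML sinks, plus the `frame-ancestors` header that stops hostile embedding in the first place. The allow-listed parent origin, the stand-in element and both messages are assumptions constructed for the demo.

```javascript
// Added example (not Orca's or Microsoft's code): how an embedded page's
// postMessage handler becomes an XSS sink, next to a hardened version.
// Runs under Node with no browser: the "element" and "event" objects below are
// constructed stand-ins for a DOM node and a MessageEvent.

// Assumption: the only legitimate embedder of this page is the Azure portal origin
// named in the article; a real deployment fills this in for its own case.
const ALLOWED_PARENT_ORIGINS = new Set(['https://portal.azure.com']);

// Constructed stand-in for a DOM element exposing an HTML sink and a text sink.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: the handler never looks at event.origin, so any page that
// frames this document can message it, and the message text lands in an HTML
// sink where markup is interpreted and script runs in this document's origin.
function vulnerableHandler(event, element) {
  const msg = event.data;
  element.innerHTML = msg.title;
  return true;
}

// Hardened pattern: check the sender's origin against an allow-list, validate the
// message shape, and write into a text sink only.
function hardenedHandler(event, element) {
  if (!ALLOWED_PARENT_ORIGINS.has(event.origin)) {
    return false; // message from any other embedder is dropped
  }
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || typeof msg.title !== 'string') {
    return false; // unexpected shape
  }
  element.textContent = msg.title; // text sink: markup is displayed, not interpreted
  return true;
}

// Response header for the framed endpoint so that only the expected parent can
// embed it at all (the missing X-Frame-Options / weak CSP the article points at).
// frame-ancestors takes precedence over X-Frame-Options where supported, and
// X-Frame-Options cannot express a cross-origin allow-list, so only CSP is emitted.
function frameProtectionHeaders() {
  const ancestors = ["'self'", ...ALLOWED_PARENT_ORIGINS].join(' ');
  return { 'Content-Security-Policy': `frame-ancestors ${ancestors}` };
}

// Constructed message as it would arrive from an attacker-controlled embedding page.
const hostileEvent = {
  origin: 'https://attacker.example', // constructed
  data: { title: '<img src=x onerror="alert(document.domain)">' },
};

// Constructed message from the legitimate embedder.
const legitEvent = {
  origin: 'https://portal.azure.com',
  data: { title: 'Topology view' },
};

// Runs both handlers against both messages and reports what reached each sink.
function demo() {
  const results = {};
  for (const [name, event] of Object.entries({ hostileEvent, legitEvent })) {
    const v = makeElement();
    const h = makeElement();
    results[name] = {
      vulnerableAccepted: vulnerableHandler(event, v),
      vulnerableSink: v.innerHTML,
      hardenedAccepted: hardenedHandler(event, h),
      hardenedSink: h.textContent,
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
  console.log(frameProtectionHeaders());
}
```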

Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them. No further action is required on the part of Azure users.

The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.


Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin
14.6.23  Vulnerebility  The Hacker News
A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information.

The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which shipped on May 30, 2023.

WooCommerce Stripe Gateway allows e-commerce websites to directly accept various payment methods through Stripe's payment processing API. It boasts of over 900,000 active installations.

According to Patchstack security researcher Rafie Muhammad, the plugin suffers from what's called an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability, which allows a bad actor to bypass authorization and access resources.

Specifically, the problem stems from the insecure handling of order objects and a lack of adequate access control in the plugin's 'javascript_params' and 'payment_fields' functions.

"This vulnerability allows any unauthenticated user to view any WooCommerce order's PII data including email, user's name, and full address," Muhammad said.

The development comes weeks after the WordPress core team released 6.2.1 and 6.2.2 to address five security issues, including an unauthenticated directory traversal vulnerability and an unauthenticated cross-site scripting flaw. Three of the bugs were uncovered during a third-party security audit.


Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software
14.6.23  Vulnerebility  The Hacker News
Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.

Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderate, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser.

It's worth noting that Microsoft also closed out 26 other flaws in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This includes CVE-2023-3079, a zero-day bug that Google disclosed as being actively exploited in the wild last week.

The June 2023 updates also mark the first Patch Tuesday in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release.

Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in SharePoint Server that could be exploited by an attacker to gain administrator privileges.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft said. "The attacker needs no privileges nor does the user need to perform any action."

Also patched by Redmond are three critical remote code execution bugs (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, CVSS scores: 9.8) in Windows Pragmatic General Multicast (PGM) that could be weaponized to "achieve remote code execution and attempt to trigger malicious code."

Microsoft previously addressed a similar flaw in the same component (CVE-2023-28250, CVSS score: 9.8) in April 2023. PGM is a protocol designed to deliver packets between multiple network members in a reliable manner.

Also resolved by the tech giant are two remote code execution bugs impacting Exchange Server (CVE-2023-28310 and CVE-2023-32031) that could permit an authenticated attacker to achieve remote code execution on affected installations.


Critical FortiOS and FortiProxy Vulnerability Likely Exploited - Patch Now!
13.6.23  Vulnerebility  The Hacker News
Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.

The vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

LEXFO security researchers Charles Fol and Dany Bach have been credited with discovering and reporting the flaw. It was addressed by Fortinet on June 9, 2023, in the following versions -

FortiOS-6K7K version 7.0.12 or above
FortiOS-6K7K version 6.4.13 or above
FortiOS-6K7K version 6.2.15 or above
FortiOS-6K7K version 6.0.17 or above
FortiProxy version 7.2.4 or above
FortiProxy version 7.0.10 or above
FortiProxy version 2.0.13 or above
FortiOS version 7.4.0 or above
FortiOS version 7.2.5 or above
FortiOS version 7.0.12 or above
FortiOS version 6.4.13 or above
FortiOS version 6.2.14 or above, and
FortiOS version 6.0.17 or above
The company, in an independent disclosure, said the issue was simultaneously discovered during a code audit that was prudently initiated following the active exploitation of a similar flaw in the SSL-VPN product (CVE-2022-42475, CVSS score: 9.3) in December 2022.

Fortinet further said it is not attributing the exploitation events at this stage to a Chinese state-sponsored actor codenamed Volt Typhoon, which was disclosed by Microsoft last month as leveraging an unknown zero-day flaw in internet-facing Fortinet FortiGuard devices to gain initial access to target environments.

It, however, noted it "expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices."

In light of active in-the-wild abuse, the company is recommending that customers take immediate action to update to the latest firmware version to avert potential risks.

"Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading," the company told The Hacker News.


Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
13.6.23  Vulnerebility  The Hacker News

Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions.

"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system."

The vulnerability, which is tracked as CVE-2023-28299 (CVSS score: 5.5), was addressed by Microsoft as part of its Patch Tuesday updates for April 2023, describing it as a spoofing flaw.

The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures.

Specifically, it trivially bypasses a restriction that prevents users from entering information in the "product name" extension property by opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to the "DisplayName" tag in the "extension.vsixmanifest" file.

By introducing enough newline characters in the vsixmanifest file and adding fake "Digital Signature" text, it was found that warnings about the extension not being digitally signed could be easily suppressed, thereby tricking a developer into installing it.

In a hypothetical attack scenario, a bad actor could send a phishing email bearing the spoofed VSIX extension by camouflaging it as a legitimate software update and, post-installation, gain a foothold into the targeted machine.

The unauthorized access could then be used as a launchpad to gain deeper control of the network and facilitate the theft of sensitive information.

"The low complexity and privileges required make this exploit easy to weaponize," Taler said. "Threat actors could use this vulnerability to issue spoofed malicious extensions with the intention of compromising systems."
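A defender-side check for the manifest padding described above, as an added example that is not Varonis's or Microsoft's code: it pulls the DisplayName out of an extension.vsixmanifest and flags newline or control characters, long whitespace runs and signature-like wording. It assumes the VSIX 2.0 manifest layout; both manifests are constructed.

```javascript
// Added example (not Varonis's or Microsoft's code): a defender-side check over
// the extension.vsixmanifest text taken out of a VSIX package (a ZIP) for the
// DisplayName padding the article describes. Both manifests below are constructed.

// Assumption: DisplayName is the <DisplayName> element under <Metadata>, as in the
// VSIX 2.0 manifest schema; the namespace in the sample is that schema's.
const DISPLAY_NAME_RE = /<DisplayName>([\s\S]*?)<\/DisplayName>/i;

function extractDisplayName(manifestXml) {
  const m = DISPLAY_NAME_RE.exec(manifestXml);
  return m ? m[1] : null;
}

// Returns a list of findings; an empty list means the name looks like a product name.
function checkDisplayName(manifestXml) {
  const name = extractDisplayName(manifestXml);
  if (name === null) return ['DisplayName missing'];
  const findings = [];
  // Newlines, tabs and other control characters have no place in a product name.
  const control = name.match(/[\u0000-\u001f\u2028\u2029]/g) || [];
  if (control.length > 0) {
    findings.push(`DisplayName contains ${control.length} control/newline character(s)`);
  }
  // Long whitespace runs are layout padding, not naming.
  if (/\s{3,}/.test(name)) {
    findings.push('DisplayName contains long whitespace runs');
  }
  // Wording that imitates what the installer itself would say about signing.
  if (/digital\s+signature|signed\s+by|verified\s+publisher/i.test(name)) {
    findings.push('DisplayName mimics signature or trust wording');
  }
  if (name.length > 120) { // assumption: generous upper bound for a real product name
    findings.push(`DisplayName unusually long (${name.length} characters)`);
  }
  return findings;
}

const BENIGN_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="ExampleTools.0000" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Tools</DisplayName>
    <Description>Constructed sample extension.</Description>
  </Metadata>
</PackageManifest>`;

// Constructed spoof in the shape the article describes: the name is padded with
// newlines and followed by fake signature text.
const SPOOFED_MANIFEST = BENIGN_MANIFEST.replace(
  '<DisplayName>Example Tools</DisplayName>',
  `<DisplayName>Example Tools${'\n'.repeat(12)}Digital Signature: Example Publisher</DisplayName>`,
);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign :', checkDisplayName(BENIGN_MANIFEST));
  console.log('spoofed:', checkDisplayName(SPOOFED_MANIFEST));
}
```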


Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now!
12.6.23  Vulnerebility  The Hacker News
Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could be abused by a threat actor to achieve remote code execution.

The vulnerability, tracked as CVE-2023-27997, is "reachable pre-authentication, on every SSL VPN appliance," Lexfo Security researcher Charles Fol, who discovered and reported the flaw, said in a tweet over the weekend.

Details about the security flaw are currently withheld and Fortinet is yet to release an advisory, although the network security company is expected to publish more details in the coming days.

French cybersecurity company Olympe Cyberdefense, in an independent alert, said the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

"The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," the firm noted.

With Fortinet flaws emerging as a lucrative attack vector for threat actors in recent years, it's highly recommended that users move quickly to apply the fixes as soon as possible to mitigate potential risks.

The development comes as Cisco and VMware released updates to address severe vulnerabilities affecting Expressway Series and TelePresence Video Communication Server (VCS) and Aria Operations for Networks, respectively, that could lead to privilege escalation and code execution.

Update
Fortinet shared the following statement with The Hacker News after the publication of the story -

Timely and ongoing communication with our customers is a key component in our efforts to best protect and secure their organization. There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, prior to the Advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to ensure our customers have the timely information they need to help them make informed risk-based decisions. For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT) page: https://www.fortiguard.com/psirt_policy.


New Critical MOVEit Transfer SQL Injection Vulnerabilities Discovered - Patch Now!
10.6.23  Vulnerebility  The Hacker News
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information.

"Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company said in an advisory released on June 9, 2023.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content."

The flaws, which impact all versions of the service, have been addressed in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.

Cybersecurity firm Huntress has been credited with discovering and reporting the vulnerabilities as part of a code review. Progress Software said it has not observed indications of the newly discovered flaws being exploited in the wild.

The development comes as the previously reported MOVEit Transfer vulnerability (CVE-2023-34362) has come under heavy exploitation to drop web shells on targeted systems.

The activity has been attributed to the notorious Cl0p ransomware gang, which has a track record of orchestrating data theft campaigns and exploiting zero-day bugs in various managed file transfer platforms since December 2020.

Corporate investigation and risk consulting firm Kroll also found evidence that the cybercrime gang had been experimenting with ways to exploit CVE-2023-34362 as far back as July 2021, as well as devising methods to extract data from compromised MOVEit servers since at least April 2022.

Much of the malicious reconnaissance and testing activity in July 2021 is said to have been manual in nature, before switching to an automated mechanism in April 2022 for probing multiple organizations and collecting information.

"It appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel," the company said. "These findings highlight the significant planning and preparation that likely precede mass exploitation events."

The Cl0p actors have also issued an extortion notice to affected companies, urging them to contact the group by June 14, 2023, or have their stolen information published on the data leak site.


Experts Unveil Exploit for Recent Windows Vulnerability Under Active Exploitation
10.6.23  Vulnerebility  The Hacker News
Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems.

The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft disclosed in an advisory issued last month as part of Patch Tuesday updates.

Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra were credited with discovering and reporting the flaw.

Win32k.sys is a kernel-mode driver and an integral part of the Windows architecture, being responsible for the graphics device interface (GDI) and window management.

While the exact specifics surrounding in-the-wild abuse of the flaw are presently not known, Numen Cyber has deconstructed the patch released by Microsoft to craft a proof-of-concept (PoC) exploit for Windows Server 2016.

The Singapore-based cybersecurity company said the vulnerability relied on the leaked kernel handle address in the heap memory to ultimately obtain a read-write primitive.

"Win32k vulnerabilities are well-known in history," Numen Cyber said. "However, in the latest Windows 11 preview version, Microsoft has attempted to refactor this part of the kernel code using Rust. This may eliminate such vulnerabilities in the new system in the future."

Numen Cyber distinguishes itself from typical Web3 security companies by emphasizing the need for advanced security capabilities, specifically focusing on OS-level security attack and defense capabilities. Their products and services offer state-of-the-art solutions to address the unique security challenges of Web3.


Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities
8.6.23  Vulnerebility  The Hacker News
VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution.

The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution.

Also patched by VMware is a deserialization vulnerability (CVE-2023-20888) that's rated 9.1 out of a maximum of 10 on the CVSS scoring system.

"A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution," the company said in an advisory.

The third security defect is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8) that could permit an actor with network access to perform a command injection attack and obtain access to sensitive data.

The three shortcomings, which impact VMware Aria Operations for Networks version 6.x, have been remediated in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no workarounds that mitigate the issues.

The alert comes as Cisco shipped fixes for a critical flaw in its Expressway Series and TelePresence Video Communication Server (VCS) that could "allow an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on an affected system."

The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6), it said, stems from incorrect handling of password change requests, thereby allowing an attacker to alter the passwords of any user on the system, including an administrative read-write user, and then impersonate that user.

A second high-severity vulnerability in the same product (CVE-2023-20192, CVSS score: 8.4) could permit an authenticated, local attacker to execute commands and modify system configuration parameters.

As a workaround for CVE-2023-20192, Cisco is recommending that customers disable CLI access for read-only users. Both issues have been addressed in VCS versions 14.2.1 and 14.3.0.

While there is no evidence that any of the aforementioned flaws have been abused in the wild, it's highly advised to patch the vulnerabilities as soon as possible to mitigate potential risks.

The advisories also follow the discovery of three security bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger, that could allow an adversary to gain elevated privileges and execute arbitrary code.


Barracuda Urges Immediate Replacement of Hacked ESG Appliances
8.6.23  Vulnerebility  The Hacker News
Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in an update, adding its "remediation recommendation at this time is full replacement of the impacted ESG."

The latest development comes as Barracuda disclosed that a critical flaw in the devices (CVE-2023-2868, CVSS score: 9.8) has been exploited as a zero-day for at least seven months since October 2022 to deliver bespoke malware and steal data.

The vulnerability concerns a case of remote code injection affecting versions 5.1.3.001 through 9.2.0.006 that stems from an incomplete validation of attachments contained within incoming emails. It was addressed on May 20 and May 21, 2023.

The three different malware families discovered to date come with capabilities to upload or download arbitrary files, execute commands, set up persistence, and establish reverse shells to an actor-controlled server.

The exact scope of the incident still remains unknown. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that federal agencies apply the fixes by June 16, 2023.


Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now!
7.6.23  Vulnerebility  The Hacker News
Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild.

Tracked as CVE-2023-3079, the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023.

"Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD).

The tech giant, as is typically the case, did not disclose details of the nature of the attacks, but noted it's "aware that an exploit for CVE-2023-3079 exists in the wild."

With the latest development, Google has addressed a total of three actively exploited zero-days in Chrome since the start of the year -

CVE-2023-2033 (CVSS score: 8.8) - Type Confusion in V8
CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia

Users are recommended to upgrade to version 114.0.5735.110 for Windows and 114.0.5735.106 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Zyxel Firewalls Under Attack! Urgent Patching Required
7.6.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

Patches to plug the security holes were released by Zyxel on May 24, 2023. The following devices are affected -

ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
While the exact nature of the attacks is unknown, the development comes days after another flaw in Zyxel firewalls (CVE-2023-28771) came under active exploitation to ensnare susceptible devices into a Mirai botnet.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by June 26, 2023, to secure their networks against possible threats.

Zyxel, in a new guidance issued last week, is also urging customers to disable HTTP/HTTPS services from WAN unless "absolutely" required and disable UDP ports 500 and 4500 if not in use.

The development also comes as the Taiwanese company released fixes for two flaws in GS1900 series switches (CVE-2022-45853) and 4G LTE and 5G NR outdoor routers (CVE-2023-27989) that could result in privilege escalation and denial-of-service (DoS).


MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited
2.6.23  Vulnerebility  The Hacker News
A critical flaw in Progress Software's MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems.

The shortcoming, which is assigned the CVE identifier CVE-2023-34362, relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment.

"An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database," the company said.

"Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements."

Patches for the bug have been made available by the Massachusetts-based company, which also owns Telerik, in the following versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

The development was first reported by Bleeping Computer. According to Huntress and Rapid7, roughly 2,500 instances of MOVEit Transfer were exposed to the public internet as of May 31, 2023, a majority of them located in the U.S.

Successful exploitation attempts culminate in the deployment of a web shell, a file named "human2.aspx" in the "wwwroot" directory that's created via script with a randomized filename, to "exfiltrate various data stored by the local MOVEit service."

The web shell is also engineered to add new admin user account sessions with the name "Health Check Service" in a likely effort to sidestep detection, an analysis of the attack chain has revealed.

Threat intelligence firm GreyNoise said it "observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3, 2023," adding five different IP addresses have been detected "attempting to discover the location of MOVEit installations."

"While we don't know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions," Satnam Narang, senior staff research engineer at Tenable, said.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert, urging users and organizations to follow the mitigation steps to secure against any malicious activity.

It's also advised to isolate the servers by blocking inbound and outbound traffic, inspect the environments for possible indicators of compromise (IoCs) and, if any are found, remove them before applying the fixes.

"If it turns out to be a ransomware group again this will be the second enterprise MFT zero day in a year, cl0p went wild with GoAnywhere recently," security researcher Kevin Beaumont said.
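A detection pass over IIS logs and a session listing for the indicators named above (the human2.aspx web shell, the randomized shell filename, scanning of /human.aspx and the "Health Check Service" sessions), as an added example that is not code from Progress, Huntress or Mandiant. The log lines, addresses and session rows are constructed, and the allow-list of expected root .aspx pages is an assumption.

```javascript
// Added example (not Progress's, Huntress's or Mandiant's code): a detection pass
// over IIS W3C log lines and a MOVEit session listing for the indicators in the
// article: requests to human2.aspx, unexpected .aspx files in the web root (the
// shell is also dropped under a randomized name), probing of the /human.aspx
// login page, and admin sessions named "Health Check Service".
// All log lines, addresses and session rows below are constructed.

// Parses IIS W3C extended log text into one object per request, keyed by the
// column names given on the #Fields directive.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || fields === null) continue; // other directives, or no header yet
    const cols = line.split(/\s+/);
    const rec = {};
    fields.forEach((f, i) => { rec[f] = cols[i] === undefined ? '-' : cols[i]; });
    records.push(rec);
  }
  return records;
}

const WEB_SHELL_NAME = 'human2.aspx';
// Assumption: the only .aspx expected directly under the MOVEit web root is the
// login page named in the article; a real baseline is taken from a clean install.
const EXPECTED_ROOT_ASPX = new Set(['/human.aspx']);

function detectWebShellActivity(records) {
  const shellHits = [];
  const unknownRootAspx = [];
  const loginProbes = new Map(); // c-ip -> number of requests to /human.aspx
  for (const r of records) {
    const stem = (r['cs-uri-stem'] || '').toLowerCase();
    const inRoot = stem.lastIndexOf('/') === 0;
    const base = stem.slice(stem.lastIndexOf('/') + 1);
    if (base === WEB_SHELL_NAME) {
      shellHits.push(r);
    } else if (inRoot && stem.endsWith('.aspx') && !EXPECTED_ROOT_ASPX.has(stem)) {
      unknownRootAspx.push(r); // candidate for the randomized shell filename
    }
    if (stem === '/human.aspx') {
      loginProbes.set(r['c-ip'], (loginProbes.get(r['c-ip']) || 0) + 1);
    }
  }
  return { shellHits, unknownRootAspx, loginProbeSources: [...loginProbes.keys()] };
}

// Flags sessions carrying the display name the web shell used for the admin
// sessions it created.
function suspiciousSessions(sessions) {
  return sessions.filter((s) => String(s.name).trim().toLowerCase() === 'health check service');
}

// Constructed IIS log excerpt (TEST-NET addresses).
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-28 03:10:11 10.0.0.5 GET /human.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:10:15 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-05-28 03:11:02 10.0.0.5 POST /human2.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:11:30 10.0.0.5 POST /xk9q2.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:12:40 10.0.0.5 GET /Images/logo.png - 443 192.0.2.44 Mozilla/5.0 200
`;

// Constructed session listing as an administrator might export it.
const SAMPLE_SESSIONS = [
  { id: 1, user: 'admin', name: 'Admin Console' },
  { id: 2, user: 'svc_backup', name: 'Health Check Service' },
];

function runDetection() {
  const logFindings = detectWebShellActivity(parseW3cLog(SAMPLE_LOG));
  return { ...logFindings, sessions: suspiciousSessions(SAMPLE_SESSIONS) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDetection(), null, 2));
}
```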

MOVEit Transfer Flaw Added to KEV Catalog
CISA on Friday added the SQL injection flaw impacting Progress MOVEit Transfer to its Known Exploited Vulnerabilities (KEV) catalog, recommending that federal agencies apply vendor-provided patches by June 23, 2023.

Attack surface management company Censys has discovered over 3,000 exposed hosts utilizing the MOVEit Transfer service, of which more than 60 belong to U.S. federal and state governments.

Mandiant, which is tracking the activity under the uncategorized moniker UNC4857, said the opportunistic attacks have singled out a "wide range of industries" based in Canada, India, the U.S., Italy, Pakistan, and Germany.

The Google Cloud subsidiary said it is "aware of multiple cases where large volumes of files have been stolen from victims' MOVEit transfer systems," adding the web shell (dubbed LEMURLOOT) is also capable of stealing Azure Storage Blob information.

While the exact motivations behind the mass exploitation are currently unknown, it's not uncommon for cybercriminal actors to monetize stolen data via extortion operations or offer it for sale on underground forums.

It's also the latest effort by threat actors to target enterprise file transfer systems in recent years, which have proven to be a lucrative means to siphon critical data from several victims at once.

"If the goal of this operation is extortion, we anticipate that victim organizations could receive extortion emails in the coming days to weeks," Mandiant researchers said.

(The story has been updated after publication to reflect the CVE identifier and the inclusion of the flaw to the KEV catalog.)


Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites
1.6.23  Vulnerebility  The Hacker News
WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites.

The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012.

"This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation," Jetpack said in an advisory. 102 new versions of Jetpack have been released to remediate the bug.

While there is no evidence the issue has been exploited in the wild, it's not uncommon for flaws in popular WordPress plugins to be leveraged by threat actors looking to take over the sites for malicious ends.

This is not the first time severe security weaknesses in Jetpack have prompted WordPress to force install the patches.

In November 2019, Jetpack released version 7.9.1 to fix a defect in the way the plugin handled embed code that had existed since July 2017 (version 5.1).

The development also comes as Patchstack revealed a security flaw in the premium Gravity Forms plugin that could allow an unauthenticated user to inject arbitrary PHP code.

The issue (CVE-2023-28782) impacts all versions 2.7.3 and below. It has been addressed in version 2.7.4, which was made available on April 11, 2023.


Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices
31.5.23  Vulnerebility  The Hacker News
Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an insecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."

"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.

Loucaides said the software "seems to have been intended as a legitimate update application," noting the issue potentially impacts "around 364 Gigabyte systems with a rough estimate of 7 million devices."

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy UEFI bootkits and implants that can subvert all security controls running in the operating system plane.

To make matters worse, since the UEFI code resides on the motherboard, malware injected into the firmware can persist even if drives are wiped and the operating system is reinstalled.

Organizations are advised to apply the latest firmware updates to minimize potential risks. It's also advised to inspect and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.

"Firmware updates have notoriously low uptake with end users," Loucaides said. "Therefore, it is easy to understand thinking that an update application in firmware may help."

"However, the irony of a highly insecure update application, baked into firmware to automatically download and run a payload, is not lost."


Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
30.5.23  Vulnerebility  The Hacker News

Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week.

The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards.

The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below -

CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) - Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations.
CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5) - Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations.

CVE-2023-27352 stems from a flaw in the processing of SMB directory query commands, while CVE-2023-27355 exists within the MPEG-TS parser. Successful exploitation of either shortcoming could permit an attacker to execute arbitrary code in the context of the root user.

Each of the information disclosure flaws can be combined with other flaws in the system to achieve code execution with elevated privileges.

Following responsible disclosure on December 29, 2022, the flaws were addressed by Sonos as part of Sonos S2 and S1 software versions 15.1 and 11.7.1, respectively. Users are recommended to apply the latest patches to mitigate potential risks.


Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data
28.5.23  Vulnerebility  The Hacker News
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.

"The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said.

Cloud SQL is a fully-managed solution to build MySQL, PostgreSQL, and SQL Server databases for cloud-based applications.

The multi-stage attack chain identified by Dig, in a nutshell, leveraged a gap in the cloud platform's security layer associated with SQL Server to escalate the privileges of a user to that of an administrator role.

The elevated permissions subsequently made it possible to abuse another critical misconfiguration to obtain system administrator rights and take full control of the database server.

From there, a threat actor could access all files hosted on the underlying operating system, enumerate files, and extract passwords, which could then act as a launchpad for further attacks.

"Gaining access to internal data like secrets, URLs, and passwords can lead to exposure of cloud providers' data and customers' sensitive data which is a major security incident," Dig researchers Ofir Balassiano and Ofir Shaty said.

Following responsible disclosure in February 2023, the issue was addressed by Google in April 2023.

The disclosure comes as Google announced the availability of its Automatic Certificate Management Environment (ACME) API for all Google Cloud users to automatically acquire and renew TLS certificates for free.


Zyxel Issues Critical Security Patches for Firewall and VPN Products
25.5.23  Vulnerebility  The Hacker News
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution.

Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.

A brief description of the two issues is below -

CVE-2023-33009 - A buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.
CVE-2023-33010 - A buffer overflow vulnerability in the ID processing function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

The following devices are impacted -

ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)
Security researchers from TRAPA Security and STAR Labs SG have been credited with discovering and reporting the flaws.

The advisory comes less than a month after Zyxel shipped fixes for another critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771 (CVSS score: 9.8), was also credited to TRAPA Security, with the networking equipment maker blaming it on improper error message handling. It has since come under active exploitation by threat actors associated with the Mirai botnet.


Samsung Devices Under Active Exploitation! CISA Warns of Critical Flaw
20.5.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a medium-severity flaw affecting Samsung devices.

The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13.

The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections.

ASLR is a security technique that's designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device's memory.

Samsung, in an advisory released this month, said it was "notified that an exploit for this issue had existed in the wild," adding it was privately disclosed to the company on January 17, 2023.

Other details about how the flaw is being exploited are currently not known, but vulnerabilities in Samsung phones have been weaponized by commercial spyware vendors in the past to deploy malicious software.

Back in August 2020, Google Project Zero also demonstrated a remote zero-click MMS attack that leveraged two buffer overwrite flaws in the Quram qmg library (SVE-2020-16747 and SVE-2020-17675) to defeat ASLR and achieve code execution.

In light of active abuse, CISA has added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, alongside two Cisco IOS flaws (CVE-2004-1464 and CVE-2016-6415), urging Federal Civilian Executive Branch (FCEB) agencies to apply patches by June 9, 2023.

Last week, CISA also added seven vulnerabilities to the KEV catalog, the oldest of which is a 13-year-old bug impacting Linux (CVE-2010-3904) that allows an unprivileged local attacker to escalate their privileges to root.


Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks
18.5.23  Vulnerebility  The Hacker News
Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition.

"These vulnerabilities are due to improper validation of requests that are sent to the web interface," Cisco said, crediting an unnamed external researcher for reporting the issues.

Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them critical in nature. The nine flaws affect the following product lines -

250 Series Smart Switches (Fixed in firmware version 2.5.9.16)
350 Series Managed Switches (Fixed in firmware version 2.5.9.16)
350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)
Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)
Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)
Small Business 200 Series Smart Switches (Will not be patched)
Small Business 300 Series Managed Switches (Will not be patched)
Small Business 500 Series Stackable Managed Switches (Will not be patched)

A brief description of each of the flaws is as follows -

CVE-2023-20159 (CVSS score: 9.8): Cisco Small Business Series Switches Stack Buffer Overflow Vulnerability
CVE-2023-20160 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability
CVE-2023-20161 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
CVE-2023-20189 (CVSS score: 9.8): Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability
CVE-2023-20024 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20156 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20157 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
CVE-2023-20158 (CVSS score: 8.6): Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability
CVE-2023-20162 (CVSS score: 7.5): Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

Successful exploitation of the aforementioned bugs could permit an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device by sending a specially crafted request through the web-based user interface.

Alternatively, they could also be abused to trigger a DoS condition or read unauthorized information on vulnerable systems by means of a malicious request.

Cisco said it does not plan to release firmware updates for the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches, as they have entered the end-of-life process.

The networking equipment major also said it's aware of the availability of a proof-of-concept (PoC) exploit code, but noted that it did not observe any evidence of malicious exploitation in the wild.

With Cisco devices becoming a lucrative attack vector for threat actors, users are recommended to move quickly to apply the patches to mitigate potential threats.


Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs
17.5.23  Vulnerebility  The Hacker News
The second generation version of Belkin's Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely.

The issue, assigned the identifier CVE-2023-27217, was discovered and reported to Belkin on January 9, 2023, by Israeli IoT security company Sternum, which reverse-engineered the device and gained firmware access.

Wemo Mini Smart Plug V2 (F7C063) offers convenient remote control, allowing users to turn electronic devices on or off using a companion app installed on a smartphone or tablet.

The heart of the problem lies in a feature that lets users give the smart plug a custom "FriendlyName." The default name assigned is "Wemo mini 6E9."

"The name length is limited to 30 characters or less, but this rule is only enforced by the app itself," security researchers Amit Serper and Reuven Yakar said in a report shared with The Hacker News, adding the validation was not applied by the firmware code.

As a result, circumventing the character limit by using a Python module named pyWeMo can lead to a buffer overflow condition, which can then be reliably exploited to crash the device or, alternatively, trick the code into running malicious commands and take over control.
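The defect described above is a length limit enforced only by the client. The following added simulation, which is not Sternum's or Belkin's code, models the device side: a Python bytearray stands in for two adjacent fixed-size fields in firmware memory, the 32-byte slot size and the guard field are constructed, and the 30-character limit is the one the report quotes. The unchecked setter shows what happens when the firmware trusts the app, and the checked setter shows the limit enforced where it belongs.

```python
MAX_FRIENDLY_NAME = 30        # the limit the report says only the app enforces
NAME_SLOT = 32                # constructed: size of the fixed name field in the model
GUARD = b"ADJACENT_FIELD!!"   # constructed: 16 bytes that must never change


class SimulatedDevice:
    """Constructed model of two adjacent fixed-size fields in device memory: a
    name slot followed by a field the name must never touch. With a name longer
    than the whole model the bytearray would simply grow, so the simulation is
    only meaningful for names up to NAME_SLOT + len(GUARD) bytes."""

    def __init__(self) -> None:
        self.memory = bytearray(NAME_SLOT + len(GUARD))
        self.memory[NAME_SLOT:] = GUARD

    def friendly_name(self) -> bytes:
        return bytes(self.memory[:NAME_SLOT]).rstrip(b"\x00")

    def adjacent_field(self) -> bytes:
        return bytes(self.memory[NAME_SLOT:])

    def set_name_unchecked(self, name: bytes) -> None:
        """Defect pattern: trust that the client already limited the length and
        copy whatever arrived. A name longer than the slot spills into the
        neighbouring field, which is what a buffer overflow is."""
        self.memory[:len(name)] = name   # nothing bounds len(name) here

    def set_name_checked(self, name: bytes) -> bool:
        """Hardened form: the device enforces its own limit regardless of which
        client (the companion app, pyWeMo, or anything else) sent the request."""
        if not name or len(name) > MAX_FRIENDLY_NAME:
            return False
        self.memory[:NAME_SLOT] = name.ljust(NAME_SLOT, b"\x00")
        return True
```

The point of the model is where the check lives: a validation performed in the app protects only users of that app, while a validation performed in the firmware applies to every request the device receives, including ones arriving through the cloud interface.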

Belkin, in response to the findings, has said that it does not plan to address the flaw owing to the fact that the device is reaching end-of-life (EoL) and has been replaced by newer models.

"It appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device)," the researchers cautioned.

In the absence of a fix, users of Wemo Mini Smart Plug V2 are recommended to avoid exposing them directly to the internet and ensure that appropriate segmentation measures are implemented if they have been deployed in sensitive networks.

"This is what happens when devices are shipped without any on-device protection. If you only rely on responsive security patching, as most device manufacturers do today, two things are certain: you will always be one step behind the attacker, and one day the patches will stop coming," said Igal Zeifman, vice president of marketing for Sternum.


Netgear Routers' Flaws Expose Users to Malware, Remote Attacks, and Surveillance
13.5.23  Vulnerebility  The Hacker News
As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution.

"Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz said in a report.

Additionally, a network-adjacent threat actor could also weaponize the flaws to access and control networked smart devices like security cameras, thermostats, smart locks; tamper with router settings, and even use a compromised network to launch attacks against other devices or networks.

The list of flaws, which were demonstrated at the Pwn2Own hacking competition held at Toronto in December 2022, is as follows -

CVE-2023-27357 (CVSS score: 6.5) - Missing Authentication Information Disclosure Vulnerability
CVE-2023-27368 (CVSS score: 8.8) - Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27369 (CVSS score: 8.8) - Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27370 (CVSS score: 5.7) - Device Configuration Cleartext Storage Information Disclosure Vulnerability
CVE-2023-27367 (CVSS score: 8.0) - Command Injection Remote Code Execution Vulnerability

A proof-of-concept (PoC) exploit chain demonstrated by the industrial cybersecurity firm shows that the flaws (CVE-2023-27357, CVE-2023-27369, CVE-2023-27368, CVE-2023-27370, and CVE-2023-27367, in that order) can be strung together to extract the device serial number and ultimately obtain root access to the router.

"These five CVEs can be chained together to compromise affected RAX30 routers, the most severe of which enable pre-authentication remote code execution on the device," Katz noted.

Users of Netgear RAX30 routers are advised to update to firmware version 1.0.10.94 released by the networking company on April 7, 2023, to address the flaws and mitigate potential risks.


Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack
12.5.23  Vulnerebility  The Hacker News
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites.

The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," Patchstack researcher Rafie Muhammad said.

Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username. The shortcoming is believed to have existed since version 5.4.0.

This can have serious ramifications as the flaw could be weaponized to reset the password associated with an administrator account and seize full control of the website.

"This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user," Muhammad pointed out.
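A password reset endpoint is safe only when it proves the caller holds a secret that was delivered to the account owner out of band. The following added example, which is not the plugin's or Patchstack's code, contrasts the defect pattern just described (a username is all that is needed) with a reset flow that issues a random key, stores only its hash with an expiry, and validates it in constant time. The in-memory user table, the TTL and the SHA-256 placeholder for a real password hash are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 3600   # constructed: how long an issued reset key stays valid


def _digest(text: str) -> str:
    # SHA-256 keeps the example self-contained. A real site stores passwords with
    # a slow password hash; reset keys are hashed so a database read does not
    # yield usable keys.
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed in-memory user table standing in for the WordPress users table.
USERS = {"alice": {"password_hash": _digest("old-password"), "reset": None}}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password_hash"], _digest(password))


def reset_password_unchecked(username: str, new_password: str) -> bool:
    """The defect pattern the article describes: a known username is all that
    is needed, because no reset key is checked before the password changes."""
    user = USERS.get(username)
    if user is None:
        return False
    user["password_hash"] = _digest(new_password)
    return True


def issue_reset_key(username: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened flow, step 1: mint a random key, store only its hash plus an
    expiry, and deliver the key itself to the account owner out of band."""
    user = USERS.get(username)
    if user is None:
        return None
    key = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    user["reset"] = {"key_hash": _digest(key), "expires": issued + RESET_TTL_SECONDS}
    return key


def reset_password_checked(username: str, key: str, new_password: str,
                           now: Optional[float] = None) -> bool:
    """Hardened flow, step 2: a pending key must exist, be unexpired and match
    in constant time. The key is consumed whether or not validation succeeds."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    user["reset"] = None   # single use
    current = time.time() if now is None else now
    if current > pending["expires"]:
        return False
    if not hmac.compare_digest(_digest(key), pending["key_hash"]):
        return False
    user["password_hash"] = _digest(new_password)
    return True
```

Consuming the pending key on a failed attempt is a deliberate choice: it removes any chance of guessing the key online at the cost of forcing the legitimate user to request a fresh one. Sites that prefer the opposite trade-off keep the key and rate-limit attempts instead.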

The disclosure comes more than a year after Patchstack revealed another severe flaw in the same plugin that could have been abused to execute arbitrary code on compromised websites.

The findings also follow the discovery of a new wave of attacks targeting WordPress sites since late March 2023 that aims to inject the infamous SocGholish (aka FakeUpdates) malware.

SocGholish is a persistent JavaScript malware framework that functions as an initial access provider to facilitate the delivery of additional malware to infected hosts. The malware has been distributed via drive-by downloads masquerading as a web browser update.

The latest campaign detected by Sucuri has been found to leverage compression techniques using a software library called zlib to conceal the malware, reduce its footprint, and avoid detection.

"Bad actors are continually evolving their tactics, techniques, and procedures to evade detection and prolong the life of their malware campaigns," Sucuri researcher Denis Sinegubko said.

"SocGholish malware is a prime example of this, as attackers have altered their approach in the past to inject malicious scripts into compromised WordPress websites."

It's not just SocGholish. Malwarebytes, in a technical report this week, detailed a malvertising campaign that serves visitors to adult websites with popunder ads that simulate a fake Windows update to drop the "in2al5d p3in4er" (aka Invalid Printer) loader.

"The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft," Jérôme Segura, director of threat intelligence at Malwarebytes, said.

The loader, which was documented by Morphisec last month, is designed to check the system's graphic card to determine if it's running on a virtual machine or in a sandbox environment, and ultimately launch the Aurora information stealer malware.

The campaign, per Malwarebytes, has claimed 585 victims over the past two months, with the threat actor also linked to other tech support scams and an Amadey bot command-and-control panel.


Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
12.5.23  Vulnerebility  The Hacker News
Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines.

The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.

Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature.

"An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

"This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."

It's also worth noting that CVE-2023-29324 is a bypass for a fix Microsoft put in place in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that the company said has been exploited by Russian threat actors in attacks aimed at European entities since April 2022.

Akamai said the issue stems from complex handling of paths in Windows, thereby allowing a threat actor to craft a malicious URL that can sidestep internet security zone checks.

"This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," Barnea said. "It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities."

To stay fully protected, Microsoft is further recommending that users install the Internet Explorer Cumulative updates, which address vulnerabilities in the MSHTML platform and scripting engine.


Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
10.5.23  Vulnerebility  The Hacker News
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.

Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."

Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.

Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.

Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.

Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.

"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."

It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."

The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."


New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
6.5.23  Vulnerebility  The Hacker News
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw.

The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.

The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.

"This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user's browser.

This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.

"[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application's functions and the activation of malicious scripts," Imperva notes.
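The mechanism described in the last three paragraphs, as an added example that is not the plugin's or Patchstack's code: a page that echoes a query parameter verbatim versus the same page escaping the value for the HTML text context. The page template, the sample request and the harmless `<b>` probe are constructed; the detection helper shows how to check whether markup survives the round trip.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed page template: the search term is echoed back into the response body.
PAGE_TEMPLATE = "<html><body><p>No results for: {query}</p></body></html>"


def _query_param(request_url: str) -> str:
    return parse_qs(urlparse(request_url).query).get("q", [""])[0]


def search_page_unchecked(request_url: str) -> str:
    """Defect pattern: request input is interpolated verbatim, so markup in the
    link a victim clicked comes back to their browser as markup."""
    return PAGE_TEMPLATE.format(query=_query_param(request_url))


def search_page_checked(request_url: str) -> str:
    """Hardened form: escape for the HTML text context before interpolation.
    Escaping is context-specific; an attribute, URL or script context needs its
    own encoder, and a Content-Security-Policy adds a second layer."""
    return PAGE_TEMPLATE.format(query=html.escape(_query_param(request_url), quote=True))


def reflects_markup(rendered: str, marker: str = "<b>") -> bool:
    """Detection helper: true if the injected tag survives into the response."""
    return marker in rendered


# Constructed request carrying harmless markup as the probe (%3Cb%3E is "<b>").
SAMPLE_REQUEST = "https://example.invalid/search?q=%3Cb%3Eprobe%3C%2Fb%3E"
```

The same probe-and-compare approach is how a scanner confirms reflected XSS without running anything in a browser: send a distinctive, harmless tag and check whether it comes back encoded or raw.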

It's worth noting that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, although only by logged-in users who have access to the plugin.

The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.

It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.

"An attacker can not only attack the management ports of cPanel but also the applications that are running on ports 80 and 443," Assetnote's Shubham Shah said, adding it could enable an adversary to hijack a valid user's cPanel session.

"Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution."


Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model
5.5.23  Vulnerebility  The Hacker News
Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices.

The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming.

The product in question makes it possible to connect analog phones and fax machines to a VoIP service provider without requiring an upgrade.

"This vulnerability is due to a missing authentication process within the firmware upgrade function," the company said in a bulletin.

"An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges."

Despite the severity of the flaw, the networking equipment maker said it does not intend to release fixes due to the fact the devices have reached end-of-life (EoL) status as of June 1, 2020.

Instead, it is recommending that users migrate to the Cisco ATA 190 Series Analog Telephone Adapter, which is set to receive its last update on March 31, 2024. There is no evidence that the flaw has been maliciously exploited in the wild.


Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service
5.5.23  Vulnerebility  The Hacker News
Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.

This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic.

"By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," security researcher Liv Matan said in a report shared with The Hacker News.

"With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload."

Azure API Management is a multicloud management platform that allows organizations to securely expose their APIs to external and internal customers and enable a wide range of connected experiences.

Of the two SSRF flaws identified by Ermetic, one of them is a bypass for a fix put in place by Microsoft to address a similar vulnerability reported by Orca earlier this year. The other vulnerability resides in the API Management proxy function.

Exploitation of SSRF flaws can result in loss of confidentiality and integrity, permitting a threat actor to read internal Azure resources and execute unauthorized code.

The path traversal flaw discovered in the developer portal, on the other hand, stems from a lack of validation of the file type and path of the files uploaded.

An authenticated user can leverage this loophole to upload malicious files to the developer portal server and potentially even execute arbitrary code on the underlying system.
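Both classes of flaw in this article, the SSRF through a proxy and the upload path traversal, come down to trusting a client-supplied string (a URL or a file name) to decide where the service reaches or writes. The following added example, which is not Microsoft's or Ermetic's code, shows the two checks a developer-portal style service would apply. The allowlisted hosts, the stub resolver (including its address values), the upload root and the permitted extensions are all constructed assumptions.

```python
import ipaddress
import posixpath
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of backends the proxy may call, and a stub resolver so the
# example runs offline. A real deployment resolves the name, checks every returned
# address, and connects to that same address so a DNS change cannot race the check.
ALLOWED_HOSTS = {"api.backend.example", "legacy.backend.example"}
STUB_DNS = {
    "api.backend.example": "93.184.216.34",     # constructed: public address
    "legacy.backend.example": "10.0.0.5",       # allowlisted name, resolves internally
    "metadata.internal": "169.254.169.254",     # link-local metadata endpoint
}


def _is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def proxy_target_is_allowed(url: str) -> bool:
    """Allowlist the host name, then check the address it resolves to, so that
    neither an IP literal nor a name pointing at an internal range can steer
    the proxy at assets it should never reach."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        return False
    if parsed.hostname not in ALLOWED_HOSTS:
        return False
    resolved = STUB_DNS.get(parsed.hostname)
    return resolved is not None and _is_public_address(resolved)


UPLOAD_ROOT = "/srv/portal/uploads"             # constructed
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}   # constructed


def safe_upload_path(client_filename: str) -> Optional[str]:
    """Return the on-disk path for an upload, or None if the supplied name
    carries a directory component, a disallowed type, or escapes UPLOAD_ROOT."""
    if "\x00" in client_filename:
        return None
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base != client_filename or base in ("", ".", ".."):
        return None
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if not target.startswith(UPLOAD_ROOT + "/"):
        return None
    return target
```

The final `startswith` check after normalisation is the one that matters even if every earlier check is bypassed, and the extension allowlist is only a first filter: the stored file should also be served with a fixed content type from a location the web server never executes.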

Following responsible disclosure, all three flaws have been patched by Microsoft.

The findings come weeks after researchers from Orca detailed a "by-design flaw" in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

It also follows the discovery of another Azure vulnerability dubbed EmojiDeploy that could enable an attacker to seize control of a targeted application.


Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices
3.5.23  Vulnerebility  The Hacker News
Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs.

The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions.

"The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie," Fortinet said in an outbreak alert on May 1, 2023. "A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds."

The network security company said it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023. Despite the availability of a proof-of-concept (PoC) exploit, there are no fixes that address the vulnerability.

The flaw impacts TBK DVR4104 and DVR4216 product lines, which are also rebranded and sold using the names CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1.

Additionally, Fortinet warned of a surge in the exploitation of CVE-2016-20016 (CVSS score: 9.8), another critical vulnerability affecting MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE.

The flaw could permit a remote unauthenticated attacker to execute arbitrary operating system commands as root due to the presence of a web shell that is accessible over a /shell URI.

"With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers," Fortinet noted. "The recent spike in IPS detections shows that network camera devices remain a popular target for attackers."


CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units
3.5.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units.

The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity.

"Successful exploitation of this vulnerability could allow remote code execution," CISA said, describing it as a case of command injection affecting versions of INEA ME RTU firmware prior to version 3.36.

Security researcher Floris Hendriks of Radboud University has been credited with reporting the issue to CISA.

Also published by CISA is an alert related to multiple known security holes in Intel(R) processors impacting Factory Automation (FA) products from Mitsubishi Electric that could result in privilege escalation and a denial-of-service (DoS) condition.

The development comes as the agency recommended that critical infrastructure organizations take the necessary steps to secure their supply chains by reviewing the Federal Communications Commission's (FCC) Covered List of communications equipment deemed a national security risk.

CISA has also urged entities to adopt guidance issued by NIST to identify, assess, and mitigate supply chain risks, and enroll for the agency's free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

It further follows efforts undertaken by cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, New Zealand, and the U.S. to "take urgent steps necessary to ship products that are secure-by-design and -default."


Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software
3.5.23  Vulnerebility  The Hacker News
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.

The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It's currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks.

The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.

BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic.

The list of three flaws is as follows -

CVE-2022-40302 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
CVE-2022-40318 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option (the same code pattern in a different parsing function).
CVE-2022-43681 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.
The issues "could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive," the company said in a report shared with The Hacker News.

"The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. The main root cause is the same vulnerable code pattern copied into several functions related to different stages of parsing OPEN messages."

A threat actor could spoof a valid IP address of a trusted BGP peer or exploit other flaws and misconfigurations to compromise a legitimate peer and then issue a specially-crafted unsolicited BGP OPEN message.

This is achieved by taking advantage of the fact that "FRRouting begins to process OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router."
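As an added example (written for this page; it is not FRRouting's code and not the Forescout fuzzer), the following stand-alone Python parser shows what a bounds-checked OPEN decoder looks like for the message shapes in the list above. It refuses to read past the end of the message for both the classic one-byte and the RFC 9072 extended (255/255) optional-parameter encodings, rejects a message that stops right after a parameter's length octet, and checks the sender's ASN and BGP Identifier before it touches any optional parameter, which is the ordering the text says FRRouting got wrong. The builders at the bottom produce constructed test messages; the peer values (AS 65000, identifier 10.0.0.1, hold time 180) and the sample multiprotocol capability are assumptions, not captured traffic.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19      # marker(16) + length(2) + type(1)
BGP_OPEN = 1
OPEN_FIXED_LEN = 10      # version(1) my-AS(2) hold-time(2) identifier(4) opt-parm-len(1)
EXT_OPT_PARMS = 0xFF     # RFC 9072: opt-parm-len 255 followed by parameter type 255


class MalformedOpen(ValueError):
    """Not a well-formed OPEN: send a NOTIFICATION and drop the session."""


class PeerMismatch(ValueError):
    """Well-formed OPEN, but not from a configured peer."""


def _need(buf: bytes, off: int, n: int, what: str) -> None:
    # Every read goes through this check; skipping it is the out-of-bounds-read bug class.
    if off + n > len(buf):
        raise MalformedOpen(f"{what}: need {n} byte(s) at offset {off}, {len(buf) - off} left")


def parse_bgp_open(msg: bytes, expected_as: Optional[int] = None,
                   expected_id: Optional[str] = None) -> dict:
    _need(msg, 0, BGP_HEADER_LEN, "BGP header")
    if msg[:16] != BGP_MARKER:
        raise MalformedOpen("bad marker")
    length, mtype = struct.unpack_from("!HB", msg, 16)
    if mtype != BGP_OPEN:
        raise MalformedOpen(f"not an OPEN (type {mtype})")
    if length != len(msg) or length < BGP_HEADER_LEN + OPEN_FIXED_LEN:
        raise MalformedOpen(f"header length {length} inconsistent with {len(msg)} bytes received")
    body = msg[BGP_HEADER_LEN:]
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack_from("!BHHIB", body, 0)
    if version != 4:
        raise MalformedOpen(f"unsupported version {version}")
    bgp_id_str = str(IPv4Address(bgp_id))

    # Cheap identity checks come first, before any parsing of attacker-controlled options.
    if expected_as is not None and my_as != expected_as:
        raise PeerMismatch(f"ASN {my_as} != configured {expected_as}")
    if expected_id is not None and bgp_id_str != expected_id:
        raise PeerMismatch(f"identifier {bgp_id_str} != configured {expected_id}")

    off = OPEN_FIXED_LEN
    extended = False
    if opt_len == EXT_OPT_PARMS and len(body) > off and body[off] == EXT_OPT_PARMS:
        extended = True
        off += 1
        _need(body, off, 2, "extended optional parameters length")
        (opt_len,) = struct.unpack_from("!H", body, off)
        off += 2
    len_fmt, len_size = ("!H", 2) if extended else ("!B", 1)

    # The declared parameter region must end exactly where the message ends.
    if off + opt_len != len(body):
        raise MalformedOpen(f"optional parameters length {opt_len} does not match message length")

    params = []
    while off < len(body):
        _need(body, off, 1 + len_size, "optional parameter header")
        ptype = body[off]
        (plen,) = struct.unpack_from(len_fmt, body, off + 1)
        off += 1 + len_size
        # Catches a message that ends right after the length octet.
        _need(body, off, plen, f"optional parameter type {ptype} value")
        params.append((ptype, body[off:off + plen]))
        off += plen
    return {"my_as": my_as, "hold_time": hold_time, "bgp_id": bgp_id_str,
            "extended": extended, "params": params}


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_bgp_open(msg)
    except MalformedOpen:
        return False
    return True


# Builders for constructed sample messages (test data, not captured traffic).
def encode_params(params, extended: bool = False) -> bytes:
    if extended:
        blob = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in params)
        return bytes([EXT_OPT_PARMS, EXT_OPT_PARMS]) + struct.pack("!H", len(blob)) + blob
    blob = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in params)
    return bytes([len(blob)]) + blob


def frame_open(raw_opt: bytes, my_as: int = 65000, hold_time: int = 180,
               bgp_id: str = "10.0.0.1") -> bytes:
    """Wrap a raw optional-parameters region (length octet(s) included) in a consistent header."""
    body = struct.pack("!BHHI", 4, my_as, hold_time, int(IPv4Address(bgp_id))) + raw_opt
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_OPEN) + body


MP_IPV4_UNICAST = (2, bytes([1, 4, 0, 1, 0, 1]))   # capability 1 (multiprotocol), AFI 1 / SAFI 1

if __name__ == "__main__":
    good = frame_open(encode_params([MP_IPV4_UNICAST], extended=True))
    print(parse_bgp_open(good, expected_as=65000))
    # Ends right after the parameter length octet (the shape behind CVE-2022-43681).
    print(is_well_formed(frame_open(b"\x02\x02\x06")))   # False
```

Feeding fuzzer output into `parse_bgp_open` should only ever produce `MalformedOpen` or `PeerMismatch`, never a `struct.error` or a silently short slice; any other outcome is a gap in the bounds checks.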

Forescout has also made available a Python-based open source BGP Fuzzer tool that allows organizations to test the security of the BGP suites used internally as well as find new flaws in BGP implementations.

"Modern BGP implementations still have low-hanging fruits that can be abused by attackers," Forescout said. "To mitigate the risk of vulnerable BGP implementations, [...] the best recommendation is to patch network infrastructure devices as often as possible."

The findings come weeks after ESET found that secondhand routers previously used in business networking environments harbored sensitive data, including corporate credentials, VPN details, cryptographic keys, and other vital customer information.

"In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack," the Slovak cybersecurity firm said.


CISA Warns of Critical Flaws in Illumina's DNA Sequencing Instruments
30.4.23  Vulnerebility  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw impacting Illumina medical devices.

The issues impact the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.

The most severe of the flaws, CVE-2023-1968 (CVSS score: 10.0), permits remote attackers to bind to exposed IP addresses, thereby making it possible to eavesdrop on network traffic and remotely transmit arbitrary commands.

The second issue relates to a case of privilege misconfiguration (CVE-2023-1966, CVSS score: 7.4) that could enable a remote unauthenticated malicious actor to upload and execute code with elevated permissions.

"Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level," CISA said. "A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network."

The Food and Drug Administration (FDA) said an unauthorized user could weaponize the shortcoming to impact "genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach."

There is no evidence that the two vulnerabilities have been exploited in the wild. Users are recommended to apply the fixes released on April 5, 2023, to mitigate potential threats.

This is not the first time severe flaws have come to light in Illumina's DNA sequencing devices. In June 2022, the company disclosed multiple similar vulnerabilities that could have been abused to seize control of affected systems.

The disclosure comes almost a month after the FDA issued new guidance that will require medical device makers to adhere to a set of cybersecurity requirements when submitting an application for a new product.

This includes a plan to monitor, identify, and address "postmarket" cybersecurity vulnerabilities and exploits within a reasonable time period, and design and maintain processes to ensure the security of such devices via regular and out-of-band patches.


Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now
28.4.23  Vulnerebility  The Hacker News
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.

"Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023.

Products impacted by the flaw are -

ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.

The shortcoming, which impacts ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been resolved in ZLD V5.36.

Lastly, the company also shipped fixes for five high-severity flaws affecting several firewalls and access point (AP) devices (from CVE-2023-22913 to CVE-2023-22918) that could result in code execution and cause a denial-of-service (DoS) condition.

Nikita Abramov from Russian cybersecurity company Positive Technologies has been credited with reporting the issues. Earlier this year, Abramov also discovered four command injection and buffer overflow vulnerabilities in Zyxel CPE, fiber ONTs, and WiFi extenders.

The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.

"It did not require authentication to be exploited and led to arbitrary code execution on the device," Abramov explained at the time. "As a result, an attacker could gain remote access to the device and fully control its operation."


Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks
26.4.23  Vulnerebility  The Hacker News
The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution.

The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations.

Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as "a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data."

It's worth noting that the flaw does not affect Superset instances that have changed the default value for the SECRET_KEY config to a more cryptographically secure random string.

The cybersecurity firm, which found that the SECRET_KEY is defaulted to the value "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h" at install time, said that 918 out of 1,288 publicly-accessible servers were using the default configuration in October 2021.

An attacker who had knowledge of the secret key could then sign in to these servers as an administrator by forging a session cookie and seize control of the systems.

On January 11, 2022, the project maintainers attempted to rectify the problem by rotating the SECRET_KEY value to "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET" in the Python code along with user instructions to override it.

Horizon3.ai said it further found two additional SECRET_KEY configurations that were assigned the default values "USE_YOUR_OWN_SECURE_RANDOM_KEY" and "thisISaSECRET_1234."

An expanded search conducted in February 2023 with these four keys unearthed 3,176 instances, out of which 2,124 were using one of the default keys. Some of those affected include large corporations, small companies, government agencies, and universities.

Following responsible disclosure to the Apache security team a second time, a new update (version 2.1) was released on April 5, 2023, to plug the security hole by preventing the server from starting up altogether if it's configured with the default SECRET_KEY.

"This fix is not foolproof though as it's still possible to run Superset with a default SECRET_KEY if it's installed through a docker-compose file or a helm template," Sunkavally said.

"The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user."

Horizon3.ai has also made available a Python script that can be used to determine if Superset instances are susceptible to the flaw.
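The same check can be reproduced offline with nothing but the Python standard library. The block below is an added example, not Horizon3.ai's script and not Superset code: it re-creates the cookie format Flask produces (itsdangerous' URLSafeTimedSerializer with salt "cookie-session", HMAC key derivation and SHA-1), which Superset, a Flask application, uses for its session cookie, and then tries each default SECRET_KEY named above against a cookie's signature. The session payload and timestamp used to build the sample cookie are constructed; the `_user_id`/`_fresh` keys follow the Flask-Login convention and are an assumption about what a real Superset session contains.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# The four default keys named above, plus the docker-compose default the article mentions.
DEFAULT_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",   # original install-time default
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",          # rotated default from January 2022
    "USE_YOUR_OWN_SECURE_RANDOM_KEY",
    "thisISaSECRET_1234",
    "TEST_NON_DEV_SECRET",                           # docker-compose default
]
SALT = b"cookie-session"   # Flask's session salt


def _b64(raw: bytes) -> bytes:
    # itsdangerous base64: URL-safe alphabet, no padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _derive_key(secret_key: str) -> bytes:
    # Flask's SecureCookieSessionInterface: key_derivation="hmac", digest_method=sha1
    return hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()


def sign_session(session: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Produce a session cookie the way Flask does (used here to build sample cookies)."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    # itsdangerous compresses only when that saves space, and marks it with a leading "."
    body = b"." + _b64(compressed) if len(compressed) < len(payload) - 1 else _b64(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    value = body + b"." + _b64(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    sig = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64(sig)).decode()


def signed_with(cookie: str, secret_key: str) -> bool:
    """True if the cookie's signature verifies under secret_key."""
    value, sep, sig = cookie.rpartition(".")
    if not sep:
        return False
    expected = _b64(hmac.new(_derive_key(secret_key), value.encode(), hashlib.sha1).digest())
    return hmac.compare_digest(expected, sig.encode())


def find_default_key(cookie: str, candidates=DEFAULT_KEYS) -> Optional[str]:
    """Return the default key that signs this cookie, or None if none of them does."""
    for key in candidates:
        if signed_with(cookie, key):
            return key
    return None


def decode_payload(cookie: str) -> dict:
    """Read the session contents; Flask cookies are signed, not encrypted."""
    compressed = cookie.startswith(".")
    body = cookie.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    return json.loads(zlib.decompress(raw) if compressed else raw)


if __name__ == "__main__":
    # Constructed sample: a Flask-Login style session for user id 1 under the first default key.
    sample = sign_session({"_user_id": "1", "_fresh": True}, DEFAULT_KEYS[0], timestamp=1680000000)
    print(repr(find_default_key(sample)))   # the first default key: this instance is exposed
    print(decode_payload(sample))           # {'_fresh': True, '_user_id': '1'}
```

Against a live instance you would take the `session` cookie value the server sets on any request (no login needed) and pass it to `find_default_key`; a hit means anyone who knows the key can mint an administrator session for that server, so rotate SECRET_KEY before anything else. `decode_payload` is a reminder that the cookie's contents are readable without the key; only the signature depends on it.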

"It's commonly accepted that users don't read documentation and applications should be designed to force users along a path where they have no choice but to be secure by default," Sunkavally concluded. "The best approach is to take the choice away from users and require them to take deliberate actions to be purposefully insecure."


VMware Releases Critical Patches for Workstation and Fusion Software
26.4.23  Vulnerebility  The Hacker News
VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.

The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said.

Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine.

Both vulnerabilities were demonstrated by researchers from STAR Labs on the third day of the Pwn2Own hacking contest held in Vancouver last month, earning them an $80,000 reward.

VMware has also patched two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7).

While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution.

"A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine," VMware said.

The flaws have been addressed in Workstation version 17.0.2 and Fusion version 13.0.2. As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.

As for mitigating CVE-2023-20872, it's advised to remove the CD/DVD device from the virtual machine or configure the virtual machine not to use a virtual SCSI controller.

The development comes less than a week after the virtualization services provider fixed a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).


New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks
25.4.23  Vulnerebility  The Hacker News

Details have emerged about a high-severity security vulnerability impacting Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets.

"Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported," Bitsight and Curesec researchers Pedro Umbelino and Marco Lux said in a report shared with The Hacker News.

The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet.

This includes VMware ESXi hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.

The top 10 countries with the most organizations having vulnerable SLP instances are the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

SLP is a service discovery protocol that makes it possible for computers and other devices to find services in a local area network such as printers, file servers, and other network resources.

Successful exploitation of CVE-2023-29552 could permit an attacker to take advantage of susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with bogus traffic.

To do so, all an attacker needs to do is find an SLP server on UDP port 427 and register "services until SLP denies more entries," followed by repeatedly spoofing a request to that service with a victim's IP as the source address.

An attack of this kind can produce an amplification factor of up to 2,200, resulting in large-scale DoS attacks. To mitigate against the threat, users are recommended to disable SLP on systems directly connected to the internet, or alternatively filter traffic on UDP and TCP port 427.

"It is equally important to enforce strong authentication and access controls, allowing only authorized users to access the correct network resources, with access being closely monitored and audited," the researchers said.

Web security company Cloudflare, in an advisory, said it "expects the prevalence of SLP-based DDoS attacks to rise significantly in the coming weeks" as threat actors experiment with the new DDoS amplification vector.

The findings come as a now-patched two-year-old flaw in VMware's SLP implementation was exploited by actors associated with the ESXiArgs ransomware in widespread attacks earlier this year.


GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform
21.4.23  Vulnerebility  The Hacker News
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account.

Israeli cybersecurity startup Astrix Security, which discovered and reported the issue to Google on June 19, 2022, dubbed the shortcoming GhostToken.

The issue impacted all Google accounts, including enterprise-focused Workspace accounts. Google deployed a global patch more than nine months later, on April 7, 2023.

"The vulnerability [...] allows attackers to gain permanent and unremovable access to a victim's Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim's personal data exposed forever," Astrix said in a report.

In a nutshell, the flaw makes it possible for an attacker to hide their malicious app from a victim's Google account application management page, thereby effectively preventing users from revoking its access.

This is achieved by deleting the GCP project associated with the authorized OAuth application, which puts it into a "pending deletion" state. The threat actor, armed with this capability, could then unhide the rogue app by restoring the project, use the access token to obtain the victim's data, and make it invisible again.

"In other words, the attacker holds a 'ghost' token to the victim's account," Astrix said.

The kind of data that can be accessed depends on the permissions granted to the app, which the adversaries can abuse to delete files from Google Drive, write emails on the victim's behalf to perform social engineering attacks, track locations, and exfiltrate sensitive data from Google Calendar, Photos, and Drive.

"Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online," Astrix added.

"Once the malicious app has been authorized, an attacker exploiting the vulnerability can bypass Google's 'Apps with access to your account' management feature, which is the only place where Google users can view third-party apps connected to their account."

Google's patch addresses the problem by now displaying apps that are in a pending deletion state on the third-party access page, allowing users to revoke the permission granted to such apps.

The development comes as Google Cloud fixed a privilege escalation flaw in the Cloud Asset Inventory API dubbed Asset Key Thief that could be exploited to steal user-managed Service Account private keys and gain access to valuable data. The issue, which was discovered by SADA earlier this February, was patched by the tech giant on March 14, 2023.

The findings come a little over a month after cloud incident response firm Mitiga revealed that adversaries could take advantage of "insufficient" forensic visibility into GCP to exfiltrate sensitive data.


Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products
21.4.23  Vulnerebility  The Hacker News
Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.

The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.

"A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device," Cisco said in an advisory released on April 19, 2023.

The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information.

Patches have been made available in version 1.11.3, with Cisco crediting an unnamed "external" researcher for reporting the two issues.

Also fixed by Cisco is another critical flaw in the external authentication mechanism of the Modeling Labs network simulation platform. Tracked as CVE-2023-20154 (CVSS score: 9.1), the vulnerability could permit an unauthenticated, remote attacker to access the web interface with administrative privileges.

"To exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server," the company noted.

"If the LDAP server is configured in such a way that it will reply to search queries with a non-empty array of matching entries (replies that contain search result reference entries), this authentication bypass vulnerability can be exploited."

While there are workarounds that plug the security hole, Cisco cautions customers to test the effectiveness of such remediations in their own environments before administering them. The shortcoming has been patched with the release of version 2.5.1.
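Cisco's condition above (a search that returns a non-empty result made up of search result references) describes a common mistake in external-authentication code: treating "the directory returned something" as "the user exists". The following is an added illustration of that bug class in Python, not Cisco's code, using responses constructed in the shape the python ldap3 library returns from `Connection.response` (a referral is a `searchResRef` record carrying a `uri`, a match is a `searchResEntry` record carrying a `dn`). The directory names, the user and the `_demo_bind` stand-in for the real LDAP bind are assumptions.

```python
from typing import Callable, List, Optional

SEARCH_ENTRY = "searchResEntry"      # a real directory entry that matched the filter
SEARCH_REFERENCE = "searchResRef"    # a referral to another server; not a match


def user_exists_vulnerable(response: List[dict]) -> bool:
    """The bug class: any non-empty result list counts as 'user found'."""
    return len(response) > 0


def matched_entries(response: List[dict]) -> List[dict]:
    """Keep only genuine entries; drop referrals and anything without a DN."""
    return [r for r in response if r.get("type") == SEARCH_ENTRY and r.get("dn")]


def user_dn_hardened(response: List[dict]) -> Optional[str]:
    """Resolve the search to exactly one DN, or refuse."""
    entries = matched_entries(response)
    if len(entries) != 1:        # zero: unknown user; more than one: ambiguous filter, refuse
        return None
    return entries[0]["dn"]


def authenticate(response: List[dict], password: str,
                 bind: Callable[[str, str], bool]) -> bool:
    """Authenticate only by binding as the single matched DN; 'bind' is the caller's LDAP bind."""
    dn = user_dn_hardened(response)
    return dn is not None and bind(dn, password)


# Constructed responses in ldap3's Connection.response shape.
ALICE_DN = "uid=alice,ou=People,dc=example,dc=test"
REFERRAL = {"type": SEARCH_REFERENCE,
            "uri": ["ldap://dc2.example.test/ou=People,dc=example,dc=test??sub"]}
REFERRAL_ONLY = [REFERRAL]   # what a search for a nonexistent user can return
ALICE_AND_REFERRAL = [{"type": SEARCH_ENTRY, "dn": ALICE_DN, "attributes": {"uid": ["alice"]}},
                      REFERRAL]


def _demo_bind(dn: str, password: str) -> bool:
    # Stand-in for a real bind with the user's credentials (constructed for the example).
    return dn == ALICE_DN and password == "correct horse"


if __name__ == "__main__":
    print(user_exists_vulnerable(REFERRAL_ONLY))                          # True: the bypass
    print(user_dn_hardened(REFERRAL_ONLY))                                # None
    print(authenticate(ALICE_AND_REFERRAL, "correct horse", _demo_bind))  # True
```

The hardened path never treats the search result itself as proof of anything: the directory is only consulted to find the DN, and the decision is made by the bind with the supplied password.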

VMware ships updates for Aria Operations for Logs

VMware, in an advisory released on April 20, 2023, warned of a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).

"An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root," the virtualization services provider said.

VMware Aria Operations for Logs 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to run arbitrary commands as root.

"CVE-2023-20864 is a critical issue and should be patched immediately," the company said. "It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability."

The alert comes almost three months after VMware plugged two critical issues in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS scores: 9.8) that could result in remote code execution.

With Cisco and VMware appliances turning out to be lucrative targets for threat actors, it's recommended that users move quickly to apply the updates to mitigate potential threats.


Two Critical Flaws Found in Alibaba Cloud's PostgreSQL Databases
21.4.23  Vulnerebility  The Hacker News
A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.

"The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News.

The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, and mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild.

In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server.

Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.
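The last step of that chain, a registry credential meant for pulling images that also allowed pushing, is something you can check on any registry that issues bearer tokens: the token's `access` claim states exactly which actions the registry granted. The block below is an added example, not Wiz's or Alibaba Cloud's code, that decodes a Docker-registry-style token and reports any repository where the grant exceeds what the client asked for. The sample token is constructed and unsigned (alg "none") purely so the example runs offline; the issuer, subject and repository names are assumptions. The signature is deliberately not verified because the question is what the registry itself says it granted, not whether the token is authentic.

```python
import base64
import json
from typing import Dict, Set


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_access(token: str) -> Dict[str, Set[str]]:
    """Map repository name -> set of actions the token's access claim grants."""
    try:
        _header, payload, _sig = token.split(".")
    except ValueError as exc:
        raise ValueError("not a compact JWT") from exc
    claims = json.loads(_b64url_decode(payload))
    granted: Dict[str, Set[str]] = {}
    for entry in claims.get("access", []):
        if entry.get("type") != "repository":
            continue
        granted.setdefault(entry["name"], set()).update(entry.get("actions", []))
    return granted


def excess_grants(token: str, requested: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Actions granted beyond what was requested, e.g. push on a pull-only credential."""
    excess: Dict[str, Set[str]] = {}
    for repo, actions in token_access(token).items():
        extra = actions - requested.get(repo, set())
        if extra:
            excess[repo] = extra
    return excess


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs without a registry."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample: a node's image-pull credential that came back with push as well.
SAMPLE = make_unsigned_token({
    "iss": "registry-auth.example.test",   # hypothetical issuer
    "sub": "db-node-puller",               # hypothetical subject
    "access": [{"type": "repository", "name": "rds/postgres-runtime",
                "actions": ["pull", "push"]}],
})

if __name__ == "__main__":
    print(excess_grants(SAMPLE, {"rds/postgres-runtime": {"pull"}}))   # {'rds/postgres-runtime': {'push'}}
```

In practice you request the token from the registry's token endpoint with the credential under test and the scope you intend it to have (`repository:<name>:pull`), then run `excess_grants` with that same scope as `requested`; any non-empty result is a credential that needs re-scoping.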

"The credentials used to pull images were not scoped correctly and allowed push permissions, laying the foundation for a supply-chain attack," Wiz researchers Ronen Shustin and Shir Tamari said.

This is not the first time PostgreSQL vulnerabilities have been identified in cloud services. Last year, Wiz uncovered similar issues in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell's Keychain).

The findings come as Palo Alto Networks Unit 42, in its Cloud Threat Report, revealed that "threat actors have become adept at exploiting common, everyday issues in the cloud," including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software (OSS) packages.

"76% of organizations don't enforce MFA [multi-factor authentication] for console users, while 58% of organizations don't enforce MFA for root/admin users," the cybersecurity firm said.


Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released
20.4.23  Vulnerebility  The Hacker News
Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser.

The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023.

"Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD).

The tech giant, which also fixed seven other security issues with the latest update, said it's aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse.

The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors this year, and comes merely days after Google patched CVE-2023-2033 last week. It's not immediately clear if the two zero-days have been chained together as part of in-the-wild attacks.

Users are recommended to upgrade to version 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS, and 112.0.5615.165 for Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution
19.4.23  Vulnerebility  The Hacker News
A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections.

Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.

The bugs allow an attacker to raise an unsanitized host exception, which can be weaponized to escape the sandbox and run arbitrary code in the host context.

"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert.

Credited with discovering and reporting the vulnerabilities is security researcher SeungHyun Lee, who has also released proof-of-concept (PoC) exploits for the two issues in question.

The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.

It's worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year (CVE-2022-36067, CVSS score: 9.8) that was codenamed Sandbreak.


Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
12.4.23  Vulnerebility  The Hacker News
It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA has added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

Microsoft has also updated its advisory for CVE-2013-3900, a 10-year-old WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019, and
Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

Microsoft Issues Guidance for BlackLotus Bootkit Attacks
In tandem with the update, the tech giant also issued guidance for CVE-2022-21894 (aka Baton Drop), a now-fixed Secure Boot bypass flaw that has been exploited by threat actors using a nascent Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus to establish persistence on a host.

Some indicators of compromise (IoCs) include recently created and locked bootloader files in the EFI system partition (ESP), event logs associated with the stoppage of Microsoft Defender Antivirus, presence of the staging directory ESP:/system32/, and modifications to the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity.

"UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms," the Microsoft Incident Response team said.

Microsoft further recommends that compromised devices be removed from the network and examined for evidence of follow-on activity, that the machines be reformatted or restored from a known clean backup that includes the EFI partition, and that organizations maintain credential hygiene and enforce the principle of least privilege (PoLP).


Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
11.4.23  Vulnerability  The Hacker News
A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.

The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.

Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.

"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.

In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.

"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.

As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."

"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.

The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.


Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps
1.4.23  Vulnerability  The Hacker News
Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.

"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."

The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.

The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.

Interestingly, a number of Microsoft's own internal apps were found to exhibit this behavior, thereby permitting external parties to obtain read and write access to the affected applications.

This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.

To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.

"A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users," Wiz researcher Hillai Ben-Sasson noted.

Other apps that were found susceptible to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

The development comes as enterprise penetration testing firm NetSPI revealed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.

Following responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.

The research also follows the release of patches to remediate Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.


Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
1.4.23  Vulnerability  The Hacker News
Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems.

This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week.

CVE-2022-46169 relates to a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. CVE-2021-35394 also concerns an arbitrary command injection vulnerability impacting the Realtek Jungle SDK that was patched in 2021.

While the latter has been previously exploited to distribute botnets like Mirai, Gafgyt, Mozi, and RedGoBot, the development marks the first time it has been utilized to deploy MooBot, a Mirai variant known to be active since 2019.

The Cacti flaw, besides being leveraged for MooBot attacks, has also been observed serving ShellBot payloads since January 2023, when the issue came to light.

At least three different versions of ShellBot have been detected – viz. PowerBots (C) GohacK, LiGhT's Modded perlbot v2, and B0tchZ 0.2a – the first two of which were recently disclosed by the AhnLab Security Emergency response Center (ASEC).

All three variants are capable of orchestrating distributed denial-of-service (DDoS) attacks. PowerBots (C) GohacK and B0tchZ 0.2a also feature backdoor capabilities to carry out file uploads/downloads and launch a reverse shell.

"Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server," Fortinet researcher Cara Lin said. "Because MooBot can kill other botnet processes and also deploy brute force attacks, administrators should use strong passwords and change them periodically."

Active Exploitation of IBM Aspera Faspex Flaw
A third security vulnerability that has come under active exploitation is CVE-2022-47986 (CVSS score: 9.8), a critical YAML deserialization issue in IBM's Aspera Faspex file exchange application.

The bug, patched in December 2022 (version 4.4.2 Patch Level 2), has been co-opted by cybercriminals in ransomware campaigns associated with Buhti and IceFire since February, shortly after the release of the proof-of-concept (PoC) exploit.

Cybersecurity firm Rapid7, earlier this week, revealed that one of its customers was compromised by the security flaw, necessitating that users move quickly to apply the fixes to prevent potential risks.

"Because this is typically an internet-facing service and the vulnerability has been linked to ransomware group activity, we recommend taking the service offline if a patch cannot be installed right away," the company said.


Researchers Detail Severe "Super FabriXss" Vulnerability in Microsoft Azure SFX
1.4.23  Vulnerability  The Hacker News
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.

Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022.

"The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication," security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

XSS refers to a kind of client-side code injection attack that makes it possible to inject malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences.

While both FabriXss and Super FabriXss are XSS flaws, Super FabriXss has more severe implications in that it could be weaponized to execute code and potentially gain control of susceptible systems.

Super FabriXss, which resides in the "Events" tab associated with each node in the cluster from the user interface, is also a reflected XSS flaw, meaning the script is embedded into a link, and is only triggered when the link is clicked.

"This attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform that allows an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL from XSS Vulnerability," Ben Shitrit explained.

"By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources."

The flaw, according to Orca, impacts Azure Service Fabric Explorer version 9.1.1436.9590 or earlier. It has since been addressed by Microsoft as part of its March 2023 Patch Tuesday update, with the tech giant describing it as a spoofing vulnerability.

"The vulnerability is in the web client, but the malicious scripts executed in the victim's browser translate into actions executed in the (remote) cluster," Microsoft noted in its advisory. "A victim user would have to click the stored XSS payload injected by the attacker to be compromised."

The disclosure comes as NetSPI revealed a privilege escalation flaw in Azure Function Apps, enabling users with "read only" permissions to access sensitive information and gain command execution.

It also follows the discovery of a misconfiguration in Azure Active Directory that exposed a number of applications to unauthorized access, including a content management system (CMS) that powers Bing.com.

Cloud security firm Wiz, which codenamed the attack BingBang, said it could be weaponized to alter search results in Bing, and worse, even perform XSS attacks on its users.


New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices
1.4.23  Vulnerability  The Hacker News

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS.

Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef said in a paper published this week.

The approach exploits power-save mechanisms in endpoint devices to trick access points into leaking data frames in plaintext, or encrypt them using an all-zero key.

"The unprotected nature of the power-save bit in a frame's header [...] also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers noted.

In other words, the goal is to leak frames from the access point destined to a victim client station by taking advantage of the fact that most Wi-Fi stacks do not adequately dequeue or purge their transmit queues when the security context changes.

Besides manipulating the security context to leak frames from the queue, an attacker can override the client's security context used by an access point to receive packets intended for the victim. This attack presupposes that the targeted party is connected to a hotspot-like network.

"The core idea behind the attack is that the manner in which clients are authenticated is unrelated to how packets are routed to the correct Wi-Fi client," Vanhoef explained.

"A malicious insider can abuse this to intercept data towards a Wi-Fi client by disconnecting a victim and then connecting under the MAC address of the victim (using the credentials of the adversary). Any packets that were still underway to the victim, such as website data that the victim was still loading, will now be received by the adversary instead."

Cisco, in an informational advisory, described the vulnerabilities as an "opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network."

However, the company acknowledged that the attacks presented in the study may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

To reduce the probability of such attacks, it's recommended to implement transport layer security (TLS) to encrypt data in transit and apply policy enforcement mechanisms to restrict network access.

The findings arrive months after researchers Ali Abedi and Deepak Vasisht demonstrated a location-revealing privacy attack called Wi-Peep that also exploits the 802.11 protocol's power-saving mechanism to localize target devices.

The research also follows other recent studies that have leveraged the Google Maps' Geolocation API to launch location spoofing attacks in urban areas, not to mention use Wi-Fi signals to detect and map human movement in a room.


Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools
28.3.23  Vulnerability  The Hacker News

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.

The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.

Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.

"The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker's control," Microsoft said in an advisory released on March 24, 2023.

Successful exploitation requires that the following two prerequisites are met -

The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.
However, it does not impact scenarios where an image is copied from the Snipping Tool or modified before saving it.

"If you take a screenshot of your bank statement, save it to your desktop, and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file," Microsoft explains.

"However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied, and your account number will be safe."

The vulnerability has been addressed in version 10.2008.3001.0 of Snip & Sketch installed on Windows 10 and version 11.2302.20.0 of Snipping Tool installed on Windows 11.

aCropalypse first came to light on March 18, 2022, when it was found that a bug in Google Pixel's Markup tool made it possible to retroactively reverse the changes introduced to screenshots, thereby recovering personal information from redacted screenshots and images, including those that have been cropped or had their contents masked.

Credited with discovering the problem are reverse engineers Simon Aarons and David Buchanan. The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was reported to Google on January 2, 2023, and was fixed via an update released on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

The shortcoming has existed since the release of the Markup utility with Android 9 Pie in 2018, and images already shared over the past five years are vulnerable to the aCropalypse attack, raising possible privacy concerns.

"You can patch it, but you can't easily un-share all the vulnerable images you may have sent," Buchanan said in a tweet, describing it as a "bad one."

A similar issue with reversible cropping was recently disclosed in Google Docs as well, allowing users with view-only access to recover original versions of cropped images in shared documents without having the edit permissions to do so.
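The condition Microsoft describes above, a cropped image saved back to the same location while the complete original data stays recoverable from the file, can be checked for by walking the PNG chunk list and looking for bytes after the IEND chunk. The following is an added example, not code from the page, from Microsoft or from the aCropalypse researchers. It assumes, since the page does not state the root cause, that the leftover data is the tail of the larger original file surviving because the smaller edited image was written over it without truncation, and it constructs its own sample images inline rather than using real screenshots.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int = 0) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed sample, not a real screenshot).

    Pixel values follow a non-repeating pattern so the IDAT does not compress to
    almost nothing; that keeps a 64x64 image clearly larger than an 8x8 crop.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = []
    for y in range(height):
        # filter type 0 (None) followed by the row's pixel bytes
        rows.append(b"\x00" + bytes((x * 31 + y * 17 + seed) & 0xFF for x in range(width)))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def parse_chunks(data: bytes):
    """Walk the chunk list up to IEND. Returns (list of chunk types, offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    types = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        types.append(ctype)
        pos += 8 + length + 4          # header, payload, CRC
        if ctype == b"IEND":
            return types, pos
    raise ValueError("no IEND chunk found (truncated PNG)")


def trailing_data_after_iend(data: bytes) -> bytes:
    """Bytes after IEND. A cleanly written PNG has none; leftovers are a red flag."""
    _, end = parse_chunks(data)
    return data[end:]


def has_leftover_data(data: bytes) -> bool:
    """True when the file carries data past IEND, i.e. it should not be shared as-is."""
    return len(trailing_data_after_iend(data)) > 0


def overwrite_without_truncate(existing: bytes, new_content: bytes) -> bytes:
    """Model a save that writes the new image over the old file without truncating it.

    This is the assumed root cause used for the demonstration, not a statement
    from the advisory quoted above.
    """
    return new_content + existing[len(new_content):]


if __name__ == "__main__":
    original = make_png(64, 64, seed=1)   # the full screenshot
    cropped = make_png(8, 8, seed=1)      # the edited, smaller image
    saved = overwrite_without_truncate(original, cropped)
    leftover = trailing_data_after_iend(saved)
    print(f"file size {len(saved)} bytes, {len(leftover)} bytes of leftover data after IEND")
    print("leftover is the tail of the original file:", leftover == original[len(cropped):])
```

Running `has_leftover_data` over a directory of screenshots before they are shared is the practical use: a PNG whose bytes continue past IEND has not been written cleanly, whichever tool produced it, and the safe fix for an affected file is to re-encode it rather than to strip the tail by hand.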


Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites
24.3.23  Vulnerability  The Hacker News
Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites.

The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.

Put differently, the issue could permit an "unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required," WordPress security company Wordfence said.

The vulnerability appears to reside in a PHP file called "class-platform-checkout-session.php," Sucuri researcher Ben Martin noted.

Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork.

WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

Furthermore, the maintainers of the e-commerce plugin noted that it's disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

There is no evidence that the vulnerability has been actively exploited to date, but it's expected to be weaponized on a large scale once a proof-of-concept becomes available, Wordfence researcher Ram Gall cautioned.

Besides updating to the latest version, users are recommended to check for newly added admin users, and if so, change all administrator passwords and rotate payment gateway and WooCommerce API keys.


Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips
17.3.23  Vulnerability  The Hacker News
Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.

The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Four of the 18 flaws make it possible for a threat actor to achieve internet-to-baseband remote code execution, Google Project Zero, which reported the bugs in late 2022 and early 2023, said.

"[The] four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Tim Willis, head of Google Project Zero, said.

In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Additional details about the bugs have been withheld.

The attacks might sound prohibitive to execute, but, to the contrary, they are well within reach of skilled attackers, who can quickly devise an operational exploit to breach affected devices "silently and remotely."

The remaining 14 flaws are said to be not as severe, as they necessitate a rogue mobile network insider or an attacker with local access to the device.

While Pixel 6 and 7 handsets have already received a fix as part of March 2023 security updates, patches for other devices are expected to vary depending on the manufacturer's timeline.

Until then, users are recommended to switch off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to "remove the exploitation risk of these vulnerabilities."


Microsoft Rolls Out Patches for 80 New Security Flaws — Two Under Active Attack
15.3.23  Vulnerability  The Hacker News
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.

Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.

The two vulnerabilities that have come under active attack include a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).

CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft said in a standalone advisory.

A threat actor could leverage this flaw by sending a specially crafted email that is triggered automatically when it is retrieved and processed by the Outlook client for Windows. As a result, exploitation can occur without any user interaction, even before the message is viewed in the Preview Pane.

Microsoft credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the flaw, adding it is aware of "limited targeted attacks" mounted by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.

CVE-2023-24880, on the other hand, concerns a security bypass flaw that could be exploited to evade Mark-of-the-Web (MotW) protections when opening untrusted files downloaded from the internet.

It is also the consequence of a narrow patch released by Microsoft to resolve another SmartScreen bypass bug (CVE-2022-44698, CVSS score: 5.4) that came to light last year and which was exploited by financially motivated actors to deliver Magniber ransomware.

"Vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants," Google Threat Analysis Group (TAG) researcher Benoit Sevens said in a report.

"Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug."

TAG said it observed over 100,000 downloads of malicious MSI files signed with malformed Authenticode signatures since January 2023, thereby permitting the adversary to distribute Magniber ransomware without raising any security warnings. A majority of those downloads have been associated with users in Europe.

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two flaws to the Known Exploited Vulnerabilities (KEV) catalog and announced a new pilot program that aims to warn critical infrastructure entities about "vulnerabilities commonly associated with known ransomware exploitation."

Also closed out by Microsoft are a number of critical remote code execution flaws impacting HTTP Protocol Stack (CVE-2023-23392, CVSS score: 9.8), Internet Control Message Protocol (CVE-2023-23415, CVSS score: 9.8), and Remote Procedure Call Runtime (CVE-2023-21708, CVSS score: 9.8).

Other notable mentions include patches for four privilege escalation bugs identified in the Windows Kernel, 10 remote code execution flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.

Microsoft also remedied two information disclosure flaws in OneDrive for Android (CVE-2023-24882 and CVE-2023-24923, CVSS scores: 5.5), one spoofing vulnerability in Office for Android (CVE-2023-23391, CVSS score: 5.5), one security bypass bug in OneDrive for iOS (CVE-2023-24890, CVSS score: 4.3), and one privilege escalation issue in OneDrive for macOS (CVE-2023-24930, CVSS score: 7.8).

Rounding off the list are patches for two high-severity vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 and CVE-2023-1018, CVSS scores: 8.8) that could lead to information disclosure or privilege escalation.


Fortinet FortiOS Flaw Exploited in Targeted Cyberattacks on Government Entities
14.3.23  Vulnerability  The Hacker News
Government entities and large organizations have been targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an advisory last week.

The zero-day flaw in question is CVE-2022-41328 (CVSS score: 6.5), a medium-severity path traversal bug in FortiOS that could lead to arbitrary code execution.

"An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands," the company noted.

The shortcoming impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. Fixes are available in versions 6.4.12, 7.0.10, and 7.2.4 respectively.

The disclosure comes days after Fortinet released patches to address 15 security flaws, including CVE-2022-41328 and a critical heap-based buffer underflow issue impacting FortiOS and FortiProxy (CVE-2023-25610, CVSS score: 9.3).

According to the Sunnyvale-based company, multiple FortiGate devices belonging to an unnamed customer suffered from a "sudden system halt and subsequent boot failure," indicating an integrity breach.

Further analysis of the incident revealed that the threat actors modified the device's firmware image to include a new payload ("/bin/fgfm") so that it is always launched before the boot process begins.

The /bin/fgfm malware is designed to establish contact with a remote server to download files, exfiltrate data from the compromised host, and grant remote shell access.

Additional changes introduced to the firmware are said to have provided the attacker with persistent access and control, and even to disable firmware verification at startup.

Fortinet said the attack was highly targeted, with evidence pointing to governmental or government-affiliated organizations.

Given the complexity of the exploit, it's suspected that the attacker has a "deep understanding of FortiOS and the underlying hardware" and possesses advanced capabilities to reverse engineer different aspects of the FortiOS operating system.

It's not immediately clear if the threat actor has any connections to another intrusion set that was observed weaponizing a flaw in FortiOS SSL-VPN (CVE-2022-42475) earlier this January to deploy a Linux implant.


Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom
13.3.23  Vulnerebility  The Hacker News
More than a dozen security flaws have been disclosed in E11, a smart intercom product made by Chinese company Akuvox.

"The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device's camera and microphone, steal video and images, or gain a network foothold," Claroty security researcher Vera Mens said in a technical write-up.

Akuvox E11 is described by the company on its website as a "SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments."

The product listing, however, has been taken down from the website, displaying an error message: "Page does not exist." A snapshot captured by Google shows that the page was live as recently as March 12, 2023, 05:59:51 GMT.

The attacks can manifest either through remote code execution within the local area network (LAN) or remote activation of the E11's camera and microphone, allowing the adversary to collect and exfiltrate multimedia recordings.

A third attack vector takes advantage of an external, insecure file transfer protocol (FTP) server to download stored images and data.

The most severe of the issues are as follows -

CVE-2023-0344 (CVSS score: 9.1) - Akuvox E11 appears to be using a custom version of dropbear SSH server. This server allows an insecure option that by default is not in the official dropbear SSH server.
CVE-2023-0345 (CVSS score: 9.8) - The Akuvox E11 secure shell (SSH) server is enabled by default and can be accessed by the root user. This password cannot be changed by the user.
CVE-2023-0352 (CVSS score: 9.1) - The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.
CVE-2023-0354 (CVSS score: 9.1) - The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs.
A majority of the 13 security issues remain unpatched to date, with the industrial and IoT security company noting that Akuvox has since addressed the FTP server permissions issue by disabling "the ability to list its content so malicious actors could not enumerate files anymore."

The findings have also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an Industrial Control Systems (ICS) advisory of its own last week.

"Successful exploitation of these vulnerabilities could cause loss of sensitive information, unauthorized access, and grant full administrative control to an attacker," the agency cautioned.

In the absence of patches, organizations using the doorphone are advised to disconnect it from the internet until the vulnerabilities are fixed to mitigate potential remote attacks.

It's also advised to change the default password used to secure the web interface and "segment and isolate the Akuvox device from the rest of the enterprise network" to prevent lateral movement attacks.

The development comes as Wago released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities (CVE-2022-45137, CVE-2022-45138, CVE-2022-45139, and CVE-2022-45140), two of which could be exploited to achieve full system compromise.