
Human Factor Blog

how human behavior affects security

Programmer’s Digest #120

01/29/2025-02/05/2025 New Veeam Flaw, Weaponized Go Package Module, PyPI Adds Project Archiving System to Stop Malicious Updates And More.

1. New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack

Veeam has patched a critical security flaw (CVE-2025-23114, CVSS 9.0) in its Backup software that could allow attackers to execute arbitrary code via a Man-in-the-Middle attack. The vulnerability affects older versions of Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux/Red Hat Virtualization. Updated versions with fixes include:

  • Salesforce – Updater v7.9.0.1124
  • Nutanix AHV – Updater v9.0.0.1125
  • AWS – Updater v9.0.0.1126
  • Microsoft Azure – Updater v9.0.0.1128
  • Google Cloud – Updater v9.0.0.1128
  • Oracle Linux/Red Hat Virtualization – Updater v9.0.0.1127

Deployments not protecting these cloud environments remain unaffected. Organizations should update immediately to mitigate security risks.

2. CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The list of vulnerabilities is as follows:

  • CVE-2024-45195 (CVSS score: 7.5/9.8) – A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
  • CVE-2024-29059 (CVSS score: 7.5) – An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
  • CVE-2018-9276 (CVSS score: 7.2) – An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
  • CVE-2018-19410 (CVSS score: 9.8) – A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)

3. Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Researchers at Socket have uncovered a malicious Go package exploiting the Go Module Proxy caching mechanism for remote access.

The attack uses a typosquatted version of the BoltDB database module, named “boltdb-go”, mimicking the legitimate github.com/boltdb/bolt package. This trick deceives developers into downloading the malicious version. The package includes a backdoor enabling remote code execution via a command and control (C2) server. Once the Go Module Proxy had cached the malicious version, the attacker altered the Git tags to point to a clean version, hiding the malware from manual inspection of the repository. The malicious code obfuscates the C2 IP address (49.12.198[.]231:20022) by manipulating constants in cursor.go.

Developers should verify package authenticity and watch for potential backdoors. The Go community must also address vulnerabilities in the Go Module Proxy caching system to prevent similar attacks.
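One way to catch the look-alike module path before it is built, as an added example that is not part of the digest or of Socket's research: a small scanner that parses the require directives of a go.mod and flags any path within a few edits of an allowlisted one. The sample go.mod, the allowlist and the exact typosquat path are constructed (the digest only names the package "boltdb-go"); it does not address the proxy-cache half of the problem.

```python
# Constructed go.mod; the typosquat path is hypothetical (the digest only names
# the package "boltdb-go"), chosen to resemble github.com/boltdb/bolt.
SAMPLE_GO_MOD = """module example.com/app
go 1.22
require (
\tgithub.com/boltdb-go/bolt v1.3.1
\tgithub.com/stretchr/testify v1.9.0 // indirect
)
require golang.org/x/crypto v0.21.0
"""
# Module paths the team has already reviewed (constructed allowlist).
KNOWN_GOOD = {"github.com/boltdb/bolt", "github.com/stretchr/testify", "golang.org/x/crypto"}

def parse_requires(text):
    """Return module paths from single-line and block 'require' directives."""
    paths, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as '// indirect'
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif line.startswith("require "):
            paths.append(line.split()[1])
        elif in_block and line:
            paths.append(line.split()[0])
    return paths

def edit_distance(a, b):
    """Levenshtein distance between two module paths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_suspicious(text, known=KNOWN_GOOD, max_distance=3):
    """Map each unlisted path to the allowlisted path it most resembles."""
    hits = {}
    for path in parse_requires(text):
        if path in known:
            continue
        best = min(known, key=lambda k: edit_distance(path, k))
        if edit_distance(path, best) <= max_distance:
            hits[path] = best
    return hits
```

Paths that are neither allowlisted nor look-alikes are not reported, so the scanner complements rather than replaces a dependency review.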

4. PyPI Adds Project Archiving System to Stop Malicious Updates

PyPI has introduced ‘Project Archival,’ allowing developers to archive projects, signaling no further updates while keeping them downloadable. A warning will inform users of the maintenance status, improving supply-chain security by reducing the risk of hijacked, abandoned packages distributing malicious updates.

The feature also reduces support requests by clearly communicating a project’s lifecycle. Developers can archive projects via PyPI settings and unarchive them anytime. PyPI recommends a final release explaining the archival, though it’s not mandatory.

Built on the LifecycleStatus model, originally designed for project quarantine, the system enables transitions between statuses. Future updates may include statuses like ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained.’ This initiative enhances transparency, helping developers find actively maintained alternatives instead of relying on outdated, insecure dependencies. It also mitigates risks like ‘Revival Hijack’ attacks, where deleted projects are taken over by attackers. By providing a structured approach, PyPI aims to improve security and clarity in open-source project maintenance.

5. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

Three security flaws in the open-source PHP package Voyager could allow attackers to execute remote code with a single click.

Sonar researcher Yaniv Nizry revealed that when an authenticated user clicks a malicious link, attackers can run arbitrary code on the server. Despite responsible disclosure on September 11, 2024, the flaws remain unpatched:

  • CVE-2024-55417 – Arbitrary file write via /admin/media/upload
  • CVE-2024-55416 – Reflected XSS in /admin/compass
  • CVE-2024-55415 – Arbitrary file leak and deletion

Attackers can bypass MIME type verification to upload a polyglot file containing executable PHP code. This could be combined with the XSS vulnerability to escalate the attack, triggering remote code execution when a user clicks a crafted link. Additionally, CVE-2024-55415 allows attackers to delete or extract file contents.
Since no fix is available, users should exercise caution when using Voyager.

6. Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw in the Cacti network monitoring framework (CVE-2025-22604, CVSS 9.1) could allow authenticated attackers to execute remote code. The issue stems from a flaw in the multi-line SNMP result parser, enabling users to inject malformed OIDs that lead to command execution via system commands. Exploiting this vulnerability lets users with device management permissions run arbitrary code, risking data theft, modification, or deletion. It affects all versions up to 1.2.28 and is patched in 1.2.29. Security researcher u32i discovered the flaw.

Another vulnerability (CVE-2025-24367, CVSS 7.2) is also fixed, preventing attackers from injecting PHP scripts via graph-related functions. Given past active exploits in Cacti, organizations should urgently update to the latest version to mitigate risks.


Programmer’s Digest #119

01/22/2025-01/29/2025 Critical Vulnerability in Meta’s Llama Framework, Old jQuery Vulnerability, High-Severity SQL Injection Flaw in VMware Avi Load Balancer And More.

1. Critical Vulnerability in Meta’s Llama Framework Exposes AI Systems to Remote Attacks

A critical security flaw, CVE-2024-50050, has been discovered in Meta’s Llama Stack, an open-source framework for generative AI. The vulnerability, caused by unsafe deserialization via Python’s pickle module, allows remote attackers to execute arbitrary code on affected servers. The flaw exists in the recv_pyobj method from pyzmq, which deserializes untrusted data. Attackers can exploit this by sending malicious payloads over exposed ZeroMQ sockets, leading to remote code execution (RCE). While Meta initially rated the severity as 6.3 (medium), security firms like Snyk assigned it a 9.3 (critical) under CVSS v4.0 due to risks of data breaches and system takeover.

Following responsible disclosure on September 29, 2024, Meta patched the issue in version 0.0.41, replacing pickle with a secure JSON-based implementation. Users should upgrade immediately to mitigate risks. This flaw highlights broader security concerns in AI frameworks and the need for stronger safeguards in open-source dependencies.
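To show why a pickle-based receive path is a code-execution path and what the JSON-based replacement changes, here is an added example that is not Llama Stack's or pyzmq's code. It models the socket payload as plain bytes (no ZeroMQ needed), uses sorted as a harmless stand-in for whatever callable a sender might name, and the ALLOWED_KEYS message shape is an assumption for the JSON side.

```python
import io
import json
import pickle

class HostileObject:
    # Constructed stand-in for a sender-built pickle: its __reduce__ makes the
    # stream say "call sorted('cab')" on load. sorted is a harmless placeholder;
    # the stream could name any importable callable, which is the whole problem.
    def __reduce__(self):
        return (sorted, ("cab",))

def build_demo_payload():
    """Bytes as they would arrive on the socket; they name sorted, not this class."""
    return pickle.dumps(HostileObject())

def unsafe_receive(payload):
    """Mirrors recv_pyobj: pickle.loads on bytes from an untrusted peer."""
    return pickle.loads(payload)

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so nothing named by the stream can run."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_receive(payload):
    """Stop-gap for code that must still accept pickles: plain data types only."""
    try:
        return NoGlobalsUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"

ALLOWED_KEYS = {"method", "params"}

def json_receive(payload):
    """The direction of the fix: JSON carries data, never code; check the shape too."""
    msg = json.loads(payload.decode("utf-8"))
    if not isinstance(msg, dict) or not set(msg) <= ALLOWED_KEYS:
        raise ValueError("unexpected message shape")
    return msg
```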

2. CISA Warns of Old jQuery Vulnerability Linked to Chinese APT

CISA has added an old jQuery vulnerability (CVE-2020-11023) to its KEV catalog.
Disclosed in April 2020, this medium-severity XSS flaw can lead to arbitrary code execution. Major organizations like Linux distributions, F5, IBM, and Atlassian previously warned users about its impact.

It’s unclear why CISA added it now, as no recent exploitation reports have surfaced. However, past reports indicate that Chinese state-sponsored APT1 exploited the flaw, with Tenable confirming its use in 2021 for system compromises.

CISA hasn’t clarified if newer attacks prompted this move or if it’s based on older threats. Federal agencies must assess their exposure and take action by February 13.

3. Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

A security review of Palo Alto Networks firewalls uncovered multiple firmware vulnerabilities and misconfigurations, exposing devices to potential attacks.
Security firm Eclypsium analyzed three models—PA-3260, PA-1410, and PA-415—identifying well-known flaws, collectively named PANdora’s Box.

These include:

  • CVE-2020-10713 (BootHole) – Secure Boot bypass
  • Multiple SMM vulnerabilities (PA-3260) – Privilege escalation
  • LogoFAIL (PA-3260) – Secure Boot bypass via image parsing flaws
  • PixieFail (PA-1410, PA-415) – UEFI network stack vulnerabilities
  • Insecure flash access (PA-415) – UEFI modification risk
  • CVE-2023-1017 (PA-415) – TPM 2.0 out-of-bounds write
  • Intel BootGuard bypass (PA-1410)

Palo Alto Networks stated these flaws cannot be exploited under normal conditions with updated PAN-OS and secured interfaces but is working on mitigations. Organizations should update firmware and follow best practices to secure their networks.

4. Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer

Broadcom has warned of a high-severity flaw (CVE-2025-22217, CVSS 8.6) in VMware Avi Load Balancer, allowing attackers to gain unauthenticated database access via blind SQL injection.

Attackers with network access can exploit this by sending crafted SQL queries. The flaw, discovered by Daniel Kukuczka and Mateusz Darda, affects:

  • 30.1.1, 30.1.2 (Fixed in 30.1.2-2p2)
  • 30.2.1 (Fixed in 30.2.1-2p5)
  • 30.2.2 (Fixed in 30.2.2-2p2)

Versions 22.x and 21.x are not affected. Users on 30.1.1 must upgrade to 30.1.2+ before patching.

There are no workarounds, making immediate updates essential for security.

5. Hackers Actively Exploiting Zyxel 0-day Vulnerability to Execute Arbitrary Commands

A zero-day vulnerability (CVE-2024-40891) in Zyxel CPE devices is being actively exploited, allowing attackers to execute arbitrary commands without authentication. This flaw poses serious risks, including system compromise, data theft, and network infiltration.

Security scans have identified over 1,500 infected devices, with no official fix available. The flaw, a command injection issue in telnet service accounts (e.g., “supervisor,” “zyuser”), enables attackers to send crafted telnet requests to gain control.

Researchers at GreyNoise and VulnCheck confirmed active exploitation, but Zyxel has not yet released a patch.

Mitigation Steps:

  • Monitor network traffic for suspicious telnet activity.
  • Restrict access to admin interfaces from trusted IPs.
  • Disable remote management to reduce attack surfaces.
  • Check for Zyxel security updates and apply patches when available.

Organizations using Zyxel CPE devices must act immediately to mitigate threats while awaiting an official fix.

6. GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Several security vulnerabilities, collectively named Clone2Leak, have been found in GitHub Desktop and related Git projects, potentially exposing users’ Git credentials.

Key Vulnerabilities:

  • CVE-2025-23040 (6.6 CVSS) – Crafted URLs can leak credentials in GitHub Desktop.
  • CVE-2024-50338 (7.4 CVSS) – Carriage return character smuggling in Git Credential Manager.
  • CVE-2024-53263 (8.5 CVSS) – Git LFS leaks credentials via HTTP URL injection.
  • CVE-2024-53858 (6.5 CVSS) – GitHub CLI leaks authentication tokens to unauthorized hosts.

Exploitation could allow attackers to access privileged Git resources. Git has patched CVE-2024-52006 and CVE-2024-50349 in v2.48.1.

Mitigation Steps:

  • Update Git, GitHub Desktop, and Git LFS to the latest versions.
  • Avoid cloning untrusted repositories with --recurse-submodules.
  • Disable credential helpers and use public repositories when possible.
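To illustrate the carriage-return smuggling class of bug and the kind of check that closes it, here is an added example that is not Git's or GitHub Desktop's code. It builds the line-based key=value request a credential helper receives (a simplified form of that protocol, assumed here) and refuses any remote URL whose decoded fields contain a carriage return, newline or NUL; the URLs in the test are constructed.

```python
from urllib.parse import unquote, urlsplit

# Bytes that would let one field be read as a second protocol line.
FORBIDDEN = {"\r", "\n", "\x00"}

def credential_request(remote_url):
    """Return the helper request for remote_url, or raise if a field is unsafe.

    Fields are percent-decoded first, because the helper sees decoded text:
    a %0d in the path or host becomes a real carriage return there.
    """
    parts = urlsplit(remote_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) remotes are handled here")
    host = unquote(parts.hostname or "")
    if parts.port:
        host += f":{parts.port}"
    fields = {"protocol": parts.scheme, "host": host, "path": unquote(parts.path.lstrip("/"))}
    if parts.username is not None:
        fields["username"] = unquote(parts.username)
    for key, value in fields.items():
        if any(ch in value for ch in FORBIDDEN):
            raise ValueError(f"control character in {key}; refusing to contact helper")
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"

def is_safe_remote(remote_url):
    """Convenience wrapper: True when the URL passes the checks above."""
    try:
        credential_request(remote_url)
        return True
    except ValueError:
        return False
```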

Programmer’s Digest #118

01/15/2025-01/22/2025 Ivanti Patches Critical Vulnerabilities, Malicious npm Packages Stealing Solana Wallet Keys, New UEFI Secure Boot Flaw And More.

1. Ivanti Patches Critical Vulnerabilities in Endpoint Manager

Ivanti announced patches for critical and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM). The most severe issues are four absolute path traversal bugs in EPM (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159) with a CVSS score of 9.8. These impact EPM 2024 and 2022 SU6 (with November 2024 updates) and could leak sensitive data remotely without authentication. January 2025 updates also address 12 high-severity flaws, including remote code execution (RCE), denial-of-service (DoS), and privilege escalation.

Avalanche 6.4.7 resolves three high-severity path traversal vulnerabilities (CVE-2024-13181, CVE-2024-13180, CVE-2024-13179) that could bypass authentication and leak data. Two also fix incomplete October 2024 patches. Application Control Engine updates (versions 2024.3 HF1, 2024.1 HF4, 2023.3 HF3) address a high-severity race condition flaw requiring authentication to exploit. No fixes will be provided for older modules.

2. Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP

Cybersecurity researchers have identified malicious npm and PyPI packages capable of stealing and deleting sensitive data. Notable packages include:

  • npm: @async-mutex/mutex, dexscreener, solana-transaction-toolkit, solana-stable-web-huks, cschokidar-next, achokidar-next, achalk-next, csbchalk-next, cschalk.
  • PyPI: pycord-self.

The first four npm packages intercept Solana private keys, using Gmail’s SMTP servers to exfiltrate data, and can drain up to 98% of wallet contents. GitHub repositories promoting these packages, linked to accounts like “moonshot-wif-hwan”, have been taken down. Other npm packages feature a “kill switch” to wipe project files and exfiltrate environment variables. For instance, csbchalk-next activates deletion only upon receiving a specific server response.

PyPI package pycord-self targets Python developers by capturing Discord tokens and establishing persistent backdoor access.

Additionally, attackers target Roblox users via fake libraries leveraging open-source stealer malware. Developers are advised to exercise caution and verify package authenticity.

3. New UEFI Secure Boot Flaw Exposes Systems to Bootkits

A new UEFI Secure Boot bypass vulnerability, CVE-2024-7344, impacts a Microsoft-signed application and can deploy bootkits even with Secure Boot enabled. Bootkits are hard to detect, as they load before the OS and persist after re-installs.

The vulnerability arises from a custom PE loader in certain UEFI recovery tools, bypassing Secure Boot validation. The affected application uses insecure methods to decrypt and execute binaries, allowing attackers to replace the default bootloader with a vulnerable one and deploy a malicious payload.

Impacted products include:

  • Howyar SysReturn <10.2.023_20240919
  • Greenware GreenGuard <10.2.023-20240927
  • Radix SmartRecovery <11.2.023-20240927
  • Others listed by ESET.

Microsoft patched the issue on January 14, 2025, revoking certificates for affected UEFI apps. Users should install the latest updates to mitigate risks. ESET provided PowerShell commands to verify certificate revocations and demonstrated the exploit in a video.

4. Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

Researchers have uncovered three vulnerabilities in Planet Technology’s WGS-804HPT industrial switches that could enable pre-authentication remote code execution. These switches are widely used in building and home automation networks, making them a critical target for attackers.

Claroty’s analysis revealed the flaws in the dispatcher.cgi interface, which powers the switches’ web service:

  • CVE-2024-52558 (CVSS 5.3): An integer underflow flaw causing a crash via malformed HTTP requests.
  • CVE-2024-52320 (CVSS 9.8): An OS command injection flaw enabling remote code execution.
  • CVE-2024-48871 (CVSS 9.8): A stack-based buffer overflow leading to remote code execution.

Exploiting these flaws allows attackers to embed shellcode in HTTP requests, hijack execution flow, and execute OS commands.

Planet Technology patched the issues with firmware version 1.305b241111, released on November 15, 2024. Users are urged to update immediately to mitigate the risk.
