Programmer’s Digest #111
11/27/2024-12/04/2024: Veeam RCE Vulnerability, Critical SailPoint IdentityIQ Vulnerability, and ProjectSend, North Grid Proself, and Zyxel Firewall Bugs.
1. XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner
Researchers uncovered a year-long software supply chain attack on the npm registry involving the package @0xengine/xmlrpc, initially published as a JavaScript XML-RPC library. Malicious code was introduced in version 1.3.4, enabling the theft of SSH keys, bash history, system metadata, and environment variables every 12 hours. It also installed the XMRig cryptocurrency miner, compromising at least 68 systems. The attack spread through npm installations and a GitHub project named yawpp, which listed the malicious package as a dependency, causing automatic downloads during setup. The malware established persistence using systemd, monitored processes to evade detection, and suspended mining when user activity was detected.
This incident highlights the risks of supply chain attacks. “Even well-maintained packages can become malicious,” warned security researcher Yehuda Gelb. Additionally, Datadog Security Labs reported another campaign using fake npm and PyPI packages to deploy malware targeting Roblox developers.
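A dependency-lockfile check for the package named in this item, added here as a defender-side example (not code from the researchers or from the digest). It flags every copy of `@0xengine/xmlrpc` found in a `package-lock.json`, whether the file is in the flat lockfileVersion 2/3 layout or the nested v1 layout, and marks versions at or after 1.3.4, the release in which the malicious code was introduced; the sample lockfile and the `example-tool` dependency in it are constructed for illustration.

```python
import json

# Package and first malicious release as reported in the digest item above.
MALICIOUS_PACKAGE = "@0xengine/xmlrpc"
FIRST_BAD_VERSION = "1.3.4"

def _ver_tuple(version):
    """Turn 'x.y.z' (pre-release/build suffixes dropped) into a comparable tuple of ints."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_flagged_version(version):
    """True when the resolved version is at or after the release that introduced the malicious code."""
    return _ver_tuple(version) >= _ver_tuple(FIRST_BAD_VERSION)

def find_package(lock):
    """Return [(install_path, resolved_version)] for every copy of the package in a parsed lockfile.
    Handles lockfileVersion 2/3 (flat 'packages' map keyed by path) and v1 (nested 'dependencies')."""
    hits = []
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path.endswith("node_modules/" + MALICIOUS_PACKAGE):
                hits.append((path, entry.get("version", "")))
        return hits
    def walk(deps, prefix):
        for name, entry in deps.items():
            path = prefix + "node_modules/" + name
            if name == MALICIOUS_PACKAGE:
                hits.append((path, entry.get("version", "")))
            walk(entry.get("dependencies", {}), path + "/")  # v1 nests transitive deps under the parent
    walk(lock.get("dependencies", {}), "")
    return hits

def scan_lockfile(text):
    """Parse lockfile text and report each hit with whether its version falls in the malicious range."""
    lock = json.loads(text)
    return [{"path": p, "version": v, "malicious_range": is_flagged_version(v)} for p, v in find_package(lock)]

# Constructed sample (lockfileVersion 3): a hypothetical 'example-tool' pulls the package in transitively.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-tool": "1.0.0"}},
        "node_modules/example-tool": {"version": "1.0.0", "dependencies": {"@0xengine/xmlrpc": "^1.3.4"}},
        "node_modules/example-tool/node_modules/@0xengine/xmlrpc": {"version": "1.3.4"},
    },
})
```

Run `scan_lockfile(open("package-lock.json").read())` against a real project to list every install path of the package together with its resolved version.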
2. Veeam Service Provider RCE Vulnerability Let Attackers Execute Arbitrary Code
Veeam has disclosed two major vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution (RCE) flaw. The most severe issue, CVE-2024-42448, has a CVSS score of 9.9, allowing attackers to execute arbitrary code on unpatched VSPC servers if the management agent is authorized. Another vulnerability, CVE-2024-42449, rated at 7.1, enables attackers to steal NTLM hashes and potentially delete files. Both flaws affect VSPC version 8.1.0.21377 and earlier. Veeam urges users to upgrade to the patched version (8.1.0.21999) immediately, as no mitigation methods are available. These vulnerabilities underscore the need for timely updates, especially after incidents like ransomware attacks exploiting prior Veeam flaws. Organizations must act quickly to secure their systems and safeguard data from potential threats.
3. Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access
A critical vulnerability in SailPoint’s IdentityIQ software (CVE-2024-10905) has been disclosed, earning a maximum CVSS score of 10.0. This flaw affects IdentityIQ versions 8.2, 8.3, 8.4, and earlier. The issue stems from improper handling of virtual resource file names (CWE-66), enabling unauthorized HTTP access to static content in the application directory, potentially exposing sensitive files. Impacted versions include all 8.4 patch levels before 8.4p2, 8.3 versions before 8.3p5, 8.2 versions before 8.2p8, and all prior releases.
SailPoint has not yet issued a security advisory or additional details about the flaw. Organizations using affected versions should upgrade to patched levels immediately to mitigate risks.
4. Decade-Old Cisco Vulnerability Under Active Exploit
Cisco has issued a warning about active exploitation of a decade-old vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA). The flaw, found in ASA’s WebVPN login page, allows unauthenticated attackers to launch cross-site scripting (XSS) attacks by tricking users into clicking malicious links. Cisco first identified the vulnerability in 2014, citing insufficient input validation. Recent in-the-wild exploitation attempts were reported in November 2024. The company urges users to upgrade to a fixed software release, as no workarounds are available.
5. CISA Adds Three Vulnerabilities to its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2023-45727 (Proself): XXE flaw in versions before Ver5.62, Ver1.65, and Ver1.08 allows unauthenticated attackers to read server files.
- CVE-2024-11680 (ProjectSend): Improper authentication in versions before r1720 enables attackers to modify configurations, upload webshells, and embed malicious JavaScript.
- CVE-2024-11667 (Zyxel): Directory traversal flaw in firmware V5.00–V5.38 allows file upload/download via crafted URLs.
The ProjectSend flaw (CVSS 9.8) has been exploited in the wild since September 2024 using tools like Metasploit. Attackers enable user registration, modify configurations, and store webshells in predictable locations. CISA urges FCEB agencies to patch these flaws under BOD 22-01, and private organizations are advised to review and address the vulnerabilities to secure their systems.