Programmer’s Digest #115
12/25/2024-01/03/2025 Severe Security Flaws Patched in Microsoft Dynamics 365, Malicious Obfuscated NPM Package, Apache MINA CVE-2024-52046.
1. Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption
Microsoft has announced a change to how .NET installers and archives are distributed, requiring developers to update their infrastructure. This change follows Akamai’s acquisition of assets from Edgio, which is shutting down its service on January 15, 2025. .NET binaries are currently hosted on Edgio’s CDN, but Microsoft is migrating to Azure Front Door CDNs. If no action is taken, Microsoft will automatically migrate customers by January 7, 2025. However, automatic migration won’t be possible for some endpoints, and users migrating to other CDNs must set a feature flag by the same date. Configuration changes to Azure CDN by Edgio profiles will freeze on January 3, 2025. Microsoft recommends migrating to a custom domain to avoid future risks. Users must also update their codebases to avoid relying on *.azureedge[.]net.
2. Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API
Three security vulnerabilities in Dynamics 365 and Power Apps Web API, discovered by Stratus Security, were patched in May 2024. Two flaws are in the OData Web API Filter, and one is in the FetchXML API. The first vulnerability allows unauthorized access to sensitive data, like password hashes, through a lack of access control. Attackers can exploit this by performing a sequential search to retrieve the complete password hash. The second flaw lets attackers use the orderby clause to extract data from columns like email addresses. The FetchXML vulnerability allows attackers to bypass access controls and retrieve restricted data using a crafted query. These flaws could enable attackers to steal or sell password hashes and emails. Stratus Security emphasizes the need for constant cybersecurity vigilance, especially for large data holders like Microsoft.
3. Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT
Researchers found a malicious package on npm, named ethereumvulncontracthandler, disguised as an Ethereum vulnerability detection tool. Published on December 18, 2024, it has been downloaded 66 times. When installed, it retrieves a script from a remote server to deploy the Quasar RAT, a remote access trojan, on Windows systems. The trojan uses techniques like Base64 and XOR encoding to avoid detection and establishes persistence by modifying the Windows Registry. It then connects to a command-and-control server to exfiltrate data and receive instructions. The Quasar RAT has been used in cybercrime and espionage campaigns since 2014. This discovery highlights the growing issue of fake “stars” on GitHub, used to artificially inflate the popularity of malicious repositories. Researchers urge caution, noting that star counts alone are unreliable for assessing repository quality.
4. Palo Alto Networks Patches DoS Bug in PAN-OS Software
Palo Alto Networks released a patch on Dec. 26 for a high-severity DoS vulnerability (CVE-2024-3393) in the DNS security feature of its PAN-OS firewall software. The flaw allows unauthenticated attackers to send malicious packets that reboot the firewall, causing it to enter maintenance mode after repeated attempts. This issue affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS 10.2.8 and later, or prior to 11.2.3. The company has issued patches for affected versions. Experts warn that the vulnerability could disrupt network operations, requiring manual intervention. Palo Alto Networks discovered this flaw in production, indicating potential active exploitation. Immediate patching is recommended to avoid service disruptions and ensure continued protection from DNS-based attacks.
5. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
The Apache Software Foundation (ASF) has released patches for a critical vulnerability in the MINA Java network framework, tracked as CVE-2024-52046, with a CVSS score of 10.0. The flaw affects versions 2.0.X, 2.1.X, and 2.2.X. It arises from the ObjectSerializationDecoder, which improperly handles Java’s native deserialization protocol, allowing remote code execution (RCE) if exploited with specially crafted data. The vulnerability is exploitable only when specific methods and classes are used. ASF advises upgrading and explicitly configuring the decoder to accept safe classes. This disclosure follows recent fixes for vulnerabilities in Tomcat, Traffic Control, HugeGraph-Server, and Struts, all with significant security implications. Users are urged to update to protect against potential threats.
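As an added illustration of the mitigation described above (not code from this digest or from the MINA project), here is a codec factory that gives `ObjectSerializationDecoder` an explicit allowlist; the DTO class names are hypothetical, and `accept(String...)` is the allowlisting method the 2.2.4 fix introduces as I understand the project's advisory, so confirm it against the release's Javadoc.

```java
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Codec factory whose decoder only deserializes an explicit set of classes.
 * Before the 2.2.4 fix, a plain "new ObjectSerializationDecoder()" would
 * instantiate any class reachable on the classpath, which is what turned
 * CVE-2024-52046 into remote code execution; after the fix the decoder
 * rejects every class until it is told what to accept.
 */
public final class AllowlistedObjectCodecFactory implements ProtocolCodecFactory {

    // Hypothetical application message types; replace with your own DTOs.
    // Every class in the serialized graph, including field types of these
    // DTOs, must be covered here or deserialization is rejected.
    private static final String[] ALLOWED_CLASSES = {
        "com.example.messages.PingRequest",
        "com.example.messages.PingResponse"
    };

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return new ObjectSerializationEncoder();
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Cap the payload size so one oversized object cannot exhaust memory.
        decoder.setMaxObjectSize(64 * 1024);
        // Allowlist only the expected message classes; anything else is
        // refused before its readObject() logic can run (2.2.4 API, assumed).
        decoder.accept(ALLOWED_CLASSES);
        return decoder;
    }

    // Wires the codec into an acceptor; handler and bind() are left to the caller.
    public static NioSocketAcceptor newAcceptor() {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec",
            new ProtocolCodecFilter(new AllowlistedObjectCodecFactory()));
        return acceptor;
    }
}
```

Upgrading alone leaves a service that deserializes nothing, so deployments that rely on the object codec will see decode failures until an allowlist like this one is in place.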