12/28/2022-01/04/2023. PyTorch Machine Learning Framework Compromised, WordPress Security Alert, Exploitation of JasperReports Vulnerabilities And More

1. PyTorch Machine Learning Framework Compromised with Malicious Dependency

The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a dependency confusion attack. The PyTorch team said that it became aware of the malicious dependency on December 30. The supply chain attack entailed uploading the malware-laced copy of a legitimate dependency named torchtriton to the Python Package Index (PyPI) code repository. Since package managers like pip check public code registries such as PyPI for a package before private registries, it allowed the fraudulent module to be installed on users’ systems as opposed to the actual version pulled from the third-party index. As mitigations, torchtriton has been removed as a dependency and replaced with pytorch-triton. A dummy package has also been registered on PyPI as a placeholder to prevent further abuse.

2. WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites. The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network. It’s also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker’s choice. WordPress users are recommended to keep all the components of the platform up-to-date, including third-party add-ons and themes. It’s also advised to use strong and unique logins and passwords to secure their accounts.
 

3. CISA Warns of Active Exploitation of JasperReports Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two years-old security flaws impacting TIBCO Software’s JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. The first of the two issues, CVE-2018-5430, relates to an information disclosure bug in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configurations.

JasperReports Vulnerabilities

The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server.
CVE-2018-18809 is a directory traversal vulnerability in the JasperReports Library that could permit web server users to access sensitive files on the host, potentially making it possible for an attacker to steal credentials and break into other systems. 
 

4. Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8). While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix  warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.  According to a new analysis from NCC Group’s Fox-IT research team, thousands of internet-facing Citrix servers are still unpatched, making them an attractive target for hacking crews. This includes over 3,500 Citrix ADC and Gateway servers running version 12.1-65.21 that are susceptible to CVE-2022-27518, as well as more than 500 servers running 12.1-63.22 that are vulnerable to both flaws. A majority of the servers, amounting to no less than 5,000, are running 13.0-88.14, a version that’s immune to CVE-2022-27510 and CVE-2022-27518.

5. Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

 Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities. One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.
The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”. The remaining vulnerabilities impact MicroLogix 1100 and 1400 programmable logic controllers (PLCs). One of the security holes, CVE-2022-46670, is a stored cross-site scripting (XSS) issue in the embedded webserver that can be exploited for remote code execution without authentication. The second bug, CVE-2022-3166, is a clickjacking issue that can be exploited by an attacker with network access to the affected device to cause a DoS condition for the webserver application. 
The first two vulnerabilities have been patched with updates. For the last two issues, the vendor has made available mitigations that should prevent attacks.

6. Critical Vulnerabilities Patched in Synology Routers

Taiwan-based networking and storage solutions provider Synology has informed customers about the availability of patches for several critical vulnerabilities, including flaws likely exploited recently at the Pwn2Own hacking contest. The company published two new critical advisories in late December. One of them describes an internally discovered vulnerability affecting Synology VPN Plus Server, which turns routers into an advanced VPN server.
The security hole, tracked as CVE-2022-43931, is an out-of-bounds write issue in the remote desktop functionality of VPN Plus Server. It can allow a remote attacker to execute arbitrary commands. The second advisory describes multiple vulnerabilities impacting the Synology Router Manager (SRM), the operating system that powers the firm’s routers. The flaws can be exploited for arbitrary command execution, denial-of-service (DoS) attacks, and reading arbitrary files.