Programmer’s Digest #29
04/20/2023-04/27/2023 Critical Patches for Workstation and Fusion Software, SLP Vulnerability, Exploit Released For PaperCut Flaw And More
1. VMware Releases Critical Patches for Workstation and Fusion Software
VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. VMware has also patched two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7). While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution.
2. New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks
Details have emerged about a high-severity security vulnerability impacting Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2,200 times, potentially making it one of the largest amplification attacks ever reported. The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet. Successful exploitation of CVE-2023-29552 could permit an attacker to take advantage of susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with bogus traffic. The best option to address CVE-2023-29552 is to upgrade to a supported release line that is not impacted by the vulnerability.
3. Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack
Threat actors are employing a previously undocumented “defense evasion tool” dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms. Using a validly signed but susceptible driver lets the attacker bypass a key Windows safeguard known as Driver Signature Enforcement, which ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.
4. Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites
Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into pages and posts of WordPress sites, which is then executed every time the posts are opened in a web browser. GoDaddy’s Sucuri found that infected websites had malicious code injected into the “wp_posts” table, which stores posts, pages, and navigation menus. The injected code creates a PHP script containing a remote code execution backdoor using the file_put_contents function. Sucuri detected over 6,000 instances of this backdoor in the last 6 months, originating from three Russian IP addresses. Attackers established persistent backdoors by misusing the Eval PHP plugin to save rogue pages as drafts. Rogue pages were created with a legitimate site administrator as the author, suggesting successful login as a privileged user. The plugin was used to execute PHP code inside shortcodes, making it easy to reinfect the website and stay hidden.
Recommendation
Site owners are advised to secure the WP Admin dashboard and watch out for any suspicious logins, to prevent threat actors from gaining admin access and installing the plugin.
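A defender-side check for the injection pattern described above, written as an added example (not Sucuri's or the plugin's code): it scans exported wp_posts rows for the Eval PHP shortcode and a file_put_contents dropper, and reports drafts as well, since the campaign parked its rogue pages there. The [evalphp] tag is assumed to be the plugin's shortcode name, and the sample rows are constructed.

```python
import re

# Indicators taken from the campaign description: the Eval PHP shortcode
# wrapping PHP, and a dropper writing a file with file_put_contents.
# eval()/base64_decode() are assumed extras for common dropper obfuscation.
INDICATORS = {
    "evalphp_shortcode": re.compile(r"\[evalphp\b", re.I),   # tag name assumed
    "file_put_contents": re.compile(r"\bfile_put_contents\s*\(", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
}
# Dropper that writes a .php file somewhere on disk: the strongest signal.
WRITES_PHP = re.compile(r"file_put_contents\s*\(\s*['\"][^'\"]*\.php['\"]", re.I)


def scan_posts(rows):
    """Return one finding per row whose post_content matches an indicator.

    Drafts are not skipped: a draft never renders on the public site, but the
    shortcode still executes whenever the post is previewed or opened.
    """
    findings = []
    for row in rows:
        content = row.get("post_content", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
        if hits:
            findings.append({
                "ID": row["ID"],
                "post_author": row.get("post_author"),   # check against known admins
                "post_status": row.get("post_status"),
                "indicators": hits,
                "writes_php_file": bool(WRITES_PHP.search(content)),
            })
    return findings


# Constructed sample rows mirroring wp_posts columns (not real site data).
SAMPLE_ROWS = [
    {"ID": 101, "post_author": 1, "post_status": "publish",
     "post_content": "<p>Welcome to our shop.</p> [gallery ids=\"3,4\"]"},
    {"ID": 102, "post_author": 1, "post_status": "draft",
     "post_content": "[evalphp] file_put_contents('wp-content/uploads/x.php', "
                     "base64_decode('Q09OU1RSVUNURUQ=')); [/evalphp]"},
    {"ID": 103, "post_author": 2, "post_status": "publish",
     "post_content": "[evalphp] echo date('Y'); [/evalphp]"},
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_ROWS):
        print(finding)
```

Any hit on a draft authored by an administrator account deserves a look at that account's login history, which is the signal the recommendation above asks site owners to watch for.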
5. CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, after evidence of active exploitation. The vulnerabilities are:
- CVE-2023-28432, a MinIO information disclosure vulnerability.
- CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG.
- CVE-2023-2136, a Google Chrome Skia integer overflow vulnerability.
MinIO maintainers said the information disclosure flaw disclosed all environment variables in a cluster deployment. As many as 18 unique malicious IP addresses from five countries attempted to exploit the flaw over the past 30 days. Threat intelligence firm GreyNoise also noted that an older version of MinIO that’s vulnerable to CVE-2023-28432 was being used in a reference implementation provided by OpenAI for developers to integrate their plugins with ChatGPT. Another flaw affecting PaperCut print management software has been addressed by the vendor.
6. Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases
A chain of two critical flaws has been disclosed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers. The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to remote code execution on them. In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server. Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.
7. Exploit Released For PaperCut Flaw Abused To Hijack Servers
Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software and take over servers.
The software’s developer claims it’s used by more than 100 million users from over 70,000 companies worldwide.
The two security flaws (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don’t require user interaction.
Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Upgrading to one of these fixed versions is recommended.