
Programmer’s Digest #30

04/26/2023-05/03/2023 New BGP Flaws, Apache Superset Vulnerability, Zyxel Firewall Devices Vulnerable And More

1. CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity. Successful exploitation of this vulnerability could allow remote code execution. CISA has also urged entities to adopt guidance issued by NIST to identify, assess, and mitigate supply chain risks, and to enroll in the agency’s free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

2. Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It’s currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks. BGP is a gateway protocol that’s designed to exchange routing and reachability information between autonomous systems. It’s used to find the most efficient routes for delivering internet traffic. The three flaws (CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681), each with a CVSS score of 6.5, involve out-of-bounds reads when processing malformed BGP OPEN messages. These flaws could result in a DoS attack, rendering the peer unresponsive by dropping all BGP sessions and routing tables.
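The root cause in the item above is a parser that trusts length fields inside an OPEN message. The following is an added example, not FRRouting code and not from the original digest: a small BGP OPEN parser following the RFC 4271 layout (19-byte header, 10-byte fixed body, then type/length optional parameters, with capabilities nested inside parameter type 2) that validates every length field against the bytes actually present before reading them. The sample messages are constructed here; the ASN, hold time and BGP identifier values are arbitrary.

```python
import struct

BGP_HEADER_LEN = 19          # 16-byte marker + 2-byte length + 1-byte type
BGP_OPEN_TYPE = 1
OPEN_FIXED_LEN = 10          # version(1) + my AS(2) + hold time(2) + BGP id(4) + opt parm len(1)
PARAM_CAPABILITIES = 2       # optional parameter type carrying capabilities


class MalformedOpen(ValueError):
    """Raised when an OPEN message fails a length or framing check."""


def parse_capabilities(val: bytes) -> list:
    """Parse the (code, length, value) triples inside a Capabilities parameter."""
    caps, off = [], 0
    while off < len(val):
        if off + 2 > len(val):
            raise MalformedOpen("capability header truncated")
        code, clen = val[off], val[off + 1]
        off += 2
        # A claimed capability length must fit inside the enclosing parameter.
        if off + clen > len(val):
            raise MalformedOpen(f"capability {code} claims {clen} bytes, "
                                f"only {len(val) - off} present")
        caps.append((code, val[off:off + clen]))
        off += clen
    return caps


def parse_open(msg: bytes) -> dict:
    """Parse a BGP OPEN message, rejecting any inconsistent length field."""
    if len(msg) < BGP_HEADER_LEN:
        raise MalformedOpen("shorter than BGP header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != b"\xff" * 16:
        raise MalformedOpen("bad marker")
    if length != len(msg):
        raise MalformedOpen(f"header length {length} != buffer length {len(msg)}")
    if msg_type != BGP_OPEN_TYPE:
        raise MalformedOpen(f"message type {msg_type} is not OPEN")
    if length < BGP_HEADER_LEN + OPEN_FIXED_LEN:
        raise MalformedOpen("OPEN fixed fields truncated")

    body = msg[BGP_HEADER_LEN:]
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHHIB", body[:OPEN_FIXED_LEN])
    opt = body[OPEN_FIXED_LEN:]
    # Opt Parm Len must account for exactly the remaining bytes.
    if opt_len != len(opt):
        raise MalformedOpen(f"opt parm len {opt_len} != remaining {len(opt)}")

    params, off = [], 0
    while off < opt_len:
        if off + 2 > opt_len:
            raise MalformedOpen("optional parameter header truncated")
        ptype, plen = opt[off], opt[off + 1]
        off += 2
        if off + plen > opt_len:
            raise MalformedOpen(f"parameter {ptype} overruns Opt Parm Len")
        pval = opt[off:off + plen]
        off += plen
        if ptype == PARAM_CAPABILITIES:
            params.append(("capabilities", parse_capabilities(pval)))
        else:
            params.append((ptype, pval))
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": bgp_id, "params": params}


def is_well_formed(msg: bytes) -> bool:
    """Convenience wrapper: True if parse_open accepts the message."""
    try:
        parse_open(msg)
        return True
    except MalformedOpen:
        return False


def build_open(my_as: int, hold_time: int, bgp_id: int, opt_params: bytes = b"") -> bytes:
    """Build an OPEN message with a correct header length (used for the samples)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(opt_params)) + opt_params
    return b"\xff" * 16 + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_OPEN_TYPE) + body


# Constructed samples. Parameter type 2, length 6, wrapping one multiprotocol
# capability (code 1, length 4, AFI=1 / SAFI=1).
VALID_OPEN = build_open(65001, 90, 0xC0000201, b"\x02\x06" + b"\x01\x04\x00\x01\x00\x01")
# Same framing, but the inner capability claims 32 bytes where only 4 exist:
# exactly the kind of inconsistency a bounds-checked parser must reject.
MALFORMED_OPEN = build_open(65001, 90, 0xC0000201, b"\x02\x06" + b"\x01\x20\x00\x01\x00\x01")

if __name__ == "__main__":
    print(parse_open(VALID_OPEN))
    print("malformed accepted:", is_well_formed(MALFORMED_OPEN))
```

The important design point is that each nesting level (header, optional parameters, capabilities) is checked against the length of its own enclosing container, not just the outer message length; the reported flaws sit at exactly those inner levels.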

3. Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

Three high-severity security vulnerabilities have been added to the KEV catalog: CVE-2023-1389, CVE-2021-45046, and CVE-2023-21839. CVE-2023-1389 is a command injection flaw affecting TP-Link Archer AX-21 routers that has been exploited by the Mirai botnet since April 11, 2023. CVE-2021-45046 is a remote code execution flaw in the Apache Log4j2 logging library, with evidence of exploitation attempts over the past 30 days. CVE-2023-21839 is an unspecified vulnerability in Oracle WebLogic Server that allows unauthorized access to sensitive data via T3 and IIOP. All three vulnerabilities have a high CVSS score and pose significant security risks. It is essential to apply patches and security updates promptly to avoid potential security breaches.

4. Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Zyxel has released patches for a critical security flaw in its firewall devices, tracked as CVE-2023-28771, which could lead to remote code execution. The vulnerability, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. The flaw was caused by “improper error message handling” in some firewall versions, enabling unauthenticated attackers to remotely execute OS commands by sending forged packets to an impacted device. Zyxel has also addressed a high-severity post-authentication command injection flaw affecting specific firewall versions, which allowed authenticated attackers to remotely execute some OS commands. The firm further fixed five high-severity vulnerabilities and one medium-severity bug impacting numerous firewalls and access point devices, which could result in code execution and a denial-of-service condition.

5. RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The RTM Locker ransomware group has developed a new strain capable of infecting Linux machines, marking their first foray into open source operating systems. According to a report by Uptycs, the malware is inspired by the Babuk ransomware’s leaked source code and encrypts files using a combination of asymmetric and symmetric encryption. RTM Locker was first identified by Trellix, which described its developers as a private ransomware-as-a-service (RaaS) provider that avoids high-profile targets to draw as little attention as possible. The Linux version targets ESXi hosts by terminating all virtual machines running on a compromised host before starting the encryption process. The initial infector used to deliver the ransomware is unknown, and the encryption function uses pthreads to speed up execution. After successful encryption, victims must contact the support team within 48 hours via Tox or risk having their data published.

6. Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apache Superset has released fixes for a vulnerability that could lead to remote code execution. Versions up to and including 2.0.1 are impacted by the vulnerability, which relates to the use of a default SECRET_KEY that can be used by attackers to access unauthorized resources on internet-exposed installations. The issue allows an attacker to gain remote code execution, steal credentials, and compromise data. Horizon3.ai’s chief architect, Naveen Sunkavally, warns of “a dangerous default configuration in Apache Superset.” Superset instances that have changed the default value for the SECRET_KEY configuration to a more cryptographically secure random string are not affected by the flaw. The vulnerability is tracked as CVE-2023-27524 and has a CVSS score of 8.9.
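Since the fix for the Superset issue above is simply to set a strong, unique `SECRET_KEY`, here is an added example (not Superset's own code and not from the original digest) of how that setting looks in a `superset_config.py`-style dictionary, weak beside hardened, together with a small audit function a deployment check could run. The placeholder strings in `KNOWN_PLACEHOLDER_KEYS` are constructed for this example; the digest does not reproduce the actual default values, so substitute the real ones from the advisory when using this. The generator mirrors the `openssl rand -base64 42` recommendation from the Superset documentation.

```python
import base64
import secrets

# Constructed placeholders standing in for the published default/sample keys.
KNOWN_PLACEHOLDER_KEYS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "EXAMPLE_DEFAULT_SECRET_KEY",
}
MIN_KEY_BYTES = 32   # assumption: require at least 256 bits of key material


def generate_secret_key(nbytes: int = 42) -> str:
    """Return a base64 string of nbytes random bytes (same shape as openssl rand -base64 42)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_key_is_acceptable(key) -> tuple:
    """Audit a SECRET_KEY value; returns (ok, reason)."""
    if not isinstance(key, str) or not key:
        return False, "SECRET_KEY is missing or empty"
    if key in KNOWN_PLACEHOLDER_KEYS:
        return False, "SECRET_KEY is a known placeholder/default value"
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        return False, f"SECRET_KEY shorter than {MIN_KEY_BYTES} bytes"
    if len(set(key)) < 8:
        return False, "SECRET_KEY has very low character diversity"
    return True, "ok"


def audit_config(config: dict) -> tuple:
    """Audit the SECRET_KEY entry of a Superset-style config dictionary."""
    return secret_key_is_acceptable(config.get("SECRET_KEY"))


# The weak shape: a copied sample value that every other install also has.
WEAK_CONFIG = {"SECRET_KEY": "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}

# The corrected shape: a per-deployment random value (in practice read from a
# secret store or environment variable rather than generated at import time).
HARDENED_CONFIG = {"SECRET_KEY": generate_secret_key()}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

Rotating the key invalidates sessions signed with the old one, so schedule the change with a forced re-login rather than treating it as a silent config edit.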
