Programmer’s Digest #31
05/04/2023-05/10/2023 Critical PaperCut Vulnerability, MSI Data Breach, New Linux Kernel NetFilter Flaw And More
1. Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
Iranian nation-state groups have been exploiting a critical vulnerability in PaperCut print management software, according to Microsoft’s threat intelligence team. Both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) have been observed exploiting CVE-2023-27350 to gain initial access. While the former is said to be using tools from previous intrusions to connect to their C2 infrastructure, the latter has been able to quickly incorporate proof-of-concept exploits into their operations. Both groups are known state-sponsored actors, with Mango Sandstorm linked to Iran’s Ministry of Intelligence and Security and Mint Sandstorm associated with the Islamic Revolutionary Guard Corps. This comes after cybercrime gang Lace Tempest was found to have abused the same vulnerability to distribute ransomware. PaperCut released a patch for the flaw on March 8, 2023, and Trend Micro’s Zero Day Initiative is expected to release more technical information about it on May 10, 2023.
2. MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
MSI's private code signing keys have been leaked on a dark website. The leaked data includes firmware image signing keys for 57 PCs and private signing keys for Intel Boot Guard used in 116 MSI products. The impact of the leaked keys extends beyond MSI to device vendors such as Intel, Lenovo, and Supermicro. Intel Boot Guard is a hardware-based security technology that safeguards against the execution of tampered UEFI firmware. The leak undermines firmware integrity checks, enabling threat actors to sign and deploy malicious updates and payloads undetected. This incident follows a double extortion ransomware attack on MSI by the Money Message gang, but MSI reported a gradual return to normal operations with no major financial impact. Users were advised to obtain firmware/BIOS updates exclusively from the official website and to beware of fraudulent emails claiming collaboration with MSI. Notably, this is not the first time UEFI firmware code has been exposed, as a similar incident occurred with Alder Lake BIOS source code in October 2022.
3. New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, available in both a free and a pro version, has over two million active installations. The vulnerability allows an unauthenticated attacker to do anything from stealing sensitive information to, in this case, escalating privileges on the WordPress site by tricking a privileged user into visiting a crafted URL path. Reflected XSS attacks usually occur when victims are tricked into clicking a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user's browser. This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, which prompts threat actors to distribute the malicious link to as many victims as possible. It's worth noting that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, although it can also be triggered by logged-in users who have access to the plugin.
4. Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes. The package URLs were then changed to point to the forked repositories. The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The attack chain, in a nutshell, made it possible to point the Packagist page for each of these packages at a namesake GitHub repository, effectively altering the installation workflow used within Composer environments. Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents. Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It's also urging users to enable two-factor authentication (2FA) to secure their accounts.
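One defensive check that follows from the incident above is to audit composer.lock for packages whose source or dist URL no longer points at the expected upstream organisation. This is an added example, not Packagist's or Composer's own code; the lock fragment is constructed and the vendor-to-org allowlist (EXPECTED_ORGS) is a hypothetical placeholder a project would fill in from its own review.

```python
import json
from urllib.parse import urlparse

# Constructed composer.lock fragment for illustration (not real lock data).
# The second package is sourced from a repository outside the doctrine org,
# the pattern the hijack produced when package URLs were redirected to forks.
CONSTRUCTED_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/dbal",
         "source": {"type": "git", "url": "https://github.com/doctrine/dbal.git",
                    "reference": "a1b2c3"},
         "dist": {"type": "zip", "reference": "a1b2c3",
                  "url": "https://api.github.com/repos/doctrine/dbal/zipball/a1b2c3"}},
        {"name": "doctrine/orm",
         "source": {"type": "git", "url": "https://github.com/someone-else/orm.git",
                    "reference": "d4e5f6"},
         "dist": {"type": "zip", "reference": "d4e5f6",
                  "url": "https://api.github.com/repos/someone-else/orm/zipball/d4e5f6"}},
    ]
})

# Hypothetical allowlist: the GitHub org(s) each Composer vendor namespace is
# expected to be hosted under. Fill this from your own review of upstreams.
EXPECTED_ORGS = {"doctrine": {"doctrine"}}


def repo_owner(url):
    """Return (host, owner) for a github.com or api.github.com URL, lowercased."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parts and parts[0] == "repos":   # api.github.com/repos/<owner>/<repo>/...
        parts = parts[1:]
    owner = parts[0].lower() if parts else ""
    return parsed.netloc.lower(), owner


def check_lock(lock_text, expected_orgs=EXPECTED_ORGS):
    """Return (package, section, detail) findings for packages that drift
    from the expected org or whose source and dist references disagree."""
    findings = []
    for pkg in json.loads(lock_text).get("packages", []):
        allowed = expected_orgs.get(pkg["name"].split("/", 1)[0])
        if allowed is None:
            continue  # vendor not covered by the allowlist
        for section in ("source", "dist"):
            host, owner = repo_owner(pkg[section]["url"])
            if host not in ("github.com", "api.github.com") or owner not in allowed:
                findings.append((pkg["name"], section, pkg[section]["url"]))
        if pkg["source"]["reference"] != pkg["dist"]["reference"]:
            findings.append((pkg["name"], "reference", "source/dist mismatch"))
    return findings
```

Run it against the real composer.lock in CI so a lock file that quietly switches a package to a fork fails the build instead of being installed.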
5. Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service
Microsoft Azure API Management service has been found to have three security vulnerabilities, as disclosed by Israeli cloud security firm Ermetic. The vulnerabilities include two server-side request forgery (SSRF) flaws and one unrestricted file upload flaw in the API Management developer portal. Exploiting the SSRF vulnerabilities would allow attackers to send requests from the service's CORS proxy and hosting proxy, gaining access to internal Azure assets, bypassing web application firewalls, and potentially causing denial of service. The file upload vulnerability enables attackers to upload malicious files to Azure's internal workload. Azure API Management is a platform that allows organizations to securely expose their APIs. Microsoft has patched all three vulnerabilities following responsible disclosure.
6. GitHub Now Auto-Blocks Token and API key Leaks For All Repos
GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories. This feature proactively prevents leaks by scanning for secrets before 'git push' operations are accepted, and it works with 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) that can be detected with a low false-positive rate. Since its beta release, software developers who enabled it have averted around 17,000 accidental exposures of sensitive information, saving more than 95,000 hours that would've been spent revoking, rotating, and remediating compromised secrets, according to GitHub. Today, push protection is generally available for private repositories with a GitHub Advanced Security (GHAS) license.
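To show what "scanning before the push is accepted" means in practice, here is an added example of a local pre-push style check over a unified diff; it is not GitHub's scanner and covers only two well-known token shapes (classic GitHub PATs beginning with ghp_ and AWS access key IDs beginning with AKIA). The diff and the secrets in it are constructed placeholders.

```python
import re

# Constructed unified diff, as a pre-push hook might obtain it from
# `git diff <remote-sha>..<local-sha>`. Both secrets are fake placeholders.
CONSTRUCTED_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
-API_TIMEOUT = 5
+API_TIMEOUT = 10
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
 LOG_LEVEL = "info"
"""

# Token shapes with fixed prefixes and lengths, which keeps false positives low.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text, patterns=PATTERNS):
    """Scan only lines the push would add; return (file, line_no, kind) findings."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")   # new-side file name
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))          # first line number on the new side
            continue
        if raw.startswith("-"):
            continue                            # removed lines never reach the remote
        if raw.startswith("+"):
            for kind, pat in patterns.items():
                if pat.search(raw[1:]):
                    findings.append((path, new_line, kind))
        new_line += 1                           # context and added lines both advance
    return findings


def push_allowed(diff_text):
    """What a pre-push hook would return: True only when no secret was found."""
    return not scan_diff(diff_text)
```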
7. New Linux Kernel NetFilter Flaw Gives Attackers Root Privileges
A new Linux Netfilter kernel flaw has been discovered that allows unprivileged local users to escalate their privileges to root, giving them complete control over a system. The CVE-2023-32233 identifier has been reserved for the vulnerability, but a severity level is yet to be determined. The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem's internal state. Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities such as iptables and UFW. Corrupting the subsystem's internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in kernel memory. A Linux kernel source code commit was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem. By properly managing the activation and deactivation of anonymous sets and preventing further updates to them, this fix prevents the memory corruption and removes the possibility of attackers exploiting the use-after-free issue to escalate their privileges to root.