Programmer’s Digest #34
05/25/2023-05/31/2023 PyPI Implements Mandatory Two-Factor Authentication, Critical OAuth Vulnerability, Zyxel Issues Critical Security Patches And More
1. PyPI Implements Mandatory Two-Factor Authentication for Project Owners
The Python Package Index (PyPI) announced that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year. The enforcement also includes organization maintainers, but does not extend to every single user of the service. The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale. PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.
2. Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
A critical security vulnerability in the OAuth implementation of Expo.io has been disclosed. The vulnerability, known as CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. Salt Labs, an API security firm, reported that the flaw exposed services using Expo.io to credential leakage, allowing attackers to hijack accounts and access sensitive data. Exploiting the vulnerability could enable threat actors to carry out unauthorized actions on behalf of compromised users across platforms like Facebook, Google, and Twitter. It’s important to note that successful attacks required Expo.io sites and applications to have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider. The vulnerability could be exploited by tricking users into clicking on a malicious link, distributed through methods such as email, SMS, or dubious websites. Expo.io released a hotfix shortly after responsible disclosure and advised users to migrate from AuthSession API proxies to direct registration of deep link URL schemes with authentication providers to enable SSO. Expo.io clarified that the vulnerability was due to storing an app’s callback URL before user confirmation.
3. Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data
A security flaw has been disclosed in Google Cloud Platform’s Cloud SQL service, which could allow unauthorized access to sensitive data. According to Israeli cloud security firm Dig, the vulnerability could enable an attacker to escalate privileges from a basic Cloud SQL user to a sysadmin, gaining access to internal GCP data, customer data, secrets, sensitive files, and passwords. Cloud SQL is a managed solution for creating databases for cloud-based applications using MySQL, PostgreSQL, and SQL Server. The attack chain identified by Dig exploited a security gap in the SQL Server associated with the cloud platform, allowing the attacker to elevate their privileges to an administrator role.
With the elevated permissions, the attacker could exploit another misconfiguration to gain system administrator rights and take full control of the database server. This would provide access to all files on the underlying operating system, enabling the attacker to extract passwords and potentially launch further attacks.
The exposure of internal data, including secrets, URLs, and passwords, poses a significant security incident for cloud providers and their customers, according to Dig researchers Ofir Balassiano and Ofir Shaty.
4. Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months
Barracuda, an enterprise security firm, revealed that threat actors have been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances since October 2022. The critical flaw, identified as CVE-2023-2868, allows remote attackers to execute code on vulnerable installations. The vulnerability affects versions 5.1.3.001 through 9.2.0.006. Barracuda released patches on May 20 and May 21 to address the issue.
The attacks, which were active for at least seven months before discovery, involved the use of three malware strains: SALTWATER, SEASPY, and SEASIDE. SALTWATER is a trojanized module capable of uploading or downloading files, executing commands, and proxying malicious traffic. SEASPY is an x64 ELF backdoor with persistence capabilities, activated by a magic packet. SEASIDE is a Lua-based module that establishes reverse shells via SMTP commands.
Mandiant, owned by Google, noted code overlaps between SEASPY and cd00r. The attacks have not been attributed to any known threat actor or group. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.
5. Zyxel Issues Critical Security Patches for Firewall and VPN Products
Zyxel has released software updates to address two critical buffer overflow vulnerabilities, identified as CVE-2023-33009 and CVE-2023-33010, affecting certain firewall and VPN products. The flaws, rated 9.8 out of 10 on the CVSS scoring system, could allow remote attackers to execute code and cause denial-of-service (DoS) conditions. The impacted devices include ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG models.
Security researchers from TRAPA Security and STAR Labs SG discovered and reported the vulnerabilities. This advisory follows Zyxel’s recent fixes for another critical flaw, CVE-2023-28771, which allowed remote code execution on firewall devices. That vulnerability was also credited to TRAPA Security and was exploited by threat actors associated with the Mirai botnet.
It is crucial for Zyxel users to apply the provided software updates promptly to mitigate the risks associated with these security vulnerabilities.
6. GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains
Google has introduced a beta version of GUAC (Graph for Understanding Artifact Composition), aimed at helping organizations enhance the security of their software supply chains. GUAC is an open-source framework offered as an API, enabling developers to integrate their own tools and policy engines.
It aggregates software security metadata from various sources into a graph database, facilitating the analysis of relationships between software components. By utilizing Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, and other data sources, GUAC assists in assessing risk profiles and visualizing artifact relationships. The objective is to address supply chain attacks effectively, generate patch plans, and promptly respond to security incidents. Google provided an example scenario where GUAC certifies a compromised builder and queries for affected artifacts.
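Google's example scenario, as an added sketch that is not GUAC's own code or API: a small in-memory graph built from constructed SLSA-style provenance edges and SBOM-style dependency edges, with a query that marks a builder as compromised and returns every artifact it built plus everything that depends on those artifacts, directly or transitively. All artifact and builder names are constructed.

```javascript
// Added sketch of the query scenario described above; this is not GUAC's own
// code or API, only an in-memory graph over two constructed metadata sources:
//   provenance (SLSA-style):   artifact --builtBy--> builder
//   dependencies (SBOM-style): artifact --dependsOn--> artifact
class ArtifactGraph {
  constructor() {
    this.builtBy = new Map();   // artifact -> builder
    this.dependsOn = new Map(); // artifact -> Set of direct dependencies
  }
  addProvenance(artifact, builder) { this.builtBy.set(artifact, builder); }
  addDependency(artifact, dependency) {
    if (!this.dependsOn.has(artifact)) this.dependsOn.set(artifact, new Set());
    this.dependsOn.get(artifact).add(dependency);
  }
  // Reverse edge lookup: which artifacts depend directly on `target`?
  dependents(target) {
    const out = [];
    for (const [artifact, deps] of this.dependsOn) if (deps.has(target)) out.push(artifact);
    return out;
  }
  // Mark a builder as compromised: every artifact it built is affected, and so
  // is everything that depends on an affected artifact, transitively.
  affectedByBuilder(builder) {
    const queue = [...this.builtBy].filter(([, b]) => b === builder).map(([a]) => a);
    const affected = new Set();
    while (queue.length) {
      const artifact = queue.shift();
      if (affected.has(artifact)) continue;
      affected.add(artifact);
      queue.push(...this.dependents(artifact));
    }
    return [...affected].sort();
  }
}

// Constructed sample: two build services and a handful of artifacts.
function sampleGraph() {
  const g = new ArtifactGraph();
  g.addProvenance("lib-crypto@2.0", "builder:ci-alpha");
  g.addProvenance("tool-cli@0.9", "builder:ci-alpha");
  g.addProvenance("lib-http@1.4", "builder:ci-beta");
  g.addProvenance("app-backend@3", "builder:ci-beta");
  g.addProvenance("app-frontend@7", "builder:ci-beta");
  g.addDependency("app-backend@3", "lib-crypto@2.0");
  g.addDependency("app-backend@3", "lib-http@1.4");
  g.addDependency("app-frontend@7", "lib-http@1.4");
  return g;
}
```

With `builder:ci-alpha` marked compromised, the query returns `app-backend@3` as well as the two artifacts that builder produced, because the backend depends on `lib-crypto@2.0`; the frontend is untouched since its only dependency came from the other builder.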