Programmer’s Digest #38
06/21/2023-06/28/2023 Critical SQL Injection Flaws, New Fortinet FortiNAC Vulnerability, Millions of GitHub Repositories Likely Vulnerable to RepoJacking Attack And More.
1. Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. The two issues are collectively tracked as CVE-2023-28424 (CVSS score: 9.1). Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through the Portage packages available for the Gentoo Linux distribution. The SQL injections could be exploited to disclose the PostgreSQL server’s version and to execute arbitrary commands on the system. The disclosure comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in the open-source business suite Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance and to exfiltrate valuable data.
2. New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain
Cybersecurity researchers found an ongoing campaign targeting the npm ecosystem. The attack involves pairs of packages that work together to fetch and decode additional resources. The order of installation is crucial for a successful attack. The first package stores a token locally, retrieved from a remote server, while the second package passes the token and operating system type in an HTTP GET request to acquire a second script. A decoded Base64 string is executed if it exceeds 100 characters. The endpoint has returned the string “no history available,” suggesting the attack is either a work in progress or time-specific. The threat actor remains unknown, but the attack demonstrates sophisticated supply chain tactics. In a separate discovery, Sonatype found malicious packages on the Python Package Index targeting Windows with a Trojan downloaded from Discord’s servers, while a package called libiobe targeted both Windows and Linux, stealing information from Windows and profiling Linux systems.
3. New Fortinet FortiNAC Vulnerability Exposes Networks to Code Execution Attacks
Fortinet has released updates to fix a critical vulnerability in its FortiNAC network access control solution. Tracked as CVE-2023-33299, the flaw allows the execution of arbitrary code through Java untrusted object deserialization. An advisory by Fortinet states that the vulnerability can be exploited by an unauthenticated user sending crafted requests to the tcp/1050 service. The affected versions range from 7.2.0 to 9.4.3. Fortinet also addressed another vulnerability, CVE-2023-33300, which is an improper access control issue affecting versions 7.2.0 to 9.4.3. The discovery of both bugs is credited to Florian Hauser from CODE WHITE. This update comes after the active exploitation of a critical vulnerability in FortiOS and FortiProxy (CVE-2023-27997) and a previously fixed severe bug (CVE-2022-39952) that was later exploited.
4. U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities catalog. These include three patched flaws in Apple products (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two vulnerabilities in VMware products (CVE-2023-20867 and CVE-2023-20887), and one affecting Zyxel devices (CVE-2023-27992). CVE-2023-32434 and CVE-2023-32435 have been exploited in a long-running cyber espionage campaign called Operation Triangulation. The attack involves a malicious iMessage attachment that triggers code execution without user interaction. Kaspersky, which discovered the campaign, found that compromised devices are used to gather various information and to execute operations. Additionally, CISA issued an alert for three vulnerabilities (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911) in the BIND 9 DNS software that could lead to denial-of-service conditions.
5. Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware
A new JavaScript dropper called PindOS has been identified delivering payloads such as Bumblebee and IcedID. PindOS, which is tracked by Deep Instinct, carries the name in its “User-Agent” string. Both Bumblebee and IcedID act as loaders, serving as a vehicle for other malware, including ransomware. IcedID has recently shifted its focus solely to malware delivery. Bumblebee replaced BazarLoader and has been associated with groups such as TrickBot and Conti. PindOS’s source code contains Russian comments, indicating potential collaboration between e-crime groups. The loader downloads malicious executables from remote servers using two URLs, with fallback functionality. Each payload is fetched pseudo-randomly, resulting in unique sample hashes. It launches DLL files using the legitimate Windows tool rundll32.exe. Whether Bumblebee and IcedID actors will adopt PindOS in the long term remains uncertain.
6. Alert: Millions of GitHub Repositories Likely Vulnerable to RepoJacking Attack
A new study by Aqua has revealed that millions of software repositories on GitHub are susceptible to an attack called RepoJacking. This vulnerability allows threat actors to take over retired organization or user names and publish malicious versions of repositories. When a repository owner changes their username or transfers ownership to another user, a link is created between the old and new names. However, anyone can create the old username and break this link, allowing them to poison the software supply chain. Aqua’s analysis showed that approximately 2.95% of repositories were vulnerable to RepoJacking in June 2019, suggesting a significant number of repositories are at risk. Users are advised to regularly inspect their code for links fetching resources from external GitHub repositories to mitigate this threat.
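The inspection the advisory recommends can be automated. The following is an added example (not code from Aqua or from the original digest): it extracts `github.com/<owner>/<repo>` references from manifests and scripts, then classifies each reference from the HTTP result of a HEAD request to the repository URL, where a 301 to a different owner means the dependency is reachable only through a rename redirect that a newly registered account could break, and a 404 means the name is currently unclaimed. The sample manifest, the owner names, and the response statuses are constructed for the demonstration.

```python
"""Find GitHub references in project files and classify them for RepoJacking review."""
import re
from typing import NamedTuple, Optional

# Matches https://, git+https:// and git@github.com: forms; stops the repo name at
# whitespace, '/', '@', '#', quotes or a closing bracket, and drops a trailing ".git".
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[\s/@#\"')]|$)"
)

class Ref(NamedTuple):
    owner: str
    repo: str
    line: int

def find_github_refs(text: str) -> list[Ref]:
    """Return every owner/repo reference found in a manifest or script, with its line number."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in GITHUB_REF.finditer(line):
            refs.append(Ref(m.group(1), m.group(2), n))
    return refs

def classify(ref: Ref, status: int, location: Optional[str]) -> str:
    """Classify the result of HEAD https://github.com/<owner>/<repo> (redirects not followed)."""
    if status == 301 and location:
        target = GITHUB_REF.search(location)
        if target and target.group(1).lower() != ref.owner.lower():
            return "renamed-redirect"   # owner changed: pin to the new owner/repo now
        return "redirect"
    if status == 404:
        return "unclaimed"              # name is free to register: highest risk
    if 200 <= status < 300:
        return "ok"
    return "unknown"

# Constructed sample manifest mixing Go, npm and shell-style references.
SAMPLE_MANIFEST = """\
require github.com/acme/widgets v1.4.0
"dep": "git+https://github.com/old-owner/lib.git#semver:^2.0"
curl -sL https://github.com/acme/tool/releases/download/v2/tool.tgz | sh
"""

if __name__ == "__main__":
    for ref in find_github_refs(SAMPLE_MANIFEST):
        print(f"line {ref.line}: {ref.owner}/{ref.repo}")
```

In practice the status and Location header passed to `classify` come from a HEAD request made with redirects disabled; any reference classified as unclaimed or renamed-redirect should be repinned to the current owner, a fork you control, or a fixed commit hash.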
7. Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
A critical security flaw has been discovered in the WordPress plugin “Abandoned Cart Lite for WooCommerce,” installed on over 30,000 websites. The vulnerability, tracked as CVE-2023-2986, allows attackers to gain access to the accounts of users who have abandoned their shopping carts. The flaw is an authentication bypass resulting from insufficient encryption protections: the encryption key is hardcoded, enabling malicious actors to log in as a user with an abandoned cart and potentially gain access to higher-level accounts. The issue has been addressed by the plugin developer, Tyche Softwares, in version 5.15.0. In a separate disclosure, an authentication bypass flaw was also found in the “Booking Calendar | Appointment Booking | BookIt” plugin by StylemixThemes, impacting over 10,000 WordPress installs.