Programmer’s Digest #50
09/20/2023-09/27/2023: Critical libwebp Vulnerability, Critical JetBrains TeamCity Flaw, Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities, and more.
1. Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score
Google has issued a critical CVE (CVE-2023-5129) for a security flaw in the libwebp image library used for WebP format rendering, currently under active exploitation. Rated at the maximum CVSS severity of 10.0, the issue stems from the Huffman coding algorithm. Specifically, a crafted WebP file can cause an out-of-bounds heap write due to a size miscalculation in the ReadHuffmanCodes() function. Apple, Google, and Mozilla have recently released fixes for similar vulnerabilities (CVE-2023-41064 and CVE-2023-4863) believed to share the same root cause. CVE-2023-4863's misclassification as a Google Chrome issue obscured its broader impact on every application that relies on libwebp. A range of widely used software and packages are potentially vulnerable, and the prevalence of libwebp elevates the overall risk for users and organizations.
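The Huffman code tables named in the advisory are built by libwebp's lossless (VP8L) decoder, so a useful first triage step is telling which WebP files would actually be routed through that decoder. The following parser is an added example written for this digest, not libwebp code: it walks the RIFF/WebP chunk list with explicit bounds checks, decodes the VP8L and VP8 image headers, and flags files that carry a VP8L image chunk or a losslessly compressed ALPH chunk. The `build_sample_webp` helper constructs header-only test containers (not decodable pictures) so the example runs offline.

```python
import struct

# Added example (not libwebp code): RIFF/WebP container triage.
# Assumptions: chunk layout per the WebP container spec; the VP8L header is
# signature 0x2F followed by 14-bit width-1, 14-bit height-1, 1-bit alpha and
# 3-bit version packed little-endian; an ALPH chunk's compression method is
# the low two bits of its first byte (1 = lossless).


def parse_vp8l_header(payload):
    """Decode the 5-byte VP8L (lossless) header."""
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = struct.unpack_from("<I", payload, 1)[0]
    return {
        "width": (bits & 0x3FFF) + 1,
        "height": ((bits >> 14) & 0x3FFF) + 1,
        "alpha": bool((bits >> 28) & 1),
        "version": (bits >> 29) & 0x7,
    }


def parse_vp8_header(payload):
    """Decode the lossy VP8 key-frame header: 3-byte frame tag, start code
    9D 01 2A, then two little-endian u16 whose low 14 bits are width/height."""
    if len(payload) < 10 or payload[3:6] != b"\x9d\x01\x2a":
        raise ValueError("bad VP8 key-frame start code")
    w, h = struct.unpack_from("<HH", payload, 6)
    return {"width": w & 0x3FFF, "height": h & 0x3FFF}


def parse_webp(data):
    """Walk the RIFF chunk list, refusing any size field that overruns the buffer."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_size
    if end > len(data):
        raise ValueError("RIFF size field exceeds file length")
    chunks, pos = [], 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + size > end:
            raise ValueError("chunk %r overruns container" % fourcc)
        payload = data[start:start + size]
        info = {"fourcc": fourcc.decode("ascii", "replace"), "size": size}
        if fourcc == b"VP8L":
            info.update(parse_vp8l_header(payload))
        elif fourcc == b"VP8 ":
            info.update(parse_vp8_header(payload))
        elif fourcc == b"ALPH" and size > 0:
            info["alph_compression"] = payload[0] & 0x3
        chunks.append(info)
        pos = start + size + (size & 1)  # payloads are padded to an even length
    return chunks


def uses_lossless_decoder(chunks):
    """True when some chunk is decoded by the VP8L bitstream decoder."""
    return any(c["fourcc"] == "VP8L" or c.get("alph_compression") == 1 for c in chunks)


def build_sample_webp(width, height, lossless=True):
    """Constructed test input: a container holding only an image header."""
    if lossless:
        bits = (width - 1) | ((height - 1) << 14)  # alpha = 0, version = 0
        payload = b"\x2f" + struct.pack("<I", bits) + b"\x00"
        fourcc = b"VP8L"
    else:
        payload = b"\x00\x00\x00" + b"\x9d\x01\x2a" + struct.pack("<HH", width, height)
        fourcc = b"VP8 "
    pad = b"\x00" if len(payload) & 1 else b""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload + pad
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for sample in (build_sample_webp(2, 3), build_sample_webp(640, 480, lossless=False)):
        chunks = parse_webp(sample)
        print(chunks, "lossless decoder:", uses_lossless_decoder(chunks))
```

Run it against a directory of real images and the flagged subset is the one worth inventorying first against patched libwebp builds; the parser itself never trusts a size field it has not checked against the buffer, which is the discipline the advisory's root cause illustrates.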
2. Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers
A critical security flaw (CVE-2023-42793) in JetBrains TeamCity CI/CD software posed a severe risk, potentially enabling remote code execution for unauthenticated attackers. With a CVSS score of 9.8, the issue was promptly addressed by JetBrains in version 2023.05.4 following its responsible disclosure on September 6, 2023. Exploiting this vulnerability could lead to source code theft, exposure of service secrets, and control over build agents. Threat actors could also manipulate build pipelines, risking integrity breaches and supply chain compromises. Notably, the flaw affects on-premise versions of TeamCity, with TeamCity Cloud already patched. Detailed information is being withheld because of the potential for in-the-wild exploitation. JetBrains urges users to update and offers a security patch plugin for TeamCity versions 8.0 and higher.
3. High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server
Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution.
The four high-severity Atlassian flaws were fixed in new versions shipped last month. They are:
- CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
- CVE-2023-22512 (CVSS score: 7.5) – A DoS flaw in Confluence Data Center and Server
- CVE-2023-22513 (CVSS score: 8.5) – An RCE flaw in Bitbucket Data Center and Server
- CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server.
4. Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT
A malicious actor posted a bogus proof-of-concept (PoC) exploit for a recent WinRAR vulnerability on GitHub, intending to distribute Venom RAT malware to those who downloaded it. The fake PoC, built on a publicly available script for an unrelated vulnerability (CVE-2023-25157), was designed to deceive users. While such deceptive PoCs are known in the research community, this case suggests the actor may have targeted other malicious actors looking to exploit the latest vulnerabilities. The GitHub account hosting the repository, whalersplonk, is now inaccessible. The repository appeared four days after the disclosure of the WinRAR vulnerability (CVE-2023-40477), which allows remote code execution on Windows systems. It included a Python script and a video tutorial, which drew 121 views. The Python script fetched an executable associated with Venom RAT from a remote server. The threat actor registered the server domain before the vulnerability was disclosed, underscoring the deliberate effort to capitalize on the critical flaw.
5. Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities
CVSS, while useful, may not accurately reflect a vulnerability's actual impact. Context is crucial. For instance, a critical-severity vulnerability in a library may pose no risk if it is not exploitable in the project's specific use. On the other hand, a medium-severity flaw in a critical component could lead to substantial damage. To manage the growing number of vulnerabilities, organizations need contextual analysis. Safety combines four criteria into a single vulnerability risk score:
- Severity: Safety utilizes CVSS data and manual vetting for comprehensive severity data, covering more than 12,600 vulnerabilities.
- Project Context: Recognizes project significance, considering lifecycle, business criticality, data sensitivity, and network exposure.
- Exploitability: Assesses real-world exploit history and complexity.
- Reachability: Determines if an attacker can access the vulnerability within the project’s codebase.
Safety’s approach reduces vulnerability noise by up to 90%, enabling efficient time allocation and prioritizing fixes based on real-world risk rather than theoretical severity ratings.
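To make the four criteria concrete, here is an added example of a contextual scoring function written for this digest. It is not Safety's formula: the weights are illustrative assumptions, chosen only to show how a CVSS 10.0 finding that is unreachable in an internal tool can rank below a medium-severity finding that is exposed, exploited, and reachable in a business-critical service. The sample findings are constructed and carry placeholder identifiers.

```python
from dataclasses import dataclass

# Added example, not Safety's scoring model. Every multiplier below is an
# assumed, illustrative weight.


@dataclass
class Finding:
    ident: str                   # placeholder identifier, not a real CVE
    cvss: float                  # severity: base score, 0.0-10.0
    business_criticality: float  # project context: 0.0 (throwaway) to 1.0 (critical); assumed scale
    network_exposed: bool        # project context: reachable from untrusted networks
    exploit_known: bool          # exploitability: public exploit or in-the-wild activity
    reachable: bool              # reachability: the vulnerable code path is called by the project


EXPLOIT_KNOWN, NO_EXPLOIT = 1.25, 0.75
EXPOSED, INTERNAL = 1.2, 0.8
UNREACHABLE_DISCOUNT = 0.2


def contextual_risk(f):
    """Scale the CVSS base score by exploitability, project context and reachability."""
    score = f.cvss
    score *= EXPLOIT_KNOWN if f.exploit_known else NO_EXPLOIT
    score *= 0.5 + 0.5 * f.business_criticality   # 0.5x for a throwaway, 1.0x for a critical asset
    score *= EXPOSED if f.network_exposed else INTERNAL
    if not f.reachable:
        score *= UNREACHABLE_DISCOUNT              # heavy discount, but never zero: reachability analysis can be wrong
    return min(score, 10.0)


def prioritize(findings, threshold=4.0):
    """Return findings ranked by contextual risk, and the subset worth acting on now."""
    ranked = sorted(findings, key=contextual_risk, reverse=True)
    actionable = [f for f in ranked if contextual_risk(f) >= threshold]
    return ranked, actionable


def noise_reduction(findings, threshold=4.0):
    """Fraction of findings dropped below the action threshold."""
    _, actionable = prioritize(findings, threshold)
    return 1.0 - len(actionable) / len(findings)


# Constructed sample findings (placeholder identifiers).
SAMPLE = [
    Finding("EXAMPLE-1", 10.0, 0.3, False, False, False),  # critical CVSS, unreachable, internal
    Finding("EXAMPLE-2", 6.5, 1.0, True, True, True),      # medium CVSS, exposed, exploited, reachable
    Finding("EXAMPLE-3", 9.8, 0.8, True, False, False),    # critical CVSS, exposed, but unreachable
]

if __name__ == "__main__":
    ranked, actionable = prioritize(SAMPLE)
    for f in ranked:
        print(f"{f.ident}: cvss={f.cvss} contextual={contextual_risk(f):.2f}")
    print("actionable:", [f.ident for f in actionable])
    print(f"noise reduction: {noise_reduction(SAMPLE):.0%}")
```

With these weights EXAMPLE-2 scores 9.75 and EXAMPLE-1 scores 0.78, inverting their CVSS order; the unreachable discount is deliberately not zero so that a finding stays visible if the reachability analysis later proves wrong.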
6. Critical Security Flaws Exposed in Nagios XI Network Monitoring Software
Nagios XI, version 5.11.1 and lower, is affected by four security vulnerabilities (CVE-2023-40931 to CVE-2023-40934), leading to potential privilege escalation and data exposure. These flaws, disclosed on August 4, 2023, were promptly patched in version 5.11.2 released on September 11, 2023. Three of the vulnerabilities involve SQL injections (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934), potentially granting unauthorized access to database fields. The fourth flaw (CVE-2023-40932) is a cross-site scripting (XSS) issue in the Custom Logo component, enabling the reading of sensitive data. Exploitation could allow attackers to execute arbitrary SQL commands and inject JavaScript code. This isn’t the first time Nagios XI has faced security concerns; previous incidents involved vulnerabilities leading to infrastructure compromise and remote code execution.
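The two defect classes named in the Nagios XI advisory, SQL injection and cross-site scripting in a user-controlled field, are shown below as an added example written for this digest, not Nagios XI code. It uses an in-memory SQLite table of constructed logo records (the table, column names and inputs are assumptions) to contrast a query built by string formatting with a parameterized one, and an unescaped HTML label with one passed through `html.escape`.

```python
import html
import sqlite3

# Added example, not Nagios XI code. The "logos" table and its rows are
# constructed for the demonstration.


def make_db():
    """Constructed sample data: two logo records owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logos (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO logos (name, owner) VALUES (?, ?)",
        [("corp-logo", "alice"), ("lab-logo", "bob")],
    )
    conn.commit()
    return conn


def find_logo_vulnerable(conn, name):
    """Defective lookup: the input is pasted into the statement text, so it can
    change the query's logic rather than just its data."""
    query = "SELECT id, name, owner FROM logos WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_logo_safe(conn, name):
    """Hardened lookup: the statement shape is fixed and the input is bound as data."""
    return conn.execute(
        "SELECT id, name, owner FROM logos WHERE name = ?", (name,)
    ).fetchall()


def render_logo_label_vulnerable(name):
    """Defective rendering: stored user text is emitted as markup."""
    return "<span class='logo'>%s</span>" % name


def render_logo_label_safe(name):
    """Hardened rendering: escape for the HTML text context before emitting."""
    return "<span class='logo'>%s</span>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    tainted = "nothing' OR '1'='1"
    print("vulnerable lookup rows:", len(find_logo_vulnerable(conn, tainted)))
    print("safe lookup rows:", len(find_logo_safe(conn, tainted)))
    print(render_logo_label_safe("<b>name</b>"))
```

The vulnerable lookup returns every row for an input that should match none, which is the behaviour to look for when auditing similar string-built queries; the safe variant returns an empty result for the same input, and the escaped label shows the same text with its markup characters neutralised.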