Programmer’s Digest #52
10/04/2023-10/11/2023: Critical Atlassian Confluence Vulnerability, Linux Systems Vulnerable to RCE Attacks, Security Patch for Two New Flaws in Curl Library, and More.
1. Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability
Microsoft has tied the recent critical flaw in Atlassian Confluence Data Center and Server, known as CVE-2023-22515, to a nation-state actor called Storm-0062 (aka DarkShadow or Oro0lxy). This vulnerability, a privilege escalation issue, enables the creation of unauthorized Confluence administrator accounts and has been exploited in the wild since September 14, 2023. Rated 10.0 on the CVSS severity scale, it affects various Confluence versions. Although the full extent of the attacks remains uncertain, Atlassian learned of the issue from a few customers, indicating that it was a zero-day exploit. Notably, Oro0lxy is a digital alias used by Li Xiaoyu, a Chinese hacker accused by the U.S. Department of Justice in July 2020 of infiltrating numerous companies, including Moderna, a COVID-19 vaccine developer, on behalf of the Ministry of State Security (MSS) in Guangdong.
2. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
In August 2023, Amazon Web Services (AWS), Cloudflare, and Google disclosed that they had mitigated unprecedented DDoS attacks that exploited the HTTP/2 Rapid Reset technique, tracked as CVE-2023-44487 with a CVSS score of 7.5. These layer 7 attacks flooded Google’s cloud infrastructure with up to 398 million requests per second, while AWS and Cloudflare saw peaks of 155 million and 201 million RPS, respectively. HTTP/2 Rapid Reset exploits a zero-day flaw in HTTP/2: it abuses the protocol’s multiplexing feature to open requests and cancel them in quick succession, overwhelming servers. Notably, even a relatively small botnet of around 20,000 machines can execute such attacks. These DDoS attacks have become a significant threat, since HTTP/2 is used by 35.6% of websites and carries 77% of web requests. Google observed multiple variants of Rapid Reset attacks, some more efficient than standard HTTP/2 DDoS attacks, making the technique a critical tool for threat actors.
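As an added illustration (not from the article or any vendor's code), the snippet below shows the defender-side heuristic that server-side mitigations for Rapid Reset rely on: tracking, per connection, how many streams are cancelled relative to how many are opened within a short window. The event-log format, sample frames, and thresholds are constructed assumptions; frame names follow the HTTP/2 specification.

```python
"""Heuristic detector for HTTP/2 Rapid Reset abuse (added example).
Replays a constructed per-connection frame log and flags connections whose
RST_STREAM count, relative to the HEADERS frames that opened streams, crosses
a threshold inside a sliding window. Log format and thresholds are assumed."""
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, connection_id, frame_type, stream_id)
SAMPLE_FRAMES = (
    # Well-behaved client: opens a few streams, completes them, cancels one.
    [(0.00, "c1", "HEADERS", 1), (0.05, "c1", "HEADERS", 3),
     (0.30, "c1", "DATA", 1), (0.35, "c1", "RST_STREAM", 3),
     (0.40, "c1", "HEADERS", 5), (0.90, "c1", "DATA", 5)]
    # Rapid Reset client: opens and immediately cancels 50 streams in 50 ms.
    + [(0.001 * i, "c2", "HEADERS", 2 * i + 1) for i in range(50)]
    + [(0.001 * i + 0.0005, "c2", "RST_STREAM", 2 * i + 1) for i in range(50)]
)


class RapidResetDetector:
    def __init__(self, window_s=1.0, min_resets=20, reset_ratio=0.8):
        self.window_s = window_s        # sliding window length in seconds
        self.min_resets = min_resets    # ignore connections with few resets
        self.reset_ratio = reset_ratio  # resets / opened streams to flag
        self.events = defaultdict(deque)  # conn -> (ts, frame_type) in window
        self.flagged = set()

    def observe(self, ts, conn, frame_type, stream_id):
        """Record one frame; return the connection id if it is now flagged."""
        if frame_type not in ("HEADERS", "RST_STREAM"):
            return None  # only stream opens and cancels matter here
        q = self.events[conn]
        q.append((ts, frame_type))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()  # expire events that fell out of the window
        resets = sum(1 for _, f in q if f == "RST_STREAM")
        opens = sum(1 for _, f in q if f == "HEADERS")
        if resets >= self.min_resets and opens and resets / opens >= self.reset_ratio:
            self.flagged.add(conn)
            return conn
        return None


def scan(frames, **kwargs):
    """Replay frames in time order and return the set of flagged connections."""
    det = RapidResetDetector(**kwargs)
    for ts, conn, ftype, sid in sorted(frames):
        det.observe(ts, conn, ftype, sid)
    return det.flagged
```

Running `scan(SAMPLE_FRAMES)` flags only `c2`; the well-behaved client's single cancellation never reaches the threshold.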
3. libcue Library Flaw Leaves GNOME Linux Systems Vulnerable to RCE Attacks
A security flaw in the libcue library has been revealed, affecting GNOME Linux systems and posing a risk of remote code execution (RCE). Tracked as CVE-2023-43641 with a CVSS score of 8.8, this issue results from memory corruption in libcue versions 2.2.1 and earlier. The flaw resides in an out-of-bounds array access in the track_set_index function, enabling code execution when a victim downloads a .cue file from a malicious link. This vulnerability in libcue can be exploited with just one click, making it particularly concerning. Users are urged to install the latest updates, as further technical details are being withheld for security reasons. This disclosure follows a recent high-severity vulnerability in Google Chrome’s V8 JavaScript engine that also enabled RCE through visiting malicious sites, emphasizing the importance of prompt patching.
4. Security Patch for Two New Flaws in Curl Library Arriving on October 11
Curl library maintainers have warned of two security vulnerabilities to be addressed in the October 11, 2023, release. These are CVE-2023-38545 (high severity) and CVE-2023-38546 (low severity). Details are being withheld until the release so the flaws cannot be identified ahead of the fix, but they affect versions spanning the past several years. Curl, a widely used command-line data transfer tool, supports various protocols. CVE-2023-38545 impacts both libcurl and curl, while CVE-2023-38546 affects only libcurl. Both vulnerabilities will be fixed in curl version 8.4.0. Users are advised to inventory their systems for curl and libcurl installations now, so that potentially vulnerable versions can be identified quickly once details are disclosed with the October 11 release.
5. GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack
GitHub is enhancing its secret scanning feature to validate tokens from services like AWS, Microsoft, Google, and Slack, alerting users to exposed tokens. This improvement builds on the validity checks introduced earlier this year for GitHub tokens and is planned to expand to more tokens in the future. To enable this feature, enterprise or organization owners and repository administrators can go to Settings > Code security and analysis > Secret scanning and select “Automatically verify if a secret is valid by sending it to the relevant partner.”
6. CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog. Two new additions include:
- CVE-2023-42793 (CVSS 9.8) – JetBrains TeamCity Authentication Bypass Vulnerability: This flaw allows remote code execution on TeamCity Server, with 74 unique IP addresses attempting exploitation.
- CVE-2023-28229 (CVSS 7.0) – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability: This high-severity issue allows an attacker to gain specific SYSTEM privileges. While in-the-wild exploitation hasn’t been reported, a proof-of-concept (PoC) has been shared publicly.
Five vulnerabilities related to Owl Labs Meeting Owl have been removed from the catalog due to insufficient evidence. Federal Civilian Executive Branch agencies must apply vendor-provided patches for the two actively exploited flaws by October 25, 2023, to secure their networks. Microsoft rated CVE-2023-28229 as “Exploitation Less Likely” and addressed it in the April 2023 Patch Tuesday updates.
7. Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems
Cisco has released updates to address a critical security flaw in Emergency Responder (CVE-2023-20101, CVSS 9.8). This vulnerability allows unauthenticated, remote attackers to log into affected systems using hard-coded credentials. The flaw results from static credentials for the root account that were intended for use during development. Exploiting it could grant attackers access to the system and the ability to execute arbitrary commands as the root user. The issue affects Cisco Emergency Responder Release 12.5(1)SU4 and has been resolved in version 12.5(1)SU5. Cisco found the problem during internal security testing and is not aware of any in-the-wild exploitation. Customers are advised to update to the latest version to mitigate potential threats.