Programmer’s Digest #68
01/24/2024-01/31/2024 Upgrade GitLab, Urgent Junos OS Updates, Critical Jenkins Vulnerability, Malicious PyPI Packages And More.
1. URGENT: Upgrade GitLab – Critical Workspace Creation Flaw Allows File Overwrite
GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. The company also noted that patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1. Also resolved by GitLab are four medium-severity flaws that could lead to a regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user’s public email address via the tags RSS feed. The latest update arrives two weeks after the DevSecOps platform shipped fixes to close out two critical shortcomings, including one that could be exploited to take over accounts without requiring any user interaction (CVE-2023-7028, CVSS score: 10.0). Users are advised to upgrade their installations to a patched version as soon as possible to mitigate potential risks.
2. Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws
Juniper Networks has issued critical updates for SRX Series and EX Series, targeting high-severity vulnerabilities in J-Web (CVE-2024-21619 and CVE-2024-21620). These flaws could empower threat actors to seize control of vulnerable systems. CVE-2024-21619 poses a moderate risk (CVSS score: 5.3) due to a missing authentication vulnerability, exposing sensitive configuration information. On the other hand, CVE-2024-21620 presents a higher risk (CVSS score: 8.8) as a cross-site scripting (XSS) vulnerability, enabling the execution of arbitrary commands. As a temporary measure, Juniper advises users to disable J-Web or limit access to trusted hosts until the updates are implemented. Additionally, two earlier disclosed vulnerabilities (CVE-2023-36846 and CVE-2023-36851) were previously flagged as actively exploited.
3. Critical Jenkins Vulnerability Exposes Servers to RCE Attacks – Patch ASAP!
Jenkins, the open-source CI/CD automation software, has patched nine security flaws, including CVE-2024-23897, a critical bug allowing remote code execution through an arbitrary file read vulnerability in the CLI. Jenkins uses the args4j library for CLI command processing, enabling a feature (expandAtFiles) that replaces ‘@’ followed by a file path with the file’s content. This feature, active by default in Jenkins 2.441 and earlier, could be exploited by threat actors with “Overall/Read” permission to read entire files, potentially leading to various attacks, including remote code execution, XSS, and CSRF protection bypass. SonarSource researcher Yaniv Nizry discovered the flaw, fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature. While awaiting the patch, users are advised to disable CLI access as a temporary measure. Proof-of-concept exploits for CVE-2024-23897 have been published, emphasizing the urgency of updates.
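For both the GitLab item (1) and the Jenkins item (3), the operational question is the same: is the running version at or past the first fixed release on its own branch? The script below is an added example, not code from GitLab, Jenkins or the digest; it encodes only the fixed versions stated above, assumes the helper names shown, and treats branches with no listed fix (GitLab before 16.5, Jenkins LTS lines before 2.426) as unfixed while assuming later branches include the fix.

```python
"""Added example: decide whether an installed GitLab or Jenkins version carries
the fix for CVE-2024-0402 / CVE-2024-23897, using only the fixed versions the
digest lists. Function names are this example's own assumptions."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# GitLab: first fixed release per 16.x branch (the backports named in the text).
GITLAB_FIXED: Dict[Version, Version] = {
    (16, 5): (16, 5, 8), (16, 6): (16, 6, 6), (16, 7): (16, 7, 4), (16, 8): (16, 8, 1),
}
# Jenkins: weekly releases use two components (2.441), LTS uses three (2.426.3).
JENKINS_FIXED_WEEKLY: Version = (2, 442)
JENKINS_FIXED_LTS: Version = (2, 426, 3)


def parse_version(text: str) -> Version:
    """'16.8.1-ee' -> (16, 8, 1); edition suffixes after '-' are ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def gitlab_is_fixed(version: str) -> bool:
    """True when the version is at or past the fix on its own branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch > max(GITLAB_FIXED):
        return True  # assumption: branches newer than 16.8 were cut with the fix
    fixed = GITLAB_FIXED.get(branch)
    # A branch with no backport listed (e.g. 16.4.x) is treated as unfixed.
    return fixed is not None and v >= fixed


def jenkins_is_fixed(version: str) -> bool:
    """Weekly and LTS lines are fixed at different points; compare per line."""
    v = parse_version(version)
    if len(v) == 3:  # LTS: 2.426.3 and later LTS lines; older LTS lines are unfixed
        return v >= JENKINS_FIXED_LTS
    return v >= JENKINS_FIXED_WEEKLY


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, bool]:
    """Map host -> needs_upgrade for records shaped {host: (product, version)}."""
    checks = {"gitlab": gitlab_is_fixed, "jenkins": jenkins_is_fixed}
    return {host: not checks[product](ver) for host, (product, ver) in inventory.items()}


if __name__ == "__main__":
    sample = {"ci-1": ("jenkins", "2.441"), "ci-2": ("jenkins", "2.426.3"),  # constructed hosts
              "git-1": ("gitlab", "16.7.3-ee"), "git-2": ("gitlab", "16.8.1")}
    for host, needs_upgrade in triage(sample).items():
        print(host, "UPGRADE" if needs_upgrade else "ok")
```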
4. Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines
Researchers have detected malicious packages on the Python Package Index (PyPI), distributing WhiteSnake Stealer malware on Windows systems. These packages, uploaded by a threat actor named “WS,” include nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. The packages embed Base64-encoded source code in their setup.py files, delivering the final payload upon installation based on the victim’s operating system. WhiteSnake, primarily targeting Windows, has an Anti-VM mechanism, communicates via Tor, and steals information from browsers, cryptocurrency wallets, and various applications. PYTA31, the threat actor tracked by Checkmarx, aims to exfiltrate sensitive and crypto wallet data. Some packages incorporate clipper functionality to replace clipboard content for unauthorized transactions. This discovery highlights the ability of a single malware author to disseminate multiple info-stealing packages into PyPI with distinct payload intricacies.
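The pattern described above (a Base64 blob in setup.py that is decoded and executed, gated on the victim's operating system) can be triaged statically before a package is ever installed. The scanner below is an added example, not Checkmarx's tooling or the malicious packages' code; it only parses source with `ast`, never runs it, and the sample setup.py it scans is constructed here with a harmless payload.

```python
"""Added example: static triage of a setup.py for the decode-then-exec pattern
described in the PyPI item. Parses with `ast` only; nothing is executed.
Names and the sample setup.py below are constructed for this example."""
import ast
import base64
from typing import List, Tuple

DECODERS = {"b64decode", "b85decode", "b32decode", "a85decode"}
OS_PROBES = {"sys.platform", "os.name"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain as 'base64.b64decode'; '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _is_decoder(node: ast.AST) -> bool:
    return isinstance(node, ast.Call) and _dotted(node.func).rsplit(".", 1)[-1] in DECODERS


def _long_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)) and len(node.value) >= 40


def scan_setup_py(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) findings sorted by line; an empty list means nothing matched."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and _dotted(node) in OS_PROBES:
            findings.append((node.lineno, f"OS probe {_dotted(node)} in setup.py"))
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee in ("exec", "eval") and any(_is_decoder(a) for a in node.args):
                findings.append((node.lineno, f"{callee}() fed directly by a decoder"))
            elif callee == "platform.system":
                findings.append((node.lineno, "OS probe platform.system() in setup.py"))
            elif _is_decoder(node) and any(_long_literal(a) for a in node.args):
                findings.append((node.lineno, "long literal blob passed to a decoder"))
    return sorted(findings)


# Constructed sample: the decoded payload is a harmless print; only the shape matters.
_PAYLOAD = base64.b64encode(b'print("constructed sample payload")')
CONSTRUCTED_SETUP_PY = f'''import base64, platform
from setuptools import setup
if platform.system() == "Windows":
    exec(base64.b64decode({_PAYLOAD!r}))
setup(name="demo-package", version="0.0.1")
'''

if __name__ == "__main__":
    for line, reason in scan_setup_py(CONSTRUCTED_SETUP_PY):
        print(f"line {line}: {reason}")
```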
5. Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords
A recently patched security flaw in Microsoft Outlook (CVE-2023-35636, CVSS score: 6.5) exposed NT LAN Manager (NTLM) v2 hashed passwords. This vulnerability, addressed in Microsoft’s December 2023 Patch Tuesday updates, allowed threat actors to access passwords when victims opened a specially crafted file. In email attacks, the attacker sends the file, while in web-based attacks, a malicious website hosts it. The flaw originates from the calendar-sharing function in Outlook, utilizing crafted headers. Varonis researcher Dolev Taler discovered the bug, highlighting the potential leakage of NTLM hashes via Windows Performance Analyzer (WPA) and Windows File Explorer, yet these methods remain unpatched. This disclosure coincides with Check Point’s revelation of “forced authentication,” demonstrating the exploitation of NTLM tokens by tricking users into opening a rogue Microsoft Access file.
6. Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems
Cisco has issued patches for a critical vulnerability (CVE-2024-20253, CVSS score: 9.9) affecting Unified Communications and Contact Center Solutions. The flaw arises from improper processing of user-provided data, enabling a remote attacker to execute arbitrary code on the target device. Successful exploitation could lead to arbitrary command execution with web services user privileges and potential root access. The affected products include Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser. Synacktiv researcher Julien Egloff discovered the vulnerability. While no workarounds exist, Cisco recommends implementing access control lists (ACLs) as a temporary measure.