Programmer’s Digest #74

03/06/2024-03/13/2024 Microsoft’s March Updates Fix 61 Vulnerabilities, OpenEdge Vulnerability, Vulnerability in the Popup Builder Plugin, PyPI Python Packages Can Drain Your Crypto Wallets And More.

1. Microsoft’s March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws

Microsoft released its monthly security update, fixing 61 flaws across its software, including two critical issues in Windows Hyper-V that could lead to DoS and remote code execution. Of these vulnerabilities, two are Critical, 58 are Important, and one is Low severity. Although none are publicly known or actively attacked, six are tagged “Exploitation More Likely.” This update also patches 17 flaws in the Chromium-based Edge browser since February 2024. Critical issues include Hyper-V flaws CVE-2024-21407 and CVE-2024-21408. Additionally, there are privilege escalation flaws in Azure Kubernetes Service, Windows Composite Image File System, and Authenticator. Notably, CVE-2024-21390 could allow an attacker to access multi-factor authentication codes. Another critical flaw is CVE-2024-21334, a remote code execution in Open Management Infrastructure.

2. Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability

A critical security flaw (CVE-2024-1403) in Progress Software OpenEdge Authentication Gateway and AdminServer allows bypassing authentication protections. It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0. The flaw, rated 10.0 on the CVSS scale, enables unauthorized access due to mishandling of usernames and passwords. Progress Software released fixes in OpenEdge LTS Update versions 11.7.19, 12.2.14, and 12.8.1. A PoC exploit has been released by Horizon3.ai, revealing the flaw’s root cause in a function called connect(). This function invokes authorizeUser(), which, if supplied with specific credentials, can bypass authentication. However, reaching deeper attack surfaces, such as deploying new applications, requires considerably more effort because of internal service message brokers and custom messages, noted security researcher Zach Hanley.

3. Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

A malware campaign exploits a severe vulnerability in the Popup Builder plugin for WordPress, infecting over 3,900 sites within three weeks, as reported by Sucuri. Exploiting CVE-2023-6000, attackers create rogue admin users and install arbitrary plugins. This flaw was also exploited in a previous Balada Injector campaign, compromising over 7,000 sites in January. The current attacks inject malicious JavaScript code, redirecting visitors to phishing and scam pages. WordPress site owners are urged to update plugins, scan for suspicious code or users, and perform cleanup. Meanwhile, Wordfence disclosed a high-severity XSS bug (CVE-2024-2123) in the Ultimate Member plugin, patched in version 2.8.4 on March 6, 2024. This flaw allows unauthenticated attackers to inject arbitrary web scripts, potentially gaining administrative access. 

4. Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

Cisco has patched a high-severity vulnerability (CVE-2024-20337, CVSS score: 8.2) in its Secure Client software, enabling a threat actor to initiate a VPN session with a targeted user. Arising from insufficient validation of user input, a malicious link could be used to execute arbitrary script code in the browser, accessing sensitive information like a valid SAML token. This token could then be exploited to establish a remote access VPN session as the affected user. The flaw affects Secure Client for Windows, Linux, and macOS, with fixes available in versions 4.10.08025, 5.1.2.42, and beyond. The vulnerability enables attackers to access internal networks when victims visit a controlled website. Additionally, Cisco addressed CVE-2024-20338 (CVSS score: 7.3) in Secure Client for Linux, allowing local attackers to elevate privileges; fixed in version 5.1.2.42.

5. CISA Warns of Actively Exploited JetBrains TeamCity Vulnerability

CISA added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker. It was addressed by JetBrains earlier this week alongside CVE-2024-27199 (CVSS score: 7.3), another moderate-severity authentication bypass flaw that allows for a “limited amount” of information disclosure and system modification. The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server. In light of active exploitation, users running on-premises versions of the software are advised to apply the updates as soon as possible to mitigate potential threats.

6. Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets

Threat hunters uncovered seven Python packages on PyPI designed to steal BIP39 mnemonic phrases for cryptocurrency wallets, dubbed BIPClip by ReversingLabs. The packages were downloaded 7,451 times before removal. Operating since December 2022, this campaign targeted crypto wallet developers. Though one package, mnemonic_to_address, lacked malicious functionality, it listed bip39-mnemonic-decrypt as a dependency, containing the harmful component. These packages stealthily exfiltrate mnemonic phrases to a controlled server. ReversingLabs identified two other packages, public-address-generator and erc20-scanner, working similarly. Hashdecrypts, meanwhile, functions independently to harvest data. The GitHub profile “HashSnake” is associated with these packages, with a repository named hCrypto advertised for phrase extraction. The packages were meticulously crafted to target crypto wallets, minimizing detection by security tools.
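The BIPClip item above makes a point worth checking for in practice: the clean-looking package (mnemonic_to_address) was only dangerous through its dependency (bip39-mnemonic-decrypt), so a blocklist applied to direct requirements alone misses it. The following added example (not from the digest or from ReversingLabs) walks a resolved dependency graph and reports the path to every blocklisted package; the package names are those named above, while the graph itself is constructed, apart from the mnemonic_to_address -> bip39-mnemonic-decrypt edge the report describes.

```python
"""Transitive dependency blocklist check (added example, not from the digest)."""
from collections import deque

# PyPI treats names case-insensitively and '_', '-' and '.' as equivalent,
# so normalise before comparing anything against the blocklist.
def normalize(name: str) -> str:
    return name.lower().replace("_", "-").replace(".", "-")

# Package names from the ReversingLabs BIPClip report, as summarised above.
BLOCKLIST = {normalize(n) for n in [
    "mnemonic_to_address", "bip39-mnemonic-decrypt",
    "public-address-generator", "erc20-scanner", "hashdecrypts",
]}

# Constructed resolved graph: package -> declared dependencies. Only the
# mnemonic_to_address -> bip39-mnemonic-decrypt edge comes from the report;
# "wallet-tool" is a hypothetical application that depends on it.
SAMPLE_GRAPH = {
    "wallet-tool": ["requests", "mnemonic_to_address"],
    "mnemonic_to_address": ["bip39-mnemonic-decrypt"],
    "bip39-mnemonic-decrypt": [],
    "requests": ["urllib3", "certifi"],
    "urllib3": [],
    "certifi": [],
}

def find_blocklisted(graph, roots, blocklist=BLOCKLIST):
    """Return {blocklisted_pkg: path_from_root} for every blocklisted
    package reachable from the top-level requirements, including those
    only pulled in transitively (the BIPClip case)."""
    norm_graph = {normalize(k): [normalize(d) for d in v] for k, v in graph.items()}
    hits, seen = {}, set()
    queue = deque((normalize(r), [normalize(r)]) for r in roots)
    while queue:                      # breadth-first, so the first path found is shortest
        pkg, path = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg in blocklist and pkg not in hits:
            hits[pkg] = path
        for dep in norm_graph.get(pkg, []):
            queue.append((dep, path + [dep]))
    return hits

if __name__ == "__main__":
    for pkg, path in find_blocklisted(SAMPLE_GRAPH, ["wallet-tool"]).items():
        print(f"{pkg}: pulled in via {' -> '.join(path)}")
```

In a real pipeline the graph would come from a lockfile or `pip install --dry-run --report`, and the blocklist from an advisory feed rather than a hard-coded set.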