Programmer’s Digest #80

04/17/2024-04/24/2024 Details on Critical PAN-OS Flaw, Vulnerability for PHP (CVE-2024-2961), Critical Atlassian Flaw Exploited And More.

1. Apache Cordova App Harness Targeted in Dependency Confusion Attack

A dependency confusion vulnerability affects Cordova App Harness, an archived Apache project. By exploiting how package managers resolve names, attackers can substitute a malicious public package for a private one of the same name, exposing downstream users. Despite npm's fixes, Cordova App Harness lacked proper dependency references. Legit Security demonstrated this flaw, highlighting the risk, and Apache addressed the issue by taking control of the package. The incident underscores the importance of monitoring third-party dependencies, especially in archived projects. Security researcher Ofek Haviv emphasizes the need for vigilance, as such projects often harbor unfixed vulnerabilities. Organizations should register public packages as placeholders to mitigate such attacks.

2. Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Palo Alto Networks disclosed a critical security flaw, CVE-2024-3400, in PAN-OS software versions 10.2, 11.0, and 11.1. This flaw allows attackers to execute remote shell commands. The exploit chains two bugs: one allowing storage of files with attacker-chosen filenames and another that trusts those filenames as system-generated commands. Threat actor UTA0218 has exploited this flaw in Operation MidnightEclipse, deploying commands and tools like GOST. Recent findings by Bishop Fox revealed that device telemetry is not required for exploitation. Palo Alto Networks has issued patches for affected versions. Users should apply these fixes promptly given active exploitation and the availability of exploit code. The U.S. CISA has listed the flaw as a Known Exploited Vulnerability, requiring federal agencies to secure their devices by April 19, 2024.

3. Mitigating the Iconv Vulnerability for PHP (CVE-2024-2961)

The recently published CVE-2024-2961 identifies a buffer overflow vulnerability in GNU libc versions earlier than 2.39 when converting charsets to certain Chinese Extended encodings. It affects PHP when iconv is used to translate request encodings to or from the affected charsets, and its reach is potentially wide (for example, the latest wordpress:apache image ships an iconv with the vulnerable charsets enabled). The best mitigation is obviously to update to a patched version of glibc. If you are unable to (or a patch is not yet available for your OS), you can mitigate the issue by disabling the affected charsets in gconv. Detailed information on how to check for and mitigate this issue at the OS level can be found at the link mentioned above.
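A host-side check for the iconv issue described above, written here as an added example rather than taken from the digest or the linked guidance. It assumes the affected converter is ISO-2022-CN-EXT (the conversion named in the glibc advisory), that glibc 2.39 or newer is fixed upstream while older versions are exposed unless the distro backported the fix, and that gconv module config files live under /usr/lib or /usr/lib64:

```shell
#!/bin/sh
# CVE-2024-2961 exposure check for a Linux host (added example, not the digest's code).
# Assumes: affected converter is ISO-2022-CN-EXT (named in the glibc advisory); glibc
# 2.39+ is fixed, older is exposed unless backported; gconv config lives under /usr/lib*.
VULN_CHARSET='ISO-2022-CN-EXT'

# Extract "major.minor" from `ldd --version` output passed as $1 (first line only).
parse_glibc_version() {
  printf '%s\n' "$1" | head -n 1 | sed 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# Exit 0 if glibc version $1 is older than 2.39, 1 if not, 2 if $1 is not a version.
glibc_is_older_than_2_39() {
  case "$1" in *[!0-9.]*|''|.*|*.) return 2 ;; esac
  major=${1%%.*}; minor=${1#*.}; minor=${minor%%.*}
  [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 39 ]; }
}

# Exit 0 if an `iconv -l` listing ($1) advertises the affected charset.
list_has_vulnerable_charset() {
  printf '%s\n' "$1" | tr -d '/' | tr ' ' '\n' | grep -qix "$VULN_CHARSET"
}

# Live probe: exit 0 if this host's iconv really loads the affected converter.
host_iconv_loads_vulnerable_charset() {
  command -v iconv >/dev/null 2>&1 || return 1
  printf 'probe' | iconv -f UTF-8 -t "$VULN_CHARSET" >/dev/null 2>&1
}

# gconv config files still naming the charset: removing those entries and running
# iconvconfig afterwards is the gconv-level mitigation the digest refers to.
gconv_config_files_referencing_charset() {
  find /usr/lib /usr/lib64 -type f -name 'gconv-modules*' ! -name '*.cache' \
    -exec grep -l "$VULN_CHARSET" {} + 2>/dev/null
}
report() {
  ver=$(parse_glibc_version "$(ldd --version 2>/dev/null || true)")
  glibc_is_older_than_2_39 "$ver" && rc=0 || rc=$?
  case $rc in
    0) echo "glibc $ver is older than 2.39: exposed unless your distro backported the fix" ;;
    1) echo "glibc $ver is 2.39 or newer: fixed upstream" ;;
    *) echo "glibc version could not be determined (no ldd on this host?)" ;;
  esac
  if host_iconv_loads_vulnerable_charset; then
    echo "iconv loads $VULN_CHARSET; gconv files to edit (then run iconvconfig):"
    gconv_config_files_referencing_charset || true
  else
    echo "iconv cannot load $VULN_CHARSET: converter already disabled or absent"
  fi
}
report
```

Run it on the web host itself (or inside the PHP container), since the question is which glibc and gconv modules the PHP process actually uses, not what the build machine has.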

4. Recent Rust Security Advisory: CVE-2024-24576

The Rust Security Response WG announced CVE-2024-24576, which affects the Rust Standard Library on Windows. Some Tauri organization repositories use batch files (cmd.exe under the hood) for developer environment tooling such as build scripts. No reviewed repositories use batch files for runtime code. Your Tauri app might be affected if it meets specific criteria, such as using the Tauri v1 shell feature with certain configurations. Implementing custom commands that expose Rust's Command with runtime-supplied arguments could also be a risk. Please upgrade your Rust version to 1.77.2 as soon as possible and distribute updates to your users.

5. Linux Cerber Ransomware Variant Exploits Atlassian Servers

Threat actors are exploiting unpatched Atlassian servers to deploy Cerber ransomware, aka C3RB3R, targeting CVE-2023-22518 in Atlassian Confluence. This critical flaw allows unauthorized access to reset Confluence and create admin accounts, granting control over systems. Financially motivated groups install the Effluence web shell plugin for arbitrary command execution. The ransomware, written in C++, fetches additional harmful software from attackers' servers. After encryption, it removes itself, leaving behind components for permission checks and file encryption. Despite the ransom notes, no data exfiltration occurs. The continued use of C++ payloads stands out amid the broader shift to other languages. Cerber's sophistication is noted, but because encryption is limited to Confluence data, victims have less incentive to pay. New ransomware variants target Windows and VMware ESXi, emphasizing the need for robust security measures and a strong cybersecurity culture.
