Programmer’s Digest #81
04/24/2024 - 05/02/2024: Judge0 Sandbox Vulnerabilities, New R Programming Vulnerability, GitLab Password Reset Vulnerability, and More.
1. Judge0 Sandbox Vulnerabilities Expose Systems to Takeover Risk
Judge0, an open-source code execution service, is affected by three critical vulnerabilities (CVE-2024-29021, CVE-2024-28185, and CVE-2024-28189) discovered by Tanto Security that could lead to full system takeover. The flaws allow attackers to escape the sandbox and gain root access. Organizations such as educational institutions and recruitment firms rely heavily on Judge0 for secure code execution, especially in competitive programming. Tanto Security found weaknesses in Judge0's isolate binary, which runs in privileged mode much as privileged Docker containers do, posing a risk of unauthorized system access. Vulnerabilities in the processing of user-submitted code and in the interaction between components were identified, indicating potential system compromise. Despite initial patches, subsequent bypasses were found, showing that the vulnerabilities persisted.
2. New R Programming Vulnerability Exposes Projects to Supply Chain Attacks
A critical flaw in the R programming language (CVE-2024-27322, CVSS score: 8.8) enables threat actors to execute code by crafting malicious RDS (R Data Serialization) files. HiddenLayer reported that the root cause is R's lazy evaluation, which relies on promise objects. RDS, similar to Python's pickle, serializes data structures and is used in R for saving and loading data and packages. Version 4.4.0, released on April 24, 2024, mitigates the issue. Attackers can exploit the flaw through specially crafted R packages, leading to supply chain attacks. A CERT/CC advisory details the flaw and warns of potential exploitation through malicious RDS or rdx files, emphasizing the risk to projects that call readRDS on untrusted files.
3. CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability
CISA has flagged a critical flaw in GitLab, designated CVE-2023-7028, due to ongoing exploitation. This vulnerability, with a severity score of 10.0, allows account takeover by sending password reset emails to unverified addresses. GitLab disclosed the issue in January, linking it to a code change in version 16.1.0 from May 1, 2023. All authentication methods within these versions are affected, posing significant risks such as data theft and source code manipulation. Mitiga warns of potential supply chain attacks if malicious code is injected into CI/CD pipelines. GitLab has released patches for versions 16.5.6, 16.6.4, and 16.7.2, backporting fixes to older versions. CISA urges federal agencies to apply these updates by May 22, 2024, to safeguard their systems. No further details on real-world exploits have been provided by CISA yet.
4. Enhancing Software Supply Chain Security through GitHub’s 2FA Implementation
GitHub has enforced mandatory two-factor authentication (2FA) for code contributors, significantly boosting security in the software supply chain. This initiative has driven widespread adoption of 2FA among developers, prompting GitHub to encourage other organizations to follow suit. The platform has seen a notable increase in 2FA usage, particularly among users with critical roles in the software supply chain. The move to mandatory 2FA has not only enhanced security but also promoted the adoption of more robust 2FA methods, such as passkeys, over less secure options like SMS. Leading organizations like RubyGems, PyPI, and AWS have joined in, elevating software supply chain security standards. GitHub’s 2FA implementation has reduced reliance on SMS, mitigating vulnerabilities like SIM swapping. Users now frequently configure multiple 2FA methods, adding an extra layer of protection and decreasing related support tickets.
5. Bogus npm Packages Used to Trick Software Developers into Installing Malware
A social engineering campaign dubbed DEV#POPPER is targeting software developers, deceiving them with fake job interviews to download a Python backdoor via bogus npm packages. Securonix attributes this activity to North Korean threat actors. The scheme involves luring developers to run seemingly legitimate software from GitHub, containing malicious payloads compromising their systems. Initially flagged by Palo Alto Networks Unit 42 as Contagious Interview, the campaign evolved to distribute malware like BeaverTail and InvisibleFerret. Phylum discovered similar malicious npm packages on the registry, aiming to extract sensitive data. The attack chain starts with a ZIP archive on GitHub, containing a seemingly harmless npm module harboring a JavaScript file (BeaverTail) and a Python backdoor (InvisibleFerret).
6. Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack
Palo Alto Networks has issued guidance for fixing a critical security flaw, CVE-2024-3400, affecting PAN-OS. This flaw allows unauthenticated remote shell command execution on vulnerable devices and has been actively exploited since at least March 26, 2024, by a threat cluster known as UTA0218 in Operation MidnightEclipse.
Palo Alto Networks recommends different remediation steps based on the level of compromise:
- Level 0 (Probe): Update to the latest hotfix.
- Level 1 (Test): Update to the latest hotfix.
- Level 2 (Potential Exfiltration): Update to the latest hotfix and perform a Private Data Reset.
- Level 3 (Interactive Access): Update to the latest hotfix and perform a Factory Reset.
Palo Alto Networks updated its advisory on April 29, 2024, acknowledging proof-of-concept post-exploit persistence techniques. Fixes and Threat Prevention signatures are recommended to prevent further exploitation.