
Programmer’s Digest #90

07/03/2024-07/10/2024 Trojanized jQuery Packages, Flaws Disclosed in Gogs Open-Source Git Service, Remote Code Execution Vulnerability in OpenSSH And More.

1. Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Unknown threat actors have been distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr in a complex and persistent supply chain attack. According to Phylum, the malware is hidden in jQuery's rarely used “end” function, which the popular “fadeTo” function calls internally. The campaign, linked to 68 packages, began on May 26 and continued until June 23, 2024, under names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets. Each package appears to have been assembled by hand, given the variation in naming conventions, the personal files bundled in, and the prolonged upload period. The malware exfiltrates website form data to a remote URL. A GitHub repository associated with “indexsc” hosts the trojanized jQuery file and related JavaScript, and because jsDelivr constructs CDN URLs for GitHub content automatically, the source appears more legitimate.
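A defender-side check for the pattern Phylum describes, added here as an example and not code from the page or from Phylum: it extracts the body of jQuery's `end` method and flags tokens that a pure traversal helper never needs. The fixtures are constructed in the shape of jQuery's `end`, and the marker list is an assumption of mine, not the campaign's indicators.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of jQuery's genuine `end` method: it only returns
# this.prevObject or a fresh constructor call and makes no network or DOM calls.
CLEAN_JQUERY_SNIPPET = """
	end: function() {
		return this.prevObject || this.constructor();
	},
"""

# Constructed sample carrying a marker call that a side-effect-free traversal helper
# never needs. It is a scanner fixture, not the campaign's actual code.
SUSPECT_JQUERY_SNIPPET = """
	end: function() {
		new XMLHttpRequest(); document.forms;
		return this.prevObject || this.constructor();
	},
"""

# Assumed marker list: tokens with no legitimate business inside `end`
# (network egress and form access).
EXFIL_MARKERS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image",
                 "document.forms", "serialize")


def extract_end_body(src: str) -> Optional[str]:
    """Return the body of `end: function(...) {...}` (minified or not) by brace matching."""
    m = re.search(r"\bend\s*:\s*function\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1] if depth == 0 else None


def suspicious_markers(src: str) -> List[str]:
    """Markers found inside `end`; a sentinel if the method is missing (also worth a look)."""
    body = extract_end_body(src)
    if body is None:
        return ["end-function-not-found"]
    return [t for t in EXFIL_MARKERS if t in body]
```

Run it over every jQuery copy your build pulls from npm or a CDN; a non-empty result is a reason to diff the file against the release from jquery.com, not proof on its own.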

2. Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source Git service. These vulnerabilities could allow authenticated attackers to breach instances, steal or wipe source code, and plant backdoors.

The flaws are:

  • CVE-2024-39930 (CVSS 9.9) – Argument injection in the built-in SSH server
  • CVE-2024-39931 (CVSS 9.9) – Deletion of internal files
  • CVE-2024-39932 (CVSS 9.9) – Argument injection during changes preview
  • CVE-2024-39933 (CVSS 7.7) – Argument injection when tagging new releases

Exploiting the first three flaws can lead to arbitrary command execution, while the fourth flaw allows reading arbitrary files. All vulnerabilities require authentication and specific conditions for exploitation. Users are advised to disable the built-in SSH server, turn off user registration, or switch to Gitea. SonarSource released a patch, but it hasn’t been extensively tested. Immediate protective measures are recommended.

3. CVE-2024-6409: New Remote Code Execution Vulnerability in OpenSSH

A newly discovered vulnerability in OpenSSH, CVE-2024-6409, exposes systems to potential remote code execution (RCE) due to a race condition in signal handling. This flaw, with a CVSS score of 7.0, affects OpenSSH versions 8.7 and 8.8. It stems from grace_alarm_handler() in the privilege-separated (privsep) child process calling cleanup_exit(), which in turn may call functions that are not async-signal-safe. The issue specifically arises in Red Hat’s OpenSSH package and affects Red Hat Enterprise Linux (RHEL) 9 and Fedora versions 36 and 37. Fedora 38 and later versions are not vulnerable.

Administrators should update OpenSSH on affected systems, particularly RHEL 9 and older Fedora releases. Applying the “LoginGraceTime 0” configuration option can mitigate this vulnerability and the related CVE-2024-6387. Immediate action is recommended to reduce the risk of exploitation.
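An added example, not from the page or from OpenSSH, for auditing the LoginGraceTime mitigation in an sshd_config: it returns the value sshd would actually use, since sshd honours the first occurrence of a keyword and ignores later ones. The config fragments are constructed; the function does not follow Include directives.

```python
from typing import Optional

# Constructed sshd_config fragments, not taken from any real host.
CONFIG_MITIGATED = """
# Port 22
LoginGraceTime 0
PermitRootLogin no
"""
CONFIG_LATE_OVERRIDE = """
LoginGraceTime 2m
PermitRootLogin no
# appended later by an automation run; sshd ignores it because the first value wins
logingracetime=0
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _parse_seconds(value: str) -> Optional[int]:
    """sshd time values: plain seconds, or a number with an s/m/h/d/w suffix such as 2m."""
    v = value.strip().lower()
    if v.isdigit():
        return int(v)
    if v[:-1].isdigit() and v[-1] in _UNITS:
        return int(v[:-1]) * _UNITS[v[-1]]
    return None


def effective_login_grace_time(config_text: str) -> int:
    """Return the LoginGraceTime sshd would use (default 120 when unset).

    sshd keeps the first value it reads for a keyword and ignores later ones,
    keywords are case-insensitive, and "Keyword value" or "Keyword=value" are both
    accepted. Include directives are not followed here: check included files too.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            secs = _parse_seconds(parts[1])
            if secs is not None:
                return secs
    return 120


def grace_mitigation_applied(config_text: str) -> bool:
    """True when the grace alarm is disabled, so grace_alarm_handler() never fires."""
    return effective_login_grace_time(config_text) == 0
```

A value of 0 removes the timeout entirely, so unauthenticated connections can hold child slots until the MaxStartups limits apply; treat it as a stopgap until the package is updated.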

4. Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus

Microsoft has disclosed two security flaws in Rockwell Automation PanelView Plus, allowing remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition.

The vulnerabilities are:

  • CVE-2023-2071 (CVSS 9.8) – Improper input validation lets attackers achieve remote code execution via crafted malicious packets.
  • CVE-2023-29464 (CVSS 8.2) – Improper input validation lets attackers read memory data and cause a DoS by sending oversized packets.

These flaws impact FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior) and FactoryTalk Linx (versions 6.30, 6.20, and prior). Rockwell Automation released advisories in September and October 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued alerts. Additionally, unknown threat actors are exploiting a critical flaw in HTTP File Server (CVE-2024-23692, CVSS 9.8) to deliver malware like Xeno RAT and Gh0st RAT. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands via crafted HTTP requests.

5. RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

Researchers have discovered a vulnerability in the RADIUS network authentication protocol called BlastRADIUS, allowing attackers to conduct Man-in-the-Middle (MitM) attacks and bypass integrity checks. RADIUS, which provides centralized authentication, authorization, and accounting (AAA) management, relies on a hash derived from the MD5 algorithm, known to be cryptographically broken since 2008.

The flaw, CVE-2024-3596 (CVSS 9.0), enables attackers to modify Access-Request packets without detection, potentially forcing user authentication and granting unauthorized access. The vulnerability affects all RADIUS clients and servers, particularly PAP, CHAP, and MS-CHAPv2 authentication methods.
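The RFC 2865 Response Authenticator check that RADIUS clients run, written here as an added illustration (not from the page or from any RADIUS implementation): it shows why the MD5 check does not cover the request's attributes, and looks for the Message-Authenticator attribute (RFC 2869, type 80), which the item above does not mention but which is the HMAC-MD5 attribute that does cover them. Packets and the shared secret are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 HMAC-MD5 attribute; it does cover the attributes

def attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV: Type(1) Length(1, header included) Value."""
    return bytes([atype, 2 + len(value)]) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: only the request's 16-byte Authenticator enters the hash, never its attributes."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])

def has_message_authenticator(packet: bytes) -> bool:
    """Walk the attribute list for Message-Authenticator (type 80)."""
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            return False  # malformed length: treat as absent
        if atype == MESSAGE_AUTHENTICATOR:
            return True
        i += alen
    return False

def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Constructed exchange: one Reject verifies against two requests sharing ID and Request Authenticator."""
    req_auth = bytes(range(16))  # fixed for reproducibility; real ones are random
    req_a = build_packet(ACCESS_REQUEST, 7, req_auth, attr(1, b"alice"))
    req_b = build_packet(ACCESS_REQUEST, 7, req_auth, attr(1, b"bob"))
    reject = build_packet(ACCESS_REJECT, 7,
                          response_authenticator(ACCESS_REJECT, 7, req_auth, b"", secret), b"")
    return {"verifies_a": verify_response(reject, req_a, secret),
            "verifies_b": verify_response(reject, req_b, secret),
            "request_has_message_authenticator": has_message_authenticator(req_a)}
```

Whether Message-Authenticator is present and verified on both sides, rather than merely parsed, is the practical check to make; this code only reports its presence.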
