
Programmer’s Digest #96

08/15/2024-08/21/2024 GitHub Vulnerability ‘ArtiPACKED’, Jenkins RCE Bug, PHP Vulnerability And More

1. GitHub Vulnerability ‘ArtiPACKED’ Exposes Repositories to Potential Takeover

A newly discovered attack vector in GitHub Actions artifacts, dubbed ArtiPACKED, could be exploited to take over repositories and gain access to organizations’ cloud environments. A combination of misconfigurations and security flaws can make artifacts leak tokens, both third-party cloud service tokens and GitHub tokens, making them available to anyone with read access to the repository. Malicious actors with access to these artifacts could then compromise the services to which these secrets grant access. The cybersecurity company said it primarily observed the leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could not only give malicious actors unauthorized access to the repositories, but also grant them the ability to poison the source code and get it pushed to production via CI/CD workflows. GitHub has labeled the issue as informational, urging users to secure their artifacts. Open-source projects from AWS, Google, Microsoft, Red Hat, and Ubuntu are among those affected.
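As an added illustration of the leak pattern described above (not code from the digest or from the researchers), the script below scans an unpacked artifact directory for GitHub token strings and for the basic-auth `extraheader` that actions/checkout writes into `.git/config`. The token prefixes and the `.git/config` format are taken from GitHub’s documented behaviour; the sample artifact tree it builds is constructed for the demo.

```python
"""Scan an extracted GitHub Actions artifact for leaked GitHub tokens (added example)."""
import base64
import os
import re
import tempfile

# Token shapes: classic/fine-grained PATs, OAuth tokens, and the per-job GITHUB_TOKEN (ghs_ prefix).
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
# actions/checkout persists the job token in .git/config as a basic-auth extraheader;
# uploading the whole workspace as an artifact ships that file with it.
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)

def scan_text(relpath, text):
    """Return (path, kind, redacted_hint) findings for one file's contents."""
    findings = [(relpath, "token", m.group(0)[:8] + "...") for m in TOKEN_RE.finditer(text)]
    for m in EXTRAHEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1)).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith("x-access-token:"):        # checkout's credential format
            findings.append((relpath, "git-extraheader", "x-access-token:..."))
    return findings

def scan_artifact(root):
    """Walk an unpacked artifact directory and collect every leaked-credential finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return findings

def build_sample_artifact():
    """Constructed sample: a workspace upload that swept in .git/config and an env dump."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    cred = base64.b64encode(("x-access-token:ghs_" + "A" * 36).encode()).decode()
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write('[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + cred + "\n")
    with open(os.path.join(root, "build.log"), "w") as fh:
        fh.write("compiled ok\nGITHUB_TOKEN=ghs_" + "B" * 36 + "\n")
    return root

if __name__ == "__main__":
    for relpath, kind, hint in scan_artifact(build_sample_artifact()):
        print(f"{relpath}: {kind} ({hint})")
```

Running it against a real artifact is a cheap pre-upload check; both findings it reports here point at the two fixes GitHub recommends: narrow the uploaded paths and avoid persisting credentials in the checkout.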

2. CISA Warns Of Jenkins RCE Bug Exploited In Ransomware Attacks

CISA has added a critical Jenkins vulnerability, CVE-2024-23897, to its list of actively exploited security issues. This flaw, affecting Jenkins automation servers, allows unauthenticated attackers to read arbitrary files on the Jenkins controller through the args4j command parser, which processes file paths in arguments by default. Exploits for this vulnerability were published shortly after security updates in January, with attack attempts observed soon after. Shadowserver reports over 28,000 exposed Jenkins instances, with significant numbers in China and the U.S. Trend Micro notes exploitation began in March, and recent attacks include ransomware incidents by the RansomEXX gang, impacting Indian banks. CISA’s addition of CVE-2024-23897 to its Known Exploited Vulnerabilities catalog warns of ongoing exploitation and urges all organizations to address the flaw, especially federal agencies with a September 9 deadline to secure their Jenkins servers.

3. Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A new backdoor named Msupedge has been discovered in an attack against a university in Taiwan. This backdoor communicates with its command-and-control (C&C) server using DNS traffic, leveraging a method based on the open-source dnscat2 tool. The backdoor, identified as a DLL installed in specific system paths, was likely deployed via the exploitation of a critical PHP vulnerability (CVE-2024-4577) with a CVSS score of 9.8. Msupedge uses DNS tunneling to receive commands and executes actions based on the resolved IP address of the C&C server.

Commands supported by Msupedge include creating processes, downloading files, and managing temporary files. Additionally, the UTG-Q-010 threat group is linked to a phishing campaign distributing the Pupy RAT, which uses malicious .lnk files to load and execute malware.
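The DNS tunnelling behaviour attributed to Msupedge above is detectable from resolver logs alone. The detector below is an added example (not from the digest or any vendor report): it groups queries by client and apex domain and flags the combination dnscat2-style traffic produces, namely many queries whose subdomains are almost all unique, long and high-entropy. The log format, client addresses and `tunnel-placeholder.test` apex are constructed for the demo.

```python
"""Flag DNS-tunnelling candidates (dnscat2-style hex subdomains) in query logs."""
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character; hex-encoded tunnel chunks sit near 4.0, real hostnames far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Naive split into (subdomain, apex) using the last two labels as the apex."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnels(lines, min_queries=5, min_sub_len=30, min_entropy=3.5):
    """Group by (client, apex); flag high-volume, mostly-unique, long, high-entropy subdomains."""
    stats = defaultdict(lambda: {"n": 0, "uniq": set(), "ent": 0.0, "len": 0})
    for line in lines:
        _ts, client, qname, _qtype = line.split()          # constructed log format
        sub, apex = split_name(qname)
        s = stats[(client, apex)]
        s["n"] += 1
        s["uniq"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
    flagged = []
    for (client, apex), s in stats.items():
        n = s["n"]
        if (n >= min_queries and len(s["uniq"]) / n > 0.9
                and s["len"] / n >= min_sub_len and s["ent"] / n >= min_entropy):
            flagged.append((client, apex, n))
    return sorted(flagged)

# Constructed sample: ordinary lookups from 10.0.0.5, dnscat2-like hex chunks from 10.0.0.7.
HEXBLOCK = "0123456789abcdef" * 2
SAMPLE_LOG = [f"1723700000 10.0.0.5 {h}.example.com A"
              for h in ("www", "mail", "www", "api", "www", "www")]
SAMPLE_LOG += [f"1723700{i:03d} 10.0.0.7 {HEXBLOCK}.{i:02x}.tunnel-placeholder.test TXT"
               for i in range(8)]

if __name__ == "__main__":
    for client, apex, n in find_tunnels(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> {apex} ({n} queries)")
```

The thresholds are starting points; tune them against a baseline of your own resolver traffic, and treat CDN and anti-spam lookups (long but low-entropy, repetitive labels) as the main false-positive source.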

4. SolarWinds Urges an Immediate Update to Fix a Critical Web Help Desk Vulnerability

SolarWinds has released patches to fix a critical security vulnerability in its Web Help Desk software, identified as CVE-2024-28986. This flaw involves a Java deserialization issue that could permit an attacker to run commands on a compromised host machine. The company has issued a hotfix and urges users to install it immediately.

Initial reports indicated that the vulnerability could be exploited without authentication. However, SolarWinds’ extensive testing has not confirmed this claim.

The vulnerability affects all versions of Web Help Desk up to and including version 12.8.3, and is resolved in version 12.8.3 HF 1. SolarWinds advises all WHD customers to upgrade to the latest version, recommends revoking secrets, passwords, and tokens configured in PAN-OS firewalls after the upgrade, and recommends creating backup copies of the original files before applying the hotfix to avoid potential issues.

5. Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites

A severe flaw in the GiveWP WordPress donation plugin, affecting over 100,000 sites, has been uncovered. This unauthenticated PHP Object Injection vulnerability (CVE-2024-5932) allows remote code execution, rated a critical 10.0 on the CVSS scale. Discovered by researcher villu164 and reported through Wordfence on May 26, 2024, the flaw impacts all versions up to 3.14.1. It allows unauthenticated attackers to inject malicious PHP objects through the ‘give_title’ parameter, potentially leading to remote code execution and arbitrary file deletion. The vulnerability stems from improper input sanitization in the donation form processing function. Attackers can exploit this flaw to inject serialized PHP objects, which are then unserialized during payment processing. A PHP POP chain present in the plugin allows for the execution of arbitrary code and file deletion. A patched version has been released. Site administrators must update to version 3.14.2 immediately to avoid severe security risks.