06/12/2024-06/19/2024 VMware Issues Patches, Google Warns of Pixel Firmware Security Flaw, Exploit for Veeam Recovery Orchestrator Auth Bypass And More.

1. VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware has released updates to fix critical flaws in Cloud Foundation, vCenter Server, and vSphere ESXi, which could lead to privilege escalation and remote code execution.

The vulnerabilities are:

• CVE-2024-37079 & CVE-2024-37080 (CVSS 9.8): Heap-overflow issues in the DCE/RPC protocol allowing remote code execution via crafted network packets.
• CVE-2024-37081 (CVSS 7.8): Local privilege escalation in vCenter due to sudo misconfiguration, enabling non-admin users to gain root access.

Previously, in October 2023, VMware patched CVE-2023-34048 (CVSS 9.8), another critical DCE/RPC flaw. These issues affect vCenter Server versions 7.0 and 8.0, patched in 7.0 U3r, 8.0 U1e, and 8.0 U2d. Users should promptly apply these patches despite no known active exploits.

2. Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google has warned of a zero-day security flaw in Pixel Firmware, CVE-2024-32896, being exploited in the wild. This high-severity vulnerability is an elevation of privilege issue.The company did not share any additional details related to the nature of attacks exploiting it, but noted “there are indications that CVE-2024-32896 may be under limited, targeted exploitation.”

The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Key patches address a Modem DoS issue and information disclosure flaws in GsmSs, ACPM, and Trusty. The update is available for Pixel 5a with 5G, Pixel 6 series, Pixel 7 series, Pixel 8 series, and Pixel Fold. GrapheneOS maintainers clarified that CVE-2024-32896 and CVE-2024-29748 concern the same vulnerability affecting all devices but mitigations are specific to Pixels. 

3. Exploit for Veeam Recovery Orchestrator Auth Bypass Available, Patch Now

A proof-of-concept (PoC) exploit for Veeam Recovery Orchestrator’s critical authentication bypass vulnerability, CVE-2024-29855, has been released by researcher Sina Kheirkhah. This vulnerability, rated 9.0 (critical) on the CVSS scale, impacts Veeam Recovery Orchestrator (VRO) versions 7.0.0.337, 7.1.0.205, and older.

The flaw allows unauthenticated attackers to log into the VRO web UI with admin privileges using a hardcoded JSON Web Token (JWT) secret, enabling them to generate valid tokens. Veeam recommends upgrading to versions 7.1.0.230 and 7.0.0.379 to mitigate the issue.

Kheirkhah’s post shows the vulnerability is easier to exploit than described by Veeam, bypassing some requirements like knowing the exact username and role. The public availability of this exploit heightens the risk, making prompt patching essential.

4. New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Cybersecurity researchers have identified a new malware campaign targeting exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads. The tools include a remote access utility for executing additional malware and propagating via SSH, according to a Datadog report.

This campaign shows similarities to the previous Spinning YARN activity, which targeted misconfigured services like Apache Hadoop YARN and Docker for cryptojacking. Attackers focus on Docker servers with open ports, starting with reconnaissance and privilege escalation.

Malware is delivered through a shell script named “vurl,” which includes other scripts such as “b.sh” and “ar.sh.” These scripts fetch further payloads, disable firewalls, and scan for vulnerable hosts. The campaign also uses Go-based binaries like “chkstart” to complicate analysis and facilitate remote access, and tools like “exeremo” for spreading infection and “fkoths” to erase traces of the malware.

06/05/2024-06/12/2024 New PHP Vulnerability, Microsoft Issues Patches for 51 Flaws, Hackers Target Python Developers And More.

1. New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

A critical security flaw, CVE-2024-4577, has been discovered in PHP on Windows, allowing remote code execution. This CGI argument injection vulnerability bypasses protections from CVE-2012-1823 due to an encoding conversion feature in Windows, as noted by DEVCORE’s Orange Tsai. A fix was released on May 7, 2024, in PHP versions 8.3.8, 8.2.20, and 8.1.29. DEVCORE warns that XAMPP installations using Traditional Chinese, Simplified Chinese, or Japanese locales are particularly vulnerable.

Administrators are advised to switch to more secure solutions like Mod-PHP, FastCGI, or PHP-FPM. Exploitation attempts have already been detected by the Shadowserver Foundation, highlighting the urgency for users to apply the latest patches quickly.
 

2. Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Microsoft’s June 2024 Patch Tuesday addressed 51 security flaws, including one Critical and 50 Important. Additionally, 17 vulnerabilities in the Chromium-based Edge browser were fixed.

None of these flaws have been actively exploited, but one, CVE-2023-50868 (CVSS 7.5), is publicly known. This denial-of-service issue, affecting DNSSEC validation, can cause CPU exhaustion on a DNSSEC-validating resolver. It was reported by researchers from ATHENE in February. The most critical flaw, CVE-2024-30080 (CVSS 9.8), affects the Microsoft Message Queuing (MSMQ) service and allows remote code execution via a specially crafted MSMQ packet.

Several other vulnerabilities, including those in Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and various Windows subsystems, were also addressed. Morphisec highlighted the Outlook flaw’s potential for exploitation without user interaction, posing a significant risk. In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities.
 

3. Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

The threat actor Commando Cat is exploiting insecure Docker instances to deploy cryptocurrency miners. Using the cmd.cat/chattr Docker image, the attackers download a payload from their command-and-control (C&C) server. First identified by Cado Security, these attacks target misconfigured Docker remote API servers, using the chroot command to break out of the container and access the host system. The miner binary is retrieved via curl or wget from a C&C server.

Trend Micro researchers highlighted the use of Docker images to evade security detection. Additionally, Akamai reported that old vulnerabilities in ThinkPHP applications (CVE-2018-20062, CVE-2019-9082) are being exploited by a Chinese-speaking threat actor to deploy a persistent web shell named Dama, capable of advanced system manipulation and data gathering.

4. Hackers Target Python Developers with Fake “Crytic-Compilers” Package on PyPI

Researchers found a malicious Python package on PyPI, named crytic-compilers, designed to deliver the Lumma information stealer. This typosquatted version of the legitimate crytic-compile package was downloaded 441 times before removal.

Sonatype’s Ax Sharma noted the counterfeit package mimicked the legitimate library’s versioning to appear genuine. While earlier versions installed the real package, the latest version targeted Windows systems to launch a malicious executable fetching Lumma Stealer, a malware-as-a-service (MaaS) tool. Additionally, over 300 WordPress sites were compromised with fake Google Chrome update pop-ups. Attackers used the legitimate Hustle plugin to display these pop-ups, which install information stealers and remote access trojans. This highlights a trend of hackers exploiting legitimate plugins to evade detection.

5. JetBrains Warns of IntelliJ IDE Bug Exposing GitHub Access Tokens

 JetBrains urges users to patch a critical vulnerability (CVE-2024-37051) in IntelliJ IDEs that exposes GitHub access tokens. The flaw, reported on May 29, 2024, affects all IntelliJ-based IDEs from version 2023.1 onwards with the GitHub plugin enabled. Malicious content in pull requests could exploit this flaw.

JetBrains has released updates for the affected versions and removed vulnerable plugin versions from its marketplace. Users are strongly advised to update to the latest versions and revoke GitHub tokens used by the plugin to prevent unauthorized access. The GitHub plugin may not work correctly in older IDE versions due to mitigation measures.

In February, JetBrains also disclosed a critical vulnerability in TeamCity On-Premises servers, highlighting the importance of timely updates.
 

6. Arm Warns of Actively Exploited Flaw in Mali GPU Kernel Drivers

Arm has issued a security bulletin about a use-after-free vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers, exploited in the wild. This flaw affects all versions from r34p0 to r40p0 and can lead to information disclosure and arbitrary code execution.

“A local non-privileged user can exploit GPU memory processing to access freed memory,” Arm explains. The vulnerability was fixed in version r41p0, released on November 24, 2022, with the latest driver version being r49p0. Arm advises users to upgrade if impacted. Due to the complex Android supply chain, patches may reach end users with delays. Some older devices might no longer receive updates, affecting various smartphones, tablets, Chromebooks, and embedded systems using Bifrost and Valhall GPUs.

05/30/2024-06/05/2024 RAT-Dropping npm Package, XSS Flaws In Multiple WordPress Plugins, Actively Exploited Linux Kernel Flaw And More.

1. Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

Cybersecurity researchers found a malicious package, glup-debugger-log, in the npm registry designed to deploy a remote access trojan (RAT) on compromised systems. Targeting users of the gulp toolkit, it has been downloaded 175 times. Phylum, a software supply chain security firm, discovered the package includes two obfuscated files: one acts as an initial dropper, compromising the target and downloading additional malware, while the other maintains persistent remote access.
The package’s “index.js” file runs another obfuscated file, “play.js,” which performs checks to ensure it’s on an active developer machine. If successful, “play-safe.js” sets up persistence and can execute arbitrary commands via an HTTP server. Phylum described the RAT as both crude and sophisticated, highlighting evolving malware tactics in open-source ecosystems.

2. Exploit For Critical Progress Telerik Auth Bypass Released, Patch Now

Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers. The exploit chains an authentication bypass (CVE-2024-4358) and a deserialization flaw (CVE-2024-1800). The bypass flaw allows admin account creation without checks and has a CVSS score of 9.8. The deserialization flaw, with a CVSS score of 8.8, enables remote code execution via specially crafted XML payloads. Both issues have been addressed in updates, and organizations are urged to upgrade to version 10.1.24.514 or later. Administrators should review user lists for unfamiliar accounts due to potential exploitation.

3. XSS Flaws In Multiple WordPress Plugins Exploited To Deploy Malware

Researchers uncovered malware attacks exploiting XSS vulnerabilities in WordPress plugins. Attackers leveraged known flaws in three plugins: WP Meta SEO (CVE-2023-6961), LiteSpeed Cache (CVE-2023-40000), and WP Statistics (CVE-2024-2194). These high-severity vulnerabilities allowed the injection of malicious scripts. Fastly’s security team observed JavaScript malware performing functions such as installing PHP backdoors, creating rogue admin accounts, and setting up tracking scripts. Despite patches being available, active exploitation indicates that many sites are not updated. WordPress admins must update plugins to the latest versions to protect against these threats.

4. Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models

Zyxel has issued updates to address critical flaws in two end-of-life NAS devices. Three of the five vulnerabilities could allow unauthenticated attackers to execute OS commands and arbitrary code.

Affected models include NAS326 (versions V5.21(AAZF.16)C0 and earlier) and NAS542 (versions V5.21(ABAG.13)C0 and earlier). These issues are fixed in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0.

The flaws include:

• CVE-2024-29972: Command injection in “remote_help-cgi” via crafted HTTP POST.
• CVE-2024-29973: Command injection via the ‘setCookie’ parameter.
• CVE-2024-29974: Remote code execution via “file_upload-cgi” with a crafted file.
• CVE-2024-29975: Privilege management issue allowing root command execution.
  CVE-2024-29976: Privilege management issue leaking session information.

Outpost24’s Timothy Hjort reported these flaws. Users should update to the latest versions for protection.

5. CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

(CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This high-severity issue, with a CVSS score of 7.8, involves a use-after-free bug in the netfilter component, allowing local attackers to escalate privileges to root. Also added to the KEV catalog is a newly disclosed security flaw impacting Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5) that allows an attacker to read sensitive information on Internet-connected Gateways with remote access VPN or mobile access enabled.

In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 20, 2024, to protect their networks against potential threats.