
how human behavior affects security

Programmer’s Digest #81

04/24/2024-05/02/2024 Judge0 Sandbox Vulnerabilities, New R Programming Vulnerability, GitLab Password Reset Vulnerability And More.

1. Judge0 Sandbox Vulnerabilities Expose Systems to Takeover Risk

Judge0, an open-source code execution service, faces critical vulnerabilities (CVE-2024-29021, CVE-2024-28185, and CVE-2024-28189) discovered by Tanto Security, potentially leading to system takeover. These flaws allow attackers to escape sandboxes and gain root access. Organizations, including educational institutions and recruitment firms, heavily rely on Judge0 for secure code execution, especially in competitive programming. Tanto Security found weaknesses in Judge0’s isolate binary, which runs in privileged mode like Docker containers, posing risks of unauthorized system access. Vulnerabilities in user-submitted code processing and in the interaction between components were identified, indicating potential system compromise. Despite initial patches, subsequent bypasses were found, highlighting persistent vulnerabilities.

2. New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

A critical flaw in the R programming language (CVE-2024-27322, CVSS score: 8.8) enables threat actors to execute code by crafting malicious RDS (R Data Serialization) files. HiddenLayer reported that the root cause is R’s lazy evaluation, which is implemented with promise objects. RDS, similar to Python’s pickle, serializes data structures and is used in R for saving and loading data and packages. Version 4.4.0, released on April 24, 2024, mitigates the issue. Attackers can exploit this flaw through specially crafted R packages, leading to supply chain attacks. The flaw is detailed in an advisory by CERT/CC, which warns of potential exploitation through malicious RDS or .rdx files and emphasizes the risk in projects that call readRDS on untrusted files.

3. CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

CISA has flagged a critical flaw in GitLab, designated CVE-2023-7028, due to ongoing exploitation. This vulnerability, with a severity score of 10.0, allows account takeover by sending password reset emails to unverified addresses. GitLab disclosed the issue in January, linking it to a code change in version 16.1.0 from May 1, 2023. All authentication methods within the affected versions are impacted, posing significant risks such as data theft and source code manipulation. Mitiga warns of potential supply chain attacks if malicious code is injected into CI/CD pipelines. GitLab has released patches in versions 16.5.6, 16.6.4, and 16.7.2, and has backported fixes to older versions. CISA urges federal agencies to apply these updates by May 22, 2024, to safeguard their systems. No further details on real-world exploits have been provided by CISA yet.

4. Enhancing Software Supply Chain Security through GitHub’s 2FA Implementation

GitHub has enforced mandatory two-factor authentication (2FA) for code contributors, significantly boosting security in the software supply chain. This initiative has driven widespread adoption of 2FA among developers, prompting GitHub to encourage other organizations to follow suit. The platform has seen a notable increase in 2FA usage, particularly among users with critical roles in the software supply chain. The move to mandatory 2FA has not only enhanced security but also promoted the adoption of more robust 2FA methods, such as passkeys, over less secure options like SMS. Leading organizations like RubyGems, PyPI, and AWS have joined in, elevating software supply chain security standards. GitHub’s 2FA implementation has reduced reliance on SMS, mitigating vulnerabilities like SIM swapping. Users now frequently configure multiple 2FA methods, adding an extra layer of protection and decreasing related support tickets.

5. Bogus npm Packages Used to Trick Software Developers into Installing Malware

A social engineering campaign dubbed DEV#POPPER is targeting software developers, deceiving them with fake job interviews to download a Python backdoor via bogus npm packages. Securonix attributes this activity to North Korean threat actors. The scheme involves luring developers to run seemingly legitimate software from GitHub, containing malicious payloads compromising their systems. Initially flagged by Palo Alto Networks Unit 42 as Contagious Interview, the campaign evolved to distribute malware like BeaverTail and InvisibleFerret. Phylum discovered similar malicious npm packages on the registry, aiming to extract sensitive data. The attack chain starts with a ZIP archive on GitHub, containing a seemingly harmless npm module harboring a JavaScript file (BeaverTail) and a Python backdoor (InvisibleFerret).

6. Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has issued guidance for fixing a critical security flaw, CVE-2024-3400, affecting PAN-OS. This flaw allows unauthenticated remote shell command execution on vulnerable devices and has been actively exploited since at least March 26, 2024, by a threat cluster known as UTA0218 in Operation MidnightEclipse.
Palo Alto Networks recommends different remediation steps based on the level of compromise:

  • Level 0 Probe: Update to the latest hotfix.
  • Level 1 Test: Update to the latest hotfix.
  • Level 2 Potential Exfiltration: Update to the latest hotfix and perform a Private Data Reset.
  • Level 3 Interactive access: Update to the latest hotfix and perform a Factory Reset.

Palo Alto Networks updated its advisory on April 29, 2024, acknowledging proof-of-concept post-exploit persistence techniques. Fixes and Threat Prevention signatures are recommended to prevent further exploitation.

Programmer’s Digest #80

04/17/2024-04/24/2024 Details on Critical PAN-OS Flaw, Vulnerability for PHP (CVE-2024-2961), Critical Atlassian Flaw Exploited And More.

1. Apache Cordova App Harness Targeted in Dependency Confusion Attack

A dependency confusion vulnerability affects Cordova App Harness, an archived Apache project. By exploiting how package managers resolve names, attackers can publish a package with the same name as a private one to a public repository and have it installed in its place. This exposes downstream users to risks. Despite npm’s fixes, Cordova App Harness lacks proper dependency references. Legit Security demonstrated this flaw, highlighting the risk. Apache addressed the issue by taking control of the package. The incident underscores the importance of monitoring third-party dependencies, especially in archived projects. Security researcher Ofek Haviv emphasizes the need for vigilance, as such projects often harbor unfixed vulnerabilities. Organizations should register placeholder packages under their private package names on public registries to mitigate such attacks.
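A check for the dependency confusion condition described above, as an added example (not code from Apache, Legit Security or the Cordova project): it parses a package.json and .npmrc and flags private package names whose lookup would reach the public npm registry. The package.json, the .npmrc and the list of private names are constructed for the example.

```python
import json
import re

# Constructed sample inputs, not taken from any real project.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "left-pad": "^1.3.0",
    "internal-utils": "^2.1.0",
    "@acme/auth-client": "^0.4.2",
    "@legacy/widget": "^3.0.0"
  },
  "devDependencies": {
    "build-helper": "file:./tools/build-helper"
  }
}"""
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""
# Names the organisation publishes only to its private registry (assumed input).
PRIVATE_PACKAGES = {"internal-utils", "@acme/auth-client",
                    "@legacy/widget", "build-helper"}

def scoped_registries(npmrc: str) -> set:
    """Scopes such as '@acme' that .npmrc pins to a specific registry."""
    return set(re.findall(r"^(@[^:\s]+):registry=", npmrc, flags=re.M))

def confusable_deps(package_json: str, npmrc: str, private: set) -> list:
    """Private dependency names that npm would resolve via the public registry:
    unscoped names, or scoped names whose scope has no '@scope:registry=' line.
    Local and URL specs never consult a registry and are skipped."""
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    pinned = scoped_registries(npmrc)
    flagged = []
    for name, spec in deps.items():
        if name not in private:
            continue
        if spec.startswith(("file:", "link:", "git+", "http://", "https://")):
            continue
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope is None or scope not in pinned:
            flagged.append(name)
    return sorted(flagged)
```

Every name the function returns is one an attacker could claim on the public registry; either pin its scope in .npmrc or publish a placeholder under that name.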

2. Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Palo Alto Networks disclosed a critical security flaw, CVE-2024-3400, in PAN-OS software versions 10.2, 11.0, and 11.1. This flaw allows attackers to execute remote shell commands. The exploit involves two bugs: one allowing storage of files with chosen filenames and another trusting those filenames as system-generated commands. Threat actor UTA0218 has exploited this flaw in Operation MidnightEclipse, deploying commands and tools like GOST. Recent findings by Bishop Fox revealed that device telemetry is not required for exploitation. Palo Alto Networks has issued patches for affected versions. Users should apply these fixes promptly due to active exploitation and the availability of exploit code. The U.S. CISA has listed the flaw as a Known Exploited Vulnerability, mandating federal agencies to secure their devices by April 19, 2024.
 

3. Mitigating the Iconv Vulnerability for PHP (CVE-2024-2961)

Recently, CVE-2024-2961 was released, which identifies a buffer overflow vulnerability in GNU libc versions < 2.39 when converting charsets to certain Chinese Extended encodings. This vulnerability affects PHP when iconv is used to translate request encodings to or from the affected charsets, and its reach is potentially wide (e.g. the latest wordpress:apache image ships iconv with the vulnerable charsets enabled). Obviously, the best mitigation is to update to a patched version of glibc. However, if you are unable to (or a fix is not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv. Detailed information on how to check for and mitigate this issue at the OS level can be found in the link mentioned above.
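The gconv-level mitigation described above, as an added example not taken from the digest, the CVE advisory or any distribution: it comments out the alias and module lines for the affected converter in a copy of gconv-modules and reports which converters remain active. It assumes the converter is ISO-2022-CN-EXT (the one named in CVE-2024-2961; the digest itself does not name it) and the sample file content is constructed.

```python
# Converter named in CVE-2024-2961 (assumed from the advisory; not named in the digest).
AFFECTED = ["ISO-2022-CN-EXT"]

# Constructed excerpt in glibc's gconv-modules layout, not copied from a real system:
#   alias  <from>  <to>
#   module <from>  <to>  <shared object>  <cost>
SAMPLE_GCONV_MODULES = """\
#       from                    to                      module          cost
alias   ISO2022CN//             ISO-2022-CN//
module  ISO-2022-CN//           INTERNAL                ISO-2022-CN     1
module  INTERNAL                ISO-2022-CN//           ISO-2022-CN     1

alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
"""

def _mentions(line: str, charset: str) -> bool:
    """True when an alias/module line refers to charset as an exact token,
    so ISO-2022-CN is left alone when ISO-2022-CN-EXT is the target."""
    fields = line.split()
    if not fields or fields[0] not in ("alias", "module"):
        return False
    names = {f.rstrip("/") for f in fields[1:]}
    return charset in names or charset.replace("-", "") in names

def disable_charsets(text: str, charsets=AFFECTED) -> tuple:
    """Comment out every active line for the given charsets.
    Returns (edited text, number of lines disabled); safe to re-run."""
    out, count = [], 0
    for line in text.splitlines():
        if not line.startswith("#") and any(_mentions(line, c) for c in charsets):
            out.append("# disabled for CVE-2024-2961: " + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count

def enabled_charsets(text: str) -> set:
    """Shared objects still referenced by an active 'module' line; use this
    to confirm the edit before rebuilding the gconv cache with iconvconfig."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "module" and len(fields) >= 4:
            found.add(fields[3])
    return found
```

Apply it to the real file (for example /usr/lib/x86_64-linux-gnu/gconv/gconv-modules on Debian-based systems, plus any files under gconv-modules.d/), then run iconvconfig so the gconv cache reflects the change.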

4. Recent Rust Security Advisory: CVE-2024-24576

The Rust Security Response WG announced CVE-2024-24576, which affects the Rust Standard Library on Windows. Some Tauri organization repositories use batch files (cmd.exe under the hood) for developer environment tooling such as build scripts. No reviewed repositories use batch files for runtime code. Your Tauri app might be affected if it meets specific criteria, such as using the Tauri v1 shell feature with certain configurations. Custom commands that expose Rust’s Command with runtime-supplied arguments could also be at risk. Please upgrade your Rust version to 1.77.2 as soon as possible and distribute updates to your users.
 

5. Linux Cerber Ransomware Variant Exploits Atlassian Servers

Threat actors exploit unpatched Atlassian servers, deploying Cerber ransomware, aka C3RB3R, targeting CVE-2023-22518 in Atlassian Confluence. This critical flaw allows unauthorized access to reset Confluence and create admin accounts, granting control over systems. Financially motivated groups install the Effluence web shell plugin for arbitrary command execution. The ransomware, written in C++, carries additional harmful software fetched from attackers’ servers. After encryption, it self-removes, leaving behind components for permission checks and file encryption. Despite what the ransom notes claim, no data exfiltration occurs. The use of a C++ payload stands out at a time when ransomware authors are shifting to other languages. Cerber’s sophistication is noted, but encryption limited to Confluence data reduces victims’ incentive to pay. New ransomware variants target Windows and VMware ESXi, emphasizing the need for robust security measures and a strong cybersecurity culture.

Programmer’s Digest #79

04/10/2024-04/17/2024 Potential JavaScript Project Takeover Attempt, Java G1 fix would speed JIT compilation, Hackers Exploit Fortinet Flaw And More.

1. OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have discovered a credible takeover attempt on the OpenJS Foundation, reminiscent of a recent incident involving the XZ Utils project. The OpenJS Foundation and Open Source Security Foundation (OpenSSF) issued a joint alert after receiving suspicious emails urging updates to JavaScript projects without specifics. The emails also sought to designate new maintainers without prior involvement. While no privileged access was granted, the incident echoes the XZ Utils case, where fictitious personas aimed to make Jia Tan a co-maintainer through social engineering. This suggests a broader campaign to undermine project security. The sophistication of these attacks underscores the vulnerability of open-source projects, as highlighted by CISA. CISA urges technology manufacturers to support maintainers, audit source code periodically, and implement secure design principles to mitigate such risks.

2. Java G1 fix would speed JIT compilation

A proposed change to Java’s G1 garbage collector aims to enhance Java’s C2 optimizing JIT compiler, particularly benefiting cloud deployments. The proposal simplifies G1’s barrier implementation by delaying barrier expansion until late in the C2 JIT compilation pipeline. This adjustment responds to the growing demand for minimizing JVM overhead in cloud-based Java deployments. Objectives include reducing C2 execution time with G1, enhancing comprehensibility for HotSpot developers, and maintaining code quality. Notably, the proposal does not aim to retain G1’s early barrier expansion as a legacy mode. Instead, it prioritizes transparency in the transition to late barrier expansion. Initial experiments show early barrier expansion increases C2 overhead by 10% to 20%, emphasizing the need to reduce such overhead for Java’s cloud suitability. Moreover, decoupling G1 barrier instrumentation from C2 internals can further optimize GC overhead through algorithmic enhancements and micro-optimizations. Lastly, the proposal suggests expanding G1 barriers as late as possible in C2’s compilation pipeline to maintain code quality.

3. Invision Community Vulnerabilities Risk E-Commerce Websites

Invision Community software has been found vulnerable, risking websites including major brands like Evernote, Sony, Corsair, Mattel, LEGO, and more. Researcher Egidio Romano uncovered a blind SQL injection flaw in Invision Community software, present for five years since version 4.4.0. This flaw (CVE-2024-30163) allowed unauthorized access to the AdminCP, enabling password resets and remote code execution. Version 4.7.16 patched this flaw. However, another vulnerability (CVE-2024-30162) persists, affecting even the latest version, 4.7.16. This flaw enables arbitrary PHP code execution via ZIP file uploads, requiring “toolbar_manage” permission. Romano has a track record of discovering such vulnerabilities, previously revealing critical flaws in phpFox. Vendors often take time to address these issues.

4. Quarkus 3.2.12.Final released – Maintenance LTS release

Quarkus 3.2.12.Final, the eleventh maintenance release of the 3.2 LTS release train, has been released.
This release includes the following security-related fixes:

  • CVE-2024-2700 io.quarkus/quarkus-core: Leak of local configuration properties into Quarkus applications;
  • CVE-2024-29025 io.netty/netty-codec-http: Allocation of Resources Without Limits or Throttling;
  • CVE-2023-51775 org.bitbucket.b_c/jose4j: DoS attack via specifically crafted JWE.

The upgrade from 3.2.11.Final to the latest release is safe. However, be aware that fixing CVE-2024-2700 alters how configuration options are recorded during build. Properties from local sources (like environment variables, system properties, Maven and Gradle project properties) won’t override default values of runtime configuration properties. This prevents local environment values from leaking into production builds.

5. Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

Cybersecurity researchers have found a new cyber campaign exploiting a recent security flaw (CVE-2023-48788, CVSS score: 9.3) in Fortinet FortiClient EMS devices. The flaw enables attackers to execute unauthorized code via crafted requests. Forescout named the campaign Connect:fun due to its use of ScreenConnect and Powerfun post-exploitation. The intrusion targeted an unnamed media company whose vulnerable device was exposed to the internet after a proof-of-concept exploit release on March 21, 2024. The attacker attempted to download ScreenConnect unsuccessfully but succeeded in installing it via the msiexec utility on March 25, alongside initiating a reverse connection with a PowerShell script. The attacker also used SQL statements to download ScreenConnect from “ursketz[.]com” and establish connections with a command-and-control server. The campaign appears to be manually operated, targeting specific environments with VPN appliances.

6. Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has released urgent hotfixes for a critical vulnerability (CVE-2024-3400, CVSS score: 10.0) in PAN-OS software actively exploited in the wild. The flaw, a command injection in GlobalProtect, allows attackers to execute code with root privileges. Fixes are available for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, with more patches expected soon. The vulnerability affects firewalls configured with GlobalProtect and device telemetry enabled. Cloud NGFW firewalls are unaffected, but certain PAN-OS versions in cloud-deployed firewalls are vulnerable. Palo Alto Networks Unit 42 is tracking the exploitation under “Operation MidnightEclipse.” Attackers have leveraged the flaw since at least March 26, 2024, deploying a Python-based backdoor called UPSTYLE. Users are urged to apply patches and monitor for signs of compromise using provided CLI commands.
