
how human behavior affects security


Programmer’s Digest #78

04/03/2024-04/10/2024 New HTTP/2 Vulnerability, Ivanti Rushes Patches for 4 New Flaws, Critical ‘BatBadBut’ Rust Vulnerability And More.

1. New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

New research reveals a vulnerability in the HTTP/2 protocol’s CONTINUATION frame, dubbed HTTP/2 CONTINUATION Flood. Security expert Bartek Nowotarski reported the issue to CERT/CC on January 25, 2024. Many HTTP/2 implementations lack proper limits on CONTINUATION frames within a single stream, enabling attackers to flood servers with frames, leading to denial-of-service (DoS) attacks. These frames overwhelm server memory, causing crashes or performance degradation. Unlike HTTP/1, HTTP/2 transmits a header block as a HEADERS frame followed by CONTINUATION frames. Exploiting this vulnerability, an attacker can send an endless sequence of header frames, exhausting server resources. Nowotarski warns that this attack is more severe than the Rapid Reset attack: it does not show up in access logs and directly impacts server availability. Incorrect handling of CONTINUATION frames poses significant security risks, potentially leading to crashes, memory exhaustion, or CPU overload, as outlined in RFC 9113.
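The defect described above is the absence of a limit while a header block is still being received. The following is an added example, not code from the digest or from Nowotarski’s research: a simplified HTTP/2 frame reader that buffers HEADERS/CONTINUATION fragments per stream and refuses to keep buffering once a cap on total header bytes or on the number of CONTINUATION frames is exceeded. The cap values, the `HeaderFloodError` type and the sample byte strings are all constructed for the illustration; HPACK decoding, padding and the no-interleaving rule are left out.

```python
"""Bounded buffering of HTTP/2 header blocks (added example, not the digest's code).

Parses the 9-byte frame header from RFC 9113, collects the HEADERS and
CONTINUATION fragments of a stream, and stops buffering once a cap on total
header bytes or on the number of CONTINUATION frames is exceeded.  The cap
values are assumed for illustration; HPACK decoding and padding are out of scope.
"""
import struct

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

MAX_HEADER_BLOCK_BYTES = 16 * 1024  # assumed cap on one buffered header block
MAX_CONTINUATION_FRAMES = 32        # assumed cap on CONTINUATION frames per block


class HeaderFloodError(Exception):
    """Raised when a peer keeps sending header fragments past the configured caps."""


def build_frame(frame_type, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([frame_type, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        frame_type, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield frame_type, flags, stream_id, payload
        pos += 9 + length


def collect_header_blocks(data, max_bytes=MAX_HEADER_BLOCK_BYTES,
                          max_frames=MAX_CONTINUATION_FRAMES):
    """Return {stream_id: header_block} for completed blocks; raise on a flood.

    A HEADERS frame opens a block and CONTINUATION frames on the same stream
    extend it until one carries END_HEADERS.  Both caps are checked on every
    fragment, so memory use is bounded by the receiver, not by the sender.
    """
    pending = {}    # stream_id -> [buffer, continuation_count]
    completed = {}
    for frame_type, flags, stream_id, payload in iter_frames(data):
        if frame_type == FRAME_HEADERS:
            if stream_id in pending:
                raise ValueError("HEADERS while a header block is still open")
            state = pending[stream_id] = [bytearray(payload), 0]
        elif frame_type == FRAME_CONTINUATION:
            if stream_id not in pending:
                raise ValueError("CONTINUATION without an open header block")
            state = pending[stream_id]
            state[0] += payload
            state[1] += 1
        else:
            continue  # other frame types play no part in header accounting
        buf, count = state
        if len(buf) > max_bytes or count > max_frames:
            del pending[stream_id]
            raise HeaderFloodError(
                f"stream {stream_id}: {len(buf)} header bytes in {count} CONTINUATION frames")
        if flags & FLAG_END_HEADERS:
            del pending[stream_id]
            completed[stream_id] = bytes(buf)
    return completed


def rejects(data):
    """True if the byte string trips the caps, False if every header block completes."""
    try:
        collect_header_blocks(data)
    except HeaderFloodError:
        return True
    return False


def benign_request():
    """Constructed sample: one HEADERS frame plus two small CONTINUATION frames."""
    return (build_frame(FRAME_HEADERS, 0, 1, b"\x82\x86")
            + build_frame(FRAME_CONTINUATION, 0, 1, b"\x84")
            + build_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x41\x0a"))


def continuation_flood(frames=1000, chunk=1024):
    """Constructed sample: a header block that never ends, the shape described above."""
    data = build_frame(FRAME_HEADERS, 0, 3, b"\x82")
    for _ in range(frames):
        data += build_frame(FRAME_CONTINUATION, 0, 3, b"\x00" * chunk)
    return data


if __name__ == "__main__":
    print("benign:", collect_header_blocks(benign_request()))
    print("flood rejected:", rejects(continuation_flood()))
```

The check runs on every fragment rather than when END_HEADERS finally arrives, which is the whole point: a receiver that only validates a completed block has already spent unbounded memory on a block that never completes. The byte cap plays the role of the size a server advertises with SETTINGS_MAX_HEADER_LIST_SIZE, but enforced locally during reception instead of trusted to the peer.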

2. Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

Ivanti has issued security updates for Connect Secure and Policy Secure Gateways, addressing four flaws that could lead to code execution and denial-of-service (DoS) attacks.
The flaws include heap overflow (CVE-2024-21894, CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion (CVE-2024-22023) vulnerabilities. These affect various components of the mentioned products, potentially allowing unauthenticated attackers to crash services or execute arbitrary code.
Ivanti recently patched critical vulnerabilities in Standalone Sentry (CVE-2023-41724) and on-premises Neurons for ITSM (CVE-2023-46808), highlighting ongoing security concerns. CEO Jeff Abbott acknowledged the challenges, emphasizing Ivanti’s commitment to enhancing security measures. 

3. Critical ‘BatBadBut’ Rust Vulnerability Exposes Windows Systems to Attacks

A critical security flaw in Rust’s standard library (CVE-2024-24576, CVSS score: 10.0) allows command injection attacks on Windows systems when batch files are invoked with untrusted arguments. The vulnerability arises from improper argument escaping when batch files are invoked through Rust’s Command API. Exploiting this flaw, an attacker can execute arbitrary shell commands. This issue affects Rust versions prior to 1.77.2. Security researcher RyotaK discovered and reported the bug to CERT/CC, naming it BatBadBut. The flaw impacts multiple programming languages that use similar mechanisms. Developers are advised to exercise caution and avoid executing commands from directories included in the PATH environment variable to mitigate risks.

4. Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

Threat actors are targeting around 92,000 internet-exposed D-Link NAS devices, exploiting CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3). These affect legacy D-Link products, now end-of-life (EoL). D-Link advises replacement as it won’t issue patches. Exploitation could lead to arbitrary command execution, granting access to sensitive data or enabling DoS attacks. Attackers use these flaws to distribute the Mirai botnet malware, potentially hijacking D-Link devices remotely. Shadowserver Foundation recommends firewalling remote access or taking devices offline until a fix is available.
Palo Alto Networks Unit 42 warns of increasing malware-initiated scanning attacks on network devices, underlining the evolving threat landscape.

5. OAuth 2.0 flows explained in GIFs

OAuth (Open Authorization) enables third-party websites or apps to access a user’s data without requiring the user to share their credentials. It is a set of rules that makes access delegation possible: the user authorizes which resources an app may access, and access is limited accordingly.
A post on dev.to covers all OAuth 2.0 flows using GIFs that are simple and easy to understand. It can also serve as a cheat sheet for future reference.

9 mo   digest   programmers'

Programmer’s Digest #77

03/27/2024-04/03/2024 Flaw Found in Popular LayerSlider WordPress Plugin, Malicious Code in XZ Utils for Linux Systems, PyPI Halts Sign-Ups Amid Surge And More.

1. Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, rated 9.8/10 on the CVSS scale, allows attackers to extract sensitive data via SQL injection in versions 7.9.11 through 7.10.0. The issue is patched in version 7.10.1, released on March 27, 2024. LayerSlider, a popular web content editor and design tool, has millions of users worldwide. The vulnerability arises from insufficient parameter escaping, enabling attackers to append SQL to the plugin’s queries. Meanwhile, the WP-Members Membership Plugin was affected by an unauthenticated stored XSS flaw (CVE-2024-1852, CVSS score: 7.2), now fixed in version 3.4.9.3. This flaw allows attackers to inject malicious scripts, potentially leading to account creation, redirection, and other attacks if executed within an administrator’s session.
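The root cause named above, a request parameter spliced into the statement text with insufficient escaping, is independent of WordPress. As an added example (not LayerSlider’s PHP and not from the advisory), the pattern and its fix side by side in Python with an in-memory sqlite3 table: the table, rows and the odd input value are constructed for the demonstration.

```python
"""String-built vs parameterised SQL, as an added example (not LayerSlider's code).

The table, rows and input are constructed in-memory with sqlite3 so it runs
offline.  When a parameter is formatted into the statement text, the database
cannot tell data from syntax, so a value can change what the query asks for.
With a bound parameter the value is only ever compared, never parsed.
"""
import sqlite3


def make_db():
    """Constructed sample table: three sliders owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO sliders (title, owner) VALUES (?, ?)",
        [("hero", "alice"), ("promo", "alice"), ("internal", "bob")],
    )
    return conn


def titles_unsafe(conn, owner):
    """Vulnerable pattern: the parameter becomes part of the SQL text."""
    sql = f"SELECT title FROM sliders WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, owner):
    """Hardened pattern: the parameter is bound, so it can only ever be a value."""
    sql = "SELECT title FROM sliders WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed input: the quote ends the string literal early.  In the unsafe
# query the remainder is parsed as SQL and every row comes back; in the safe
# query the whole value is compared against the owner column and matches nothing.
ODD_INPUT = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", titles_unsafe(db, ODD_INPUT))
    print("safe:  ", titles_safe(db, ODD_INPUT))
```

Escaping the quote character would close this particular hole but leaves every other syntax-significant character to be handled correctly, which is why the vendor fix for this class of bug is normally prepared statements (in WordPress, `$wpdb->prepare()`) rather than better escaping.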

2. Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

A recent analysis unveiled malicious code inserted into XZ Utils, a commonly used package in major Linux distributions. Tracked as CVE-2024-3094 with a CVSS score of 10.0, the compromise allows remote code execution. Microsoft engineer Andres Freund discovered a backdoor enabling attackers to bypass secure shell authentication and gain complete system access. The backdoor was discovered during micro-benchmarking, prompted by unusual CPU usage in sshd processes. The compromised XZ Utils versions 5.6.0 and 5.6.1 were released in February 2024. Project maintainer Jia Tan introduced the changes, possibly orchestrated over multiple years. The sophisticated attack involved social engineering with fake accounts and co-maintainer requests. The breach underscores the threat of supply chain attacks, with potentially severe consequences had the code been integrated into stable Linux releases.

3. PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers

The Python Package Index (PyPI) temporarily halted new user sign-ups due to a surge in malicious projects uploaded as part of a typosquatting campaign. The suspension, aimed at mitigating the malware upload campaign, lasted 10 hours until March 28, 2024. Threat actors flooded the repository with typosquatted versions of popular packages, targeting developers to steal crypto wallets, browser data, and credentials. Over 100 malicious packages, including variations of ML libraries, were detected. The attack, automated and decentralized, involved over 500 deceptive variants uploaded from a single account starting March 26, 2024. The malware, detected on Windows systems, steals files, Discord tokens, browser data, and cryptocurrency wallets. This incident underscores the growing threat of software supply chain attacks, necessitating rigorous scrutiny of third-party components by developers. PyPI has previously suspended user registrations multiple times due to similar security concerns.

4. CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in Microsoft SharePoint Server, CVE-2023-24955 (CVSS score: 7.2), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw permits authenticated attackers with Site Owner privileges to execute remote code. Microsoft patched this flaw in May 2023. CISA’s move follows the addition of CVE-2023-29357, a privilege escalation flaw, to the KEV catalog two months prior. While an exploit chain combining both vulnerabilities was demonstrated at Pwn2Own Vancouver, there’s no current information on active attacks or threat actors. Microsoft advises enabling automatic updates for protection.

5. Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining

Cybersecurity researchers warn of active exploitation of an unpatched vulnerability in Anyscale Ray, an open-source AI platform, for illicit cryptocurrency mining. Dubbed “ShadowRay,” the campaign has been hijacking computing power since September 2023 across sectors like education and biopharma. Ray, used by major companies, suffers from CVE-2023-48022 (CVSS: 9.8), allowing remote code execution. Anyscale doesn’t plan to fix it immediately, citing security boundaries, but plans to add authentication in future versions. Exploiting flaws in Ray components enables unauthorized job submissions and access to sensitive information. Oligo observed hundreds of GPU clusters breached, exposing crucial credentials and enabling cryptocurrency mining. Anyscale has released the Ray Open Ports Checker to address cluster security concerns.


Programmer’s Digest #76

03/20/2024-03/27/2024 Sketchy NuGet Package, Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products, Over 800 npm Packages Found with Discrepancies And More.

1. Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Threat hunters have discovered a suspicious package, SqzrFramework480, in the NuGet package manager, likely targeting developers working with tools from a Chinese industrial equipment manufacturer. Uploaded on January 24, 2024, by user “zhaoyushun1999,” the package has been downloaded 2,999 times. ReversingLabs noted no similar packages, theorizing it could facilitate industrial espionage via camera-equipped systems. The DLL file within includes features for screen capture and remote pinging, potentially indicating malicious intent. While individual behaviors may not be overtly malicious, combined they raise concerns. This tactic mirrors previous instances of malicious data communication via sockets. The motive remains unclear, but concealing nefarious code in benign software is a known tactic. Despite ambiguity, users must scrutinize libraries before use due to the rising trend of malicious packages in open-source repositories like NuGet.

2. CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerabilities are as follows:

  • CVE-2023-48788: Fortinet FortiClient EMS SQL Injection (CVSS score: 9.3);
  • CVE-2021-44529: Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection (CVSS score: 9.8);
  • CVE-2019-7256: Nice Linear eMerge E3-Series OS Command Injection (CVSS score: 10.0).

Fortinet confirmed active exploitation of the FortiClient EMS flaw. Ivanti’s vulnerability allows malicious code execution. Research suggests CVE-2021-44529 might be an intentional backdoor. CVE-2019-7256 has been exploited since February 2020. Federal agencies must apply vendor-provided mitigations by April 15, 2024.
CISA and the FBI issued a joint alert urging software makers to address SQL injection flaws, citing the Cl0p ransomware gang’s exploitation of CVE-2023-34362 in Progress Software’s MOVEit Transfer. Despite long-standing awareness and available fixes, manufacturers continue to release vulnerable products, endangering customers.

3. Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects

The Sign1 malware campaign has infiltrated 39,000 WordPress sites in six months, using JavaScript injections to redirect users to scam sites. The latest variant infected at least 2,500 sites in two months. Attackers inject rogue JavaScript into HTML widgets and plugins, allowing malicious code insertion. XOR-encoded JavaScript is decoded to execute a file on a remote server, redirecting to a VexTrio-operated traffic distribution system based on specific criteria. The malware dynamically fetches URLs every 10 minutes to evade blocklists. If visitors don’t come from major websites, the malware doesn’t execute. Suspected to exploit WordPress vulnerabilities, the campaign has used up to 15 domains since July 2023. Attackers may use brute-force attacks or plugin vulnerabilities to compromise sites, often injecting code via the Simple Custom CSS and JS plugin.

4. Over 800 npm Packages Found with Discrepancies, 18 Exploit ‘Manifest Confusion’

New research has discovered over 800 packages in the npm registry whose contents have discrepancies from their registry entries, of which 18 have been found to exploit a technique called manifest confusion. The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint. As a result, a threat actor could take advantage of this lack of cross-verification to supply a different manifest containing hidden dependencies that is processed during package installation, stealthily installing malicious dependencies onto the developer’s system.
Developers should verify package safety beyond npm’s website. Organizations must ensure all packages are safe, especially regarding manifest confusion, by analyzing for hidden dependencies. Trusting packages solely by their appearance on npm’s site may be risky.
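The missing validation described above is a comparison that a consumer can perform locally: fetch the registry document and the tarball, read `package/package.json` out of the tarball, and diff the fields the installer acts on. The following is an added example (not npm’s code and not from the research): both the registry-side manifest and the tarball are constructed in-memory, with a placeholder dependency name and install script standing in for the hidden content the research describes, so the check runs offline.

```python
"""Cross-check an npm registry manifest against the package.json in the tarball.

Added example (not npm's own code).  The registry manifest and the tarball are
constructed in-memory, mirroring the discrepancy described above: the manifest
shown on the registry lists no dependencies or scripts, while the package.json
that `npm install` actually reads carries both.
"""
import io
import json
import tarfile

# Fields whose values the installer acts on; a silent difference here matters.
FIELDS_TO_COMPARE = ("name", "version", "dependencies", "optionalDependencies",
                     "peerDependencies", "bundleDependencies", "scripts", "bin")


def build_tarball(package_json):
    """Constructed sample tarball in npm's layout: everything under 'package/'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tarball_bytes):
    """Extract and parse package/package.json from an npm tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        with tar.extractfile(member) as fh:
            return json.load(fh)


def manifest_discrepancies(registry_manifest, tarball_manifest, fields=FIELDS_TO_COMPARE):
    """Return {field: (registry_value, tarball_value)} for every field that differs.

    A field that is absent or empty on both sides is treated as equal; absent on
    one side and present on the other is exactly the case worth reporting.
    """
    diffs = {}
    for field in fields:
        r = registry_manifest.get(field)
        t = tarball_manifest.get(field)
        if (r or t) and r != t:
            diffs[field] = (r, t)
    return diffs


# Constructed registry-side manifest (what the npm website or `npm view` shows).
REGISTRY_MANIFEST = {"name": "example-lib", "version": "1.2.3", "dependencies": {}}

# Constructed tarball-side package.json; the dependency name and the script are
# placeholders for the hidden content the research describes.
TARBALL_PACKAGE_JSON = {
    "name": "example-lib",
    "version": "1.2.3",
    "dependencies": {"hidden-helper": "^0.0.1"},
    "scripts": {"postinstall": "node setup.js"},
}


def audit(registry_manifest=REGISTRY_MANIFEST, tarball_bytes=None):
    """Return the discrepancies for a (registry manifest, tarball) pair."""
    if tarball_bytes is None:
        tarball_bytes = build_tarball(TARBALL_PACKAGE_JSON)
    return manifest_discrepancies(registry_manifest, read_tarball_manifest(tarball_bytes))


if __name__ == "__main__":
    for field, (reg, tar) in audit().items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```

Any non-empty result is a reason to stop and look, not necessarily a compromise: a publisher tool that rewrites package.json after registering metadata will also trip it. The point is that the tarball is the artefact that actually gets installed, so it, and not the registry page, is what has to be reviewed.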

5. Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti disclosed a critical remote code execution flaw, CVE-2023-41724, in Standalone Sentry, urging immediate patching. The vulnerability affects versions 9.17.0 to 9.19.0. Ivanti credited NATO Cyber Security Centre for collaboration. Another critical flaw, CVE-2023-46808, impacting on-premises Neurons for ITSM, permits authenticated remote attackers to execute arbitrary code. Patched versions are available. Despite no known customer impact, Ivanti advises applying fixes. Mandiant tracked China-linked cyber espionage clusters exploiting Ivanti flaws. SonarSource revealed an mXSS flaw in Mailspring (CVE-2023-47479), allowing code execution when replying to malicious emails. Yaniv Nizry highlighted mXSS’s ability to bypass sandbox and CSP protections.

6. Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug

Atlassian patched over two dozen security flaws, notably CVE-2024-1597, a critical SQL injection bug in Bamboo Data Center and Server with a CVSS score of 10.0. Despite its severity, Atlassian noted it stems from an org.postgresql dependency, slightly reducing risk. The vulnerability could allow unauthenticated attackers to exploit assets without user interaction. The flaw affects PostgreSQL JDBC Driver versions prior to those listed. Atlassian clarified that Bamboo and other Data Center products aren’t affected as they don’t use the vulnerable query mode. The vulnerability was introduced in specific versions of Bamboo Data Center and Server. SonarSource’s Paul Gerste discovered the flaw. Users should update their instances promptly.

7. GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws

GitHub introduced code scanning autofix in public beta for Advanced Security customers, utilizing GitHub Copilot and CodeQL to provide targeted recommendations while avoiding the introduction of new security issues. Covering over 90% of alert types in JavaScript, TypeScript, Java, and Python, it suggests fixes for two-thirds of vulnerabilities with minimal editing. Leveraging CodeQL, Copilot APIs, and OpenAI GPT-4, it is planned to support more languages such as C# and Go. Autofix generates potential fixes and provides explanations, extending beyond the current file to include dependencies. Developers must evaluate suggestions to ensure correctness and security, considering potential limitations like syntactic errors, incorrect placements, semantic changes, unresolved root causes, partial fixes, and insecure dependencies. GitHub warns about possible supply chain attacks due to incomplete dependency knowledge.
