06/26/2024-07/03/2024 New Intel CPU Vulnerability, New OpenSSH Vulnerability, Critical SQLi Vulnerability, Vulnerability in Vanna.AI And More.

1. New Intel CPU Vulnerability ‘Indirector’ Exposes Sensitive Data

Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack called Indirector, discovered by researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen. This attack exploits weaknesses in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB), allowing attackers to bypass defenses and leak sensitive information. The attack, similar to Spectre v2 (CVE-2017–5715), uses a tool called iBranch Locator to find and exploit indirect branches through precise IBP and BTP injections. Intel was notified in February 2024 and has informed other affected vendors. Mitigations include aggressive use of the Indirect Branch Predictor Barrier (IBPB) and hardening the Branch Prediction Unit (BPU).

Separately, Arm CPUs are vulnerable to the TIKTAG speculative execution attack, which exploits the Memory Tagging Extension (MTE) to leak data with over a 95% success rate. Researchers recommend strengthening probabilistic defenses to counter such attacks.

2. New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

OpenSSH has released updates to fix a critical flaw, CVE-2024-6387, named regreSSHion, which allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. Discovered by Qualys, this vulnerability is a signal handler race condition in sshd, impacting versions 8.5p1 to 9.7p1 and versions prior to 4.4p1 unless patched for CVE-2006-5051 and CVE-2008-4109.

The flaw, reintroduced in October 2020, affects about 14 million OpenSSH servers. Exploiting this vulnerability requires 6-8 hours of continuous connections. While OpenBSD systems are safe, the exploitability on macOS and Windows remains unconfirmed. Users should apply patches and limit SSH access to mitigate potential threats. Although the attack requires specific conditions and is unlikely to be widespread, targeted exploitation remains a concern.

3. GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

GitLab has released updates to fix 14 security flaws, including a critical vulnerability (CVE-2024-5655, CVSS score: 9.6) that could allow unauthorized CI/CD pipeline execution. The updates apply to GitLab Community Edition (CE) and Enterprise Edition (EE) in versions 17.1.1, 17.0.3, and 16.11.5. The critical flaw impacts versions 17.1 before 17.1.1, 17.0 before 17.0.3, and 15.8 before 16.11.5.

Other significant vulnerabilities addressed include:

• CVE-2024-4901 (CVSS score: 8.7): A stored XSS vulnerability from malicious commit notes
• CVE-2024-4994 (CVSS score: 8.1): A CSRF attack on the GraphQL API
• CVE-2024-6323 (CVSS score: 7.5): An authorization flaw in the global search feature
• CVE-2024-2177 (CVSS score: 6.8): A cross-window forgery vulnerability via OAuth
  Users are advised to apply the patches to protect against potential threats.

4. Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application

A critical security flaw has been disclosed in Fortra FileCatalyst Workflow that, if left unpatched, could allow an attacker to tamper with the application database. Tracked as CVE-2024-5276, the vulnerability carries a CVSS score of 9.8. It impacts FileCatalyst Workflow versions 5.1.6 Build 135 and earlier. It has been addressed in version 5.1.6 build 139. An SQL injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Users who cannot apply the patches immediately can disable the vulnerable servlets – csv_servlet, pdf_servlet, xml_servlet, and json_servlet – in the “web.xml” file located in the Apache Tomcat installation directory as temporary workarounds.

5. Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability – Patch ASAP!

A critical vulnerability (CVE-2024-5806, CVSS score: 9.1) in Progress Software MOVEit Transfer is already being exploited. This authentication bypass flaw affects versions:

• 2023.0.0 before 2023.0.11
• 2023.1.0 before 2023.1.6
• 2024.0.0 before 2024.0.2

An advisory from Progress also addresses another critical issue (CVE-2024-5805, CVSS score: 9.1) in MOVEit Gateway 2024.0.0. Exploiting these flaws allows attackers to bypass SFTP authentication and access systems.

watchTowr Labs, which detailed CVE-2024-5806, notes it can be used to impersonate any server user. The flaw includes vulnerabilities in MOVEit and the IPWorks SSH library. Users are advised to block public inbound RDP access and limit outbound access to trusted endpoints.

Rapid7 notes that exploiting CVE-2024-5806 requires knowledge of an existing username, remote authentication capability, and public SFTP service access. Approximately 2,700 MOVEit Transfer instances are online, mostly in the U.S. and Europe.

6. Analyzing the Remote Code Execution Vulnerability in Vanna.AI Due to Prompt Injection

A critical security flaw (CVE-2024-5565) in Vanna.AI, a library for text-to-SQL interfaces, allows remote code execution (RCE) and stems from the ability to manipulate the context of machine learning models’ predefined instructions. This incident underscores the risks associated with integrating large language models (LLMs) in actionable systems, highlighting the need for robust security measures beyond simple pre-prompting techniques.

Vanna.AI generates and executes Python code dynamically through Plotly visualization. An attacker can exploit this via the ‘ask’ function, injecting malicious prompts to execute arbitrary commands.

This flaw risks database breaches and unauthorized actions. Attacks like Skeleton Key and Crescendo illustrate the dangers of AI jailbreaks, stressing the need for stringent security measures beyond pre-prompting. Developers should implement comprehensive security measures, including input validation, restrictive execution environments, and advanced anomaly detection to monitor suspicious activities. This incident underscores the importance of robust defenses in generative AI systems.

06/20/2024-06/26/2024 Hackers Exploit Multiple WordPress Plugins, Critical RCE Vulnerability, SolarWinds Serv-U Vulnerability And More.

1. Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts 

The Wordfence Threat Intelligence team discovered a significant security breach involving several WordPress plugins on June 22nd, 2024. The Social Warfare plugin was found with malicious code, prompting further investigation that revealed four additional compromised plugins: Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. Wordfence alerted the WordPress plugins team, leading to the delisting of affected plugins. Users should update to patched versions or remove the plugins if no patch exists.

The injected malware creates a new admin user and adds SEO spam. Indicators include server IP 94.156.79.8 and generated usernames Options and PluginAuth. Users should scan for malware, check for unauthorized admin accounts, and follow detailed cleaning guidance on the Wordfence website.
 

2. Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Cybersecurity researchers found a security flaw in the Ollama AI platform, tracked as CVE-2024-37032 and named Probllama by Wiz. This vulnerability, patched in version 0.1.34 on May 7, 2024, could allow remote code execution due to insufficient input validation leading to a path traversal flaw. Attackers could exploit this by sending crafted HTTP requests to the Ollama API server’s “/api/pull” endpoint.

The flaw allows overwriting arbitrary files, potentially enabling code execution by modifying the dynamic linker configuration file. The risk is higher in Docker deployments, where the API server is publicly exposed. Over 1,000 exposed instances were found. The issue highlights the need for securing such services with authentication and middleware.

3. SolarWinds Serv-U Vulnerability Under Attack

A high-severity vulnerability in SolarWinds Serv-U, CVE-2024-28995, is being actively exploited. Disclosed on June 5, this directory traversal flaw allows unauthenticated attackers to read sensitive files. It has a CVSS score of 8.6. SolarWinds urged users to update to Serv-U 15.4.2 HF 2.

Following a proof-of-concept exploit on June 13, the Centre for Cybersecurity Belgium (CCB) confirmed active exploitation and issued a warning on X, urging immediate updates. The vulnerability, although easy to exploit, does not allow file changes, which kept its CVSS score at 8.6. Monitoring and detection tools are recommended for previously compromised systems.
 

4. Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Cybersecurity researchers disclosed a patched security flaw in Phoenix SecureCore UEFI firmware affecting Intel Core processors. Known as CVE-2024-0762 (CVSS score: 7.5), this “UEFIcanhazbufferoverflow” vulnerability involves a buffer overflow in the TPM configuration, allowing local attackers to execute malicious code and escalate privileges within UEFI firmware.

Eclypsium highlighted the risk of ongoing persistence and evasion of security measures due to this low-level exploitation. Phoenix Technologies addressed the issue in April 2024, and Lenovo released updates last month. The flaw affects Intel families including Alder Lake, Coffee Lake, and more.

UEFI firmware, critical for hardware initialization and OS booting, is a prime target for attackers due to its high-level privileges.

5. How to fix a ReDoS

Although some ReDoS vulnerabilities can be very serious (particularly when they’re server-side and enable an untrusted remote attacker to DOS the server), very often they land much closer to the “annoying” end of the CVSS rating scale: not particularly serious, but easy to create by accident, obscure to understand, and sometimes tricky to fix.

The most annoying thing about ReDoS vulnerabilities is that they’re not caused by careless coding, but by an obscure edge-case in the regex engine.

Code scanning detects ReDoS vulnerabilities automatically, but fixing them isn’t always easy. This blog post describes a 4-step strategy for fixing ReDoS bugs.

6. How To Protect Web Services with OpenIG

Securing web services is critical part of production environment to prevent compromising application from attacks. In microservice architecture, there is no need to implement security for each microservice. Each microservice should be responsible for its atomic functionality. To protect services you need to user API Gateway application. Consider how to protect simple web service with Open Identity Gateway (OpenIG) in this article.

06/12/2024-06/19/2024 VMware Issues Patches, Google Warns of Pixel Firmware Security Flaw, Exploit for Veeam Recovery Orchestrator Auth Bypass And More.

1. VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware has released updates to fix critical flaws in Cloud Foundation, vCenter Server, and vSphere ESXi, which could lead to privilege escalation and remote code execution.

The vulnerabilities are:

• CVE-2024-37079 & CVE-2024-37080 (CVSS 9.8): Heap-overflow issues in the DCE/RPC protocol allowing remote code execution via crafted network packets.
• CVE-2024-37081 (CVSS 7.8): Local privilege escalation in vCenter due to sudo misconfiguration, enabling non-admin users to gain root access.

Previously, in October 2023, VMware patched CVE-2023-34048 (CVSS 9.8), another critical DCE/RPC flaw. These issues affect vCenter Server versions 7.0 and 8.0, patched in 7.0 U3r, 8.0 U1e, and 8.0 U2d. Users should promptly apply these patches despite no known active exploits.

2. Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google has warned of a zero-day security flaw in Pixel Firmware, CVE-2024-32896, being exploited in the wild. This high-severity vulnerability is an elevation of privilege issue.The company did not share any additional details related to the nature of attacks exploiting it, but noted “there are indications that CVE-2024-32896 may be under limited, targeted exploitation.”

The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Key patches address a Modem DoS issue and information disclosure flaws in GsmSs, ACPM, and Trusty. The update is available for Pixel 5a with 5G, Pixel 6 series, Pixel 7 series, Pixel 8 series, and Pixel Fold. GrapheneOS maintainers clarified that CVE-2024-32896 and CVE-2024-29748 concern the same vulnerability affecting all devices but mitigations are specific to Pixels. 

3. Exploit for Veeam Recovery Orchestrator Auth Bypass Available, Patch Now

A proof-of-concept (PoC) exploit for Veeam Recovery Orchestrator’s critical authentication bypass vulnerability, CVE-2024-29855, has been released by researcher Sina Kheirkhah. This vulnerability, rated 9.0 (critical) on the CVSS scale, impacts Veeam Recovery Orchestrator (VRO) versions 7.0.0.337, 7.1.0.205, and older.

The flaw allows unauthenticated attackers to log into the VRO web UI with admin privileges using a hardcoded JSON Web Token (JWT) secret, enabling them to generate valid tokens. Veeam recommends upgrading to versions 7.1.0.230 and 7.0.0.379 to mitigate the issue.

Kheirkhah’s post shows the vulnerability is easier to exploit than described by Veeam, bypassing some requirements like knowing the exact username and role. The public availability of this exploit heightens the risk, making prompt patching essential.

4. New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Cybersecurity researchers have identified a new malware campaign targeting exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads. The tools include a remote access utility for executing additional malware and propagating via SSH, according to a Datadog report.

This campaign shows similarities to the previous Spinning YARN activity, which targeted misconfigured services like Apache Hadoop YARN and Docker for cryptojacking. Attackers focus on Docker servers with open ports, starting with reconnaissance and privilege escalation.

Malware is delivered through a shell script named “vurl,” which includes other scripts such as “b.sh” and “ar.sh.” These scripts fetch further payloads, disable firewalls, and scan for vulnerable hosts. The campaign also uses Go-based binaries like “chkstart” to complicate analysis and facilitate remote access, and tools like “exeremo” for spreading infection and “fkoths” to erase traces of the malware.