
Programmer’s Digest #79

04/10/2024-04/17/2024 Potential JavaScript Project Takeover Attempt, Java G1 fix would speed JIT compilation, Hackers Exploit Fortinet Flaw And More.

1. OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

Security researchers have discovered a credible takeover attempt on the OpenJS Foundation, reminiscent of a recent incident involving the XZ Utils project. The OpenJS Foundation and Open Source Security Foundation (OpenSSF) issued a joint alert after receiving suspicious emails urging updates to JavaScript projects without specifics. The emails also sought to designate new maintainers without prior involvement. While no privileged access was granted, the incident echoes the XZ Utils case, where fictitious personas aimed to make Jia Tan a co-maintainer through social engineering. This suggests a broader campaign to undermine project security. The sophistication of these attacks underscores the vulnerability of open-source projects, as highlighted by CISA. CISA urges technology manufacturers to support maintainers, audit source code periodically, and implement secure design principles to mitigate such risks.

2. Java G1 fix would speed JIT compilation

A proposed change to Java’s G1 garbage collector aims to speed up Java’s C2 optimizing JIT compiler, particularly benefiting cloud deployments. The proposal simplifies the implementation of G1’s barriers and delays their expansion until late in the C2 JIT compilation pipeline. This adjustment responds to the growing demand for minimizing JVM overhead in cloud-based Java deployments. Objectives include reducing C2 execution time when G1 is in use, making the code easier for HotSpot developers to understand, and maintaining the quality of the generated code. Notably, the proposal does not aim to retain G1’s early barrier expansion as a legacy mode. Instead, it prioritizes transparency in the transition to late barrier expansion. Initial experiments show early barrier expansion increases C2 overhead by 10% to 20%, emphasizing the need to reduce such overhead for Java’s cloud suitability. Moreover, decoupling G1 barrier instrumentation from C2 internals can further reduce GC overhead through algorithmic enhancements and micro-optimizations. Lastly, the proposal suggests expanding G1 barriers as late as possible in C2’s compilation pipeline to maintain code quality.

3. Invision Community Vulnerabilities Risk E-Commerce Websites

Invision Community software has been found vulnerable, risking websites including major brands like Evernote, Sony, Corsair, Mattel, LEGO, and more. Researcher Egidio Romano uncovered a blind SQL injection flaw in Invision Community software, present for five years since version 4.4.0. This flaw (CVE-2024-30163) allowed unauthorized access to the AdminCP, enabling password resets and remote code execution. Version 4.7.16 patched this flaw. However, another vulnerability (CVE-2024-30162) persists, affecting even the latest version, 4.7.16. This flaw enables arbitrary PHP code execution via ZIP file uploads, requiring “toolbar_manage” permission. Romano has a track record of discovering such vulnerabilities, previously revealing critical flaws in phpFox. Vendors often take time to address these issues.

4. Quarkus 3.2.12.Final released – Maintenance LTS release

Quarkus 3.2.12.Final, the eleventh maintenance release of the 3.2 LTS release train, has been released.
This release includes the following security-related fixes:

  • CVE-2024-2700 io.quarkus/quarkus-core: Leak of local configuration properties into Quarkus applications;
  • CVE-2024-29025 io.netty/netty-codec-http: Allocation of Resources Without Limits or Throttling;
  • CVE-2023-51775 org.bitbucket.b_c/jose4j: DoS attack via specifically crafted JWE.

The upgrade from 3.2.11.Final to the latest release is safe. However, be aware that fixing CVE-2024-2700 alters how configuration options are recorded during build. Properties from local sources (like environment variables, system properties, Maven and Gradle project properties) won’t override default values of runtime configuration properties. This prevents local environment values from leaking into production builds.

5. Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

Cybersecurity researchers have found a new cyber campaign exploiting a recent security flaw (CVE-2023-48788, CVSS score: 9.3) in Fortinet FortiClient EMS devices. The flaw enables attackers to execute unauthorized code via crafted requests. Forescout named the campaign Connect:fun due to its use of ScreenConnect and Powerfun for post-exploitation. The intrusion targeted an unnamed media company whose vulnerable device was exposed to the internet after a proof-of-concept exploit was released on March 21, 2024. The attacker first attempted to download ScreenConnect unsuccessfully, then succeeded in installing it via the msiexec utility on March 25, alongside initiating a reverse connection with a PowerShell script. The attacker also used SQL statements to download ScreenConnect from “ursketz[.]com” and establish connections with a command-and-control server. The campaign appears to be manually operated, targeting specific environments with VPN appliances.

6. Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has released urgent hotfixes for a critical vulnerability (CVE-2024-3400, CVSS score: 10.0) in PAN-OS software actively exploited in the wild. The flaw, a command injection in GlobalProtect, allows attackers to execute code with root privileges. Fixes are available for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, with more patches expected soon. The vulnerability affects firewalls configured with GlobalProtect and device telemetry enabled. Cloud NGFW firewalls are unaffected, but certain PAN-OS versions in cloud-deployed firewalls are vulnerable. Palo Alto Networks Unit 42 is tracking the exploitation under “Operation MidnightEclipse.” Attackers have leveraged the flaw since at least March 26, 2024, deploying a Python-based backdoor called UPSTYLE. Users are urged to apply patches and monitor for signs of compromise using provided CLI commands.


Programmer’s Digest #78

04/03/2024-04/10/2024 New HTTP/2 Vulnerability, Ivanti Rushes Patches for 4 New Flaws, Critical ‘BatBadBut’ Rust Vulnerability And More.

1. New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

New research reveals a vulnerability in the HTTP/2 protocol’s CONTINUATION frame, dubbed HTTP/2 CONTINUATION Flood. Security expert Bartek Nowotarski reported the issue to CERT/CC on January 25, 2024. Many HTTP/2 implementations lack proper limits on CONTINUATION frames within a single stream, enabling attackers to flood servers with frames, leading to denial-of-service (DoS) attacks. These frames overwhelm server memory, causing crashes or performance degradation. Unlike HTTP/1, HTTP/2 uses HEADERS and CONTINUATION frames to transmit header blocks. Exploiting this vulnerability, an attacker can send an endless sequence of header frames, exhausting server resources. Nowotarski warns that this attack, more severe than the Rapid Reset attack, leaves no trace in access logs and impacts server availability. Incorrect handling of CONTINUATION frames poses significant security risks, potentially leading to crashes, memory exhaustion, or CPU overload, as outlined in RFC 9113.
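The per-stream limit that RFC 9113 leaves to implementations, shown as an added example (not code from the article or from any server): a small HTTP/2 frame parser that assembles header blocks and rejects a stream once its CONTINUATION frames exceed a byte or frame budget, or arrive out of sequence. The frame layout follows RFC 9113; the limits and the sample traffic are constructed.

```python
import struct
HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113, sections 6.2 and 6.10)
END_HEADERS = 0x4                  # flag that terminates a header block

def encode_frame(ftype, flags, stream_id, payload):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length

def check_header_blocks(data, max_block_bytes=16384, max_continuations=8):
    """Return (ok, reason): enforce CONTINUATION sequencing and bound the buffered block."""
    open_block = None                  # (stream_id, bytes_buffered, continuation_count)
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS:
            if open_block is not None:
                return False, "HEADERS while another header block is still open"
            open_block = (sid, len(payload), 0)
        elif ftype == CONTINUATION:
            if open_block is None or open_block[0] != sid:
                return False, f"CONTINUATION on stream {sid} without an open header block"
            open_block = (sid, open_block[1] + len(payload), open_block[2] + 1)
        elif open_block is not None:
            return False, "other frame type interleaved inside a header block"
        else:
            continue                   # frames outside a header block: not checked here
        _, total, count = open_block
        if count > max_continuations or total > max_block_bytes:
            return False, f"stream {sid}: header block too large ({count} CONTINUATION, {total} bytes)"
        if flags & END_HEADERS:
            open_block = None          # block complete: release the buffer
    return True, "ok"

# Constructed traffic: a legitimate split header block, then a CONTINUATION flood.
LEGIT = (encode_frame(HEADERS, 0, 1, b"\x82" * 100) + encode_frame(CONTINUATION, 0, 1, b"\x86" * 100)
         + encode_frame(CONTINUATION, END_HEADERS, 1, b"\x84" * 100))
FLOOD = encode_frame(HEADERS, 0, 3, b"\x82" * 100) + b"".join(
    encode_frame(CONTINUATION, 0, 3, b"\x00" * 1000) for _ in range(50))
```

A server that applies such a budget before HPACK decoding fails the connection with a bounded amount of memory, instead of buffering fragments until END_HEADERS arrives.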

2. Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

Ivanti has issued security updates for Connect Secure and Policy Secure Gateways, addressing four flaws that could lead to code execution and denial-of-service (DoS) attacks.
The flaws include heap overflow (CVE-2024-21894, CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion (CVE-2024-22023) vulnerabilities. These affect various components of the mentioned products, potentially allowing unauthenticated attackers to crash services or execute arbitrary code.
Ivanti recently patched critical vulnerabilities in Standalone Sentry (CVE-2023-41724) and on-premises Neurons for ITSM (CVE-2023-46808), highlighting ongoing security concerns. CEO Jeff Abbott acknowledged the challenges, emphasizing Ivanti’s commitment to enhancing its security measures.

3. Critical ‘BatBadBut’ Rust Vulnerability Exposes Windows Systems to Attacks

A critical security flaw in Rust’s standard library (CVE-2024-24576, CVSS score: 10.0) allows command injection attacks on Windows systems when batch files are invoked with untrusted arguments. The vulnerability arises from improper argument escaping when a batch file is invoked through Rust’s Command API. Exploiting this flaw, an attacker can execute arbitrary shell commands. This issue affects Rust versions prior to 1.77.2. Security researcher RyotaK discovered and reported the bug to CERT/CC, naming it BatBadBut. The flaw impacts multiple programming languages that use similar mechanisms. Developers are advised to exercise caution and avoid executing commands from directories included in the PATH environment variable to mitigate risks.

4. Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

Threat actors are targeting around 92,000 internet-exposed D-Link NAS devices, exploiting CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3). These affect legacy D-Link products, now end-of-life (EoL). D-Link advises replacement as it won’t issue patches. Exploitation could lead to arbitrary command execution, granting access to sensitive data or enabling DoS attacks. Attackers use these flaws to distribute the Mirai botnet malware, potentially hijacking D-Link devices remotely. Shadowserver Foundation recommends firewalling remote access or taking devices offline until a fix is available.
Palo Alto Networks Unit 42 warns of increasing malware-initiated scanning attacks on network devices, underlining the evolving threat landscape.

5. OAuth 2.0 flows explained in GIFs

OAuth (Open Authorization) enables third-party websites or apps to access a user’s data without requiring the user to share their credentials. It is a set of rules that makes access delegation possible. The user gets to authorize which resources an app can access, and access is limited accordingly.
A post on dev.to covers all OAuth 2.0 flows using GIFs that are simple and easy to understand. This post can be used as a cheat sheet for future reference as well.


Programmer’s Digest #77

03/27/2024-04/03/2024 Flaw Found in Popular LayerSlider WordPress Plugin, Malicious Code in XZ Utils for Linux Systems, PyPI Halts Sign-Ups Amid Surge And More.

1. Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, rated 9.8/10 on the CVSS scale, allows attackers to extract sensitive data via SQL injection in versions 7.9.11 through 7.10.0. The issue is patched in version 7.10.1, released on March 27, 2024. LayerSlider, a popular web content editor and design tool, has millions of users worldwide. The vulnerability arises from insufficient parameter escaping, enabling attackers to append SQL queries. Meanwhile, WP-Members Membership Plugin was affected by an unauthenticated stored XSS flaw (CVE-2024-1852, CVSS score: 7.2), now fixed in version 3.4.9.3. This flaw allows attackers to inject malicious scripts, potentially leading to account creation, redirection, and other attacks if executed within an administrator’s session.

2. Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

A recent analysis unveiled malicious code inserted into XZ Utils, a commonly used package in major Linux distributions. Tracked as CVE-2024-3094 with a CVSS score of 10.0, the compromise allows remote code execution. Microsoft engineer Andres Freund discovered a backdoor enabling attackers to bypass secure shell authentication and gain complete system access. The backdoor was discovered during micro-benchmarking, when unusual CPU usage in sshd processes drew attention. The compromised XZ Utils versions 5.6.0 and 5.6.1 were released in February 2024. Project maintainer Jia Tan introduced the changes, possibly orchestrated over multiple years. The sophisticated attack involved social engineering with fake accounts and co-maintainer requests. The breach underscores the threat of supply chain attacks, with potentially severe consequences had the code been integrated into stable Linux releases.

3. PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers

The Python Package Index (PyPI) temporarily halted new user sign-ups due to a surge in malicious projects as part of a typosquatting campaign. The suspension, aimed at mitigating a malware upload campaign, lasted 10 hours until March 28, 2024. Threat actors flooded the repository with typosquatted versions of popular packages, targeting developers to steal crypto wallets, browser data, and credentials. Over 100 malicious packages, including variations of ML libraries, were detected. The attack, automated and decentralized, involved over 500 deceptive variants uploaded from a unique account starting March 26, 2024. The malware, detected on Windows systems, steals files, Discord tokens, browser data, and cryptocurrency wallets. This incident underscores the growing threat of software supply chain attacks, necessitating rigorous scrutiny of third-party components by developers. PyPI has previously suspended user registrations multiple times due to similar security concerns.

4. CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in Microsoft SharePoint Server, CVE-2023-24955 (CVSS score: 7.2), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw permits authenticated attackers with Site Owner privileges to execute remote code. Microsoft patched this flaw in May 2023. CISA’s move follows the addition of CVE-2023-29357, a privilege escalation flaw, to the KEV catalog two months prior. While an exploit chain combining both vulnerabilities was demonstrated at Pwn2Own Vancouver, there’s no current information on active attacks or threat actors. Microsoft advises enabling automatic updates for protection.

5. Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining

Cybersecurity researchers warn of active exploitation of an unpatched vulnerability in Anyscale Ray, an open-source AI platform, for illicit cryptocurrency mining. Dubbed “ShadowRay,” the campaign has targeted computing power since September 2023 across sectors like education and biopharma. Ray, used by major companies, suffers from CVE-2023-48022 (CVSS: 9.8), allowing remote code execution. Anyscale doesn’t plan to fix it immediately, citing security boundaries, but plans to add authentication in future versions. Exploiting flaws in Ray components enables unauthorized job submissions and access to sensitive information. Oligo observed hundreds of GPU clusters breached, exposing crucial credentials and enabling cryptocurrency mining. Anyscale has released the Ray Open Ports Checker to address cluster security concerns.
