how human behavior affects security

Programmer’s Digest #105

10/16/2024-10/23/2024 Critical OPA Vulnerability, VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw And More.

1. Critical OPA Vulnerability Exposes Windows Credentials

A now-patched security flaw in Styra’s Open Policy Agent (OPA) could expose sensitive credentials on Windows systems, affecting millions of users. The vulnerability, CVE-2024-8260, has a CVSS score of 6.1, making it a medium-severity risk. Tenable found that attackers could exploit the flaw by sending a malicious command that causes OPA to authenticate with a server under the attacker’s control, leaking the NTLM credentials used to log into Windows systems. Organizations running OPA on Windows should update to the latest version (v0.68.0). Attackers could trigger the flaw through social engineering, such as tricking users into running OPA via malicious files, or by manipulating OPA’s Rego rules or command-line arguments to redirect it to their server.

2. Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor

Cybersecurity researchers discovered malicious packages on the npm registry designed to steal Ethereum private keys and gain remote access via SSH. The packages attempt to add the attacker’s SSH key to the root user’s authorized keys file, giving them access to the victim’s machine, according to Phylum. The packages, posing as legitimate ones like “ethers-mew,” “ethers-web3,” and others, were likely released for testing. The most advanced package, “ethers-mew,” embeds malicious code that siphons Ethereum private keys to “ether-sign[.]com” and allows remote access to compromised systems. Unlike typical malware that executes upon installation, this attack requires the developer to use the package in their code. Phylum noted that the packages and the authors’ accounts were quickly removed by the attackers themselves. This isn’t the first such attack; similar malicious packages have appeared in the npm registry before.
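Because the reported packages persist by appending a key to root’s authorized_keys file, a periodic audit of that file against a known-good baseline is a cheap detection. The Python below is an added example, not code from the page or from Phylum: it parses the authorized_keys format (including quoted option values such as command="..."), computes OpenSSH-style SHA256 fingerprints, and reports any key whose fingerprint is not in the baseline. The key blobs, comments and the baseline are constructed for the demonstration.

```python
import base64
import hashlib

# Key types in authorized_keys start with one of these prefixes; everything before the
# key type on a line is the options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _split_outside_quotes(line):
    """Split on whitespace, keeping quoted option values (e.g. command="ls -l") intact."""
    tokens, cur, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line (options, type, fingerprint, comment) or an error marker."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_outside_quotes(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({"line": lineno, "error": "invalid base64 key data"})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(blob),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text, baseline):
    """(line number, message) for every key missing from the baseline fingerprint set."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append((entry["line"], entry["error"]))
        elif entry["fingerprint"] not in baseline:
            who = entry["comment"] or "no comment"
            findings.append((entry["line"], f"unexpected {entry['type']} key {entry['fingerprint']} ({who})"))
    return findings


# Constructed key blobs (not real keys) and a constructed root authorized_keys file built from them.
OPS_BLOB = b"constructed-ed25519-blob-for-ops"
BACKUP_BLOB = b"constructed-rsa-blob-for-backup"
UNKNOWN_BLOB = b"constructed-blob-not-in-baseline"


def _line(key_type, blob, comment, options=""):
    prefix = options + " " if options else ""
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys (constructed sample)",
    _line("ssh-ed25519", OPS_BLOB, "ops@workstation"),
    _line("ssh-rsa", BACKUP_BLOB, "backup@bastion",
          options='from="10.0.0.0/8",command="/usr/local/bin/backup --pull",no-pty'),
    _line("ssh-ed25519", UNKNOWN_BLOB, "unknown@host"),
]) + "\n"

# Baseline of fingerprints an operator has approved; in practice this would be kept out of band.
BASELINE = {fingerprint(OPS_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    for lineno, message in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {lineno}: {message}")
```

Run it against /root/.ssh/authorized_keys from a cron job or a configuration-management check; the only line reported for the constructed sample is the third key, which is not in the baseline.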

3. VMware Fixes Bad Patch For Critical vCenter Server RCE Flaw

VMware has issued a new security update for CVE-2024-38812, a critical remote code execution flaw in vCenter Server that was not fully addressed in the September 2024 patch. Rated 9.8 (CVSS v3.1), the vulnerability stems from a heap overflow in the DCE/RPC protocol, affecting vCenter Server, vSphere, and Cloud Foundation. Exploiting the flaw requires no user interaction, as it triggers when a malicious network packet is received. The flaw was discovered during the 2024 Matrix Cup hacking contest, where researchers also revealed CVE-2024-38813, a related privilege escalation flaw. VMware urges users to apply new patches for vCenter 7.0.3, 8.0.2, and 8.0.3, as older versions like vSphere 6.5 and 6.7 won’t receive updates. No workarounds exist, and there are no reports of active exploitation yet. These updates are critical since attackers often target vCenter vulnerabilities to gain access to virtual machines.

4. Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Bad actors are targeting Docker remote API servers to deploy SRBMiner crypto miners. Using the gRPC protocol over h2c, attackers bypass security measures to exploit vulnerable Docker hosts. They start by checking for public-facing Docker API servers, then request upgrades to the h2c protocol (HTTP/2 without TLS encryption). Next, they use gRPC methods to manipulate Docker functionalities, such as health checks and file synchronization, before sending a “/moby.buildkit.v1.Control/Solve” request to create a container and mine XRP cryptocurrency via SRBMiner hosted on GitHub. Trend Micro also reported attackers using Docker API servers to deploy perfctl malware, which creates a malicious container to download and execute harmful payloads. Users are advised to secure Docker remote APIs with strong access controls and monitor for unusual activity.
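The request sequence described above (an h2c upgrade followed by BuildKit control calls and container creation) leaves a recognizable trail if the Docker API endpoint is logged. The Python below is an added example, not code from the page, from Trend Micro, or from Docker: it assumes a constructed log format and a constructed allowlist of trusted hosts, flags the reported pattern in sample log lines, and audits a daemon.json fragment for the weak setting (a cleartext TCP listener on every interface) beside a hardened one.

```python
import json
import re

# Constructed access-log lines in a made-up, whitespace-separated format:
#   <timestamp> <source-ip> <method> <path> <status> <Upgrade-header-value-or-"-">
# Not from the page or any real host; a reverse proxy or audit hook in front of the
# Docker socket would have to be configured to emit something equivalent.
SAMPLE_LOG = """\
2024-10-20T03:14:07Z 203.0.113.5 GET /v1.45/info 200 -
2024-10-20T03:14:08Z 203.0.113.5 POST /grpc 101 h2c
2024-10-20T03:14:09Z 203.0.113.5 POST /moby.buildkit.v1.Control/Solve 200 -
2024-10-20T03:15:00Z 10.0.0.12 POST /moby.buildkit.v1.Control/Solve 200 -
2024-10-20T03:16:42Z 203.0.113.5 POST /v1.45/containers/create 201 -
2024-10-20T04:00:00Z 10.0.0.12 GET /v1.45/containers/json 200 -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Constructed allowlist: the hosts expected to drive BuildKit and create containers.
TRUSTED_HOSTS = frozenset({"10.0.0.12"})


def scan_log(text, trusted=TRUSTED_HOSTS):
    """Return (timestamp, source, severity, reason) for requests matching the reported pattern."""
    findings = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts, src, _method, path, _status, upgrade = match.groups()
        if upgrade.lower() == "h2c":
            findings.append((ts, src, "high", "cleartext HTTP/2 (h2c) upgrade requested against the Docker API"))
        if path.startswith("/moby.buildkit.v1.Control/") and src not in trusted:
            findings.append((ts, src, "high", f"BuildKit control call {path} from untrusted source"))
        if path.endswith("/containers/create") and src not in trusted:
            findings.append((ts, src, "medium", "container creation from untrusted source"))
    return findings


# Two constructed daemon.json fragments: a weak one exposing the API in cleartext on every
# interface, and a hardened one bound to a single address that requires client certificates.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(daemon_json_text):
    """Flag TCP listeners that do not enforce client certificates or that bind every interface."""
    cfg = json.loads(daemon_json_text)
    issues = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are governed by file permissions, not TLS
        if not cfg.get("tlsverify"):
            issues.append(f"{host}: TCP listener without tlsverify (client certificates not required)")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            issues.append(f"{host}: bound to all interfaces")
    return issues


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

The h2c rule fires regardless of source because a cleartext HTTP/2 upgrade against the API is never expected; the BuildKit and container-creation rules only fire for hosts outside the allowlist, so legitimate CI builders stay quiet.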

5. Roundcube XSS Flaw Exploited to Steal Credentials, Email (CVE-2024-37383)

Attackers exploited an XSS vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization in a CIS country. This flaw, patched in May 2024, affects Roundcube versions 1.5.7 and 1.6.7. The exploit was sent via email in June 2024. CVE-2024-37383 allows attackers to inject malicious code using SVG animate attributes. In this case, the email contained hidden JavaScript, which ran when opened, downloading a decoy document while attempting to steal messages and login credentials. XSS vulnerabilities in Roundcube have been exploited before, including by state-sponsored actors targeting government entities. While not the most widely used email client, Roundcube is frequently targeted due to its use in government agencies.

Programmer’s Digest #104

10/09/2024-10/16/2024 GitHub Patches Critical Flaw, CISA Warns of Three Vulnerabilities, WordPress Plugin Jetpack Patches Major Vulnerability And More.

1. GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to fix several vulnerabilities, including a critical flaw (CVE-2024-9487) with a CVSS score of 9.5/10. This issue allows attackers to bypass SAML single sign-on (SSO) authentication and gain unauthorized access by exploiting a cryptographic signature verification weakness. The flaw is a regression from CVE-2024-4985, a maximum severity bug (CVSS 10.0) patched in May 2024. Two other issues were also fixed: CVE-2024-9539 (CVSS 5.7), which exposes user metadata, and sensitive data exposure in HTML forms. The vulnerabilities are patched in GHES versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. GitHub urges organizations using affected versions to update immediately to prevent potential security risks.

2. CISA Warns of Three Vulnerabilities Actively Exploited in the Wild

CISA has issued an urgent alert about three critical vulnerabilities being actively exploited in the wild. These affect Microsoft, Mozilla, and SolarWinds products, posing serious risks. The first, CVE-2024-30088, is a race condition in the Microsoft Windows Kernel, potentially allowing privilege escalation. Users should apply mitigations or discontinue use by November 5, 2024. The second, CVE-2024-9680, is a use-after-free flaw in Mozilla Firefox that could allow arbitrary code execution. Mozilla users must also apply fixes by the same deadline. The third, CVE-2024-28987, impacts SolarWinds Web Help Desk, involving hardcoded credentials that could allow unauthorized access. CISA urges immediate patching or mitigation to prevent exploitation.

3. WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

Jetpack, a popular WordPress plugin by Automattic, has released a security update to fix a critical vulnerability. The flaw, present since version 3.9.9 (2016), allowed logged-in users to view forms submitted by others on the site. Discovered during an internal audit, the issue affects Jetpack’s Contact Form feature. Jetpack, used on 27 million sites, worked with the WordPress.org Security Team to automatically update affected sites. While there’s no evidence of exploitation, the vulnerability could be abused now that it’s public. The update addresses this flaw across 101 Jetpack versions. In related news, WordPress founder Matt Mullenweg has taken control of WP Engine’s Advanced Custom Fields (ACF) plugin, launching a fork called Secure Custom Fields (SCF) to fix a security issue. WP Engine disputes the action, claiming it was taken without consent.

4. Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks

Sophos reports that ransomware operators are exploiting a critical flaw, CVE-2024-40711, in Veeam Backup & Replication software to create rogue accounts and deploy malware. Veeam addressed this remote code execution (RCE) vulnerability (CVSS 9.8) in September 2024, as part of a security update that fixed 18 high and critical flaws. The flaw affects Veeam Backup & Replication version 12.1.2.172 and earlier. Attackers have used compromised credentials and the vulnerability to deploy ransomware, including Fog and Akira. These attacks often target outdated VPN gateways without multifactor authentication. Sophos warns that attackers exploited Veeam’s URI trigger on port 8000 to create local admin accounts and deploy ransomware. One attack involved Fog ransomware on an unprotected Hyper-V server, using rclone for data exfiltration. Sophos emphasizes the importance of patching vulnerabilities, updating outdated VPNs, and using multifactor authentication to prevent attacks.

5. Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems

Cybersecurity researchers warn of an unpatched vulnerability (CVE-2024-9441, CVSS 9.8) in Nice Linear eMerge E3 access controllers that allows remote attackers to execute arbitrary OS commands. Despite public disclosure, no fix or workaround has been provided by the vendor. The flaw affects several versions of the Nortek Linear eMerge E3, including 0.32-03i through 1.00.07. Proof-of-concept exploits have been released, increasing the risk of malicious attacks. A similar flaw (CVE-2019-7256) was exploited in the past to recruit devices into the Raptor Train botnet, which raises concerns about the vendor’s slow response.

Nice recommends following security best practices, such as network segmentation, restricting internet access, and using firewalls to protect affected devices.

Programmer’s Digest #103

10/02/2024-10/09/2024 Microsoft Issues Security Update Fixing 118 Flaws, Three More CSA Zero-Days Exploited, Critical Apache Avro SDK Flaw And More.

1. Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft has issued security updates addressing 118 vulnerabilities, two of which are actively exploited. The updates include fixes for three Critical, 113 Important, and two Moderate flaws, excluding 25 additional vulnerabilities in Edge. Five vulnerabilities were publicly known at release, with two under active exploitation as zero-days: CVE-2024-43572 (Remote Code Execution) and CVE-2024-43573 (Spoofing). Both are listed in CISA’s Known Exploited Vulnerabilities catalog, requiring fixes by October 29, 2024. The most severe flaw (CVE-2024-43468, CVSS score: 9.8) affects Microsoft Configuration Manager and could allow unauthenticated attackers to execute arbitrary commands. Other critical flaws involve Visual Studio Code (CVE-2024-43488) and Remote Desktop Protocol (CVE-2024-43582). Attack complexity for the latter is high, requiring a race condition to access memory improperly.

2. Ivanti Warns Of Three More CSA Zero-Days Exploited in Attacks

Ivanti has released security updates to patch three new Cloud Services Appliance (CSA) zero-day vulnerabilities actively exploited in attacks. These flaws, when chained with another zero-day (CVE-2024-8963) patched in September, allow attackers to perform SQL injection, execute arbitrary code, and bypass security restrictions on vulnerable CSA gateways. The vulnerabilities affect CSA versions 5.0.1 and earlier. Ivanti recommends users upgrade to version 5.0.2 and rebuild compromised systems. For detection, admins should review endpoint detection and response (EDR) alerts or check for new or modified admin users. While CSA 4.6 is end-of-life, Ivanti emphasized no exploitation has been seen in CSA 5.0. Ivanti is enhancing security practices, having signed the CISA Secure by Design pledge, and continues to improve its disclosure process for faster issue resolution.

3. Critical Apache Avro SDK Flaw Impacts Java Applications

A critical vulnerability in the Apache Avro Java SDK, tracked as CVE-2024-47561, can allow arbitrary code execution on affected instances. This flaw impacts all versions of the software prior to 1.11.4. Apache Avro, a data serialization framework used in big data and distributed systems, is part of the Apache Hadoop project. The issue stems from the Java SDK’s schema parsing, which could be exploited by malicious actors. Users are advised to upgrade to versions 1.11.4 or 1.12.0, which address the vulnerability. Applications allowing user-provided Avro schemas for parsing are at risk. For those unable to update, mitigations include avoiding user-provided schema parsing or sanitizing schemas before processing.
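The mitigation named above for deployments that cannot upgrade yet, sanitizing user-provided schemas before they reach the SDK, can be implemented as an allowlist walk over the schema JSON. The Python below is an added example, not code from the page or from the Apache Avro project: it accepts only the type names and attributes the Avro specification defines for each schema kind, tracks named types so that references resolve, and refuses anything else before the text is handed to a real Avro parser. This is deliberately stricter than the specification, which permits extra attributes as metadata; the sample schemas and the made-up attribute name in the tampered one are constructed for the demonstration.

```python
import json

# Avro's primitive type names and the attributes the Avro specification defines for each
# complex type. Anything outside these sets is refused before the schema reaches an SDK parser.
PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}
ALLOWED_ATTRS = {
    "record": {"type", "name", "namespace", "doc", "aliases", "fields"},
    "enum": {"type", "name", "namespace", "doc", "aliases", "symbols", "default"},
    "array": {"type", "items", "default"},
    "map": {"type", "values", "default"},
    "fixed": {"type", "name", "namespace", "aliases", "size"},
}
FIELD_ATTRS = {"name", "doc", "type", "default", "order", "aliases"}
LOGICAL_ATTRS = {"logicalType", "precision", "scale"}  # logical types annotate primitives and fixed


class UnsafeSchema(ValueError):
    """Raised for any schema construct outside the conservative allowlist."""


def _reject_extra(node, allowed):
    extra = set(node) - allowed
    if extra:
        raise UnsafeSchema(f"unknown attribute(s) {sorted(extra)} on {node.get('type')!r} node")


def _check(node, namespace, defined):
    """Walk one schema node; 'defined' collects full names of records, enums and fixeds seen so far."""
    if isinstance(node, str):
        if node in PRIMITIVES or node in defined or (namespace and f"{namespace}.{node}" in defined):
            return
        raise UnsafeSchema(f"undefined type reference {node!r}")
    if isinstance(node, list):  # union
        for branch in node:
            _check(branch, namespace, defined)
        return
    if not isinstance(node, dict) or not isinstance(node.get("type"), (str, dict, list)):
        raise UnsafeSchema("node must be a type name, a union list, or an object with a 'type'")
    t = node["type"]
    if isinstance(t, (dict, list)):  # wrapped form: {"type": {...}} or {"type": [...]}
        _reject_extra(node, {"type"})
        _check(t, namespace, defined)
        return
    if t in PRIMITIVES:
        _reject_extra(node, {"type"} | LOGICAL_ATTRS)
        return
    if t not in ALLOWED_ATTRS:  # {"type": "SomeName"} is a reference to a named type
        _reject_extra(node, {"type"})
        _check(t, namespace, defined)
        return
    _reject_extra(node, ALLOWED_ATTRS[t] | (LOGICAL_ATTRS if t == "fixed" else set()))
    if t in ("record", "enum", "fixed"):
        name = node.get("name")
        if not isinstance(name, str) or not name:
            raise UnsafeSchema(f"{t} without a valid name")
        if "." in name:
            namespace, full = name.rsplit(".", 1)[0], name
        else:
            namespace = node.get("namespace", namespace)
            full = f"{namespace}.{name}" if namespace else name
        defined.add(full)  # registered before walking children so recursive types resolve
    if t == "record":
        fields = node.get("fields")
        if not isinstance(fields, list):
            raise UnsafeSchema("record without a fields list")
        for field in fields:
            if not isinstance(field, dict) or not isinstance(field.get("name"), str):
                raise UnsafeSchema("malformed record field")
            _reject_extra(field, FIELD_ATTRS)
            _check(field.get("type"), namespace, defined)
    elif t == "enum":
        symbols = node.get("symbols")
        if not isinstance(symbols, list) or not all(isinstance(s, str) for s in symbols):
            raise UnsafeSchema("enum without a list of string symbols")
    elif t == "fixed":
        if not isinstance(node.get("size"), int):
            raise UnsafeSchema("fixed without an integer size")
    elif t == "array":
        _check(node.get("items"), namespace, defined)
    elif t == "map":
        _check(node.get("values"), namespace, defined)


def sanitize_schema(schema_json):
    """Parse untrusted schema text; raise UnsafeSchema unless every node is spec-conformant.
    Returns the parsed schema, which is what should then be handed to the real Avro parser."""
    schema = json.loads(schema_json)
    _check(schema, None, set())
    return schema


def reject_reason(schema_json):
    """None when the schema passes, otherwise the reason it was refused."""
    try:
        sanitize_schema(schema_json)
    except ValueError as exc:  # UnsafeSchema and JSON decode errors are both ValueErrors
        return str(exc)
    return None


# Constructed schemas: a clean one, one carrying a made-up non-spec attribute, one with a dangling
# reference. "x-handler" and "com.example.NotReal" are placeholders, not names from any real SDK.
CLEAN_SCHEMA = """{"type": "record", "name": "Event", "namespace": "example.events", "fields": [
  {"name": "id", "type": "long"},
  {"name": "kind", "type": {"type": "enum", "name": "Kind", "symbols": ["LOGIN", "LOGOUT"]}},
  {"name": "tags", "type": {"type": "array", "items": "string"}, "default": []},
  {"name": "when", "type": {"type": "long", "logicalType": "timestamp-millis"}},
  {"name": "parent", "type": ["null", "Event"], "default": null}]}"""
TAMPERED_SCHEMA = """{"type": "record", "name": "Event", "fields": [
  {"name": "payload", "type": {"type": "string", "x-handler": "com.example.NotReal"}}]}"""
UNDEFINED_REF_SCHEMA = """{"type": "record", "name": "Wrapper", "fields": [
  {"name": "inner", "type": "NotDefined"}]}"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SCHEMA), ("tampered", TAMPERED_SCHEMA), ("dangling", UNDEFINED_REF_SCHEMA)):
        print(label, "->", reject_reason(text) or "accepted")
```

Place the check on the boundary where schemas arrive from users and pass only the returned object (re-serialized) to the SDK; a schema that is rejected here never reaches the vulnerable parsing code at all.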

4. WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

A high-severity vulnerability (CVE-2024-47374, CVSS score: 7.2) has been identified in the LiteSpeed Cache plugin for WordPress, affecting versions up to 6.5.0.2. This stored cross-site scripting (XSS) flaw allows malicious actors to inject JavaScript, potentially leading to privilege escalation or sensitive data theft. The issue was resolved in version 6.5.1 on September 25, 2024, following responsible disclosure by researcher TaiYou from Patchstack Alliance. The vulnerability arises from improper parsing of the “X-LSCACHE-VARY-VALUE” HTTP header. The exploit requires the plugin’s “CSS Combine” and “Generate UCSS” options to be enabled. Stored XSS attacks are dangerous as they can execute malicious scripts whenever a site visitor accesses the affected page. This vulnerability is particularly concerning due to LiteSpeed Cache’s large user base, with over six million installations.

5. CISA Warns of Exploited Ivanti Flaw: Urgent Patch Needed

CISA warns of active exploitation of a critical vulnerability (CVE-2024-29824) in Ivanti Endpoint Manager, urging organizations to apply the May 2024 patch immediately. This flaw, which allows unauthorized access, could lead to data theft, ransomware, and other attacks. CISA has added the bug to its Known Exploited Vulnerabilities Catalog, citing evidence of ongoing exploitation. Ivanti confirmed that a limited number of customers have already been targeted. Government agencies must patch systems by October 23, 2024, and all organizations are advised to prioritize this fix. This follows a series of attacks exploiting multiple Ivanti security flaws, including zero-day vulnerabilities. Ivanti is working to improve its security processes to address threats faster. With over 40,000 companies using Ivanti’s tools, the widespread impact underscores the urgency of addressing this issue swiftly.
