Programmer’s Digest #54

10/18/2023-10/25/2023 Critical Citrix NetScaler Flaw, Vulnerability in Synology’s DiskStation Manager, vRealize RCE flaw And More.

1. Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms

Citrix is warning of a critical security flaw (CVE-2023-4966, CVSS 9.4) in NetScaler ADC and Gateway appliances. Exploitation has been observed, and Google-owned Mandiant detected zero-day exploitation starting in late August 2023. The flaw impacts specific versions and requires the device to be configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server. While patches were released on October 10, 2023, Citrix reports active abuse of unmitigated appliances. Successful exploitation can hijack authenticated sessions, bypassing multi-factor authentication and potentially leading to further access. The threat actor responsible remains unidentified but has targeted professional services, technology, and government organizations. To mitigate these threats, users must promptly update their instances and terminate all active sessions, even though this is not a remote code execution vulnerability.

2. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity flaw (CVE-2023-2729) in Synology’s DiskStation Manager (DSM) could potentially reveal an administrator’s password, leading to a remote account hijack. The issue was addressed in June 2023. The vulnerability stems from the use of a weak random number generator that relies on the JavaScript Math.random() method to construct the admin password. This “insecure randomness” can allow an attacker to predict the password. However, successful exploitation depends on the attacker extracting certain GUIDs generated during the setup process to reconstruct the seed for the pseudorandom number generator. While the attack requires multiple steps, users should promptly apply the update to mitigate the risk, especially considering the potential account takeover.

3. Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection

A backdoor on Cisco devices, created through two zero-day flaws in IOS XE software, has been altered by the threat actor to evade detection. The modified backdoor only responds if the correct Authorization HTTP header is set, making it harder to detect. The attacker uses CVE-2023-20198 and CVE-2023-20273 to compromise devices, create privileged accounts, and install a Lua-based implant. Cisco is releasing security updates to address the vulnerabilities. The threat actor remains unidentified, but the attack has affected thousands of devices. Although the number of compromised devices decreased significantly, hidden changes to the implant explain this drop, as more than 37,000 devices still contain the backdoor. Cisco confirmed the change in behavior and provided a method to check for the implant’s presence.

4. Cross-site Scripting and how to fix it

Cross-site scripting (XSS) is a severe vulnerability that lets attackers inject malicious code into web applications. It is a major security concern for websites that do not control user input. XSS exploits, such as injecting scripts through HTML forms or email, can compromise websites and servers. To prevent XSS, sanitize input and never output data directly to the browser without checking it for malicious code. XSS filtering is a security feature that blocks malicious content, preventing server-side code execution and thwarting remote attacks. It strips risky elements such as the <script> tag, JavaScript commands, CSS styles, and hazardous HTML markup, and is typically implemented in server-side code or by using a safer library. If you are using Java, a good place to start is the OWASP Java Encoder Project. For PHP, there is a comprehensive library called HTML Purifier, which boasts strict standards compliance and better features than other filters. Restrict the type of input a user can submit in your form through validation. For instance, if you have an input field for an email address, only accept input in email format. This way, you minimize the chances of attackers submitting bad data. The validator package can perform this check on the backend as well:

const { check } = require('express-validator'); // check() comes from express-validator, which wraps the validator package
check('username', 'Username must be an email address').isEmail()

The above code requires that the submitted username be an email address; otherwise it displays the error message (“Username must be an email address”). Secure your cookies by setting the httpOnly and secure flags. These settings are crucial for preventing session hijacking and unauthorized access.

5. VMware warns admins of public exploit for vRealize RCE flaw

VMware has issued a warning regarding a PoC exploit for an authentication bypass vulnerability (CVE-2023-34051) in vRealize Log Insight, now known as VMware Aria Operations for Logs. This flaw enables unauthenticated attackers to remotely execute code with root permissions if specific conditions are met. To exploit it, the attacker must compromise a host in the targeted environment and have permissions to add an extra interface or static IP address. Horizon3 security researchers, who discovered the bug, released a PoC exploit and indicators of compromise (IOCs) to detect exploitation attempts. This vulnerability also acts as a bypass for a chain of critical flaws patched by VMware in January, allowing attackers to gain remote code execution. While it requires some infrastructure setup, it poses a significant threat to previously compromised networks.


Programmer’s Digest #53

10/11/2023-10/18/2023 New Admin Takeover Vulnerability, Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software, Malicious NuGet Package And More.

1. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account. The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The problem is rooted in the fact that the software uses a weak random number generator that relies on the JavaScript Math.random() method to programmatically construct the admin password for the network-attached storage (NAS) device. Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn’t have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems. Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality.

2. Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software

Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. A brief description of the two flaws is as follows –

  • CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
  • CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances.

A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

3. Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers

A severe flaw in Milesight industrial cellular routers, tracked as CVE-2023-43261 with a CVSS score of 7.5, has been discovered and may have been exploited in real-world attacks. This vulnerability, affecting several router models, allows unauthorized access to sensitive information and could lead to the configuration of VPN servers and firewall protection removal. Evidence suggests that the flaw has been used on a small scale in the wild, with the attacker successfully authenticating on some systems using credentials extracted from httpd.log. Around 5% of internet-exposed Milesight routers are vulnerable to this issue, and the advice is to assume all credentials have been compromised and generate new ones while ensuring no interfaces are accessible from the internet to mitigate the risk.

4. Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

A malicious NuGet package, mimicking a legitimate one, has been discovered delivering the SeroXen RAT. While the genuine package had nearly 79,000 downloads, the malicious version artificially inflated its download count to over 100,000. The threat actor published six other packages, with four posing as crypto service libraries for Kraken, KuCoin, Solana, and Monero but actually deploying SeroXen RAT. The attack occurs during installation through a PowerShell script that exploits deprecated behavior, allowing arbitrary commands. SeroXen RAT, available for $60, is a fileless RAT combining the functions of Quasar RAT, r77 rootkit, and NirCmd. The discovery highlights the exploitation of open-source ecosystems by attackers.

5. Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

In its October 2023 Patch Tuesday updates, Microsoft addressed 103 software vulnerabilities, including 13 Critical and 90 Important flaws, along with 18 in its Chromium-based Edge browser since September. Two zero-day vulnerabilities are of particular concern:

  • CVE-2023-36563 (CVSS score: 6.5) – An information disclosure flaw in Microsoft WordPad, potentially leaking NTLM hashes.
  • CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could expose sensitive data, such as IP addresses and port numbers, granting access to internal networks.

Additionally, multiple vulnerabilities affecting Microsoft Message Queuing and Layer 2 Tunneling Protocol were fixed, which could lead to remote code execution and denial-of-service. A privilege escalation bug in Windows IIS Server (CVE-2023-36434) was addressed. An update for CVE-2023-44487 was released to mitigate HTTP/2 Rapid Reset attacks. Microsoft also deprecated Visual Basic Script, which has been exploited for malware distribution, and it will be removed from future Windows releases.


6. ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

Threat actors behind ShellBot are infiltrating poorly managed Linux SSH servers using hexadecimal IP addresses. They have altered their method of deploying ShellBot from a regular IP address to a hexadecimal value, aiming to avoid URL-based detection. ShellBot, also known as PerlBot, exploits servers with weak SSH credentials through dictionary attacks, serving as a conduit for DDoS attacks and cryptocurrency miners. The malware communicates with a command-and-control (C2) server via the IRC protocol. This change indicates ShellBot’s continued use for Linux system attacks. To counter this, users are advised to employ strong, regularly changed passwords to resist brute-force and dictionary attacks. Additionally, attackers are using abnormal certificates with exceptionally long strings in an attempt to distribute information-stealing malware. These malicious pages, often linked to illegal software, pose a threat to a wide range of users.


Programmer’s Digest #52

10/04/2023-10/11/2023 Critical Atlassian Confluence Vulnerability, Linux Systems Vulnerable to RCE Attacks, Security Patch for Two New Flaws in Curl Library And More.

1. Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

Microsoft has tied the recent critical flaw in Atlassian Confluence Data Center and Server, known as CVE-2023-22515, to a nation-state actor called Storm-0062 (aka DarkShadow or Oro0lxy). This vulnerability, a privilege escalation issue, enables the creation of unauthorized Confluence administrator accounts and has been exploited in the wild since September 14, 2023. Rated 10.0 on the CVSS severity scale, it affects various Confluence versions. Although the full extent of the attacks remains uncertain, Atlassian learned of the issue from a few customers, indicating that it was a zero-day exploit. Notably, Oro0lxy is a digital alias used by Li Xiaoyu, a Chinese hacker accused by the U.S. Department of Justice in July 2020 of infiltrating numerous companies, including Moderna, a COVID-19 vaccine developer, on behalf of the Ministry of State Security (MSS) in Guangdong.

2. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

In August 2023, Amazon Web Services (AWS), Cloudflare, and Google disclosed mitigating unprecedented DDoS attacks that exploited the HTTP/2 Rapid Reset technique, tracked as CVE-2023-44487 with a CVSS score of 7.5. These layer 7 attacks flooded Google’s cloud infrastructure with up to 398 million requests per second, while AWS and Cloudflare experienced 155 million and 201 million RPS, respectively. HTTP/2 Rapid Reset exploits a zero-day flaw in HTTP/2, using the protocol’s multiplexing feature to send and cancel requests in quick succession, overwhelming servers. Notably, even a relatively small botnet of around 20,000 machines can execute such attacks. These DDoS attacks have become a significant threat, with HTTP/2 widely used across 35.6% of websites and 77% of web requests. Google observed multiple variants of Rapid Reset attacks, some more efficient than standard HTTP/2 DDoS attacks, making it a critical tool for threat actors.

3. libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

A security flaw in the libcue library has been revealed, affecting GNOME Linux systems and posing a risk of remote code execution (RCE). Tracked as CVE-2023-43641 with a CVSS score of 8.8, this issue results from memory corruption in libcue versions 2.2.1 and earlier. The flaw resides in an out-of-bounds array access in the track_set_index function, enabling code execution when a victim downloads a .cue file from a malicious link. This vulnerability in libcue can be exploited with just one click, making it particularly concerning. Users are urged to install the latest updates, as further technical details are being withheld for security reasons. This disclosure follows a recent high-severity vulnerability in Google Chrome’s V8 JavaScript engine that also enabled RCE through visiting malicious sites, emphasizing the importance of prompt patching.

4. Security Patch for Two New Flaws in Curl Library Arriving on October 11

Curl library maintainers have warned of two upcoming security vulnerabilities to be addressed in the October 11, 2023, update. These are CVE-2023-38545 (high-severity) and CVE-2023-38546 (low-severity). Detailed information is being withheld so that the problem cannot be identified before the release, but it affects versions spanning the past several years. Curl, a widely used command-line data transfer tool, supports various protocols. CVE-2023-38545 impacts both libcurl and curl, while CVE-2023-38546 affects only libcurl. The vulnerabilities will be fixed in curl version 8.4.0. Users are advised to inventory their systems for curl and libcurl now, so that potentially vulnerable versions can be found quickly when details are disclosed with the release on October 11.

5. GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub is enhancing its secret scanning feature to validate tokens from services like AWS, Microsoft, Google, and Slack, alerting users to exposed tokens. This improvement builds on the validity checks introduced earlier this year for GitHub tokens and is planned to expand to more tokens in the future. To enable this feature, enterprise or organization owners and repository administrators can go to Settings > Code security and analysis > Secret scanning and select “Automatically verify if a secret is valid by sending it to the relevant partner.”

6. CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog. Two new additions include:

  • CVE-2023-42793 (CVSS 9.8) – JetBrains TeamCity Authentication Bypass Vulnerability: This flaw allows remote code execution on TeamCity Server, with 74 unique IP addresses attempting exploitation.
  • CVE-2023-28229 (CVSS 7.0) – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability: This high-severity issue enables specific SYSTEM privileges. While in-the-wild exploitation hasn’t been reported, a proof-of-concept (PoC) was shared.

Five vulnerabilities related to Owl Labs Meeting Owl have been removed due to insufficient evidence. Federal Civilian Executive Branch agencies must apply vendor-provided patches for the two actively exploited flaws by October 25, 2023, for network security. Microsoft has rated CVE-2023-28229 as “Exploitation Less Likely” and addressed it in April 2023 Patch Tuesday updates.

7. Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems

Cisco has released updates to address a critical security flaw in Emergency Responder (CVE-2023-20101, CVSS 9.8). This vulnerability allows unauthenticated, remote attackers to log into affected systems using hard-coded credentials. The flaw results from static user credentials for the root account, typically used during development. Exploiting this flaw could grant attackers access to the system and the ability to execute arbitrary commands as the root user. The issue affects Cisco Emergency Responder Release 12.5(1)SU4 and has been resolved in version 12.5(1)SU5. Cisco detected this problem during internal security testing and is not aware of any in-the-wild exploitation. Customers are advised to update to the latest version to mitigate potential threats.
