Programmer’s Digest #62

12/13/2023-12/20/2023 Oracle WebLogic Server Vulnerability, Security Vulnerabilities in pfSense Firewall Software, 116 Malware Packages Found on PyPI Repository And More.

1. 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that can be exploited by authenticated attackers to take over susceptible servers. The vulnerability lets a remote authenticated attacker execute code via a gadget chain; because it requires authentication, it is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle WebLogic Server) or with leaked, stolen, or weak credentials. The 8220 Gang has a history of leveraging known security flaws to distribute cryptojacking malware. In May 2023, the group was spotted utilizing another shortcoming in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to rope the devices into a crypto mining botnet.

2. New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

Multiple security vulnerabilities have been discovered in Netgate's open-source pfSense firewall software that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues are two reflected cross-site scripting (XSS) bugs and one command injection flaw. An attacker could use them to spy on traffic or attack services inside the local network. A brief description of the flaws is given below:

  • CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
  • CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
  • CVE-2023-42326 (CVSS score: 8.8) – A command injection flaw (missing input validation) that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

Reflected XSS attacks occur when an attacker delivers a malicious script to a vulnerable web application, which returns it in the HTTP response so that it executes in the victim’s browser. Attacks of this kind are therefore triggered by crafted links, embedded in phishing messages or on a third-party website, for example in a comment section or in links shared in social media posts. In the case of pfSense, the script runs in the firewall’s web interface with the victim’s permissions, because the browser attaches the victim’s authenticated session to the request; the attacker can thus perform actions as that user and, chained with the command injection flaw, reach command execution on the appliance.
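The reflect-then-encode problem in a nutshell, as an added Python sketch that is not pfSense code (pfSense itself is written in PHP): the vulnerable handler echoes a query parameter into the page, the fixed one HTML-encodes it first. The `filtertext` parameter name and the payload are constructed for the example; only the page name comes from the advisory.

```python
# Added example, not pfSense code: a minimal page that reflects a query
# parameter into HTML, in its vulnerable form and with output encoding.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: the kind of link an attacker would put in a phishing
# message aimed at a logged-in firewall admin. The 'filtertext' parameter
# name is hypothetical; the payload only illustrates that script would run.
PAYLOAD = '<script>fetch("/some_admin_action.php?apply=1")</script>'
EVIL_LINK = ("https://firewall.example/status_logs_filter_dynamic.php"
             "?filtertext=" + quote(PAYLOAD))


def _param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: the browser parses the payload as
    markup and runs it with the victim's session cookies attached."""
    return f"<p>Showing log lines matching: {_param(url, 'filtertext')}</p>"


def render_fixed(url: str) -> str:
    """Same page with HTML entity encoding for the element-content context.
    '<' becomes '&lt;', so the payload is displayed, not executed."""
    return (f"<p>Showing log lines matching: "
            f"{html.escape(_param(url, 'filtertext'), quote=True)}</p>")


def reflects_live_script(page: str) -> bool:
    """Demo check: does a real <script> tag survive into the markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", reflects_live_script(render_vulnerable(EVIL_LINK)))  # True
    print("fixed:     ", reflects_live_script(render_fixed(EVIL_LINK)))       # False
```

Encoding has to match the output context: html.escape is right for element content and quoted attributes, but a value placed inside a script block or a URL needs JavaScript-string or URL encoding instead. A Content-Security-Policy that forbids inline script is worthwhile defence in depth for an administrative UI such as a firewall's.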

3. 116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems

Cybersecurity researchers uncovered 116 malicious packages on the Python Package Index (PyPI), aiming to infect Windows and Linux systems with a custom backdoor. ESET researchers identified these packages, estimating over 10,000 downloads since May 2023. The attackers employ various techniques, including embedding malicious code in a test.py module and in obfuscated form in __init__.py and setup.py files. The end goal is compromising hosts with malware, particularly a backdoor for remote command execution, data exfiltration, and screenshots. The backdoor is implemented in Python for Windows and Go for Linux. Alternatively, attack chains may deploy W4SP Stealer or a clipper malware that alters clipboard contents to replace cryptocurrency wallet addresses. This incident joins a series of compromised Python packages used for supply chain attacks, such as libraries distributing Sordeal Stealer in May 2023 and BlazeStealer last month. The researchers advise Python developers to thoroughly vet downloaded code for these techniques. The discovery follows npm packages that targeted a financial institution as part of an advanced adversary simulation exercise; the names of those npm modules have not been disclosed for security reasons.
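"Vet downloaded code for these techniques" can be partly automated. The following added Python example, which is not ESET's tooling, parses setup.py, __init__.py and test.py with the ast module and flags the patterns named above: exec or eval fed from a decoder such as base64.b64decode, shell or process calls at install time, and long high-entropy string literals. The two sample files are constructed; the base64 blob in the suspicious one decodes to a harmless print().

```python
# Added example (not ESET's tooling): a static triage pass over the files
# the PyPI campaign abused (setup.py, __init__.py, test.py), flagging the
# patterns the write-up names: exec/eval fed from decoded blobs, shell
# calls at install time, and long high-entropy string literals.
import ast
import math
from collections import Counter
from pathlib import Path
from typing import List

DANGEROUS_CALLS = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "loads",
            "decrypt", "fromhex"}
SHELL_CALLS = {"system", "popen", "Popen", "run", "call", "check_output",
               "check_call"}
MIN_BLOB_LEN = 24        # shorter literals are rarely payloads
MIN_BLOB_ENTROPY = 4.0   # bits per char; random-looking base64 text is above this

# Constructed sample modelled on the described obfuscation; the blob is
# base64 of "print('hello from blob')", i.e. harmless.
SUSPICIOUS_SETUP_PY = '''
import base64, setuptools
_p = "cHJpbnQoJ2hlbGxvIGZyb20gYmxvYicp"
exec(base64.b64decode(_p))
setuptools.setup(name="totally-fine", version="0.1")
'''

# Constructed benign counterpart: nothing but a declarative setup() call.
BENIGN_SETUP_PY = '''
import setuptools
setuptools.setup(name="totally-fine", version="0.1", packages=["fine"])
'''


def _callee(call: ast.Call) -> str:
    """'exec' for exec(...), 'b64decode' for base64.b64decode(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_source(src: str, filename: str = "setup.py") -> List[str]:
    """Return human-readable findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in DANGEROUS_CALLS:
                # exec(base64.b64decode(x)): a decoder call anywhere in the args
                inner = {_callee(c) for c in ast.walk(node)
                         if isinstance(c, ast.Call) and c is not node}
                sev = "HIGH" if inner & DECODERS else "MEDIUM"
                detail = "on decoded data" if sev == "HIGH" else "with dynamic code"
                findings.append(f"{filename}:{node.lineno}: {sev} {name}() {detail}")
            elif name in SHELL_CALLS:
                findings.append(f"{filename}:{node.lineno}: MEDIUM shell/process call {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if len(text) >= MIN_BLOB_LEN and _entropy(text) >= MIN_BLOB_ENTROPY:
                findings.append(f"{filename}:{node.lineno}: LOW high-entropy literal "
                                f"({len(text)} chars)")
    return findings


def scan_package(root: str) -> List[str]:
    """Run scan_source over the files this campaign hid code in."""
    out = []
    for path in Path(root).rglob("*.py"):
        if path.name in {"setup.py", "__init__.py", "test.py"}:
            out += scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return out
```

Run scan_package() over an extracted sdist before installing it. The check is deliberately cheap and will produce false positives (plenty of legitimate setup.py files shell out), so treat a HIGH hit as a reason to read the file, not as proof of malice. The safer habit is to install with pip's --only-binary :all: where wheels exist, so that no setup.py runs at install time at all.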

4. Microsoft Discovers Critical RCE Flaw In Perforce Helix Core Server

Microsoft has uncovered four vulnerabilities, including a critical one, in the widely used Perforce Helix Core Server, a source code management platform prevalent in the gaming, government, military, and technology sectors. Discovered during a security review by Microsoft analysts, the flaws pose risks of denial of service (DoS) and arbitrary remote code execution as LocalSystem by unauthenticated attackers. While there’s no observed exploitation in the wild, users are urged to upgrade to version 2023.1/2513900, released on November 7, 2023. The most severe flaw, CVE-2023-45849, allows unauthenticated attackers to execute code as LocalSystem, potentially leading to full control of the host. The other three vulnerabilities are denial-of-service issues. Microsoft recommends regular updates, access restrictions, TLS certificates, logging, crash alerts, and network segmentation to enhance protection. For details, consult the official security guide.

5. Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities

Google is emphasizing the role of Clang sanitizers, specifically IntSan and BoundSan, in securing the Android cellular baseband against vulnerabilities. Both are part of UndefinedBehaviorSanitizer and are designed to trap undefined behavior (integer overflow and out-of-bounds array access, respectively) at run time rather than let it become a memory-safety bug. While they incur a performance overhead, Google activated these sanitizers in critical areas: functions that parse messages, libraries handling complex formats, and the network stacks for 2G to 5G. Although beneficial, sanitizers don’t address all vulnerability classes, which is why Google sees a transition to memory-safe languages like Rust as necessary. In October 2023, Google rewrote the Android Virtualization Framework’s firmware in Rust for a memory-safe foundation. As the high-level OS becomes more resilient, Google anticipates increased attacker attention on lower-level components like the baseband, emphasizing the importance of modern toolchains and exploit mitigation technologies there as well.

2023   digest   programmers'

Programmer’s Digest #61

12/06/2023-12/13/2023 New Critical RCE Vulnerability, SLAM Attack, Atlassian Releases Critical Software Fixes And More.

1. New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could enable unauthorized path traversal and could, under certain circumstances, be exploited to upload a malicious file and achieve execution of arbitrary code. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32, and
  • Struts 6.0.0 – Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
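Path traversal through an upload filename is a generic bug class, so the following added Python example (not Struts code; Struts is Java) shows the shape of the defence rather than the Struts-specific trigger: a handler that joins the client's filename onto the upload directory, beside one that reduces it to a bare, allow-listed name and re-checks that the result stays under the root. The upload directory and the extension list are assumptions for the example.

```python
# Added example, not Apache Struts code (Struts is Java; this is a Python
# sketch of the same defence): an upload handler that trusts the client's
# filename beside one that confines every write to the upload directory.
import posixpath
from typing import Iterable

UPLOAD_ROOT = "/srv/app/uploads"           # hypothetical deployment path
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}

# Constructed sample: a filename a traversal exploit would submit, aiming at
# a web-served directory where a dropped script would be executed.
TRAVERSAL_NAME = "../../webapps/ROOT/shell.jsp"


def vulnerable_target(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Joins the client-supplied name onto the root and normalises it.
    '..' components walk out of the upload directory."""
    return posixpath.normpath(posixpath.join(root, client_name))


def escapes_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True when a normalised path is not inside root."""
    return posixpath.commonpath([posixpath.normpath(path), root]) != root


def safe_target(client_name: str, root: str = UPLOAD_ROOT,
                allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> str:
    # 1. Treat the client value as a bare name: keep only the last component,
    #    whichever separator the client used.
    base = posixpath.basename(client_name.replace("\\", "/"))
    # 2. Reject names that are empty, hidden, dot-only, contain control bytes
    #    (including NUL) or exceed a typical filesystem limit.
    if (not base or base in {".", ".."} or base.startswith(".")
            or any(ord(ch) < 32 or ch == "\x7f" for ch in base) or len(base) > 255):
        raise ValueError(f"rejected filename: {client_name!r}")
    # 3. Allow-list the extension; never let the client pick a server-side
    #    type such as .jsp, .php or .war.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in set(allowed):
        raise ValueError(f"extension not allowed: {ext!r}")
    # 4. Belt and braces: the final path must still resolve under root.
    target = posixpath.normpath(posixpath.join(root, base))
    if escapes_root(target, root):
        raise ValueError("path escapes upload root")
    return target


def is_rejected(client_name: str) -> bool:
    """Convenience for callers and tests: does safe_target refuse this name?"""
    try:
        safe_target(client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable writes to:", vulnerable_target(TRAVERSAL_NAME),
          "(escapes root:", escapes_root(vulnerable_target(TRAVERSAL_NAME)), ")")
    print("safe:", safe_target("report.pdf"), "| traversal rejected:", is_rejected(TRAVERSAL_NAME))
```

The safest variant never uses the client's name at all: store the file under a server-generated name and keep the original only as metadata. Also keep the upload directory outside any path the application server will execute from, so that even a successful traversal leaves no .jsp or .php for it to run.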

2. SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs

A new side-channel attack called SLAM (Spectre based on Linear Address Masking) has been disclosed by VU Amsterdam’s VUSec group. It could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. LAM is an upcoming Intel feature that lets software store metadata in the unused upper bits of 64-bit pointers, with the hardware masking those bits before address translation; AMD’s Upper Address Ignore (UAI) and Arm’s Top Byte Ignore (TBI) are the analogous features. SLAM exploits “unmasked” Spectre gadgets (code that uses a secret-dependent pointer without first masking those upper bits) to let a userland process leak arbitrary ASCII kernel data. While LAM is presented as a security feature, the study found that it ironically degrades security and “dramatically” increases the Spectre attack surface, enabling a transient execution attack that exploits speculative execution to extract sensitive data via a cache covert channel. Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that makes the practical exploitation of generic Spectre gadgets feasible.

It impacts the following CPUs:

  • Existing AMD CPUs vulnerable to CVE-2020-12965;
  • Future Intel CPUs supporting LAM (both 4- and 5-level paging);
  • Future AMD CPUs supporting UAI and 5-level paging;
  • Future Arm CPUs supporting TBI and 5-level paging.

3. WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors, in combination with another bug, to execute arbitrary PHP code on vulnerable sites. According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor able to exploit a PHP object injection vulnerability in any other installed plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site: if a POP (property-oriented programming) chain is present via an additional plugin or theme on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. In a similar advisory, Patchstack said an exploitation chain has been available on GitHub since November 17 and has been added to the PHP Generic Gadget Chains (PHPGGC) project. Users are advised to manually check their sites to ensure they are updated to the latest version.

4. Sierra:21 – Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks

A total of 21 security flaws, collectively named Sierra:21, have been identified in Sierra Wireless AirLink cellular routers and in open-source components they use, TinyXML and OpenNDS. These vulnerabilities impact more than 86,000 Internet-exposed devices in critical sectors worldwide, posing a significant cyber threat. Forescout Vedere Labs reveals that devices in the U.S., Canada, Australia, France, and Thailand are predominantly affected. The vulnerabilities could enable attackers to steal credentials, inject malicious code to take control of routers, persist on devices for unauthorized access, and use them as entry points to critical networks. The vulnerabilities have been addressed in ALEOS 4.17.0 (or ALEOS 4.9.9) and OpenNDS 10.1.3, but the outdated TinyXML library, which is no longer maintained, requires downstream action by affected vendors. Exploitation of these flaws could lead to network disruption, espionage, lateral movement, and deployment of further malware, emphasizing the critical need for prompt mitigation.

5. Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution

Atlassian has issued software patches to address four critical vulnerabilities, each posing a risk of remote code execution:

  • CVE-2022-1471 (CVSS score: 9.8): Deserialization flaw in SnakeYAML library affecting multiple products.
  • CVE-2023-22522 (CVSS score: 9.0): Remote code execution vulnerability in Confluence Data Center and Server (versions 4.0.0 and later).
  • CVE-2023-22523 (CVSS score: 9.8): Remote code execution flaw in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (versions up to 3.2.0-cloud / 6.2.0).
  • CVE-2023-22524 (CVSS score: 9.6): Remote code execution vulnerability in Atlassian Companion app for macOS (versions up to 2.0.0).

Notably, CVE-2023-22522 allows authenticated attackers, even those with anonymous access, to inject unsafe input into Confluence pages for code execution. Additionally, CVE-2023-22524 could enable attackers to execute code by using WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections. Users are strongly advised to apply the provided fixes promptly.

2023   digest   programmers'

Programmer’s Digest #60

11/29/2023-12/06/2023 Repositories on GitHub Vulnerable, UEFI Vulnerabilities, Cloud Pentest 101 And More.

1. 15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

Recent research identified over 15,000 vulnerable Go module repositories on GitHub at risk of “repojacking.” Jacob Baines, CTO at VulnCheck, highlighted 9,000 repositories vulnerable due to username changes and 6,000 due to account deletion. These repositories encompass at least 800,000 Go module versions. Unlike npm or PyPI, Go modules on GitHub or Bitbucket lack centralized control, making them prone to abuse.
GitHub employs protective measures, like repository namespace retirement, but VulnCheck notes its ineffectiveness for Go modules, as they are cached, allowing potential bypass. 
It’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.
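Checking your own go.mod for the two conditions the research counts (a renamed owner and a deleted account or repository) is straightforward. The added Python example below, which is not VulnCheck's tooling, parses the require directives, keeps the github.com module paths and asks a lookup function whether each owner/repo still resolves, redirects (renamed) or is gone (404). The module names and the FAKE_GITHUB table are constructed so the example runs offline; github_lookup performs the same probe against the real GitHub API when a network is available.

```python
# Added example, not VulnCheck's tooling: list the GitHub-hosted modules a
# go.mod depends on and flag the two repojacking preconditions the research
# counted, a renamed owner (GitHub redirects the old name) and a deleted
# account or repository (404). All names below are constructed.
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_GO_MOD = """
module example.com/app

go 1.21

require (
    github.com/acme/router v1.8.0
    github.com/olduser/leftpad v0.1.0 // indirect
    github.com/ghostaccount/cli v2.3.1
    golang.org/x/text v0.14.0
)

require github.com/stillhere/tool v1.0.0
"""

# Constructed stand-in for the GitHub API so the example runs offline.
FAKE_GITHUB = {
    ("acme", "router"): "exists",
    ("olduser", "leftpad"): "redirected",   # owner renamed: old name may be free
    ("stillhere", "tool"): "exists",
}                                            # anything else: gone (404)


def parse_requires(go_mod: str) -> List[Tuple[str, str]]:
    """Return (module path, version) for every require directive."""
    reqs, in_block = [], False
    for raw in go_mod.splitlines():
        line = raw.split("//", 1)[0].strip()        # drop "// indirect" etc.
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            parts = line.split()
        elif line.startswith("require "):
            parts = line.split()[1:]
        else:
            continue                                 # module, go, replace, ...
        if len(parts) >= 2:
            reqs.append((parts[0], parts[1]))
    return reqs


def github_owner_repo(module_path: str) -> Optional[Tuple[str, str]]:
    """('owner', 'repo') for github.com paths, None for any other host."""
    parts = module_path.split("/")
    if len(parts) >= 3 and parts[0] == "github.com":
        return parts[1], parts[2]
    return None


def fake_lookup(owner: str, repo: str) -> str:
    return FAKE_GITHUB.get((owner, repo), "missing")


def github_lookup(owner: str, repo: str) -> str:
    """Live probe (network required): GET /repos/{owner}/{repo} with redirects
    disabled. 301 means the repository moved (owner or repo renamed), 404 that
    it is gone; any other error is re-raised for the caller to handle."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    req = urllib.request.Request(f"https://api.github.com/repos/{owner}/{repo}",
                                 headers={"User-Agent": "repojack-check"})
    try:
        urllib.request.build_opener(NoRedirect).open(req, timeout=10).close()
        return "exists"
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 307, 308):
            return "redirected"
        if err.code == 404:
            return "missing"
        raise


def assess(go_mod: str,
           lookup: Callable[[str, str], str] = github_lookup) -> Dict[str, str]:
    """Module path -> 'ok' | 'renamed-owner' | 'missing' | 'not-github'."""
    verdict = {"exists": "ok", "redirected": "renamed-owner", "missing": "missing"}
    result = {}
    for path, _version in parse_requires(go_mod):
        gh = github_owner_repo(path)
        result[path] = verdict[lookup(*gh)] if gh else "not-github"
    return result


if __name__ == "__main__":
    for module, status in assess(SAMPLE_GO_MOD, fake_lookup).items():
        print(f"{status:14} {module}")
```

A redirect or 404 is a precondition for repojacking, not proof of it, since GitHub's namespace retirement may still block re-registration of the old name; each hit deserves a manual look. Note also that go.sum only pins versions you have already recorded: a fresh go get of a newer version of a hijacked module path would pull whatever the new owner publishes.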

2. CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks

A CACTUS ransomware campaign is leveraging recently disclosed vulnerabilities in the Qlik Sense cloud analytics platform for initial access, marking the first documented instance of such an attack. Arctic Wolf researchers have noted exploitation of three disclosed flaws in the past three months:

  • CVE-2023-41265 (CVSS score: 9.9): An HTTP Request Tunneling vulnerability enabling remote privilege escalation.
  • CVE-2023-41266 (CVSS score: 6.5): A path traversal flaw allowing unauthorized transmission of HTTP requests.
  • CVE-2023-48365 (CVSS score: 9.9): An unauthenticated remote code execution vulnerability stemming from improper validation of HTTP headers.

Arctic Wolf observed attackers exploiting these vulnerabilities to abuse the Qlik Sense Scheduler service, downloading tools for persistence and remote control, including ManageEngine UEMS and AnyDesk. The campaign concludes with CACTUS ransomware deployment and data exfiltration using rclone.

3. LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks

The Unified Extensible Firmware Interface (UEFI) code from multiple independent firmware vendors is susceptible to high-impact vulnerabilities collectively known as LogoFAIL, as identified by Binarly. By exploiting flaws in the image parsing libraries embedded in the firmware, threat actors can deliver a malicious payload that bypasses security technologies like Secure Boot and Intel Boot Guard. The vulnerabilities, affecting both x86 and ARM devices, allow attackers to place a malicious logo image in the EFI system partition so that it is parsed during the boot phase, yielding persistent malware. Unlike earlier bootkit techniques that patch the bootloader or firmware components, LogoFAIL does not break runtime integrity, yet it still poses a significant risk, impacting major firmware vendors and numerous devices from Intel, Acer, Lenovo, and others.

4. Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under “limited, targeted exploitation” back in October 2023.

The vulnerabilities are as follows –

  • CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
  • CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
  • CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Google’s Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), had been exploited in the wild as part of limited, targeted attacks. It is currently not known how these shortcomings have been weaponized or who is behind the attacks.

5. DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software

A new variant of the DJVU ransomware, dubbed Xaro by cybersecurity firm Cybereason, is spreading through cracked software. Xaro appends the .xaro extension to encrypted files and demands a ransom for decryption. It is distributed as an archive file from dubious sources posing as legitimate freeware sites. Upon opening, it executes a fake installer for CutePDF that is actually PrivateLoader, a pay-per-install malware downloader. PrivateLoader contacts a command-and-control server and downloads various malware families, such as RedLine Stealer and Vidar, in addition to dropping Xaro. This approach aims to ensure the attack succeeds even if security software blocks some of the payloads. Xaro encrypts files, deploys the Vidar infostealer, and demands a $980 ransom, reduced to $490 if paid within 72 hours. The incident highlights the risks of downloading from untrusted sources and the need for caution in defending against covertly deployed malware.

2023   digest   programmers'