
Programmer’s Digest #51

09/27/2023-10/04/2023 New Linux Flaw, PyTorch Models Vulnerable, Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server And More.

1. Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

A new Linux security vulnerability, named Looney Tunables (CVE-2023-4911, CVSS score: 7.8), has been found in the GNU C library’s dynamic loader. This vulnerability, discovered by Qualys, involves a buffer overflow when processing the GLIBC_TUNABLES environment variable. It was introduced in an April 2021 code commit. This library is critical to Linux systems, responsible for preparing and running programs.
Major Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13 are affected. An attacker with local access could exploit this flaw to execute code with elevated privileges. Red Hat has issued a mitigation that terminates setuid programs invoked with GLIBC_TUNABLES in the environment. Looney Tunables joins a growing list of privilege escalation vulnerabilities in Linux in recent years.

2. Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch

Researchers have uncovered critical security flaws in the PyTorch model-serving tool, TorchServe, which they’ve named ShellTorch. These vulnerabilities could potentially lead to remote code execution. Israel-based security firm Oligo made the discovery and warns that these flaws pose a serious risk to numerous services, including some major companies, as they allow unauthorized access and the insertion of malicious AI models. The vulnerabilities have been addressed in version 0.8.2. Exploiting these flaws could allow an attacker to upload a malicious model and execute arbitrary code without requiring authentication on a default TorchServe server. AWS has issued an advisory urging users to update to TorchServe version 0.8.2 if they are using specific PyTorch inference Deep Learning Containers.

3. Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers

Almost three dozen counterfeit npm packages have been discovered by Fortinet FortiGuard Labs, posing a threat to developer systems. One group of packages, including @expue/webpack and @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting valuable data like Kubernetes configurations, SSH keys, and system metadata. Another set of modules, binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, extracts source code and configuration files without authorization. Some packages use Discord webhooks for data exfiltration, while others automatically download and execute potentially malicious files from URLs. Notably, @cima/prism-utils disables TLS certificate validation, potentially exposing connections to adversary-in-the-middle attacks. Fortinet categorized these modules into nine groups based on code similarities and functions, with many using install scripts for data harvesting.
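The three behaviours this item names (install-time lifecycle scripts, disabled TLS certificate validation, Discord webhooks as an exfiltration channel) can all be surfaced from a package's manifest and source text before it is installed. The following is an added example, not code from the digest or from Fortinet; the two sample packages it audits are constructed, not the real ones, and the regex list is this example's own triage heuristic.

```python
"""Audit npm package manifests and sources for the behaviours the digest
describes: lifecycle scripts that run code during `npm install`, code that
disables TLS certificate validation, and Discord webhooks used for
exfiltration. Added example, not code from the digest or from Fortinet;
the two packages below are constructed, not the real ones."""
import json
import re

# Lifecycle hooks npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source patterns, each with the category it indicates. Regexes over source
# text are a triage aid; a production audit would walk the AST instead.
SOURCE_PATTERNS = [
    ("tls_validation_disabled", re.compile(r"rejectUnauthorized\s*:\s*false")),
    ("tls_validation_disabled", re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\W*=\W*['\"]?0")),
    ("webhook_exfiltration", re.compile(r"discord(?:app)?\.com/api/webhooks")),
]


def audit_package(name, manifest_json, sources):
    """Return findings as (category, detail) tuples for one package.

    manifest_json is the package.json text; sources maps file path -> contents.
    """
    findings = []
    scripts = json.loads(manifest_json).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("install_script",
                             f"{name}: '{hook}' runs {scripts[hook]!r} at install time"))
    for path, text in sources.items():
        for category, pattern in SOURCE_PATTERNS:
            if pattern.search(text):
                findings.append((category, f"{name}: {path} matches {pattern.pattern!r}"))
    return findings


# Constructed sample packages (not real npm packages).
SUSPICIOUS_PACKAGE = {
    "name": "constructed-suspicious-pkg",
    "manifest": json.dumps({"name": "constructed-suspicious-pkg", "version": "0.1.0",
                            "scripts": {"postinstall": "node collect.js"}}),
    "sources": {
        "collect.js": (
            "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\n"
            "const sink = 'https://discord.com/api/webhooks/0000/constructed';\n"
        ),
    },
}
CLEAN_PACKAGE = {
    "name": "constructed-clean-pkg",
    "manifest": json.dumps({"name": "constructed-clean-pkg", "version": "1.0.0",
                            "scripts": {"test": "node test.js"}}),
    "sources": {"index.js": "module.exports = (a, b) => a + b;\n"},
}


def run_demo():
    """Audit both sample packages; returns {package name: findings}."""
    return {pkg["name"]: audit_package(pkg["name"], pkg["manifest"], pkg["sources"])
            for pkg in (SUSPICIOUS_PACKAGE, CLEAN_PACKAGE)}


if __name__ == "__main__":
    for pkg, findings in run_demo().items():
        print(pkg, "->", len(findings), "finding(s)")
        for category, detail in findings:
            print("  ", category, detail)
```

The install-script check is the one with the best signal-to-noise ratio: legitimate packages rarely need `postinstall` hooks, and `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents them from running at all while a package is under review.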

4. Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation

Arm has released security patches to address a security flaw (CVE-2023-4211) in the Mali GPU Kernel Driver that’s being actively exploited. This vulnerability impacts various driver versions, allowing a local non-privileged user to gain access to already freed memory through improper GPU memory processing operations. Google has also identified targeted exploitation of this flaw. Arm has fixed the issue in specific driver versions.

In addition, Arm resolved two other vulnerabilities in the Mali GPU Kernel Driver:

  • CVE-2023-33200: Allows a local non-privileged user to exploit a software race condition, potentially accessing already freed memory.
  • CVE-2023-34970: Permits a local non-privileged user to make improper GPU processing operations, potentially accessing memory outside buffer bounds or exploiting a software race condition, leading to access to already freed memory.

5. Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Progress Software has issued critical security hotfixes for eight vulnerabilities in WS_FTP Server Ad hoc Transfer Module and the WS_FTP Server manager interface. One of the flaws, CVE-2023-40044, with a CVSS score of 10.0, is particularly severe, allowing pre-authenticated attackers to execute remote commands. Other vulnerabilities include directory traversal (CVE-2023-42657), XSS (CVE-2023-40045 and CVE-2023-40047), SQL injection (CVE-2023-40046), CSRF (CVE-2023-40048), and authentication bypass (CVE-2023-40049). Rapid7 has observed instances of exploitation in the wild, emphasizing the importance of promptly applying the patches. Progress Software has been dealing with the aftermath of a major hack targeting its MOVEit Transfer platform since May 2023, affecting numerous organizations and individuals.

6. How to Impersonate a Service Account Using Bigquery Client Library

A service account in Google Cloud is a specialized account designed for applications and compute workloads, rather than human users. It’s identified by a unique email address. To make an application act like a service account, you connect it to the resource where it runs, like a Compute Engine instance. This allows the application to act on behalf of the service account. You can then grant the service account specific permissions (IAM roles) to access Google Cloud resources.
For scenarios requiring stricter permissions control, especially in multi-tenant deployments, Google Cloud offers Service Account impersonation. This feature allows for isolation of resource access controls for each organization or customer.
Impersonation enables authenticated principals (e.g., users or other service accounts) to assume the permissions of a service account. It’s particularly useful for short-lived token flows to avoid exposing service account credentials.
To implement Service Account impersonation with the BigQuery client library, you’ll need to use packages like google-cloud-bigquery and google-auth. More details and code samples can be found in Google Cloud’s documentation on Service Account impersonation.
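As an added example (not code from the digest or from Google's documentation), the following wires the two packages named above together: the caller's own Application Default Credentials are exchanged for a short-lived token for the target service account, and that token is handed to a BigQuery client. The project id and service account e-mail are placeholders, and the validation rules are this example's own; the caller's identity must hold roles/iam.serviceAccountTokenCreator on the target service account.

```python
"""Impersonate a service account for BigQuery access with the google-auth
and google-cloud-bigquery libraries. Added example, not taken from the digest
or from Google's documentation; the project id and service account e-mail are
placeholders, and the validation rules below are this example's own."""
import re

# Impersonated access tokens last at most one hour unless the organization has
# extended the limit; this example keeps them much shorter by default.
MAX_LIFETIME_SECONDS = 3600
DEFAULT_LIFETIME_SECONDS = 600
BIGQUERY_READONLY_SCOPE = "https://www.googleapis.com/auth/bigquery.readonly"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Shape of a Google-managed service account e-mail address.
SERVICE_ACCOUNT_EMAIL = re.compile(
    r"^[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com$")


def validate_impersonation_request(target_principal, scopes, lifetime):
    """Check the request before any token is minted; returns the keyword
    arguments for google.auth.impersonated_credentials.Credentials."""
    if not SERVICE_ACCOUNT_EMAIL.match(target_principal):
        raise ValueError(f"not a service account e-mail: {target_principal}")
    if not scopes:
        raise ValueError("at least one OAuth scope is required")
    if not 0 < lifetime <= MAX_LIFETIME_SECONDS:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_SECONDS} seconds")
    return {"target_principal": target_principal,
            "target_scopes": list(scopes),
            "lifetime": int(lifetime)}


def is_valid_impersonation_request(target_principal, scopes, lifetime):
    """Boolean form of the check above, for callers that only need yes/no."""
    try:
        validate_impersonation_request(target_principal, scopes, lifetime)
        return True
    except ValueError:
        return False


def impersonated_bigquery_client(project, target_principal,
                                 scopes=(BIGQUERY_READONLY_SCOPE,),
                                 lifetime=DEFAULT_LIFETIME_SECONDS):
    """Build a BigQuery client whose requests carry a short-lived token for
    target_principal. The caller's own identity (Application Default
    Credentials: gcloud login, attached service account, workload identity)
    needs roles/iam.serviceAccountTokenCreator on the target service account;
    no service account key file is created or stored."""
    params = validate_impersonation_request(target_principal, scopes, lifetime)
    # Imported inside the function so the validation above works without the
    # Google libraries installed.
    import google.auth
    from google.auth import impersonated_credentials
    from google.cloud import bigquery

    source_credentials, _ = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    target_credentials = impersonated_credentials.Credentials(
        source_credentials=source_credentials, **params)
    return bigquery.Client(project=project, credentials=target_credentials)


if __name__ == "__main__":
    # Placeholder identifiers; replace with a real project and service account.
    client = impersonated_bigquery_client(
        "example-project", "bq-reader@example-project.iam.gserviceaccount.com")
    for row in client.query("SELECT 1 AS ok").result():
        print(row.ok)
```

Scoping the token to `bigquery.readonly` and a ten-minute lifetime is what makes this an improvement over a downloaded key: a leaked token grants one narrow capability for minutes, whereas a leaked key file grants everything the service account can do until someone notices and rotates it.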

7. Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

Cisco has issued a warning about a medium-severity vulnerability (CVE-2023-20109) in its IOS Software and IOS XE Software. The flaw, with a CVSS score of 6.6, affects versions of the software with the GDOI or G-IKEv2 protocol enabled. An authenticated remote attacker with administrative control of a group member or key server could execute arbitrary code or crash the device. The issue stems from insufficient validation of attributes in the GDOI and G-IKEv2 protocols of the GET VPN feature. It could be exploited by compromising a key server or altering the configuration of a group member to point to an attacker-controlled key server. Cisco also disclosed five flaws in Catalyst SD-WAN Manager (versions 20.3 to 20.12) that could lead to unauthorized access, configuration rollback, information disclosure, authorization bypass, and denial of service. Customers are advised to update to a fixed software release to address these vulnerabilities.


Programmer’s Digest #50

09/20/2023-09/27/2023 Critical libwebp Vulnerability, Critical JetBrains TeamCity Flaw, Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities And More.

1. Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score

Google has issued a critical CVE (CVE-2023-5129) for a security flaw in the libwebp image library used for WebP format rendering, currently under active exploitation. Rated at the maximum CVSS severity of 10.0, the issue stems from the Huffman coding algorithm. Specifically, a crafted WebP file can lead to out-of-bounds data writing in the heap due to a size miscalculation in the ReadHuffmanCodes() function. Apple, Google, and Mozilla have recently released fixes for similar vulnerabilities (CVE-2023-41064 and CVE-2023-4863) believed to share the same root cause. CVE-2023-4863’s misclassification in Google Chrome highlights its broader impact on applications reliant on libwebp. A range of widely used software and packages are potentially vulnerable. The prevalence of libwebp elevates the overall risk for users and organizations.

2. Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security flaw (CVE-2023-42793) in JetBrains TeamCity CI/CD software posed a severe risk, potentially enabling remote code execution for unauthenticated attackers. With a CVSS score of 9.8, JetBrains promptly addressed the issue in version 2023.05.4 following its responsible disclosure on September 6, 2023. Exploiting this vulnerability could lead to source code theft, service secret exposure, and control over build agents. Threat actors could also manipulate build pipelines, risking integrity breaches and supply chain compromises. Notably, the flaw affects on-premise versions of JetBrains software, with TeamCity Cloud already patched. Detailed information is withheld due to the potential for wild exploitation. JetBrains urges users to update and offers a security patch plugin for TeamCity versions 8.0 and higher.

3. High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. Atlassian’s four high-severity flaws were fixed in new versions shipped last month. These include –

  • CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
  • CVE-2023-22512 (CVSS score: 7.5) – A DoS flaw in Confluence Data Center and Server
  • CVE-2023-22513 (CVSS score: 8.5) – An RCE flaw in Bitbucket Data Center and Server
  • CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server.

4. Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

A malicious actor posted a bogus proof-of-concept (PoC) exploit for a recent WinRAR vulnerability on GitHub, intending to distribute Venom RAT malware to those who downloaded it. The fake PoC, leveraging a publicly available script for a different vulnerability (CVE-2023-25157), aimed to deceive users. While such deceptive PoCs are known in the research community, this case suggests the actor might have targeted other malicious actors looking to exploit the latest vulnerabilities. The GitHub account hosting the repository, whalersplonk, is now inaccessible. This action occurred four days after the vulnerability (CVE-2023-40477) was disclosed, allowing remote code execution on Windows systems. The repository included a Python script and a video tutorial, which drew 121 views. The Python script sought an executable linked to Venom RAT from a remote server. The threat actor established the server domain before the vulnerability disclosure, emphasizing the attempt to exploit the critical flaw.

5. Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities

CVSS, while useful, may not accurately reflect a vulnerability’s actual impact. Context is crucial. For instance, a critical-severity vulnerability in a library may not pose a risk if it’s not exploitable in the project’s specific use. On the other hand, a medium-severity flaw in a critical component could lead to substantial damage. To manage the growing number of vulnerabilities, organizations need contextual analysis. Safety combines four key criteria into a vulnerability risk score:

  • Severity: Safety utilizes CVSS data and manual vetting for comprehensive severity data, covering over 12,600+ vulnerabilities.
  • Project Context: Recognizes project significance, considering lifecycle, business criticality, data sensitivity, and network exposure.
  • Exploitability: Assesses real-world exploit history and complexity.
  • Reachability: Determines if an attacker can access the vulnerability within the project’s codebase.

Safety’s approach reduces vulnerability noise by up to 90%, enabling efficient time allocation and prioritizing fixes based on real-world risk rather than theoretical severity ratings.
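To make the argument concrete, here is an added example that ranks findings along the four criteria above. It is not Safety’s scoring method and the weighting is an assumption of this example; the findings it ranks are constructed. It reproduces the two cases the item describes: a critical CVSS score in code the project never reaches, and a medium CVSS score in an exposed, business-critical, actively exploited component.

```python
"""Contextual prioritization along the four criteria the digest lists:
severity, project context, exploitability and reachability. Added example
with an assumed weighting of its own; it is not Safety's scoring method, and
the findings below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str
    cvss: float               # severity: CVSS base score, 0-10
    business_critical: bool   # project context: business criticality of the component
    internet_exposed: bool    # project context: network exposure
    exploit_known: bool       # exploitability: public exploit or in-the-wild use
    reachable: bool           # reachability: vulnerable code is reachable from the project


def priority(f):
    """Assumed formula: normalized CVSS scaled by context, exploitability and
    reachability. An unreachable flaw keeps a small residual score so it stays
    tracked (a dependency update can make it reachable) rather than forgotten."""
    context = 1.0 + (0.5 if f.business_critical else 0.0) + (0.5 if f.internet_exposed else 0.0)
    exploitability = 1.5 if f.exploit_known else 1.0
    reachability = 1.0 if f.reachable else 0.1
    return round(f.cvss / 10.0 * context * exploitability * reachability, 3)


def triage(findings, threshold=0.5):
    """Rank findings by priority.

    Returns (ranked list of (id, score), ids at or above the fix-now threshold).
    """
    ranked = sorted(findings, key=priority, reverse=True)
    scored = [(f.ident, priority(f)) for f in ranked]
    return scored, [ident for ident, score in scored if score >= threshold]


# Constructed findings (not real CVEs) illustrating the digest's two cases.
SAMPLE_FINDINGS = [
    Finding("sample-unreachable-critical", 9.8, False, False, False, False),
    Finding("sample-exposed-medium", 5.3, True, True, True, True),
    Finding("sample-internal-high", 7.5, True, False, False, True),
]

if __name__ == "__main__":
    scored, fix_now = triage(SAMPLE_FINDINGS)
    for ident, score in scored:
        print(f"{score:6.3f}  {ident}")
    print("fix now:", fix_now)
```

With this weighting the CVSS 9.8 finding drops to the bottom of the list because nothing in the project reaches it, while the CVSS 5.3 finding ranks first; the multiplicative form is what lets any single criterion (here reachability) dominate the base score, which is the point the item makes against reading CVSS alone.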

6. Critical Security Flaws Exposed in Nagios XI Network Monitoring Software

Nagios XI, version 5.11.1 and lower, is affected by four security vulnerabilities (CVE-2023-40931 to CVE-2023-40934), leading to potential privilege escalation and data exposure. These flaws, disclosed on August 4, 2023, were promptly patched in version 5.11.2 released on September 11, 2023. Three of the vulnerabilities involve SQL injections (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934), potentially granting unauthorized access to database fields. The fourth flaw (CVE-2023-40932) is a cross-site scripting (XSS) issue in the Custom Logo component, enabling the reading of sensitive data. Exploitation could allow attackers to execute arbitrary SQL commands and inject JavaScript code. This isn’t the first time Nagios XI has faced security concerns; previous incidents involved vulnerabilities leading to infrastructure compromise and remote code execution.


Programmer’s Digest #49

09/13/2023-09/20/2023 GitLab Releases Urgent Security Patches, Trend Micro Releases Urgent Fix, Nearly 12,000 Juniper Firewalls Found Vulnerable And More.

1. GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of CVE-2023-3932 showing additional impact. Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

2. Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.
Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that’s bundled along with the software. The complete list of impacted products is as follows –

  • Apex One – version 2019 (on-premise), fixed in SP1 Patch 1 (B12380)
  • Apex One as a Service – fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637
  • Worry-Free Business Security – version 10.0 SP1, fixed in 10.0 SP1 Patch 2495
  • Worry-Free Business Security Services – fixed in July 31, 2023, Monthly Maintenance Release

A successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system. As a workaround, Trend Micro recommends that customers limit access to the product’s administration console to trusted networks.

3. Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

Close to 12,000 Juniper firewalls exposed on the internet are vulnerable to a recently discovered remote code execution flaw (CVE-2023-36845). Exploitable by an unauthenticated remote attacker, it allows arbitrary code execution without creating a system file. This medium-severity flaw in Junos OS’ J-Web component could be exploited to control vital environment variables. Juniper Networks released a patch last month in an out-of-cycle update, addressing this along with other vulnerabilities. A proof-of-concept exploit combines CVE-2023-36846 and CVE-2023-36845 to achieve code execution. The new exploit impacts older systems and requires just a single cURL command. It manipulates the PHPRC environment variable through a crafted HTTP request, enabling the leak of sensitive information and executing arbitrary code using PHP’s options.

4. Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems

Memory corruption flaws found in the ncurses programming library pose a threat to Linux and macOS systems. Threat actors could exploit these vulnerabilities, collectively known as CVE-2023-29491, with a CVSS score of 7.8, to execute malicious code and elevate privileges through environment variable poisoning. Microsoft Threat Intelligence researchers identified and remedied these issues in April 2023, collaborating with Apple to address macOS-specific concerns. Environment variables can influence how programs behave, and manipulating them can lead to unauthorized actions. By poisoning variables like TERMINFO, the ncurses library could be leveraged for privilege escalation. The vulnerabilities involve stack information leaks, parameterized string type confusion, off-by-one errors, heap out-of-bounds issues during terminfo database parsing, and denial-of-service with canceled strings. While these flaws had the potential for privilege escalation and code execution, a multi-stage attack would be required to gain control over a program.

5. Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints

Three high-severity security flaws (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) discovered in Kubernetes pose a risk of remote code execution with elevated privileges on Windows endpoints in Kubernetes clusters. These vulnerabilities affect all Kubernetes environments with Windows nodes and were responsibly disclosed by Akamai on July 13, 2023, with fixes released on August 23, 2023. Attackers can achieve remote code execution with SYSTEM privileges by applying a malicious YAML file to the cluster, targeting kubelet versions below v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17. CVE-2023-3676 requires low privileges, making it accessible to attackers with node access and apply privileges. CVE-2023-3955 results from input sanitization issues, enabling command execution via a specially crafted path string. CVE-2023-3893 involves privilege escalation in the Container Storage Interface (CSI) proxy, granting malicious actors administrator access on the node. These vulnerabilities highlight input sanitization lapses in Windows-specific porting of Kubelet.
