
Programmer’s Digest #52

10/04/2023-10/11/2023 Critical Atlassian Confluence Vulnerability, Linux Systems Vulnerable to RCE Attacks, Security Patch for Two New Flaws in Curl Library And More.

1. Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

Microsoft has tied the recent critical flaw in Atlassian Confluence Data Center and Server, known as CVE-2023-22515, to a nation-state actor called Storm-0062 (aka DarkShadow or Oro0lxy). This vulnerability, a privilege escalation issue, enables the creation of unauthorized Confluence administrator accounts and has been exploited in the wild since September 14, 2023. Rated 10.0 on the CVSS severity scale, it affects various Confluence versions. Although the full extent of the attacks remains uncertain, Atlassian learned of the issue from a few customers, indicating that it was a zero-day exploit. Notably, Oro0lxy is a digital alias used by Li Xiaoyu, a Chinese hacker accused by the U.S. Department of Justice in July 2020 of infiltrating numerous companies, including Moderna, a COVID-19 vaccine developer, on behalf of the Ministry of State Security (MSS) in Guangdong.

2. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

In August 2023, Amazon Web Services (AWS), Cloudflare, and Google disclosed mitigating unprecedented DDoS attacks that exploited the HTTP/2 Rapid Reset technique, tracked as CVE-2023-44487 with a CVSS score of 7.5. These layer 7 attacks flooded Google’s cloud infrastructure with up to 398 million requests per second, while AWS and Cloudflare experienced 155 million and 201 million RPS, respectively. HTTP/2 Rapid Reset exploits a zero-day flaw in HTTP/2, using the protocol’s multiplexing feature to send and cancel requests in quick succession, overwhelming servers. Notably, even a relatively small botnet of around 20,000 machines can execute such attacks. These DDoS attacks have become a significant threat, with HTTP/2 widely used across 35.6% of websites and 77% of web requests. Google observed multiple variants of Rapid Reset attacks, some more efficient than standard HTTP/2 DDoS attacks, making it a critical tool for threat actors.
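A defender-side check for the pattern described above, added here as an example and not part of the original digest: it counts, per connection and per one-second bucket, how many client streams were opened and how many of those were cancelled with RST_STREAM, and flags connections where nearly every stream is reset. The frame events and thresholds are constructed for illustration.

```python
"""Flag HTTP/2 connections that open and immediately cancel streams (Rapid Reset).

Input: an iterable of (timestamp_s, connection_id, frame_type, stream_id) events
as a proxy or packet capture might emit them. Constructed sample data below.
"""
from collections import defaultdict

HEADERS, RST_STREAM = "HEADERS", "RST_STREAM"


def rapid_reset_suspects(events, window_s=1.0, min_streams=50, reset_ratio=0.9):
    """Return {connection_id: (opened, reset)} for suspicious connections.

    A connection is suspicious when, inside one `window_s` bucket, it opened at
    least `min_streams` streams and cancelled at least `reset_ratio` of them.
    Normal clients cancel a few streams; Rapid Reset cancels nearly all of them.
    """
    opened = defaultdict(dict)   # (conn, bucket) -> {stream_id: was_reset}
    bucket_of = {}               # (conn, stream) -> bucket in which it was opened
    for ts, conn, frame, stream in events:
        if frame == HEADERS and (conn, stream) not in bucket_of:
            b = int(ts // window_s)
            bucket_of[(conn, stream)] = b
            opened[(conn, b)][stream] = False
        elif frame == RST_STREAM and (conn, stream) in bucket_of:
            opened[(conn, bucket_of[(conn, stream)])][stream] = True
    suspects = {}
    for (conn, _), streams in opened.items():
        n, r = len(streams), sum(streams.values())
        if n >= min_streams and r / n >= reset_ratio and n > suspects.get(conn, (0, 0))[0]:
            suspects[conn] = (n, r)    # keep the worst bucket per connection
    return suspects


def build_sample_events():
    """Constructed frame log: one attacking connection, two benign ones."""
    events = []
    for i in range(200):              # c1: 200 streams opened and cancelled in 0.2 s
        sid = 2 * i + 1               # client-initiated streams use odd ids
        events.append((0.001 * i, "c1", HEADERS, sid))
        events.append((0.001 * i + 0.0002, "c1", RST_STREAM, sid))
    for i in range(60):               # c2: busy but legitimate, 3 of 60 cancelled
        sid = 2 * i + 1
        events.append((0.015 * i, "c2", HEADERS, sid))
        if i % 20 == 0:
            events.append((0.015 * i + 0.005, "c2", RST_STREAM, sid))
    for i in range(10):               # c3: everything cancelled, but far too few streams
        events.append((0.01 * i, "c3", HEADERS, 2 * i + 1))
        events.append((0.01 * i + 0.001, "c3", RST_STREAM, 2 * i + 1))
    return sorted(events)


if __name__ == "__main__":
    print(rapid_reset_suspects(build_sample_events()))   # {'c1': (200, 200)}
```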

3. libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

A security flaw in the libcue library has been revealed, affecting GNOME Linux systems and posing a risk of remote code execution (RCE). Tracked as CVE-2023-43641 with a CVSS score of 8.8, this issue results from memory corruption in libcue versions 2.2.1 and earlier. The flaw resides in an out-of-bounds array access in the track_set_index function, enabling code execution when a victim downloads a .cue file from a malicious link. This vulnerability in libcue can be exploited with just one click, making it particularly concerning. Users are urged to install the latest updates, as further technical details are being withheld for security reasons. This disclosure follows a recent high-severity vulnerability in Google Chrome’s V8 JavaScript engine that also enabled RCE through visiting malicious sites, emphasizing the importance of prompt patching.

4. Security Patch for Two New Flaws in Curl Library Arriving on October 11

Curl library maintainers have warned of two upcoming security vulnerabilities to be addressed in the October 11, 2023, update: CVE-2023-38545 (high severity) and CVE-2023-38546 (low severity). Detailed information is being withheld so that the problems cannot be identified before the release, but the flaws affect versions released over the past several years. Curl, a widely used command-line data transfer tool, supports various protocols. CVE-2023-38545 impacts both libcurl and curl, while CVE-2023-38546 affects only libcurl. The vulnerabilities will be fixed in curl version 8.4.0. Users are advised to inventory their systems for curl and libcurl installations now, so that potentially vulnerable versions can be identified as soon as details are disclosed in the October 11 release.

5. GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub is enhancing its secret scanning feature to validate tokens from services like AWS, Microsoft, Google, and Slack, alerting users to exposed tokens. This improvement builds on the validity checks introduced earlier this year for GitHub tokens and is planned to expand to more tokens in the future. To enable this feature, enterprise or organization owners and repository administrators can go to Settings > Code security and analysis > Secret scanning and select “Automatically verify if a secret is valid by sending it to the relevant partner.” 

6. CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog. Two new additions include:

  • CVE-2023-42793 (CVSS 9.8) – JetBrains TeamCity Authentication Bypass Vulnerability: This flaw allows remote code execution on TeamCity Server, with 74 unique IP addresses attempting exploitation.
  • CVE-2023-28229 (CVSS 7.0) – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability: This high-severity issue enables specific SYSTEM privileges. While in-the-wild exploitation hasn’t been reported, a proof-of-concept (PoC) was shared.

Five vulnerabilities related to Owl Labs Meeting Owl have been removed due to insufficient evidence. Federal Civilian Executive Branch agencies must apply vendor-provided patches for the two actively exploited flaws by October 25, 2023, for network security. Microsoft has rated CVE-2023-28229 as “Exploitation Less Likely” and addressed it in April 2023 Patch Tuesday updates.

7. Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems

Cisco has released updates to address a critical security flaw in Emergency Responder (CVE-2023-20101, CVSS 9.8). This vulnerability allows unauthenticated, remote attackers to log into affected systems using hard-coded credentials. The flaw results from static user credentials for the root account, typically used during development. Exploiting this flaw could grant attackers access to the system and the ability to execute arbitrary commands as the root user. The issue affects Cisco Emergency Responder Release 12.5(1)SU4 and has been resolved in version 12.5(1)SU5. Cisco detected this problem during internal security testing and is not aware of any in-the-wild exploitation. Customers are advised to update to the latest version to mitigate potential threats.

2023   digest   programmers'

Programmer’s Digest #51

09/27/2023-10/04/2023 New Linux Flaw, PyTorch Models Vulnerable, Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server And More.

1. Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

A new Linux security vulnerability, named Looney Tunables (CVE-2023-4911, CVSS score: 7.8), has been found in the GNU C library’s dynamic loader. This vulnerability, discovered by Qualys, involves a buffer overflow when processing the GLIBC_TUNABLES environment variable. It was introduced in an April 2021 code commit. The dynamic loader is critical to Linux systems, as it prepares and runs every program.
Major Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13 are affected. An attacker with local access could exploit this flaw to execute code with elevated privileges. Red Hat has issued a mitigation that terminates setuid programs invoked with GLIBC_TUNABLES in the environment. Looney Tunables joins a growing list of privilege escalation vulnerabilities in Linux in recent years.

2. Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch

Researchers have uncovered critical security flaws in the PyTorch model-serving tool, TorchServe, which they’ve named ShellTorch. These vulnerabilities could potentially lead to remote code execution. Israel-based security firm Oligo made the discovery and warns that these flaws pose a serious risk to numerous services, including some major companies, as they allow unauthorized access and the insertion of malicious AI models. The vulnerabilities have been addressed in version 0.8.2. Exploiting these flaws could allow an attacker to upload a malicious model and execute arbitrary code without requiring authentication on a default TorchServe server. AWS has issued an advisory urging users to update to TorchServe version 0.8.2 if they are using specific PyTorch inference Deep Learning Containers.

3. Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers

Almost three dozen counterfeit npm packages have been discovered by Fortinet FortiGuard Labs, posing a threat to developer systems. One group of packages, including @expue/webpack and @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting valuable data like Kubernetes configurations, SSH keys, and system metadata. Another set of modules, binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, extracts source code and configuration files without authorization. Some packages use Discord webhooks for data exfiltration, while others automatically download and execute potentially malicious files from URLs. Notably, @cima/prism-utils disables TLS certificate validation, potentially exposing connections to adversary-in-the-middle attacks. Fortinet categorized these modules into nine groups based on code similarities and functions, with many using install scripts for data harvesting.

4. Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation

Arm has released security patches to address a security flaw (CVE-2023-4211) in the Mali GPU Kernel Driver that’s being actively exploited. This vulnerability impacts various driver versions, allowing a local non-privileged user to gain access to already freed memory through improper GPU memory processing operations. Google has also identified targeted exploitation of this flaw. Arm has fixed the issue in specific driver versions.

In addition, Arm resolved two other vulnerabilities in the Mali GPU Kernel Driver:

  • CVE-2023-33200: Allows a local non-privileged user to exploit a software race condition, potentially accessing already freed memory.
  • CVE-2023-34970: Permits a local non-privileged user to make improper GPU processing operations, potentially accessing memory outside buffer bounds or exploiting a software race condition, leading to access to already freed memory.

5. Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Progress Software has issued critical security hotfixes for eight vulnerabilities in WS_FTP Server Ad hoc Transfer Module and the WS_FTP Server manager interface. One of the flaws, CVE-2023-40044, with a CVSS score of 10.0, is particularly severe, allowing pre-authenticated attackers to execute remote commands. Other vulnerabilities include directory traversal (CVE-2023-42657), XSS (CVE-2023-40045 and CVE-2023-40047), SQL injection (CVE-2023-40046), CSRF (CVE-2023-40048), and authentication bypass (CVE-2023-40049). Rapid7 has observed instances of exploitation in the wild, emphasizing the importance of promptly applying the patches. Progress Software has been dealing with the aftermath of a major hack targeting its MOVEit Transfer platform since May 2023, affecting numerous organizations and individuals.

6. How to Impersonate a Service Account Using Bigquery Client Library

A service account in Google Cloud is a specialized account designed for applications and compute workloads, rather than human users. It’s identified by a unique email address. To make an application act like a service account, you connect it to the resource where it runs, like a Compute Engine instance. This allows the application to act on behalf of the service account. You can then grant the service account specific permissions (IAM roles) to access Google Cloud resources.
For scenarios requiring stricter permissions control, especially in multi-tenant deployments, Google Cloud offers Service Account impersonation. This feature allows for isolation of resource access controls for each organization or customer.
Impersonation enables authenticated principals (e. g., users or other service accounts) to assume the permissions of a service account. It’s particularly useful for short-lived token flows to avoid exposing service account credentials.
To implement Service Account impersonation with the BigQuery client library, you’ll need to use packages like google-cloud-bigquery and google-auth. More details and code samples can be found in Google Cloud’s documentation on Service Account impersonation.
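The short-lived token flow described above, added here as an example that is not code from the digest or from Google’s documentation. It assumes the caller already holds roles/iam.serviceAccountTokenCreator on the target service account, that google-auth and google-cloud-bigquery are installed for the client path, and uses a placeholder service account address; the request builder shows the IAM Credentials API call that the google-auth impersonation class wraps, so it can be checked without credentials.

```python
"""Impersonate a service account for BigQuery with short-lived, scoped tokens."""
import re

IAM_CREDENTIALS_BASE = "https://iamcredentials.googleapis.com/v1"
BIGQUERY_RO_SCOPE = "https://www.googleapis.com/auth/bigquery.readonly"
MAX_LIFETIME_SECONDS = 3600   # default ceiling Google enforces for generateAccessToken
# Covers user-managed SAs (<name>@<project>.iam.gserviceaccount.com) and the
# default compute SA (<number>-compute@developer.gserviceaccount.com).
SA_EMAIL_RE = re.compile(r"^[a-z0-9][-a-z0-9]*@[a-z0-9][-a-z0-9.]*\.gserviceaccount\.com$")


def is_service_account_email(address):
    """True if `address` looks like a Google Cloud service account, not a human user."""
    return SA_EMAIL_RE.match(address) is not None


def build_generate_access_token_request(target_sa, scopes, lifetime_seconds=600):
    """Return (url, body) for the IAM Credentials generateAccessToken call.

    The caller's own access token authorizes this POST; the response carries a
    token for `target_sa` that is limited to `scopes` and expires after
    `lifetime_seconds`, so no long-lived service account key is ever handled.
    """
    if not is_service_account_email(target_sa):
        raise ValueError("not a service account address: %r" % target_sa)
    if not scopes:
        raise ValueError("refusing to mint a token with no scopes")
    if not 1 <= lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime must be 1..%d seconds" % MAX_LIFETIME_SECONDS)
    url = "%s/projects/-/serviceAccounts/%s:generateAccessToken" % (IAM_CREDENTIALS_BASE, target_sa)
    body = {"scope": list(scopes), "lifetime": "%ds" % lifetime_seconds}
    return url, body


def impersonated_bigquery_client(target_sa, project, lifetime_seconds=600):
    """Build a BigQuery client whose calls run as `target_sa` (read-only scope).

    The Google imports live here so the request builder above works without them.
    """
    import google.auth
    from google.auth import impersonated_credentials
    from google.cloud import bigquery

    source_creds, _ = google.auth.default()            # the caller's own identity
    target_creds = impersonated_credentials.Credentials(
        source_credentials=source_creds,
        target_principal=target_sa,
        target_scopes=[BIGQUERY_RO_SCOPE],             # least privilege for a reader
        lifetime=lifetime_seconds,                     # short-lived token
    )
    return bigquery.Client(project=project, credentials=target_creds)


if __name__ == "__main__":
    # Placeholder tenant service account; replace with a real one to run for real.
    print(build_generate_access_token_request(
        "tenant-a-reader@example-project.iam.gserviceaccount.com", [BIGQUERY_RO_SCOPE]))
```

Each impersonation call is recorded in Cloud Audit Logs against the caller’s identity, which is what makes per-tenant isolation reviewable after the fact.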

7. Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

Cisco has issued a warning about a medium-severity vulnerability (CVE-2023-20109) in its IOS Software and IOS XE Software. The flaw, with a CVSS score of 6.6, affects versions of the software with the GDOI or G-IKEv2 protocol enabled. An authenticated remote attacker with administrative control of a group member or key server could execute arbitrary code or crash the device. The issue stems from insufficient validation of attributes in the GDOI and G-IKEv2 protocols of the GET VPN feature. It could be exploited by compromising a key server or altering the configuration of a group member to point to an attacker-controlled key server. Cisco also disclosed five flaws in Catalyst SD-WAN Manager (versions 20.3 to 20.12) that could lead to unauthorized access, configuration rollback, information disclosure, authorization bypass, and denial of service. Customers are advised to update to a fixed software release to address these vulnerabilities.


Programmer’s Digest #50

09/20/2023-09/27/2023 Critical libwebp Vulnerability, Critical JetBrains TeamCity Flaw, Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities And More.

1. Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score

Google has issued a critical CVE (CVE-2023-5129) for a security flaw in the libwebp image library used for WebP format rendering, currently under active exploitation. Rated at the maximum CVSS severity of 10.0, the issue stems from the Huffman coding algorithm. Specifically, a crafted WebP file can lead to out-of-bounds data writing in the heap due to a size miscalculation in the ReadHuffmanCodes() function. Apple, Google, and Mozilla have recently released fixes for similar vulnerabilities (CVE-2023-41064 and CVE-2023-4863) believed to share the same root cause. CVE-2023-4863’s misclassification in Google Chrome highlights its broader impact on applications reliant on libwebp. A range of widely used software and packages are potentially vulnerable. The prevalence of libwebp elevates the overall risk for users and organizations.

2. Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security flaw (CVE-2023-42793) in JetBrains TeamCity CI/CD software posed a severe risk, potentially enabling remote code execution for unauthenticated attackers. With a CVSS score of 9.8, the issue was promptly addressed by JetBrains in version 2023.05.4 following its responsible disclosure on September 6, 2023. Exploiting this vulnerability could lead to source code theft, service secret exposure, and control over build agents. Threat actors could also manipulate build pipelines, risking integrity breaches and supply chain compromises. Notably, the flaw affects on-premise versions of JetBrains software, with TeamCity Cloud already patched. Detailed information is withheld due to the potential for in-the-wild exploitation. JetBrains urges users to update and offers a security patch plugin for TeamCity versions 8.0 and higher.

3. High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. The four high-severity Atlassian flaws were fixed in new versions shipped last month. They include:

  • CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
  • CVE-2023-22512 (CVSS score: 7.5) – A DoS flaw in Confluence Data Center and Server
  • CVE-2023-22513 (CVSS score: 8.5) – A RCE flaw in Bitbucket Data Center and Server
  • CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server.

4. Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

A malicious actor posted a bogus proof-of-concept (PoC) exploit for a recent WinRAR vulnerability on GitHub, intending to distribute Venom RAT malware to those who downloaded it. The fake PoC, leveraging a publicly available script for a different vulnerability (CVE-2023-25157), aimed to deceive users. While such deceptive PoCs are known in the research community, this case suggests the actor might have targeted other malicious actors looking to exploit the latest vulnerabilities. The GitHub account hosting the repository, whalersplonk, is now inaccessible. This action occurred four days after the vulnerability (CVE-2023-40477) was disclosed, allowing remote code execution on Windows systems. The repository included a Python script and a video tutorial, which drew 121 views. The Python script sought an executable linked to Venom RAT from a remote server. The threat actor established the server domain before the vulnerability disclosure, emphasizing the attempt to exploit the critical flaw.

5. Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities

CVSS, while useful, may not accurately reflect a vulnerability’s actual impact. Context is crucial. For instance, a critical-severity vulnerability in a library may not pose a risk if it’s not exploitable in the project’s specific use. On the other hand, a medium-severity flaw in a critical component could lead to substantial damage. To manage the growing number of vulnerabilities, organizations need contextual analysis. Safety combines four key criteria into a vulnerability risk score:

  • Severity: Safety utilizes CVSS data and manual vetting for comprehensive severity data, covering over 12,600 vulnerabilities.
  • Project Context: Recognizes project significance, considering lifecycle, business criticality, data sensitivity, and network exposure.
  • Exploitability: Assesses real-world exploit history and complexity.
  • Reachability: Determines if an attacker can access the vulnerability within the project’s codebase.

Safety’s approach reduces vulnerability noise by up to 90%, enabling efficient time allocation and prioritizing fixes based on real-world risk rather than theoretical severity ratings.

6. Critical Security Flaws Exposed in Nagios XI Network Monitoring Software

Nagios XI, version 5.11.1 and lower, is affected by four security vulnerabilities (CVE-2023-40931 to CVE-2023-40934), leading to potential privilege escalation and data exposure. These flaws, disclosed on August 4, 2023, were promptly patched in version 5.11.2 released on September 11, 2023. Three of the vulnerabilities involve SQL injections (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934), potentially granting unauthorized access to database fields. The fourth flaw (CVE-2023-40932) is a cross-site scripting (XSS) issue in the Custom Logo component, enabling the reading of sensitive data. Exploitation could allow attackers to execute arbitrary SQL commands and inject JavaScript code. This isn’t the first time Nagios XI has faced security concerns; previous incidents involved vulnerabilities leading to infrastructure compromise and remote code execution.
