Rose debug info
---------------

how human behavior affects security

Later Ctrl + ↑

Programmer’s Digest #50

09/20/2023-09/27/2023 Critical libwebp Vulnerability, Critical JetBrains TeamCity Flaw, Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities And More.

1. Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score

Google has issued a critical CVE (CVE-2023-5129) for a security flaw in the libwebp image library used for WebP format rendering, currently under active exploitation. Rated at the maximum CVSS severity of 10.0, the issue stems from the Huffman coding algorithm. Specifically, a crafted WebP file can lead to out-of-bounds data writing in the heap due to a size miscalculation in the ReadHuffmanCodes() function. Apple, Google, and Mozilla have recently released fixes for similar vulnerabilities (CVE-2023-41064 and CVE-2023-4863) believed to share the same root cause. CVE-2023-4863’s misclassification in Google Chrome highlights its broader impact on applications reliant on libwebp. A range of widely used software and packages are potentially vulnerable. The prevalence of libwebp elevates the overall risk for users and organizations.

2. Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security flaw (CVE-2023-42793) in JetBrains TeamCity CI/CD software posed a severe risk, potentially enabling remote code execution for unauthenticated attackers. With a CVSS score of 9.8, JetBrains promptly addressed the issue in version 2023.05.4 following its responsible disclosure on September 6, 2023. Exploiting this vulnerability could lead to source code theft, service secret exposure, and control over build agents. Threat actors could also manipulate build pipelines, risking integrity breaches and supply chain compromises. Notably, the flaw affects on-premise versions of JetBrains software, with TeamCity Cloud already patched. Detailed information is withheld due to the potential for wild exploitation. JetBrains urges users to update and offers a security patch plugin for TeamCity versions 8.0 and higher.

3. High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. 
the four high-severity flaws were fixed in new versions shipped last month. This includes –

  • CVE-2022-25647 (CVSS score: 7.5) – A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
  • CVE-2023-22512 (CVSS score: 7.5) – A DoS flaw in Confluence Data Center and Server
  • CVE-2023-22513 (CVSS score: 8.5) – A RCE flaw in Bitbucket Data Center and Server
  • CVE-2023-28709 (CVSS score: 7.5) – A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server.

4. Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

A malicious actor posted a bogus proof-of-concept (PoC) exploit for a recent WinRAR vulnerability on GitHub, intending to distribute Venom RAT malware to those who downloaded it. The fake PoC, leveraging a publicly available script for a different vulnerability (CVE-2023-25157), aimed to deceive users. While such deceptive PoCs are known in the research community, this case suggests the actor might have targeted other malicious actors looking to exploit the latest vulnerabilities. The GitHub account hosting the repository, whalersplonk, is now inaccessible. This action occurred four days after the vulnerability (CVE-2023-40477) was disclosed, allowing remote code execution on Windows systems. The repository included a Python script and a video tutorial, which drew 121 views. The Python script sought an executable linked to Venom RAT from a remote server. The threat actor established the server domain before the vulnerability disclosure, emphasizing the attempt to exploit the critical flaw.

5. Beyond CVSS: Project Context, Exploitability, and Reachability of Vulnerabilities

CVSS, while useful, may not accurately reflect a vulnerability’s actual impact. Context is crucial. For instance, a critical-severity vulnerability in a library may not pose a risk if it’s not exploitable in the project’s specific use. On the other hand, a medium-severity flaw in a critical component could lead to substantial damage. Safety employs four key criteria for vulnerability assessment:
to manage the growing number of vulnerabilities, organizations need contextual analysis. Safety combines various criteria for a vulnerability risk score:

  • Severity: Safety utilizes CVSS data and manual vetting for comprehensive severity data, covering over 12,600+ vulnerabilities.
  • Project Context: Recognizes project significance, considering lifecycle, business criticality, data sensitivity, and network exposure.
  • Exploitability: Assesses real-world exploit history and complexity.
  • Reachability: Determines if an attacker can access the vulnerability within the project’s codebase.
    Safety’s approach reduces vulnerability noise by up to 90%, enabling efficient time allocation and prioritizing fixes based on real-world risk rather than theoretical severity ratings.

6. Critical Security Flaws Exposed in Nagios XI Network Monitoring Software

Nagios XI, version 5.11.1 and lower, is affected by four security vulnerabilities (CVE-2023-40931 to CVE-2023-40934), leading to potential privilege escalation and data exposure. These flaws, disclosed on August 4, 2023, were promptly patched in version 5.11.2 released on September 11, 2023. Three of the vulnerabilities involve SQL injections (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934), potentially granting unauthorized access to database fields. The fourth flaw (CVE-2023-40932) is a cross-site scripting (XSS) issue in the Custom Logo component, enabling the reading of sensitive data. Exploitation could allow attackers to execute arbitrary SQL commands and inject JavaScript code. This isn’t the first time Nagios XI has faced security concerns; previous incidents involved vulnerabilities leading to infrastructure compromise and remote code execution.

2023   digest   programmers'

Programmer’s Digest #49

09/13/2023-09/20/2023 GitLab Releases Urgent Security Patches, Trend Micro Releases Urgent Fix, Nearly 12,000 Juniper Firewalls Found Vulnerable And More.

1. GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of CVE-2023-3932 showing additional impact. Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

2. Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.
Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that’s bundled along with the software. The complete list of impacted products is as follows –

  • Apex One – version 2019 (on-premise), fixed in SP1 Patch 1 (B12380)
  • Apex One as a Service – fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637
  • Worry-Free Business Security – version 10.0 SP1, fixed in 10.0 SP1 Patch 2495
  • Worry-Free Business Security Services – fixed in July 31, 2023, Monthly Maintenance Release

A successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system. As a workaround, it’s recommending that customers limit access to the product’s administration console to trusted networks.

3. Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

Close to 12,000 Juniper firewalls exposed on the internet are vulnerable to a recently discovered remote code execution flaw (CVE-2023-36845). Exploitable by an unauthenticated remote attacker, it allows arbitrary code execution without creating a system file. This medium-severity flaw in Junos OS’ J-Web component could be exploited to control vital environment variables. Juniper Networks released a patch last month in an out-of-cycle update, addressing this along with other vulnerabilities. A proof-of-concept exploit combines CVE-2023-36846 and CVE-2023-36845 to achieve code execution. The new exploit impacts older systems and requires just a single cURL command. It manipulates the PHPRC environment variable through a crafted HTTP request, enabling the leak of sensitive information and executing arbitrary code using PHP’s options.

4. Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems

Memory corruption flaws found in the ncurses programming library pose a threat to Linux and macOS systems. Threat actors could exploit these vulnerabilities, collectively known as CVE-2023-29491, with a CVSS score of 7.8, to execute malicious code and elevate privileges through environment variable poisoning. Microsoft Threat Intelligence researchers identified and remedied these issues in April 2023, collaborating with Apple to address macOS-specific concerns. Environment variables can influence how programs behave, and manipulating them can lead to unauthorized actions. By poisoning variables like TERMINFO, the ncurses library could be leveraged for privilege escalation. The vulnerabilities involve stack information leaks, parameterized string type confusion, off-by-one errors, heap out-of-bounds issues during terminfo database parsing, and denial-of-service with canceled strings. While these flaws had the potential for privilege escalation and code execution, a multi-stage attack would be required to gain control over a program.

5. Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints

Three high-severity security flaws (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) discovered in Kubernetes pose a risk of remote code execution with elevated privileges on Windows endpoints in Kubernetes clusters. These vulnerabilities affect all Kubernetes environments with Windows nodes and were responsibly disclosed by Akamai on July 13, 2023, with fixes released on August 23, 2023. Attackers can achieve remote code execution with SYSTEM privileges by applying a malicious YAML file to the cluster, targeting kubelet versions below v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17. CVE-2023-3676 requires low privileges, making it accessible to attackers with node access and apply privileges. CVE-2023-3955 results from input sanitization issues, enabling command execution via a specially crafted path string. CVE-2023-3893 involves privilege escalation in the Container Storage Interface (CSI) proxy, granting malicious actors administrator access on the node. These vulnerabilities highlight input sanitization lapses in Windows-specific porting of Kubelet.

2023   digest   programmers'

Programmer’s Digest #48

09/06/2023-09/13/2023 Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws, Critical GitHub Vulnerability, Apache Superset Vulnerabilities And More.

1. Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month’s Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below:

  • CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability;
    CVE-2023-36802 (CVSS score: 7.8) – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability.

Exploiting this vulnerability could allow the disclosure of NTLM hashes. Exact details surrounding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.

2. Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe’s September 2023 Patch Tuesday addresses a critical security flaw, CVE-2023-26369, in Acrobat and Reader. This vulnerability, with a severity rating of 7.8, affects Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. It enables attackers to execute malicious code via specially crafted PDF documents. Adobe confirmed limited real-world exploitation and released updates to fix the issue:

  • Acrobat DC (v23.003.20284 and earlier): Fixed in v23.006.20320;
  • Acrobat Reader DC (v23.003.20284 and earlier): Fixed in v23.006.20320;
  • Acrobat 2020 (Windows and macOS): Fixed in v20.005.30524;
  • Acrobat Reader 2020 (Windows and macOS): Fixed in v20.005.30524.

Additionally, Adobe patched two cross-site scripting flaws in Adobe Connect (CVE-2023-29305 and CVE-2023-29306) and Adobe Experience Manager (CVE-2023-38214 and CVE-2023-38215), both of which could lead to arbitrary code execution.

3. Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks. The flaw could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations. Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.

Repojacking, or repository hijacking, bypasses a security measure known as namespace retirement, gaining control of a repository. This defense prevents duplicate repository names after a user’s account is renamed, making the combination “retired” if over 100 clones exist. Exploiting this could let threat actors create new accounts with the same name, potentially leading to supply chain attacks. Checkmarx’s method exploits a race condition:

  • Victim owns “victim_user/repo”;
  • Victim changes to “renamed_user”;
  • “victim_user/repo” is retired;
  • Attacker creates “repo” and renames to “victim_user”.

This involves API requests for repository creation and username renaming interception. This flaw echoes a previous GitHub patch.

4. Navigating the Dark Corners of the Internet with a Beacon of Hope

At #CivoNavigate, Oliver Pinson-Roxburgh emphasized internet security risks, including unsecured systems and compromised Kubernetes clusters. Third-party software patches were flagged as a major vulnerability source. The open-source community, however, holds potential for timely, secure patches. Platforms like Mintycode offer hope, enabling businesses to sponsor dedicated patches promptly. This collaborative approach not only reduces third-party patch risks but also fosters a secure ecosystem. The conference highlighted both risks and the open-source community’s potential for positive impact. In this journey, platforms like Mintycode and collective efforts in open source can guide us towards a safer digital future. 

5. Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks

Apache Superset released version 2.1.1 to address two critical security vulnerabilities: CVE-2023-39265 and CVE-2023-37941. These flaws can lead to remote code execution when an attacker gains control of Superset’s metadata database. Additionally, CVE-2023-36388, an improper REST API permission issue, enables SSRF attacks for low-privilege users.
CVE-2023-39265 involves URI bypass when connecting to the SQLite database, allowing data manipulation commands. The same CVE includes a lack of validation for importing SQLite database connection information from a file.
CVE-2023-37941 allows attackers to insert malicious payloads into the metadata database, leading to remote code execution.
Other fixed issues include MySQL arbitrary file read, abuse of Superset load_examples, default credentials access, and database credential leaks.
This disclosure follows a previous high-severity vulnerability (CVE-2023-27524) that allowed unauthorized admin access due to a default SECRET_KEY. Many installations still use weak or default keys, highlighting the need for automatic key generation.

6. CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

CISA has issued a warning about nation-state actors exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. They exploited CVE-2022-47966 to access Zoho ManageEngine ServiceDesk Plus, gaining persistence and lateral network movement. The threat groups’ identities remain undisclosed, but U.S. Cyber Command hinted at Iranian involvement. CISA discovered this during an incident response engagement in an aeronautical sector organization between February and April 2023. The attackers also leveraged CVE-2022-42475 to access Fortinet FortiOS SSL-VPN. To protect against such threats, organizations should update, monitor remote access software, and eliminate unnecessary accounts and groups.

7.Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform

Cisco has issued security fixes for various vulnerabilities, including a critical authentication bypass flaw, CVE-2023-20238, in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. The flaw could enable an attacker to forge credentials, potentially leading to toll fraud or executing commands at the forged account’s privilege level. Cisco has also resolved a high-severity issue in the RADIUS message processing feature of Cisco Identity Services Engine (CVE-2023-20243), and an unpatched medium-severity flaw in Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software (CVE-2023-20269), which could allow unauthorized remote access. Additionally, Juniper Networks addressed a severe BGP flaw (CVE-2023-4481) in Junos OS, and an authentication bypass vulnerability (CVE-2023-4498) was reported in Tenda’s N300 Wireless N VDSL2 Modem Router. Organizations should apply updates and remain vigilant.

2023   digest   programmers'
Earlier Ctrl + ↓