Rose debug info
---------------

how human behavior affects security

Later Ctrl + ↑

Programmer’s Digest #119

01/22/2025-01/29/2025 Critical Vulnerability in Meta’s Llama Framework, Old jQuery Vulnerability, High-Severity SQL Injection Flaw in VMware Avi Load Balancer And More.

1. Critical Vulnerability in Meta’s Llama Framework Exposes AI Systems to Remote Attacks

A critical security flaw, CVE-2024-50050, has been discovered in Meta’s Llama Stack, an open-source framework for generative AI. The vulnerability, caused by unsafe deserialization via Python’s pickle module, allows remote attackers to execute arbitrary code on affected servers. The flaw exists in the recv_pyobj method from pyzmq, which deserializes untrusted data. Attackers can exploit this by sending malicious payloads over exposed ZeroMQ sockets, leading to remote code execution (RCE). While Meta initially rated the severity as 6.3 (medium), security firms like Snyk assigned it a 9.3 (critical) under CVSS v4.0 due to risks of data breaches and system takeover.

Following responsible disclosure on September 29, 2024, Meta patched the issue in version 0.0.41, replacing pickle with a secure JSON-based implementation. Users should upgrade immediately to mitigate risks. This flaw highlights broader security concerns in AI frameworks and the need for stronger safeguards in open-source dependencies.

2. CISA Warns of Old jQuery Vulnerability Linked to Chinese APT

CISA has added an old jQuery vulnerability (CVE-2020-11023) to its KEV catalog.
Disclosed in April 2020, this medium-severity XSS flaw can lead to arbitrary code execution. Major organizations like Linux distributions, F5, IBM, and Atlassian previously warned users about its impact.

It’s unclear why CISA added it now, as no recent exploitation reports have surfaced. However, past reports indicate that Chinese state-sponsored APT1 exploited the flaw, with Tenable confirming its use in 2021 for system compromises.

CISA hasn’t clarified if newer attacks prompted this move or if it’s based on older threats. Federal agencies must assess their exposure and take action by February 13.

3. Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

A security review of Palo Alto Networks firewalls uncovered multiple firmware vulnerabilities and misconfigurations, exposing devices to potential attacks.
Security firm Eclypsium analyzed three models—PA-3260, PA-1410, and PA-415—identifying well-known flaws, collectively named PANdora’s Box.

These include:

  • CVE-2020-10713 (BootHole) – Secure Boot bypass
  • Multiple SMM vulnerabilities (PA-3260) – Privilege escalation
  • LogoFAIL (PA-3260) – Secure Boot bypass via image parsing flaws
  • PixieFail (PA-1410, PA-415) – UEFI network stack vulnerabilities
  • Insecure flash access (PA-415) – UEFI modification risk
  • CVE-2023-1017 (PA-415) – TPM 2.0 out-of-bounds write
  • Intel BootGuard bypass (PA-1410)

Palo Alto Networks stated these flaws cannot be exploited under normal conditions with updated PAN-OS and secured interfaces but is working on mitigations. Organizations should update firmware and follow best practices to secure their networks.

4. Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer

Broadcom has warned of a high-severity flaw (CVE-2025-22217, CVSS 8.6) in VMware Avi Load Balancer, allowing attackers to gain unauthenticated database access via blind SQL injection.

Attackers with network access can exploit this by sending crafted SQL queries. The flaw, discovered by Daniel Kukuczka and Mateusz Darda, affects:

  • 30.1.1, 30.1.2 (Fixed in 30.1.2-2p2)
  • 30.2.1 (Fixed in 30.2.1-2p5)
  • 30.2.2 (Fixed in 30.2.2-2p2)

Versions 22.x and 21.x are not affected. Users on 30.1.1 must upgrade to 30.1.2+ before patching.

There are no workarounds, making immediate updates essential for security.

5. Hackers Actively Exploiting Zyxel 0-day Vulnerability to Execute Arbitrary Commands

A zero-day vulnerability (CVE-2024-40891) in Zyxel CPE devices is being actively exploited, allowing attackers to execute arbitrary commands without authentication. This flaw poses serious risks, including system compromise, data theft, and network infiltration.

Security scans have identified over 1,500 infected devices, with no official fix available. The flaw, a command injection issue in telnet service accounts (e. g., “supervisor,” “zyuser”), enables attackers to send crafted telnet requests to gain control.

Researchers at GreyNoise and VulnCheck confirmed active exploitation, but Zyxel has not yet released a patch.

Mitigation Steps:

  • Monitor network traffic for suspicious telnet activity.
  • Restrict access to admin interfaces from trusted IPs.
  • Disable remote management to reduce attack surfaces.
  • Check for Zyxel security updates and apply patches when available.

Organizations using Zyxel CPE devices must act immediately to mitigate threats while awaiting an official fix.

6. GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Several security vulnerabilities, collectively named Clone2Leak, have been found in GitHub Desktop and related Git projects, potentially exposing users’ Git credentials.

Key Vulnerabilities:

  • CVE-2025-23040 (6.6 CVSS) – Crafted URLs can leak credentials in GitHub Desktop.
  • CVE-2024-50338 (7.4 CVSS) – Carriage return character smuggling in Git Credential Manager.
  • CVE-2024-53263 (8.5 CVSS) – Git LFS leaks credentials via HTTP URL injection.
  • CVE-2024-53858 (6.5 CVSS) – GitHub CLI leaks authentication tokens to unauthorized hosts.

Exploitation could allow attackers to access privileged Git resources. Git has patched CVE-2024-52006 and CVE-2024-50349 in v2.48.1.

Mitigation Steps:

  • Update Git, GitHub Desktop, and Git LFS to the latest versions.
  • Avoid cloning untrusted repositories with --recurse-submodules.
  • Disable credential helpers and use public repositories when possible.
2 mo   digest   programmers'

Programmer’s Digest #118

01/15/2025-01/22/2025 Ivanti Patches Critical Vulnerabilities, Malicious npm Packages Stealling Solana Wallet Keys, New UEFI Secure Boot Flaw And More.

1. Ivanti Patches Critical Vulnerabilities in Endpoint Manager

Ivanti announced patches for critical and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM). The most severe issues are four absolute path traversal bugs in EPM (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159) with a CVSS score of 9.8. These impact EPM 2024 and 2022 SU6 (with November 2024 updates) and could leak sensitive data remotely without authentication. January 2025 updates also address 12 high-severity flaws, including remote code execution (RCE), denial-of-service (DoS), and privilege escalation.

Avalanche 6.4.7 resolves three high-severity path traversal vulnerabilities (CVE-2024-13181, CVE-2024-13180, CVE-2024-13179) that could bypass authentication and leak data. Two also fix incomplete October 2024 patches. Application Control Engine updates (versions 2024.3 HF1, 2024.1 HF4, 2023.3 HF3) address a high-severity race condition flaw requiring authentication to exploit. No fixes will be provided for older modules.

2. Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP

Cybersecurity researchers have identified malicious npm and PyPI packages capable of stealing and deleting sensitive data. Notable packages include:

  • npm: @async-mutex/mutex, dexscreener, solana-transaction-toolkit, solana-stable-web-huks, cschokidar-next, achokidar-next, achalk-next, csbchalk-next, cschalk.
  • PyPI: pycord-self.

The first four npm packages intercept Solana private keys, using Gmail’s SMTP servers to exfiltrate data, and can drain up to 98% of wallet contents. GitHub repositories promoting these packages, linked to accounts like “moonshot-wif-hwan”, have been taken down. Other npm packages feature a “kill switch” to wipe project files and exfiltrate environment variables. For instance, csbchalk-next activates deletion only upon receiving a specific server response.

PyPI package pycord-self targets Python developers by capturing Discord tokens and establishing persistent backdoor access.

Additionally, attackers target Roblox users via fake libraries leveraging open-source stealer malware. Developers are advised to exercise caution and verify package authenticity.

3. New UEFI Secure Boot Flaw Exposes Systems to Bootkits

A new UEFI Secure Boot bypass vulnerability, CVE-2024-7344, impacts a Microsoft-signed application and can deploy bootkits even with Secure Boot enabled. Bootkits are hard to detect, as they load before the OS and persist after re-installs.

The vulnerability arises from a custom PE loader in certain UEFI recovery tools, bypassing Secure Boot validation. The affected application uses insecure methods to decrypt and execute binaries, allowing attackers to replace the default bootloader with a vulnerable one and deploy a malicious payload.

Impacted products include:

  • Howyar SysReturn <10.2.023_20240919
  • Greenware GreenGuard <10.2.023-20240927
  • Radix SmartRecovery <11.2.023-20240927
  • Others listed by ESET.

Microsoft patched the issue on January 14, 2025, revoking certificates for affected UEFI apps. Users should install the latest updates to mitigate risks. ESET provided PowerShell commands to verify certificate revocations and demonstrated the exploit in a video.

4. Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

Researchers have uncovered three vulnerabilities in Planet Technology’s WGS-804HPT industrial switches that could enable pre-authentication remote code execution. These switches are widely used in building and home automation networks, making them a critical target for attackers.

Claroty’s analysis revealed the flaws in the dispatcher.cgi interface, which powers the switches’ web service:

  • CVE-2024-52558 (CVSS 5.3): An integer underflow flaw causing a crash via malformed HTTP requests.
  • CVE-2024-52320 (CVSS 9.8): An OS command injection flaw enabling remote code execution.
  • CVE-2024-48871 (CVSS 9.8): A stack-based buffer overflow leading to remote code execution.

Exploiting these flaws allows attackers to embed shellcode in HTTP requests, hijack execution flow, and execute OS commands.

Planet Technology patched the issues with firmware version 1.305b241111, released on November 15, 2024. Users are urged to update immediately to mitigate the risk.

2 mo   digest   programmers'

Programmer’s Digest #117

01/08/2025-01/15/2025 Critical SimpleHelp Flaws, Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers, Critical RCE Flaw in GFI KerioControl And More.

1. Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks

Researchers have identified critical vulnerabilities in SimpleHelp remote access software, potentially enabling information disclosure, privilege escalation, and remote code execution. Horizon3.ai’s Naveen Sunkavally described the flaws as easy to exploit:

  • CVE-2024-57727: An unauthenticated path traversal flaw lets attackers download arbitrary files, including hashed admin and technician passwords.
  • CVE-2024-57728: Allows admins or privileged technicians to upload files anywhere, potentially enabling remote code execution.
  • CVE-2024-57726: A privilege escalation vulnerability lets low-privilege technicians gain admin access by exploiting missing authorization checks.

Attackers could chain CVE-2024-57726 and CVE-2024-57728 to gain admin control and execute malicious payloads. Following disclosure on January 6, 2025, SimpleHelp released patches in versions 5.3.9, 5.4.10, and 5.5.8. Users are urged to patch immediately, update admin and technician passwords, and restrict login IPs to protect against potential exploitation.

2. CISA Adds Second BeyondTrust CVE to Known Exploited Vulnerabilities List

CISA added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access products (CVE-2024-12686) to its catalog of known exploited vulnerabilities. This medium-severity flaw (CVSS 6.6) allows attackers with admin privileges to inject commands into networks as site users. It follows CVE-2024-12356, a critical command injection flaw (CVSS 9.8) linked to BeyondTrust’s investigation into a December attack spree. During the attacks, a compromised SaaS API key led to password resets for multiple accounts, affecting some RemoteSupport SaaS customers. It’s unclear if CVE-2024-12686 is exploited alone or chained with CVE-2024-12356. Federal agencies are investigating connections between these CVEs and the Treasury Department hack, attributed to a Chinese state-linked actor using a stolen vendor key.

3. Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers

Palo Alto Networks has patched several vulnerabilities in its Expedition migration tool, including a high-severity flaw (CVE-2025-0103, CVSS 7.8) that allows authenticated attackers to access sensitive data like passwords, device configurations, and API keys. Expedition, which reached end-of-life on December 31, 2024, also had other flaws:

  • CVE-2025-0104 (CVSS 4.7): XSS allowing phishing and session theft.
  • CVE-2025-0105 (CVSS 2.7): File deletion by unauthenticated attackers.
  • CVE-2025-0106 (CVSS 2.7): File enumeration via wildcard expansion.
  • CVE-2025-0107 (CVSS 2.3): OS command injection enabling data disclosure.

Fixes are available in versions 1.2.100 and 1.2.101. Palo Alto advises restricting access or disabling the tool if unused.

Meanwhile, SonicWall patched SonicOS vulnerabilities, including CVE-2024-53704 (authentication bypass) and CVE-2024-53706 (privilege escalation). Polish firm Securing also disclosed a critical Aviatrix Controller flaw (CVE-2024-50603, CVSS 10.0) fixed in versions 7.1.4191 and 7.2.4996. Users are urged to apply these updates promptly.

4. Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Threat actors are exploiting a recently disclosed security flaw in GFI KerioControl firewalls, CVE-2024-52875, enabling remote code execution (RCE). The vulnerability stems from a CRLF injection attack that allows HTTP response splitting, potentially leading to cross-site scripting (XSS). KerioControl versions 9.2.5–9.4.5 are affected, as disclosed by security researcher Egidio Romano. Exploitation involves injecting malicious inputs into HTTP headers, exploiting unsanitized user input in specific URI paths like /nonauth/addCertException.cs and /nonauth/guestConfirm.cs. GFI released a fix (version 9.4.5 Patch 1) on December 19, 2024. However, a proof-of-concept exploit surfaced, enabling adversaries to craft malicious URLs that trigger firmware upgrades via admin clicks, potentially granting root access. GreyNoise reported exploitation attempts from seven IPs since December 28, 2024. Over 23,800 internet-exposed KerioControl instances are at risk, mainly in Iran, Italy, and the U.S. Users should secure their instances immediately to mitigate threats.

5. Critical Ivanti Connect Secure zero-day flaw under attack

Ivanti disclosed a critical vulnerability, CVE-2025-0282, affecting Connect Secure, Policy Secure, and ZTA gateways. This stack-based buffer overflow flaw, with a 9.0 CVSS score, enables remote code execution in Connect Secure versions before 22.7R2.5, Policy Secure before 22.7R1.2, and ZTA gateways before 22.7R2.3. Another vulnerability, CVE-2025-0283, allows privilege escalation for local attackers and has a 7.0 CVSS score. While CVE-2025-0282 exploitation is confirmed for Connect Secure, Ivanti reports no exploitation of Policy Secure, ZTA gateways, or CVE-2025-0283. Ivanti released patches for affected Connect Secure versions, with Policy Secure and ZTA patches expected by January 21. Exploitation of CVE-2025-0282 can be detected using Ivanti’s Integrity Checker Tool (ICT).

Ivanti credited Mandiant and Microsoft for their assistance and emphasized proactive monitoring with ICT to safeguard network infrastructure.

2 mo   digest   programmers'
Earlier Ctrl + ↓