how human behavior affects security

Programmer’s Digest #122

02/12/2025-02/19/2025 PostgreSQL Vulnerability, New OpenSSH Flaws, Marstech1 JavaScript Implant And More.

1. PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

Threat actors behind the December 2024 zero-day exploitation of BeyondTrust PRA and RS products likely also leveraged a newly discovered SQL injection flaw in PostgreSQL. Tracked as CVE-2025-1094 (CVSS 8.1), the vulnerability affects PostgreSQL’s interactive tool psql. Attackers can exploit it to achieve arbitrary code execution via meta-commands. Rapid7 discovered this issue while investigating CVE-2024-12356, a BeyondTrust flaw enabling unauthenticated remote code execution.

Successful exploitation of CVE-2024-12356 required CVE-2025-1094. PostgreSQL maintainers have patched the issue in versions 13.19, 14.16, 15.11, 16.7, and 17.3. The flaw stems from improper handling of invalid UTF-8 characters, allowing attackers to execute shell commands using the shortcut “!”. Meanwhile, CISA has added CVE-2024-57727, affecting SimpleHelp remote support software (CVSS 7.5), to its KEV catalog, mandating fixes by March 6, 2025.
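The root cause named above is improper handling of invalid UTF-8. The following is an added example (not from the digest and not PostgreSQL code) of the client-side counterpart: any wrapper that assembles psql input from untrusted bytes should fail closed on a malformed encoding rather than hope the quoting layer copes with it. The sample inputs are constructed.

```python
"""Reject bytes that are not valid UTF-8 before they become SQL text.

Added example, not from the digest or from PostgreSQL. Any script or
wrapper that builds psql input from untrusted bytes should fail closed on
malformed encodings instead of relying on the quoting layer to cope with
them. Sample inputs below are constructed.
"""


class InvalidInput(ValueError):
    """Raised when untrusted input cannot be turned into a safe literal."""


def decode_strict(data: bytes) -> str:
    """Decode as UTF-8 with errors='strict'; never 'replace' or 'ignore',
    which would silently paper over a malformed sequence."""
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidInput(f"invalid UTF-8 at byte offset {exc.start}") from exc


def sql_literal(data: bytes) -> str:
    """Return a single-quoted SQL string literal built from *data*.

    Assumes standard_conforming_strings=on (the PostgreSQL default), under
    which the only character that needs escaping is the single quote,
    which is doubled. Because decode_strict ran first, every byte the
    quoting step sees belongs to a complete, well-formed character.
    """
    text = decode_strict(data)
    if "\x00" in text:
        raise InvalidInput("NUL is not permitted in a text literal")
    return "'" + text.replace("'", "''") + "'"


# Constructed samples: plain text, a quote that must be doubled, and a
# multi-byte sequence cut off after two of its three bytes.
SAMPLES = {
    "plain": b"alice",
    "quote": b"O'Brien",
    "truncated": b"abc\xe2\x82",
}


def check_samples() -> dict:
    """Run every sample through sql_literal and record what happened."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            results[name] = sql_literal(raw)
        except InvalidInput as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(f"{name:10} -> {outcome}")
```

Where the application talks to the server through a driver, parameterized queries remain the first choice; this check is for the case where psql scripts have to be generated from external data.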

2. New OpenSSH Flaws Expose SSH Servers to MiTM And DoS Attacks

OpenSSH has released security updates for two vulnerabilities: a man-in-the-middle (MitM) flaw (CVE-2025-26465) and a denial-of-service (DoS) issue (CVE-2025-26466). CVE-2025-26465, present since OpenSSH 6.8p1 (2014), affects clients with VerifyHostKeyDNS enabled, allowing attackers to hijack SSH sessions by forcing an out-of-memory error. Though disabled by default, it was enabled in FreeBSD from 2013–2023. CVE-2025-26466, introduced in OpenSSH 9.5p1 (2023), exploits unrestricted memory allocation during key exchange. Attackers can overload system resources by repeatedly sending small ping messages. Disabling VerifyHostKeyDNS and manually verifying SSH fingerprints are advised for security. To mitigate DoS risks, admins should enforce connection rate limits and monitor SSH traffic.
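The two mitigations above are both configuration settings. As an added example (not OpenSSH code), the script below parses the directive syntax that ssh_config and sshd_config share and reports a client with VerifyHostKeyDNS enabled or a server with no explicit MaxStartups throttle. The config texts are constructed; MaxStartups is a real sshd_config keyword, but the values chosen for it here are an assumption.

```python
"""Audit ssh_config and sshd_config for the mitigations named above.

Added example, not OpenSSH code. It parses the directive syntax both files
share (keyword, then whitespace or '=', then value; '#' comments; keywords
case-insensitive) and flags, on the client side, any VerifyHostKeyDNS yes
(the precondition for CVE-2025-26465) and, on the server side, the absence
of an explicit MaxStartups line, meaning unauthenticated-connection
throttling is left at the default rather than tuned. Configs are constructed.
"""
import re

DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_directives(text: str) -> list:
    """Return (keyword_lowercase, value, line_no) for every directive line."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]           # strip trailing comments
        if not line.strip():
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2), line_no))
    return found


def audit_client_config(text: str) -> list:
    """Findings for ssh_config: VerifyHostKeyDNS yes, tracked per Host block."""
    findings, host = [], "*"
    for key, value, line_no in parse_directives(text):
        if key == "host":
            host = value
        elif key == "verifyhostkeydns" and value.lower() == "yes":
            findings.append(f"line {line_no}: VerifyHostKeyDNS yes (Host {host})")
    return findings


def audit_server_config(text: str) -> list:
    """Findings for sshd_config: no explicit MaxStartups directive."""
    keys = {key for key, _, _ in parse_directives(text)}
    if "maxstartups" not in keys:
        return ["MaxStartups not set: unauthenticated-connection throttle "
                "left at the default"]
    return []


# Constructed configs: a weak pair and the corrected pair.
WEAK_CLIENT = """\
# constructed ~/.ssh/config
Host *
    VerifyHostKeyDNS yes
Host bastion
    HostName bastion.example.internal
"""
HARDENED_CLIENT = WEAK_CLIENT.replace("VerifyHostKeyDNS yes", "VerifyHostKeyDNS no")
WEAK_SERVER = "Port 22\nPermitRootLogin no\n"
HARDENED_SERVER = WEAK_SERVER + "MaxStartups 10:30:60\n"   # start:rate:full; assumed values


if __name__ == "__main__":
    for label, text, audit in (("weak client", WEAK_CLIENT, audit_client_config),
                               ("hardened client", HARDENED_CLIENT, audit_client_config),
                               ("weak server", WEAK_SERVER, audit_server_config),
                               ("hardened server", HARDENED_SERVER, audit_server_config)):
        print(label, "->", audit(text) or "clean")
```

The audit is purely textual and does not follow Include directives; to see the configuration the client will actually apply for a given host, run `ssh -G <host>` and check the VerifyHostKeyDNS line it prints.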

3. Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

The Lazarus Group has been linked to Marstech1, a new JavaScript implant used in targeted attacks against developers. Dubbed Marstech Mayhem by SecurityScorecard, the malware was distributed via a now-deleted GitHub profile, SuccessFriend. It collects system data and can be embedded in websites and NPM packages, posing a supply chain risk.

Active since December 2024, the attack has impacted 233 victims across the U.S., Europe, and Asia. Marstech1 targets Chromium-based browser directories, altering settings for wallets like MetaMask, Exodus, and Atomic. It can also download additional payloads and exfiltrate stolen data. The implant uses advanced obfuscation techniques to evade detection. Meanwhile, Recorded Future uncovered a related North Korean operation, PurpleBravo, targeting cryptocurrency firms through fraudulent IT hires. These workers act as insider threats, stealing data and facilitating cyberattacks. Organizations hiring North Korean IT workers risk violating sanctions and facing security threats.

4. Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

Palo Alto Networks has patched a high-severity authentication bypass flaw in PAN-OS, tracked as CVE-2025-0108 (CVSS 7.8). The flaw allows unauthenticated attackers with network access to invoke PHP scripts via the management interface, impacting system integrity and confidentiality.

The issue stems from discrepancies in how Nginx and Apache handle requests, enabling directory traversal attacks. It affects multiple PAN-OS versions, with fixes available in 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. GreyNoise has detected active exploitation attempts from IPs in the U.S., China, and Israel. Palo Alto Networks confirmed ongoing attacks, warning that CVE-2025-0108 can be chained with CVE-2024-9474 for unauthorized access. Users should immediately apply patches and restrict access to the management interface. Those not using OpenConfig should disable or uninstall the plugin to mitigate risk.
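The item attributes the bypass to two components interpreting the same request differently. The added example below (not Palo Alto Networks code and not a description of the PAN-OS fix) shows the defensive pattern that removes that class of discrepancy: decode and normalise the path once, then apply the allowlist of session-free routes to that canonical form. Route prefixes and sample requests are constructed.

```python
"""Canonicalise a request path once, then make the access decision on it.

Added example; not Palo Alto Networks code. The path is percent-decoded
until stable, dot segments and repeated slashes are collapsed, and only
then is the public-route allowlist consulted, so no two components of the
stack can be made to see different paths. Prefixes and requests are
constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed: the only routes a management interface serves without a session.
PUBLIC_PREFIXES = ("/login", "/static/")


def canonical_path(raw: str) -> str:
    """Return a fully decoded, dot-segment-free, single-slash-rooted path."""
    path = raw.split("?", 1)[0]
    for _ in range(3):                      # unwind multi-level percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changing after three decode passes")
    if "\x00" in path or "\\" in path:
        raise ValueError("forbidden character in path")
    # Collapse '.', '..' and repeated slashes. The leading run of slashes is
    # stripped first because posixpath keeps a leading '//' as-is.
    return posixpath.normpath("/" + path.lstrip("/"))


def requires_session(raw: str) -> bool:
    """True unless the canonical path is one of the public routes."""
    return not canonical_path(raw).startswith(PUBLIC_PREFIXES)


# Constructed requests: straightforward, traversal, encoded, double-encoded,
# and slash-padded variants of the same target.
REQUESTS = [
    "/login",
    "/static/app.css",
    "/static/../internal/config",
    "/static/%2e%2e/internal/config",
    "/static/%252e%252e/internal/config",
    "//static//..//internal/config",
]


def classify(requests=REQUESTS) -> dict:
    """Map each raw request to (canonical path, session required?)."""
    return {r: (canonical_path(r), requires_session(r)) for r in requests}


if __name__ == "__main__":
    for raw, (canon, gated) in classify().items():
        print(f"{raw:40} -> {canon:20} session={gated}")
```

The same canonical function must be the one the front proxy uses when it decides what to forward; restricting the management interface to a trusted network, as the item advises, limits who can even reach the comparison.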

Programmer’s Digest #121

02/05/2025-02/12/2025 Critical Flaws in Connect Secure and Policy Secure, Vulnerabilities in Cisco Identity Services Engine, Zimbra Releases Security Updates And More.

1. Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now

Ivanti has released security updates to fix multiple vulnerabilities in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could enable remote code execution.

Vulnerabilities:

  • CVE-2024-38657 (CVSS 9.1): Arbitrary file write via external control of file name (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2025-22467 (CVSS 9.9): Stack-based buffer overflow (ICS <22.7R2.6).
  • CVE-2024-10644 (CVSS 9.1): Code injection (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2024-47908 (CVSS 9.1): OS command injection in CSA admin console (<5.0.5).

Fixed Versions: ICS 22.7R2.6, IPS 22.7R1.3, CSA 5.0.5. Ivanti urges immediate patching, warning that its products are targeted by sophisticated attackers.

Meanwhile, Bishop Fox disclosed details of CVE-2024-53704 in SonicWall SonicOS, affecting 4,500 unpatched SSL VPN servers. Akamai also revealed two vulnerabilities in Fortinet FortiOS (CVE-2024-46666, CVE-2024-46668), with Fortinet fixing another flaw (CVE-2025-24472).

2. Multiple Vulnerabilities in Cisco Identity Services Engine (ISE)

Cisco has released security updates to address critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), regardless of device configuration.

Vulnerabilities:

  • CVE-2025-20124: Successful exploitation of the insecure Java deserialisation vulnerability could allow an authenticated remote attacker to perform arbitrary code execution on the vulnerable device as a root user. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.
  • CVE-2025-20125: Successful exploitation of the authorisation bypass vulnerability could allow an authenticated remote attacker with valid read-only credentials to access sensitive information, modify node configurations, and restart the node.

The vulnerabilities affect Cisco ISE Software versions 3.3 and earlier.

3. Progress Software Fixes Multiple Vulnerabilities in Its LoadMaster Software

Progress Software has patched multiple high-severity vulnerabilities in its LoadMaster software that could allow authenticated attackers to execute system commands or access files. The flaws include CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (CVSS 8.4), all caused by improper input validation, enabling OS command injection. CVE-2024-56134 (CVSS 8.4) allows an attacker with access to the management interface to download any file via a crafted HTTP request. An attacker who gains access to LoadMaster’s management interface and successfully authenticates could exploit these flaws using specially crafted HTTP requests.

4. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Zimbra has released updates to fix critical security flaws in its Collaboration software, including CVE-2025-25064 (CVSS 9.8), an SQL injection vulnerability in the ZimbraSync Service SOAP endpoint affecting versions before 10.0.12 and 10.1.4. Attackers could exploit it to retrieve email metadata. Another patched flaw is a stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client; the fix improves input sanitization. The fix is available in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Zimbra also addressed CVE-2025-25065 (CVSS 5.3), a server-side request forgery (SSRF) flaw in the RSS feed parser that could allow unauthorized redirection to internal endpoints. This was patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4.

Users are urged to update to the latest Zimbra Collaboration versions to protect against these vulnerabilities.
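The SSRF item describes a feed fetcher that could be redirected to internal endpoints. As an added example (not Zimbra code and not a description of Zimbra's fix), the guard below allows only http/https, resolves the host and rejects non-public addresses, and never lets the HTTP layer follow redirects on its own: every Location header goes back through the same check. Network access is replaced by constructed resolver and fetch callables so it runs offline.

```python
"""Fetch an RSS feed only from public hosts, re-checking on every redirect.

Added example; not Zimbra code. DNS answers and HTTP responses are
constructed so the demo runs offline; in production the resolver would be
socket.getaddrinfo and http_get a client configured not to follow redirects.
"""
import ipaddress
from urllib.parse import urljoin, urlparse


class SSRFBlocked(Exception):
    """Raised when a URL (or a redirect target) points at a non-public host."""


def is_public_target(url: str, resolver) -> tuple:
    """Return (ok, reason). resolver(hostname) -> list of IP strings."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addresses = resolver(parts.hostname)
    if not addresses:
        return False, f"{parts.hostname} does not resolve"
    for ip in addresses:
        # is_global is False for loopback, RFC 1918, link-local, documentation
        # ranges and other reserved space, for both IPv4 and IPv6.
        if not ipaddress.ip_address(ip).is_global:
            return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, "ok"


def fetch_feed(url: str, resolver, http_get, max_hops: int = 3) -> str:
    """http_get(url) -> (status, headers, body); it must NOT auto-follow redirects."""
    for _ in range(max_hops + 1):
        ok, reason = is_public_target(url, resolver)
        if not ok:
            raise SSRFBlocked(f"{url}: {reason}")
        status, headers, body = http_get(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])   # re-checked on next pass
            continue
        return body
    raise SSRFBlocked("too many redirects")


# Constructed DNS answers and HTTP responses for the demo.
FAKE_DNS = {
    "feeds.example.com": ["8.8.8.8"],         # constructed: some public address
    "redirector.example.com": ["8.8.8.8"],
}
FAKE_HTTP = {
    "http://feeds.example.com/rss": (200, {}, "<rss/>"),
    "http://redirector.example.com/go": (302, {"Location": "http://10.0.0.5/admin"}, ""),
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def fake_http_get(url: str) -> tuple:
    return FAKE_HTTP.get(url, (404, {}, ""))


def demo() -> dict:
    """Outcome of fetching each constructed URL through the guard."""
    out = {}
    for url in ("http://feeds.example.com/rss",
                "http://redirector.example.com/go",
                "http://127.0.0.1/",
                "file:///tmp/feed.xml"):
        try:
            out[url] = fetch_feed(url, fake_resolver, fake_http_get)
        except SSRFBlocked as exc:
            out[url] = f"blocked: {exc}"
    return out
```

One caveat the example does not close: between the resolve-and-check step and the actual connection, DNS can change (rebinding). A production fetcher should connect to the address it validated rather than resolving the name a second time.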

5. Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

Threat actors are exploiting recently disclosed vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software as part of a ransomware attack, according to Field Effect. The flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—allow information disclosure, privilege escalation, and remote code execution. They were patched in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Field Effect observed attackers using a vulnerable SimpleHelp instance to gain access, create an admin account, and deploy the Sliver framework for persistence. The attackers attempted to use a Cloudflare tunnel to stealthily route traffic, but the attack was detected before execution. The tactics resemble Akira ransomware attacks from 2023, though other threat actors may be involved. Organizations using SimpleHelp are urged to update immediately.

Programmer’s Digest #120

01/29/2025-02/05/2025 New Veeam Flaw, Weaponized Go Package Module, PyPI Adds Project Archiving System to Stop Malicious Updates And More.

1. New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack

Veeam has patched a critical security flaw (CVE-2025-23114, CVSS 9.0) in its Backup software that could allow attackers to execute arbitrary code via a Man-in-the-Middle attack. The vulnerability affects older versions of Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux/Red Hat Virtualization. Updated versions with fixes include:

  • Salesforce – Updater v7.9.0.1124
  • Nutanix AHV – Updater v9.0.0.1125
  • AWS – Updater v9.0.0.1126
  • Microsoft Azure – Updater v9.0.0.1128
  • Google Cloud – Updater v9.0.0.1128
  • Oracle Linux/Red Hat Virtualization – Updater v9.0.0.1127

Deployments not protecting these cloud environments remain unaffected. Organizations should update immediately to mitigate security risks.

2. CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The list of vulnerabilities is as follows:

  • CVE-2024-45195 (CVSS score: 7.5/9.8) – A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
  • CVE-2024-29059 (CVSS score: 7.5) – An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
  • CVE-2018-9276 (CVSS score: 7.2) – An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
  • CVE-2018-19410 (CVSS score: 9.8) – A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)

3. Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Researchers at Socket have uncovered a malicious Go package exploiting the Go Module Proxy caching mechanism for remote access.

The attack uses a typosquatted version of the BoltDB database module, named “boltdb-go”, mimicking the legitimate github.com/boltdb/bolt package. This trick deceives developers into downloading the malicious version. The package includes a backdoor enabling remote code execution via a command and control (C2) server. Once the malicious version had been cached by the Go Module Proxy, the attacker altered the Git tags to point to a clean version, hiding malware traces from manual inspection. The malicious code obfuscates the C2 IP address (49.12.198[.]231:20022) by manipulating constants in cursor.go.

Developers should verify package authenticity and watch for potential backdoors. The Go community must also address vulnerabilities in the Go Module Proxy caching system to prevent similar attacks.
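"Verify package authenticity" can be made mechanical for the look-alike case. The added example below (not Socket's tooling and not part of the Go toolchain) parses the require directives of a go.mod, skips modules that are exactly on a vetted list, and reports any other path that shares a vetted module's host while its owner/repo segments sit within a small edit distance of it. The vetted list, the look-alike path modelled on the “boltdb-go” name, and the go.mod text are constructed.

```python
"""Flag near-miss module paths in a go.mod against a vetted list.

Added example; not Socket's tooling and not part of the Go toolchain.
The vetted list, the look-alike path and the go.mod text are constructed.
"""
import re

VETTED = {
    "github.com/boltdb/bolt",   # named in the digest item above
    "golang.org/x/crypto",
}

# Constructed go.mod: one vetted module, one look-alike modelled on the
# "boltdb-go" name, one unrelated module.
GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/boltdb-go/bolt v1.3.1
\tgolang.org/x/crypto v0.31.0
\tgithub.com/stretchr/testify v1.9.0
)
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def required_modules(go_mod: str) -> list:
    """Module paths from both block-form and single-line require directives."""
    lines = []
    block = re.search(r"require\s*\((.*?)\)", go_mod, re.S)
    if block:
        lines += block.group(1).splitlines()
    lines += re.findall(r"^require\s+([^(\s]\S*\s+\S+)\s*$", go_mod, re.M)
    paths = []
    for line in lines:
        parts = line.split("//", 1)[0].split()   # drop trailing comments
        if len(parts) >= 2:
            paths.append(parts[0])
    return paths


def suspicious_modules(go_mod: str, vetted=VETTED, max_distance: int = 3) -> dict:
    """Map each near-miss module path to the vetted path it resembles."""
    hits = {}
    for path in required_modules(go_mod):
        if path in vetted:
            continue
        segments = path.split("/")
        for good in vetted:
            good_segments = good.split("/")
            if len(segments) != len(good_segments) or segments[0] != good_segments[0]:
                continue            # different host or depth: not a look-alike
            dist = sum(levenshtein(x, y)
                       for x, y in zip(segments[1:], good_segments[1:]))
            if 0 < dist <= max_distance:
                hits[path] = good
    return hits


if __name__ == "__main__":
    for path, resembles in suspicious_modules(GO_MOD).items():
        print(f"{path} looks like {resembles}")
```

This name check complements, rather than replaces, checksum pinning: go.sum records the hash of what was first downloaded, which is what makes the tag swap described above invisible to a later manual look at the repository but not to the build.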

4. PyPI Adds Project Archiving System to Stop Malicious Updates

PyPI has introduced ‘Project Archival,’ allowing developers to archive projects, signaling no further updates while keeping them downloadable. A warning will inform users of the maintenance status, improving supply-chain security by reducing the risk of hijacked, abandoned packages distributing malicious updates.

The feature also reduces support requests by clearly communicating a project’s lifecycle. Developers can archive projects via PyPI settings and unarchive them anytime. PyPI recommends a final release explaining the archival, though it’s not mandatory.

Built on the LifecycleStatus model, originally designed for project quarantine, the system enables transitions between statuses. Future updates may include statuses like ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained.’ This initiative enhances transparency, helping developers find actively maintained alternatives instead of relying on outdated, insecure dependencies. It also mitigates risks like ‘Revival Hijack’ attacks, where deleted projects are taken over by attackers. By providing a structured approach, PyPI aims to improve security and clarity in open-source project maintenance.

5. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

Three security flaws in the open-source PHP package Voyager could allow attackers to execute remote code with a single click.

Sonar researcher Yaniv Nizry revealed that when an authenticated user clicks a malicious link, attackers can run arbitrary code on the server. Despite responsible disclosure on September 11, 2024, the flaws remain unpatched:

  • CVE-2024-55417 – Arbitrary file write via /admin/media/upload
  • CVE-2024-55416 – Reflected XSS in /admin/compass
  • CVE-2024-55415 – Arbitrary file leak and deletion

Attackers can bypass MIME type verification to upload a polyglot file containing executable PHP code. This could be combined with the XSS vulnerability to escalate the attack, triggering remote code execution when a user clicks a crafted link. Additionally, CVE-2024-55415 allows attackers to delete or extract file contents.

Since no fix is available, users should exercise caution when using Voyager.
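The bypass above works because a polyglot satisfies an image signature while also carrying PHP. The added example below (not Voyager code and not its fix) shows an upload check that does not stop at the signature: it allowlists the extension, sniffs the real content type, requires extension, sniffed type and declared Content-Type to agree, and rejects script markers anywhere in the file. Sample files are constructed byte strings, not real images.

```python
"""Validate an image upload by content, not by the client's claims.

Added example, not Voyager code. Sample uploads are constructed byte
strings that carry a valid GIF signature but are not complete images.
"""

SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg",
                      "jpeg": "image/jpeg", "gif": "image/gif"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def sniff_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes) -> tuple:
    """Return (accepted, reason) for one upload."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "no recognised image signature"
    if sniffed != ALLOWED_EXTENSIONS[ext]:
        return False, f"content is {sniffed} but extension says {ALLOWED_EXTENSIONS[ext]}"
    if declared_mime.lower() != sniffed:
        return False, f"declared {declared_mime} but content is {sniffed}"
    lowered = data.lower()                     # PHP open tags are case-insensitive
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image data"
    return True, "ok"


# Constructed uploads.
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
POLYGLOT_GIF = b"GIF89a\x01\x00\x01\x00" + b"<?php /* constructed marker */ ?>"
UPLOADS = [
    ("logo.gif", "image/gif", GOOD_GIF),
    ("logo.gif", "image/gif", POLYGLOT_GIF),   # valid signature, script inside
    ("logo.php", "image/gif", GOOD_GIF),       # image bytes, script extension
    ("logo.png", "image/png", GOOD_GIF),       # GIF bytes, PNG extension
    ("logo.gif", "image/png", GOOD_GIF),       # lying Content-Type
]


def run_checks(uploads=UPLOADS) -> list:
    """Outcome for each constructed upload, in order."""
    return [validate_upload(*u) for u in uploads]


if __name__ == "__main__":
    for (name, mime, _), (ok, why) in zip(UPLOADS, run_checks()):
        print(f"{name} ({mime}): {'accepted' if ok else 'rejected'} - {why}")
```

Marker scanning is a backstop, not a proof of safety; the stronger measures are storing uploads outside the web root under a server-chosen name, serving them with a fixed Content-Type and `X-Content-Type-Options: nosniff`, and re-encoding images through an image library so that foreign bytes do not survive.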

6. Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw in the Cacti network monitoring framework (CVE-2025-22604, CVSS 9.1) could allow authenticated attackers to execute remote code. The issue stems from a flaw in the multi-line SNMP result parser, enabling users to inject malformed OIDs that lead to command execution via system commands. Exploiting this vulnerability lets users with device management permissions run arbitrary code, risking data theft, modification, or deletion. It affects all versions up to 1.2.28 and is patched in 1.2.29. Security researcher u32i discovered the flaw.

Another vulnerability (CVE-2025-24367, CVSS 7.2) is also fixed, preventing attackers from injecting PHP scripts via graph-related functions. Given past active exploits in Cacti, organizations should urgently update to the latest version to mitigate risks.
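The Cacti item attributes the flaw to a multi-line SNMP result parser that accepts malformed OIDs which later reach system commands. The added example below (not Cacti code and not a description of the Cacti patch) shows two defences for that pattern: an OID must match a strict dotted-numeric grammar before it is used anywhere, and any follow-up command is built as an argument vector rather than a shell string, with every OID re-validated at that point. The walk output and hostname are constructed.

```python
"""Validate OIDs and parse multi-line SNMP output without trusting its shape.

Added example, not Cacti code. The walk output and hostname are constructed;
snmpget with "-v 2c -c <community>" is the real net-snmp invocation form.
"""
import re

OID_RE = re.compile(r"\.?\d+(?:\.\d+)*")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")
# One result line as net-snmp prints it: "<oid> = <TYPE>: <value>".
RESULT_LINE = re.compile(r"(?P<oid>\.?\d+(?:\.\d+)*) = (?P<type>[A-Za-z0-9\-]+): ?(?P<value>.*)")


def is_valid_oid(candidate: str) -> bool:
    """Strict grammar: optional leading dot, then digit runs joined by dots.
    fullmatch (not match) so that trailing text or a newline cannot pass."""
    return bool(OID_RE.fullmatch(candidate)) and len(candidate) <= 128


def parse_walk(output: str) -> dict:
    """Map OID -> (type, value). A line that is not a well-formed result line
    is treated as a continuation of the previous value (multi-line STRING)
    and never as a new OID; text before the first result line is dropped."""
    results = {}
    current = None
    for line in output.splitlines():
        m = RESULT_LINE.fullmatch(line)
        if m:
            current = m.group("oid")
            results[current] = (m.group("type"), m.group("value"))
        elif current is not None:
            kind, value = results[current]
            results[current] = (kind, value + "\n" + line)
    return results


def build_snmpget_argv(host: str, community: str, oids) -> list:
    """Argument vector for net-snmp's snmpget; pass to subprocess.run as a list."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"refusing malformed host: {host!r}")
    bad = [o for o in oids if not is_valid_oid(o)]
    if bad:
        raise ValueError(f"refusing malformed OID(s): {bad!r}")
    return ["snmpget", "-v", "2c", "-c", community, host, *list(oids)]


# Constructed snmpwalk-style output: one STRING value spans two lines.
WALK_OUTPUT = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Linux host 5.15"
.1.3.6.1.2.1.1.5.0 = STRING: "first line
second line"
.1.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
"""


def demo() -> list:
    """Build a follow-up snmpget for every OID the constructed walk returned."""
    oids = list(parse_walk(WALK_OUTPUT))
    return build_snmpget_argv("switch01.example.internal", "public", oids)


if __name__ == "__main__":
    for oid, (kind, value) in parse_walk(WALK_OUTPUT).items():
        print(oid, kind, repr(value))
    print(" ".join(demo()))
```

The argv step is what makes the OID grammar a hard boundary: even if a continuation line were crafted to look like a new result, the only thing that can reach the command is a string that already passed `is_valid_oid`, and it arrives as one argument rather than as shell text.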
