Programmer’s Digest #97

08/21/2024-08/28/2024 Apache OFBiz RCE Flaw, Critical WPML Plugin Flaw, Supply Chain Vulnerabilities in MLOps Platforms And More.

1. CISA Warns About Actively Exploited Apache OFBiz RCE Flaw

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned of two exploited vulnerabilities, including a path traversal flaw in Apache OFBiz (CVE-2024-32113). Apache OFBiz, an open-source ERP system, is widely used due to its versatility. The flaw affects versions before 18.12.13 and allows remote execution of arbitrary commands. Federal agencies must apply security updates or stop using the product by August 28, 2024. Another vulnerability, CVE-2024-36971, affecting the Android kernel, was also flagged. A newer OFBiz flaw, CVE-2024-38856, impacts versions up to 18.12.14 and poses a critical pre-authentication remote code execution risk. Users should upgrade to version 18.12.15 to secure their systems.

2. Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical flaw in the WPML WordPress plugin (CVE-2024-6386, CVSS score: 9.9) could let authenticated users execute arbitrary code remotely. This vulnerability affects all versions before 4.6.13, released on August 20, 2024. Caused by missing input validation, the issue allows attackers with Contributor-level access or higher to exploit server-side template injection (SSTI) via shortcodes. WPML, used on over a million sites for multilingual content, failed to properly sanitize input in Twig templates, leading to potential server takeover. Users are strongly advised to update to the latest version to mitigate this risk.

3. SonicWall SonicOS Vulnerability Let Attackers Gain Unauthorized Access & Crash Firewall

SonicWall has disclosed a critical vulnerability (CVE-2024-40766, CVSS 9.3) in SonicOS management access. The flaw is an improper access control issue that could lead to unauthorized resource access and, under specific conditions, crash the firewall. It affects a wide range of SonicWall devices, including Gen 5, Gen 6, and Gen 7 models. SonicWall strongly advises updating to the latest firmware versions and, until that is done, restricting or disabling WAN management access from untrusted sources. Updated firmware is available, and users are urged to apply it immediately.

4. Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Cybersecurity researchers have uncovered over 20 vulnerabilities in machine learning (ML) software supply chains, posing significant risks to MLOps platforms. These flaws, both inherent and implementation-based, could lead to severe outcomes such as arbitrary code execution or loading malicious datasets.

MLOps platforms enable the creation and execution of ML models, but vulnerabilities like automatic code execution in models and datasets, particularly in tools like JupyterLab, can open doors for malware attacks. Implementation weaknesses, such as lack of authentication, have been exploited by attackers to deploy cryptocurrency miners, as seen with unpatched Anyscale Ray instances. Additionally, a container escape vulnerability in Seldon Core allows attackers to move laterally in cloud environments, compromising models and data.

5. Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk

SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. The issue, tracked as CVE-2024-28987, is rated 9.1 on the CVSS scoring system, indicating critical severity. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting the flaw. Users are recommended to update to version 12.8.3 Hotfix 2, but applying the fix requires Web Help Desk 12.8.3.1813 or 12.8.3 HF1. The disclosure comes a week after SolarWinds moved to resolve another critical vulnerability in the same software that could be exploited to execute arbitrary code (CVE-2024-28986, CVSS score: 9.8). Additional details about CVE-2024-28987 are expected to be released next month.


Programmer’s Digest #96

08/15/2024-08/21/2024 GitHub Vulnerability ‘ArtiPACKED’, Jenkins RCE Bug, PHP Vulnerability And More

1. GitHub Vulnerability ‘ArtiPACKED’ Exposes Repositories to Potential Takeover

A newly discovered attack vector in GitHub Actions artifacts, dubbed ArtiPACKED, could be exploited to take over repositories and gain access to organizations’ cloud environments. A combination of misconfigurations and security flaws can cause artifacts to leak tokens, both third-party cloud service credentials and GitHub tokens, making them available to anyone with read access to the repository. Whoever obtains such an artifact can then compromise the services those secrets grant access to. The researchers said they primarily observed leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could not only give malicious actors unauthorized access to the repositories but also let them poison the source code and get it pushed to production via CI/CD workflows. GitHub has labeled the issue as informational, urging users to secure their artifacts. Open-source projects from AWS, Google, Microsoft, Red Hat, and Ubuntu are among those affected.
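A worked example, added here and not code from the original advisory or from any of the projects named: a small Python scanner that takes an already-unpacked artifact directory and looks for the two leak shapes described above. It matches a raw `GITHUB_TOKEN` (assumed here to carry the `ghs_` prefix) or `ACTIONS_RUNTIME_TOKEN` (a three-part JWT) dumped into a log, and it decodes the basic-auth `extraheader` that `actions/checkout` writes into `.git/config` when `persist-credentials` is left at its default and the whole workspace is uploaded. The sample artifact tree it builds is constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

# Token shapes (assumptions for this demo): GitHub App installation tokens such as
# GITHUB_TOKEN start with "ghs_"; ACTIONS_RUNTIME_TOKEN is a three-part JWT.
PATTERNS = {
    "GITHUB_TOKEN": re.compile(r"\bghs_[A-Za-z0-9]{20,}\b"),
    "ACTIONS_RUNTIME_TOKEN": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"
    ),
}
# actions/checkout persists its token in .git/config as
#   extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def scan_text(text):
    """Return (kind, token) pairs found in one file's contents."""
    hits = []
    for kind, pattern in PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    for m in EXTRAHEADER.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        if decoded.startswith("x-access-token:"):
            hits.append(("GIT_EXTRAHEADER_TOKEN", decoded.split(":", 1)[1]))
    return hits


def scan_artifact_dir(root):
    """Walk an unpacked artifact and report every leaked credential, masked."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for kind, token in scan_text(text):
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "kind": kind,
                "token": token[:6] + "..." + token[-4:],   # never log the full secret
            })
    return findings


def build_sample_artifact():
    """Constructed artifact: a workspace uploaded wholesale, .git directory included."""
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    fake_ghs = "ghs_" + "A" * 36                        # constructed, not a real token
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text(
        '[http "https://github.com/"]\n'
        "\textraheader = AUTHORIZATION: basic "
        + base64.b64encode(f"x-access-token:{fake_ghs}".encode()).decode() + "\n"
    )
    (root / "build.log").write_text(
        "ACTIONS_RUNTIME_TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJydW5uZXIifQ.c2lnbmF0dXJlc2lnbmF0dXJl\n"
        "GITHUB_TOKEN=" + fake_ghs + "\n"
    )
    (root / "app.js").write_text("console.log('hello');\n")
    return root


if __name__ == "__main__":
    for finding in scan_artifact_dir(build_sample_artifact()):
        print(finding)
```

The fixes the scanner points at are configuration, not code: set `persist-credentials: false` on `actions/checkout` unless a later step genuinely needs the token, upload explicit paths rather than the whole workspace, and treat everything in an artifact as readable by anyone who can read the repository.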

2. CISA Warns Of Jenkins RCE Bug Exploited In Ransomware Attacks

CISA has added a critical Jenkins vulnerability, CVE-2024-23897, to its list of actively exploited security issues. This flaw, affecting Jenkins automation servers, allows unauthenticated attackers to read arbitrary files on the Jenkins controller through the args4j command parser, which by default replaces an '@' character followed by a file path in a CLI argument with that file's contents. Exploits for this vulnerability were published shortly after security updates in January, with attack attempts observed soon after. Shadowserver reports over 28,000 exposed Jenkins instances, with significant numbers in China and the U.S. Trend Micro notes exploitation began in March, and recent attacks include ransomware incidents by the RansomEXX gang, impacting Indian banks. CISA’s addition of CVE-2024-23897 to its Known Exploited Vulnerabilities catalog warns of ongoing exploitation and urges all organizations to address the flaw, especially federal agencies, which have a September 9 deadline to secure their Jenkins servers.
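To make the mechanism concrete, the following Python model, added here and not Jenkins or args4j code, reproduces the parser behaviour the advisory describes: any argument of the form `@<path>` is replaced by the tokens read from that file, and a command that then complains about unexpected arguments echoes the file's content back in its error text. The `allow_at_syntax` switch plays the role of the opt-in system property `hudson.cli.CLICommand.allowAtSyntax` that the Jenkins fix introduced (off by default). The file it reads is a constructed stand-in for a key file on the controller.

```python
import os
import tempfile


def expand_at_args(argv, allow_at_syntax):
    """Model of the args4j feature behind CVE-2024-23897.

    With allow_at_syntax=True an argument "@<path>" is replaced by the
    whitespace-separated tokens read from <path>, so "@/etc/passwd" pulls the
    file's contents into the argument list.  With allow_at_syntax=False (the
    post-fix default) the argument is passed through unchanged.
    """
    expanded = []
    for arg in argv:
        if allow_at_syntax and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(arg)
    return expanded


def run_cli_command(argv, allow_at_syntax):
    """Toy command that accepts exactly one argument (a job name).

    Like many real parsers it reports the offending tokens in its error
    message, which is how an unauthenticated caller gets parts of the expanded
    file back.
    """
    args = expand_at_args(argv, allow_at_syntax)
    if len(args) != 1:
        return "ERROR: too many arguments: %s" % " ".join(args[1:])
    return "OK: job %r" % args[0]


def demo():
    """Send the same request to the vulnerable and the fixed behaviour."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        # Constructed file content standing in for a secret on the controller.
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq\n")
        secret_path = fh.name
    request = ["@" + secret_path]
    try:
        return {
            "vulnerable": run_cli_command(request, allow_at_syntax=True),
            "fixed": run_cli_command(request, allow_at_syntax=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, output in demo().items():
        print(mode, "->", output)
```

The point the model makes is that the file read happens inside argument parsing, before any command-level authorization check runs, which is why the Jenkins fix turns the feature off rather than trying to validate paths.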

3. Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A new backdoor named Msupedge has been discovered in an attack against a university in Taiwan. This backdoor communicates with its command-and-control (C&C) server using DNS traffic, leveraging a method based on the open-source dnscat2 tool. The backdoor, identified as a DLL installed in specific system paths, was likely deployed via the exploitation of a critical PHP vulnerability (CVE-2024-4577) with a CVSS score of 9.8. Msupedge uses DNS tunneling to receive commands and executes actions based on the resolved IP address of the C&C server.

Commands supported by Msupedge include creating processes, downloading files, and managing temporary files. Additionally, the UTG-Q-010 threat group is linked to a phishing campaign distributing the Pupy RAT, which uses malicious .lnk files to load and execute malware.
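An added example, not Symantec's tooling or any code from the Msupedge sample: a Python detector for the DNS-tunnelling pattern described above, run over a constructed resolver query log. It profiles each base domain by how many distinct subdomains are queried, how long the leftmost label is and how much entropy it carries, so a dnscat2-style channel (long hex labels, many unique names, TXT/CNAME/MX record types) stands out while ordinary hostnames and a single high-entropy CDN name do not. The log lines are constructed; the base-domain split is a two-label heuristic, not a public-suffix lookup.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 api.example.com A
10.0.0.5 static.example.com A
10.0.0.5 login.example.com A
10.0.0.7 x9k2m4p7q1w5e8r3.assets.example.org A
10.0.0.9 7a8c1f0e3b2d4a6f9c0e1d2b3a4f5e6d.t.tunnel-example.net TXT
10.0.0.9 0c9d8b7a6f5e4d3c2b1a0f9e8d7c6b5a.t.tunnel-example.net TXT
10.0.0.9 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.tunnel-example.net CNAME
10.0.0.9 91f2e3d4c5b6a7988f7e6d5c4b3a2f10.t.tunnel-example.net MX
10.0.0.9 3b4c5d6e7f8091a2b3c4d5e6f70819a2.t.tunnel-example.net TXT
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-example.net TXT
"""


def shannon_entropy(text):
    """Bits per character; hex-encoded data tops out near 4.0, words sit near 2-3."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].rstrip(".").lower(), parts[2].upper()))
    return rows


def base_domain(qname):
    # Assumption: registrable domain = last two labels (no public-suffix list here).
    return ".".join(qname.split(".")[-2:])


def profile_domains(rows):
    """Aggregate, per base domain, the signals a tunnel leaves behind."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "lengths": [],
                                 "entropies": [], "qtypes": set(), "clients": set()})
    for client, qname, qtype in rows:
        base = base_domain(qname)
        if qname == base:
            continue
        first_label = qname.split(".")[0]
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(qname)
        st["lengths"].append(len(first_label))
        st["entropies"].append(shannon_entropy(first_label))
        st["qtypes"].add(qtype)
        st["clients"].add(client)
    return stats


def flag_tunnels(rows, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Return {base_domain: summary} for domains whose query pattern looks like a tunnel.

    All three thresholds must trip: one random CDN hostname has high entropy
    but a single unique name, and a busy ordinary zone has many names but
    short, low-entropy labels.
    """
    flagged = {}
    for base, st in profile_domains(rows).items():
        avg_len = sum(st["lengths"]) / len(st["lengths"])
        avg_entropy = sum(st["entropies"]) / len(st["entropies"])
        if (len(st["subdomains"]) >= min_unique and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            flagged[base] = {"unique_names": len(st["subdomains"]),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "qtypes": sorted(st["qtypes"]),
                             "clients": sorted(st["clients"])}
    return flagged


if __name__ == "__main__":
    for base, summary in flag_tunnels(parse_log(SAMPLE_LOG)).items():
        print(base, summary)
```

On real logs the thresholds need tuning per environment, and the base-domain heuristic should be replaced by a public-suffix lookup so that `foo.co.uk` style zones are not collapsed into `co.uk`.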

4. SolarWinds Urges an Immediate Update to Fix a Critical Web Help Desk Vulnerability

SolarWinds has released patches to fix a critical security vulnerability in its Web Help Desk software, identified as CVE-2024-28986. This flaw involves a Java deserialization issue that could permit an attacker to run commands on a compromised host machine. The company has issued a hotfix and urges users to install it immediately.

Initial reports indicated that the vulnerability could be exploited without authentication. However, SolarWinds’ extensive testing has not confirmed this claim.

The vulnerability affects all versions of Web Help Desk up to and including 12.8.3; it is resolved in 12.8.3 HF 1. SolarWinds advises all WHD customers to upgrade to the latest version and to create backup copies of the original files before applying the hotfix to avoid potential issues.

5. Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites

A severe flaw in the GiveWP WordPress donation plugin, affecting over 100,000 sites, has been uncovered. This unauthenticated PHP Object Injection vulnerability (CVE-2024-5932) allows remote code execution, rated a critical 10.0 on the CVSS scale. Discovered by researcher villu164 and reported through Wordfence on May 26, 2024, the flaw impacts all versions up to 3.14.1. It allows unauthenticated attackers to inject malicious PHP objects through the ‘give_title’ parameter, potentially leading to remote code execution and arbitrary file deletion. The vulnerability stems from improper input sanitization in the donation form processing function. Attackers can exploit this flaw to inject serialized PHP objects, which are then unserialized during payment processing. A PHP POP chain present in the plugin allows for the execution of arbitrary code and file deletion. A patched version has been released. Site administrators must update to version 3.14.2 immediately to avoid severe security risks.

Programmer’s Digest #95

08/07/2024-08/14/2024 Microsoft Issues Patches for 90 Flaws, Rogue PyPI Library Solana, Patch Released for High-Severity OpenSSH Vulnerability And More.

1. Microsoft Issues Patches for 90 Flaws, Including 10 Zero-Days

Microsoft released fixes for 90 security flaws, including 10 zero-days, with six actively exploited. Among the 90 bugs, seven are Critical, 79 Important, and one Moderate. The updates also cover 36 Edge browser vulnerabilities.

Notably, six zero-days are addressed:

  • CVE-2024-38189: Microsoft Project Remote Code Execution (CVSS 8.8)
  • CVE-2024-38178: Windows Scripting Engine Memory Corruption (CVSS 7.5)
  • CVE-2024-38193: WinSock Elevation of Privilege (CVSS 7.8)
  • CVE-2024-38106: Windows Kernel Elevation of Privilege (CVSS 7.0)
  • CVE-2024-38107: Power Dependency Coordinator Elevation of Privilege (CVSS 7.8)
  • CVE-2024-38213: Mark of the Web Security Feature Bypass (CVSS 6.5)

Trend Micro’s Peter Girnus is credited with discovering CVE-2024-38213. CISA has added the actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog. Additionally, four CVEs are publicly known, including a Microsoft Office Spoofing Vulnerability (CVE-2024-38200, CVSS 7.5) that could expose NTLM hashes through phishing. Microsoft also fixed a Print Spooler privilege escalation flaw (CVE-2024-38198, CVSS 7.8) but has not yet released updates for CVE-2024-38202 and CVE-2024-21302. A separate report from Fortra highlighted a DoS flaw in the CLFS driver (CVE-2024-6768, CVSS 6.8), which Microsoft will address in a future update.

2. Rogue PyPI Library Targets Solana Users, Steals Blockchain Wallet Keys

Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform but is actually designed to steal victims’ secrets. The malicious “solana-py” package attracted a total of 1,122 downloads since it was published on August 4, 2024. It is no longer available for download from PyPI. Notably, the library carried the version numbers 0.34.3, 0.34.4, and 0.34.5, while the latest version of the legitimate “solana” package is 0.34.3. This clearly indicates an attempt on the part of the threat actor to trick users looking for “solana” into inadvertently downloading “solana-py” instead. The campaign poses a supply chain risk in that Sonatype’s investigation found that legitimate libraries like “solders” refer to “solana-py” in their PyPI documentation, leading to a scenario where developers could have mistakenly downloaded “solana-py” from PyPI and broadened the attack surface. A developer using the legitimate “solders” package who is misled by its documentation into installing the typosquatted “solana-py” project would inadvertently introduce a crypto stealer into their application.
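As an added example (not Sonatype's tooling or the digest's own code): a small Python audit that takes a pinned requirements list plus an allowlist of the packages you actually intend to use, and flags pins whose normalized name is a near-miss of an allowlisted name. It also reports the tell-tale the solana-py campaign left behind, a version number ahead of the real package's latest release. The allowlist versions and the requirements lines are constructed for the demo, not verified release data.

```python
import difflib
import re

_PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Crude comparable key: the numeric components of a version string."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_requirements(requirements, known, cutoff=0.75):
    """Flag pins that look like typosquats of packages in `known`.

    requirements: iterable of "name==version" lines (comments allowed).
    known: {normalized_name: latest_version} for the packages you expect.
    Returns one finding per suspicious pin with the reasons it was flagged.
    """
    findings = []
    for raw in requirements:
        line = raw.split("#", 1)[0].strip()
        match = _PIN.match(line)
        if not match:
            continue
        name, version = normalize(match.group(1)), match.group(2)
        if name in known:
            continue                                  # exactly what we expected
        close = difflib.get_close_matches(name, list(known), n=1, cutoff=cutoff)
        if not close:
            continue                                  # unrelated package, out of scope here
        target = close[0]
        similarity = difflib.SequenceMatcher(None, name, target).ratio()
        reasons = ["name is %d%% similar to '%s'" % (round(similarity * 100), target)]
        if version_key(version) > version_key(known[target]):
            reasons.append("version %s is ahead of %s's latest release %s"
                           % (version, target, known[target]))
        findings.append({"package": name, "version": version,
                         "suspected_target": target, "reasons": reasons})
    return findings


# Constructed inputs for the demo: the allowlist versions are illustrative pins,
# not verified release data.
KNOWN_PACKAGES = {"solana": "0.34.3", "solders": "0.21.0", "requests": "2.32.3"}
REQUIREMENTS = [
    "solana-py==0.34.5   # copied from a docs page, looks like the official client",
    "solders==0.21.0",
    "requests==2.32.3",
    "requsts==2.32.3",
]


if __name__ == "__main__":
    for finding in audit_requirements(REQUIREMENTS, KNOWN_PACKAGES):
        print(finding["package"], finding["version"], "->", "; ".join(finding["reasons"]))
```

The similarity cutoff is deliberately loose (0.75) because `solana-py` scores only 0.8 against `solana`; the allowlist is what keeps the false-positive rate down, since only names close to something you actually depend on are ever reported.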

3. Ivanti Virtual Traffic Manager Flaw Let Hackers Create Rogue Admin Accounts

Ivanti Virtual Traffic Manager (vTM) contains a critical authentication bypass vulnerability, tracked as CVE-2024-7593 with a CVSS score of 9.8. Ivanti has patched the flaw and released a security advisory. The vulnerability allows an unauthenticated remote threat actor to bypass admin panel authentication and perform malicious actions.

A threat actor can also create an administrator account on a vulnerable Ivanti instance as a backdoor. The flaw stems from an incorrect implementation of the authentication algorithm in Ivanti vTM and affects all versions other than 22.2R1 and 22.7R2, which contain the fix. Ivanti also advises users to restrict access to the management interface and to bind it to a private IP address with restricted access.

4. Urgent Patch Released for High-Severity OpenSSH Vulnerability on FreeBSD

On August 12, 2024, the FreeBSD Project released a critical update for a high-severity vulnerability in OpenSSH, identified as CVE-2024-7589, which has a CVSS score of 7.4. This flaw could allow attackers to remotely execute arbitrary code with elevated privileges on affected systems. CVE-2024-7589 stems from a flaw in the signal handler of the sshd(8) daemon, which handles SSH connections. The issue arises because a logging function that is not async-signal-safe is called from within the signal handler, creating a race condition that a remote attacker can attempt to win.

This vulnerability could give attackers complete control over the affected system, making it a severe security risk. Users should update FreeBSD to a version with the latest security patches and restart the sshd(8) daemon to mitigate this issue.

5. Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.

The list of vulnerabilities is as follows:

  • CVE-2024-27459: Stack overflow vulnerability causing DoS and LPE in Windows.
  • CVE-2024-24974: Unauthorized access to the “\openvpn\service” named pipe in Windows, allowing remote operations.
  • CVE-2024-27903: Plugin mechanism vulnerability leading to RCE in Windows and LPE/data manipulation in Android, iOS, macOS, and BSD.
  • CVE-2024-1305: Memory overflow vulnerability causing DoS in Windows.

The first three of the four flaws are rooted in a component named openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver. An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain. 

6. CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that threat actors are exploiting the legacy Cisco Smart Install (SMI) feature to access sensitive data. Adversaries are abusing this feature, which is often left enabled on Cisco devices, to retrieve system configuration files.

CISA has also noted the prevalence of weak password types on Cisco network devices, making them vulnerable to password-cracking attacks. The agency recommends using type 8 password protection and suggests reviewing the NSA’s Smart Install Protocol Misuse advisory for configuration guidance. Separately, Cisco has warned of critical flaws (CVE-2024-20419, CVE-2024-20450, CVE-2024-20452, CVE-2024-20454) in its Smart Software Manager On-Prem and SPA Series IP Phones. These vulnerabilities could lead to unauthorized access, arbitrary command execution, or denial-of-service conditions.
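An added example (not CISA's, NSA's or Cisco's code) showing why the password-type advice matters: a Python audit of `show running-config` output that classifies every `enable`/`username` secret by its storage type, recovers type 7 values with the long-public reversible scheme, and checks whether Smart Install has been explicitly disabled with `no vstack`. The configuration it parses is constructed; the `$8$`/`$9$` strings in it are placeholders, not real hashes.

```python
import re

# The fixed key Cisco's type 7 scheme XORs against; it has been public for decades.
_TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(ciphertext):
    """Recover a type 7 password: two-digit seed, then one hex byte per character."""
    seed = int(ciphertext[:2], 10)
    plain = []
    for pos, i in enumerate(range(2, len(ciphertext), 2)):
        byte = int(ciphertext[i:i + 2], 16)
        plain.append(chr(byte ^ ord(_TYPE7_KEY[(seed + pos) % len(_TYPE7_KEY)])))
    return "".join(plain)


def type7_encrypt(plaintext, seed=7):
    """Inverse of type7_decrypt, handy for building test vectors."""
    out = ["%02d" % seed]
    for pos, ch in enumerate(plaintext):
        out.append("%02X" % (ord(ch) ^ ord(_TYPE7_KEY[(seed + pos) % len(_TYPE7_KEY)])))
    return "".join(out)


_SECRET_LINE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?:secret|password)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

# Verdicts follow the CISA/NSA guidance: type 8 recommended, type 9 acceptable,
# everything else should be migrated.
_VERDICTS = {
    0: ("cleartext", "replace now: stored in the clear"),
    4: ("sha256-unsalted", "replace now: deprecated, fast to crack"),
    5: ("md5-salted", "migrate: cheap to crack offline"),
    6: ("aes-reversible", "review: reversible with the device master key"),
    7: ("vigenere-reversible", "replace now: trivially decodable"),
    8: ("pbkdf2-sha256", "ok: recommended type"),
    9: ("scrypt", "ok: acceptable type"),
}


def audit_config(config_text):
    """Return one finding per credential line, with decoded type 7 values."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _SECRET_LINE.match(line)
        if not m:
            continue
        ptype = int(m.group("type")) if m.group("type") else 0   # no type => cleartext
        kind, advice = _VERDICTS.get(ptype, ("unknown", "review manually"))
        finding = {"line": lineno, "user": m.group("user") or "enable",
                   "type": ptype, "kind": kind, "advice": advice}
        if ptype == 7:
            finding["decoded"] = type7_decrypt(m.group("value"))
        findings.append(finding)
    return findings


def smart_install_disabled(config_text):
    """Smart Install stays on unless the config explicitly says 'no vstack'."""
    return any(line.strip() == "no vstack" for line in config_text.splitlines())


# Constructed running-config excerpt; the $8$/$9$ strings are placeholders.
SAMPLE_CONFIG = """\
hostname edge-sw01
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 070C285F4D06
username admin privilege 15 secret 9 $9$placeholderSalt$placeholderHashValue
username backup password cisco123
username ops secret 8 $8$placeholderSalt$placeholderHashValue
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    print("smart install disabled:", smart_install_disabled(SAMPLE_CONFIG))
```

The type 7 decoder is the whole argument in one function: any device configuration that leaks, whether through Smart Install or a backup share, hands over those passwords in the clear, which is why the guidance treats type 7 the same as plaintext.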
