
Programmer’s Digest #109

11/13/2024-11/20/2024 High-Severity Flaw in PostgreSQL, Oracle Agile PLM Zero-Day Vulnerability, Critical WordPress Plugin Vulnerability And More.

1. Oracle Agile PLM Zero-Day Vulnerability Exploited In The Wild

Oracle has issued a security alert for a critical vulnerability (CVE-2024-21287) in its Agile Product Lifecycle Management (PLM) Framework that is currently being actively exploited. The flaw, with a CVSS score of 7.5, affects version 9.3.6 and allows unauthenticated attackers to remotely access and download sensitive files via HTTP or HTTPS. Exploiting this vulnerability could grant attackers unauthorized access to critical data under the PLM application’s privileges. Oracle confirmed active exploitation and has released a security patch. Customers are urged to apply updates immediately and monitor for unauthorized activity. Organizations should act promptly to secure systems against this high-severity zero-day vulnerability.

2. Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

A critical vulnerability (CVE-2024-10924, CVSS 9.8) in the Really Simple Security plugin for WordPress could allow attackers to gain full administrative access to affected sites. The flaw impacts versions 9.0.0 to 9.1.1.1 of the plugin, used by over 4 million websites. It stems from improper handling of user authentication in the “check_login_and_get_user” function, enabling unauthenticated attackers to bypass two-factor authentication. The vulnerability, disclosed by Wordfence on November 6, 2024, has been patched in version 9.1.2. To mitigate risks, WordPress collaborated with the plugin developers to force-update all affected sites. Separately, another flaw (CVE-2024-10470, CVSS 9.8) in the WPLMS Learning Management System plugin allows unauthenticated users to read or delete files, potentially enabling site takeovers. These incidents highlight the importance of immediate patching and maintaining updated WordPress plugins to protect against severe exploitation.

3. Palo Alto Networks Confirms Zero-Day Exploitation in PAN-OS Firewalls

Palo Alto Networks has confirmed active exploitation of a zero-day vulnerability in its PAN-OS firewall management interface, initially reported as a potential remote code execution flaw (CVSS 9.3). The zero-day is being exploited to deploy web shells for persistent remote access. A CVE is pending assignment. Threat actors target exposed management interfaces, emphasizing the need to restrict access to trusted internal IPs. The company recommends isolating the management interface on a VLAN, using jump servers, limiting inbound IPs, and allowing only secure protocols like SSH and HTTPS. Indicators of compromise (IoCs) include malicious activity from IPs such as `136.144.17[.]*` and a specific web shell checksum. Restricting interface access significantly reduces risk, dropping the CVSS score to 7.5. Palo Alto urges immediate application of these best practices. 

Additionally, CISA added two related vulnerabilities (CVE-2024-9463 and CVE-2024-9465) to its Known Exploited Vulnerabilities catalog.

4. Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform

Researchers from Palo Alto Networks Unit 42 uncovered two critical flaws in Google’s Vertex AI platform that could enable attackers to escalate privileges and exfiltrate machine learning (ML) models. The first vulnerability exploits Vertex AI Pipelines, a feature for automating ML workflows. By manipulating custom job permissions, attackers can escalate privileges, gain unauthorized access to restricted resources, and deploy a reverse shell for backdoor access. The second flaw involves deploying a poisoned model that abuses permissions to move laterally into Kubernetes clusters. This allows attackers to exfiltrate proprietary ML models, including fine-tuned large language models (LLMs). These vulnerabilities pose serious risks, as a single malicious model could compromise an entire AI environment. Google has since patched the issues.  

5. High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

Researchers have disclosed a critical vulnerability (CVE-2024-10979) in PostgreSQL, rated CVSS 8.8, that allows unprivileged users to alter environment variables, potentially enabling code execution or information disclosure. The flaw affects PostgreSQL’s PL/Perl extension, where improper control of environment variables (e.g., PATH) can let attackers execute arbitrary code, even without access to the server’s operating system. This could lead to severe security risks, including malicious code execution or data extraction. The issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to apply the patch and restrict extension permissions, following the principle of least privilege, to minimize risk. The vulnerability was discovered by Varonis researchers Tal Peleg and Coby Abrams. More details are being withheld to allow time for users to secure their systems.

6. CISA Adds Palo Alto Networks Expedition Vulnerabilities to Exploited Catalog 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities in Palo Alto Networks’ Expedition tool to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, affecting versions prior to 1.2.96, could allow attackers to access sensitive data, execute commands, and compromise firewall configurations.  

Key vulnerabilities include:  

  • CVE-2024-9463 (CVSS 9.9): Unauthenticated command injection granting root access to sensitive data.  
  • CVE-2024-9465 (CVSS 9.2): SQL injection enabling unauthorized database access and file manipulation.  
  • CVE-2024-9464 (CVSS 9.3): Authenticated OS command injection exposing credentials and API keys.  

Researchers from Horizon3 shared proof-of-concept exploits and Indicators of Compromise (IOCs). Palo Alto recommends restricting Expedition’s access to trusted users and checking for compromise. Federal agencies must address these flaws by December 5, 2024, per CISA’s Binding Operational Directive, and private organizations are advised to follow suit to protect their networks.


Programmer’s Digest #108

11/06/2024-11/13/2024 Patched Critical Vulnerability in Industrial Networking Solution, Security Flaws in Popular ML Toolkits, Potential PAN-OS RCE Vulnerability And More.

1. Cisco Patches Critical Vulnerability in Industrial Networking Solution

Cisco recently issued patches for multiple vulnerabilities across its enterprise products, including a critical bug in Unified Industrial Wireless software. The critical flaw, tracked as CVE-2024-20418 with a maximum CVSS score of 10, lets remote attackers execute commands with root privileges. This vulnerability exists due to improper input validation in the software’s web management interface, enabling crafted HTTP requests to bypass security controls. Devices affected include Catalyst IW9165D, IW9165E, and IW9167E access points with Ultra-Reliable Wireless Backhaul mode enabled. Cisco urges users to upgrade to version 17.15.1 to mitigate the risk.

Cisco also patched CVE-2024-20536, a high-severity vulnerability in the Nexus Dashboard Fabric Controller that could allow SQL command execution, and CVE-2024-20484 in Enterprise Chat and Email, which could cause denial-of-service. No known exploits of these flaws have been reported, and further details are available in Cisco’s security advisories.

2. Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw

Microsoft’s security team released fixes for over 90 Windows vulnerabilities, highlighting two zero-day flaws already exploited in attacks. One flaw, CVE-2024-49039, is a privilege escalation issue in Windows Task Scheduler that could allow code execution from low-privilege applications. Discovered by Google’s Threat Analysis Group, it has a severity score of 8.8 and is suspected to have been used in targeted attacks. Another critical flaw, CVE-2024-43451, exposes a user’s NTLMv2 hash, enabling attackers to impersonate the user. Minimal interaction, such as a single click on a malicious file, could trigger this vulnerability.

The patch rollout also addresses a critical Windows Kerberos vulnerability (CVE-2024-43639) and a .NET/Visual Studio bug (CVE-2024-43498), both carrying severity scores of 9.8 and risking remote code execution. Additionally, Adobe issued fixes for 48 bugs across various products, including urgent patches for Adobe Commerce and other platforms vulnerable to code execution.

3. Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation

Cybersecurity researchers have identified nearly two dozen vulnerabilities across 15 open-source machine learning (ML) projects, exposing critical security weaknesses. These flaws include both server-side and client-side issues that could allow attackers to hijack ML model registries, databases, and pipelines. Key vulnerabilities include CVE-2024-7340, a directory traversal flaw in Weave ML that allows privilege escalation, and CVE-2024-6507, a command injection vulnerability in Deep Lake’s database that enables malicious command execution. Other severe flaws affect ZenML, Vanna.AI, and Mage AI, allowing unauthorized privilege elevation and code execution. These flaws highlight the risk of attacks such as ML model backdooring and data poisoning, which could lead to significant breaches.

4. Palo Alto Networks Warns of Potential PAN-OS RCE Vulnerability

Palo Alto Networks recently warned customers about a possible remote code execution vulnerability in the PAN-OS management interface of its next-generation firewalls. Although the company has not yet confirmed details of the vulnerability or detected active exploitation, it advises customers to restrict access to the interface by allowing only trusted internal IPs. For enhanced security, Palo Alto suggests isolating the management interface on a dedicated VLAN, using jump servers, and limiting IP access to approved devices. Cortex Xpanse and Cortex XSIAM customers can monitor for potential exposure via the Firewall Admin Login attack surface rule. Meanwhile, CISA has warned of ongoing attacks on a critical flaw in Palo Alto’s Expedition tool (CVE-2024-5910), which allows attackers to reset admin credentials. Exploits for this and related vulnerabilities, including CVE-2024-9464, have been demonstrated, potentially allowing unauthorized command execution.

5. New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration

Cybersecurity researchers have found security flaws in Citrix Virtual Apps and Desktops that could allow remote code execution (RCE) through the Session Recording component, which logs user activity for compliance purposes. The vulnerability arises from a misconfigured Microsoft Message Queuing (MSMQ) instance, allowing unauthorized access via BinaryFormatter deserialization. Notably, Citrix stated that successful exploitation requires an authenticated user in the same domain, and patches are available in newer versions, including updates for LTSR releases. The flaws are tracked as CVE-2024-8068 and CVE-2024-8069. Microsoft has discouraged using BinaryFormatter due to security risks, removing it in .NET 9 for safety. Researchers warn the vulnerability could lead to “point-click-full-takeover” attacks. Shadowserver Foundation has observed potential exploitation attempts and strongly advises immediate patching to secure affected systems.


Programmer’s Digest #107

10/31/2024-11/06/2024 LiteSpeed Cache Plugin Vulnerability, Zero-Day Vulnerability in SQLite Database Engine And More.

1. LottieFiles Issues Warning About Compromised “lottie-player” npm Package

LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library. According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.” The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8. Even with 2FA configured, the threat actors somehow got the npm automation token set in the CI/CD pipeline to automate version releases to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the npm package.
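A check a site owner can run against their own pages for the unpinned-CDN pattern described above. This is an added example, not LottieFiles' code or part of the original digest; it assumes the package's scoped npm name is `@lottiefiles/lottie-player` (the digest only says "lottie-player") and that CDN URLs follow the unpkg/jsDelivr path layout.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
COMPROMISED = {"2.0.5", "2.0.6", "2.0.7"}      # releases the digest names as malicious
PACKAGE = "@lottiefiles/lottie-player"         # assumed scoped npm name of "lottie-player"
CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}
# unpkg: /@scope/name@1.2.3/file.js   jsdelivr: /npm/@scope/name@1.2.3/file.js
PIN_RE = re.compile(r"(?:^|/)" + re.escape(PACKAGE) + r"(?:@([^/]+))?(?:/|$)")
# Constructed sample page; the integrity value is a placeholder, not a real digest.
SAMPLE_HTML = """<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head></html>"""

class _ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def classify_script(src, integrity):
    """None if src is not a CDN reference to PACKAGE, else a verdict string."""
    u = urlparse(src)
    m = PIN_RE.search(u.path) if u.netloc in CDN_HOSTS else None
    if not m:
        return None
    version = m.group(1)
    if version is None or version in ("latest", "next"):
        return "UNPINNED"      # served whatever the registry calls latest: the attack path
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        return "RANGE"         # ^2 or 2.x is re-resolved on every fetch
    if version in COMPROMISED:
        return "COMPROMISED"
    return "OK" if integrity else "PINNED_NO_SRI"   # exact pin plus SRI hash is the safe shape

def audit_html(html):
    """(src, verdict) for each script tag that loads the package from a CDN."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src") or ""
        verdict = classify_script(src, attrs.get("integrity"))
        if verdict:
            findings.append((src, verdict))
    return findings
```

Only an exact version pin combined with an `integrity` attribute stops a registry-side compromise from reaching the browser; a bare pin still trusts the CDN to serve the right bytes.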

2. LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator-level access, after which malicious plugins could be uploaded and installed. The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8). It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing the crawler feature to be abused to simulate a logged-in user, including an administrator. CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2). Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates, which can include important security fixes.

3. Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Cybersecurity researchers have identified a malicious Python package called “CryptoAITools,” which pretends to be a cryptocurrency trading tool but is actually designed to steal sensitive data and drain crypto wallets. Distributed on both the Python Package Index (PyPI) and GitHub, it was downloaded over 1,300 times before PyPI removed it. The malware activates immediately upon installation on Windows and macOS, deploying a deceptive interface to distract users while it performs data theft in the background. Embedded in the code is a function that downloads further malicious payloads from a fake cryptocurrency trading site, enabling multi-stage infections. CryptoAITools gathers a range of sensitive data, including cryptocurrency wallet information, passwords, cookies, SSH keys, and files. It even targets Apple-specific data on macOS. In addition, a related GitHub repository, “Meme Token Hunter Bot,” and a Telegram channel are used to promote the malware, extending its reach to cautious users across multiple platforms.

4. Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

Google recently uncovered a zero-day vulnerability in the SQLite open-source database using its AI-powered Big Sleep framework (formerly Project Naptime). This marks the “first real-world vulnerability” found by an AI tool, according to Google. The vulnerability is a stack buffer underflow in SQLite, caused by referencing memory locations outside a buffer’s bounds, potentially leading to crashes or unauthorized code execution. Following responsible disclosure, the issue was addressed as of October 2024. Big Sleep, initially detailed in June 2024, leverages large language models to automate vulnerability detection. It enables AI to simulate human analysis, using tools to navigate code, perform sandboxed tests, and debug. While Big Sleep shows promise for pre-release security, Google notes it’s experimental and that specialized fuzzers might still be as effective for certain targets.

5. Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Cybersecurity researchers have uncovered a large-scale campaign, dubbed EMERALDWHALE, that targets exposed Git configurations to steal credentials, clone private repositories, and access cloud services. EMERALDWHALE is believed to have compromised over 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket linked to a prior victim. The operation has obtained at least 15,000 credentials from cloud providers and email services, reportedly for phishing and spam. Although not highly advanced, EMERALDWHALE uses private tools to scan for exposed Git config files and Laravel `.env` files, scraping sensitive information. The group employs tools like MZR V2 and Seyzo-v2, which exploit exposed IPs and are available on underground markets. Additionally, lists of vulnerable Git paths are sold on Telegram, highlighting a growing market for configuration files with sensitive data.
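Detection logic for the exposed-config scanning described above, run over constructed access-log lines. This is an added example, not EMERALDWHALE tooling or anything from the original digest; it assumes the Apache/nginx "combined" log format and uses documentation-range IPs and invented timestamps.

```python
import re
from collections import Counter

# What EMERALDWHALE-style scanners request: Git metadata and Laravel .env files
# at any depth (/.git/config, /.git/HEAD, /.env, /app/.env, /.env.backup, ...).
SENSITIVE_PATH_RE = re.compile(r"^/(?:.*/)?(?:\.git(?:/|$)|\.env(?:\.[\w.-]+)?$)")
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2024:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2024:10:00:02 +0000] "GET /app/.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Nov/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2024:10:00:07 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/8.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_sensitive(path):
    """True if the request path (query string stripped) targets .git or .env material."""
    return bool(SENSITIVE_PATH_RE.match(path.split("?", 1)[0]))

def analyze(log_text):
    """Return (probe count per source IP, [(ip, path)] that the server answered 200).

    A 404 means someone is scanning you; a 200 means the file was actually served
    and the repository or .env contents must be treated as disclosed.
    """
    probes = Counter()
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_sensitive(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"] == 200:
            exposed.append((rec["ip"], rec["path"]))
    return probes, exposed
```

Any entry in the exposed list means the credentials in that file should be rotated, not just the file removed, since the scanner already has a copy.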
